Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Sep 3, 2017

NBlog September 3 - InfoSec 101 elevator pitch, part 2 of 3

Yesterday, I started telling you about one of the smallest deliverables in our awareness portfolio, the elevator pitch aimed at senior executive management. Despite its diminutive size, a lot of effort goes into selecting and fine-tuning those 100-odd words.

[Sorry if this detailed deconstruction of the pitch one paragraph at a time is tedious but I think it's useful to understand the design, the purpose of the page and the thinking that goes into it. As far as I know, we are the only security awareness provider specifically targeting senior management in this way. I've made disparaging comments in the past about awareness programs aimed at "end-users": neglecting other employees - especially managers and professionals - seems incredibly short-sighted to me, a bit like trying to teach the passengers how to drive a car, ignoring the driver and the mechanics.] 

OK, pressing swiftly ahead, the elevator pitch can be interrupted at any point. If someone is presenting or talking it through with an exec, they may well need to break off answer questions or respond to comments. If a busy exec is quickly skimming the piece online or on paper, they might get distracted by a phone call or email. We may only have their attention fleetingly, if at all. 

If we're lucky, the exec will swallow the bait and be hooked ... so the second paragraph has the essential barb:
Cybersecurity is important but there’s more to it than IT. Information security enables the business to exploit information in ways that would otherwise be too risky.
'Cybersecurity' is all the rage, of course. It's a term we see frequently in the media.  Although it's rarely defined, it is generally interpreted as IT and network security, specifically around Internet-related tech incidents such as hacking and malware. That's all very well, but what about all the rest of information risk and security? What about social engineering scams and frauds, piracy, industrial espionage and so forth? What about the whole insider-threat thing: where does that fit in relation to 'cyber'? 

Oh, hang on a moment: explaining the first 10-word sentence of the second paragraph took me about 100 words. Admittedly my explanation rambles on a bit, but on the other hand it's still just the tip of the iceberg.

The sentence that ends the second paragraph again mentions "business" - quite deliberately so but did you even notice? Here in New Zealand, we are suffering a spate of intensely annoying radio advertisements that inanely repeat some key word that, I presume, the client asked the ad agency to promote. "Wallpaper" is one that springs to mind, repeated about a dozen times in a typical 30 second ad. Maybe they think they are being clever because here I am talking about their wallpaper advertisement, but the repetition is so distracting that I can't remember the rest of the ad, including the company or product names. I reflexively hit the off button whenever I catch the first few seconds!

Rant aside, our second paragraph throws down a challenge before the reader. It's deliberately open-ended and thought-provoking. If cybersecurity is more than just IT, what else is it?  How does information security enable the business, and what's all this about risk anyway?

Tomorrow I'll conclude this little series by blogging about the final paragraph. Are you on the hook?