Today I've been busy in town doing 'stuff' but had the good sense to take some blank paper and a pen with me. In a few spare moment between apointments, I finally found the right combination of time to think with a clear head, a good dose of caffeine and creative spark.
During the rest of May, the scope, structure, content and themes for June's IoT security awareness module will emerge from this rough-n-ready hand-scrawled mind map:
Working clockwise from the 2 o'clock position, we need to prepare:
- An introduction to the topic - setting the organizational/busineness and technical background or context for the module;
- A basic explanation of things, with hints about the associated creative possibilities and practical constraints of various kinds (e.g. high-street retail IoT products vs industrial IIoT things used in factories, buildings and [perhaps critical national and corporate] infrastructures);
- Something about managing and controlling things, with nods towards governance aspects such as ownership and accountability;
- Something on the information risks (principally the threats, vulnerabilities and impacts concerning information confidentiality, integrity and availability) typically associated with or arising from things (which - with hindsight - may be better expressed before or in parallel with the management and control stuff, since our main focus will be managing the security of things, specifying and implementing security controls etc. to address the information risks);
- Some generic, pragmatic guidance on IoT security strategy, policies, procedures, guidelines etc., giving a practical edge to all of the preceding stuff - helpful, sensible, plain-speaking advice that the awareness audiences can actually use.
While it has a certain rustic charm as it is, I'll probably turn that barely-legible rough sketch mind-map into something more professional, more presentable, literally: it will eventually form the basis of slides for the awareness seminars, and illustrate some of the awareness briefings. No doubt the picture will evolve and become more elaborate in some areas as the month unfolds and various IoT security incidents come to light, but I'm willing to bet that the final version will bear more than just a passing resemblance to today's output.
I've had some ideas for the awareness posters too and will continue cogitating on those over the weekend. For now, though, the week is over and the work is done. At 7pm on a Friday evening, it's playtime!