Welcome to the SecAware blog

I spy with my beady eye ...

10 Aug 2018

NBlog August 11 - managing outsider threats

September's awareness seminar for management on "outsider threats" is coming along nicely.

This week I've been researching the web (well, OK, Googling) and exploring opinions, firstly on what "outsider threats" are, and secondly what to do about them.

It has been a frustrating few days, digging up the odd insightful nugget hidden under piles of tripe gently steaming away in Google-land. 

A disappointing majority of commentators seem oblivious to the distinctions between "threat", "vulnerability" and "risk", their confused language more than merely hinting at a fundamental lack of understanding of the concepts that underpin the field. One piece in particular made me laugh out loud, muddling up impacts with exposure.  [To be clear, over-exposure to the sun makes you red and sore.  Melanoma is the impact.  Muddle them up at your peril!]

Several are stubbornly and myopically focused on cyber, a few even defining "outsider threats" as if there is nothing but IT to worry about. If only it were that easy! Knock yerself out tackling hackers and malware, mate, while I get to grips with All The Rest Of It.  Yes, I know you have a tough job. Yes, I know those haxx0rs and VXers are evl, cunning buggrz. And no, you don't deserve a raise for being a superhero.

Today, I've made the decision to explain the process of managing information risks, again, using outsider threats specifically to illustrate the steps. I say "again" because information risk management is one of the home bases to which we return in almost every NoticeBored module. It's one of the handbags we always dance around, so to speak. It's an old friend that's never out of line.

So, here's slide 13 from the management slide deck, a process overview that we'll build up over the 8 preceding slides using typical examples of "outsider threats" ... and vulnerabilities ... and impacts to explain each step, bringing the cascade to life. It's part awareness, part teaching, part exploring the topic, part demonstrating techniques. 

The trick, though, is to find engaging and insightful situations to illustrate each step. Drawing the process diagram took minutes. Preparing the sequence of slides, a few more minutes. Thinking up relevant examples will take me all weekend ... but luckily I can think about this while Doing Other Stuff - lambs to count, trees to plant, ditches to dig, that sort of thing.

Have a good weekend.
