Today I'm working on the InfoSec 101 awareness seminar for professionals, by which I mean workers with a professional interest in information security.
As with the staff and management seminars, the aim is to cover the basics in a way that appeals to the audience: I figure the professionals are more clued-up than most, particularly on technology, so it's appropriate to go into a little more depth here on the fundamental concepts ... starting with risk and control.
The diagram above represents the nature of risk, i.e. an 'uncertain outcome'. That's a seminar slide's worth, with a few words from the presenter briefly explaining each of the red-amber-green spectra as they appear on the screen.
The next slide contrasts two complementary forms of control: either we stop harmful things from occurring by avoiding, preventing or mitigating incidents, or we ensure that good things occur - and that's an intriguing thought. What does that actually mean in this context?
'Prevent bad stuff' is what most people think security is all about ... but wait, there's more. 'Protect good stuff' refers to maintaining the confidentiality, integrity and availability of information, thereby supporting and enabling business activities which use and depend on information.
Looking again at those two images, the simpler, cleaner style of the 'control' one seems more elegant and better suited to InfoSec 101, so I will redraw the 'risk' one in the same style.
We could stop right there with a two-slide InfoSec 101 pro seminar but, tempting as it may be, that's arguably a simplification step too far. An unknown proportion of the pro audience may have no background or interest in this area, and some will doubtless be flagging under the onslaught of this and other induction courses.
From there, we will briefly cover information risk management and information security management, mentioning a few basic security controls as examples of things we're using to manage information risk. The seminar will wrap up by returning to the business aspects - the reasons why InfoSec is important. And that's that. Bish bash bosh, job's a good'un. Simple enough when you know how ... thanks to, ooh, 17 years of full-time effort plus a couple of decades before that preparing and delivering occasional courses, seminars, reports and awareness activities.