“But we only sell hammers, do we really need the Cadillac solution?” During a 9 AM meeting, I sat across from a C-suite executive as these words hung in the air. I was left gobsmacked. It was readily apparent that a significant language gap needed to be overcome to help leaders understand the motivations of cybercriminals. It doesn’t matter if your organization sells hammers, clothing, kids’ toys, or toilet paper: malicious parties want your data.

This is a very common problem. Organizational leaders find themselves strategizing major moves and opportunities to grow their business, while hypothetical “what-if” doomsday scenarios are looked at as edge cases. Quantifiable metrics and experience drive most organizations’ decisions. If decision-makers cannot see a tangible impact or contractual numbers, or cannot evaluate a potential outcome against their previous experience, you will have a very difficult time guiding their thought process.

As engineers and security professionals, we are often told not to “get into the weeds” with details when speaking to non-technical leaders. Avoiding detail is very difficult for engineers and pen testers, as “getting into the weeds” is what we do. As security professionals, we need to find ways to break through to leaders with information they can use regarding information security risks. Leaders really do want to know the state of cybersecurity in their organization and often crave it. However, they need it in a way that resonates with them, so they can lead other management in the organization.

On April 16, I have the pleasure of presenting a talk entitled “But, we only sell ______ : Helping Leaders Understand Security Risk Via Red Teaming” at BSides Tampa. During this talk, we will look at the issues facing security professionals as they communicate with management. How do we get our message across in a way that our leadership can consume? We do this through real-world examples.
We show them exactly how our organizations react when presented with a threat. We red team ourselves and present the outcome in a way they can not only understand but that also complements their communication style. We will focus on using extremely low-cost red teaming techniques that can be completed as small, fast, easily executed exercises. Furthermore, we will look at how to get leadership buy-in, permission to run the exercises, and what leaders expect as results from these red team exercises. The exercises give defined outputs that show decision-makers how your organization reacts to common threats. Armed with this information, you can illustrate exactly how a threat impacts your organization and make recommendations to mitigate it. These results can be used to drive budget, inform leaders, or create awareness within your organization.

Once you can demonstrate, with a concrete example, the damage that can be done to an organization, you have a powerful message. When you can present the challenge with names, places, and systems decision-makers recognize, they will listen. It won’t matter if the company sells hammers or popsicles; you will be prepared to show how to protect your organization.
About the Author: Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, SOX, Intrusion Detection and Prevention Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He can be found at: https://www.eanmeyer.com

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.