Something that I took for granted early on in my career was translating the technical so what into risk and even how to explain that to people who don’t know technical content.
One thing that I have appreciated in working with some amazing and intelligent people in my last three jobs is observing them be so eloquent in how they explain the so what to senior leaders and people who aren’t in the cyber security space. It always reminds me of the interview John Oliver did with Snowden (https://youtu.be/XEVlyP4_11M) where he translates what NSA was doing to a risk to the average American using nude photos as an analogy. A disclaimer here, don’t take my mention of this to be my endorsement of what Snowden did as a positive or a negative just a comment on excellent journalism and debate by John.
A recent example of how I have seen this communicated which is just something I hadn’t really thought of before was watching Rob M. Lee present at Compact DISC 2022 when he explained that when defending critical infrastructure against attackers it’s not just business risk or immediate safety concerns to local operators and environment that you’re worried about but community risk also.
This is easy to understand from the standpoint of an energy provider. If you lose the ability to provide power in the middle of Winter and people start to suffer and potentially die due to insufficient heating. Or if you’re a water provider and the water becomes contaminated due to an attack and people get sick or die. However, what about third party support for some of the critical functions. What if the communications and planning systems for trucking got hit. That would likely mean fuel, food, and goods delivery would at minimum be delayed likely causing panic buying (if the pandemic is anything to go by) and what are all the other second and third order effects of this.
This is likely discussed and researched as part of some of the worlds best think tanks and probably part of the reason at least in Australia why we have started to see an extension to the organisations classed as critical infrastructure under the recent changes to the SOCI Act (https://www.legislation.gov.au/Details/C2022C00160). What I think we all can start to take away is questioning “Do I work somewhere that is critical infrastructure or supports it and are we doing enough or on the path for improvement?”
All this is to say that community risk is a scary thing and with the rise of cyberattacks (or at least reporting of) in recent years it’s safe to say that people who attack critical infrastructure or organisations that support it either directly or indirectly are complete fuckwits.
Lastly I’d like to leave you with a more positive thought. The ‘S’ looks like side boob. You can’t un-see it and you’re welcome.