According to an impressive lineup at the Pittsburgh Technology Council’s Cyburgh 2024, communication is key to a successful cyber posture.
That’s music to my ears.
As a member of the Schneider Downs Marketing team, I count communication as my bread and butter. Based on the conversations at Cyburgh 2024, this is something I share with the cybersecurity community.
Communication Within Organizations
Cyburgh 2024 kicked off with a discussion of the “State of Cyber in 2024,” which focused on several key trends, including the impact of new regulations, shifts in hiring practices and predictions for the future. But the most interesting part of the presentation to my communication-biased ears was that the “key to success” in today’s cyber landscape was “context, communication and connection.” Organizational context can make or break a security program. As for how to best provide context within your organization… other presenters had thoughts.
- Leadership: Getting a security program off the ground requires buy-in from leadership. Of course, it’s difficult to demonstrate the precise ROI of “what might have happened if we didn’t have this program,” but there are several strategies that CISOs might use to get in the door. For example, one presenter suggested painting cyber as a business enabler. Maybe increased security makes you more competitive than your vulnerable competitors, maybe you can do business with more people or maybe you could create valuable efficiencies within the organization. Or, for the more technical leadership audiences, it could be helpful to explain the value of consolidating vendors to create a SASE tech architecture as a cost reduction opportunity.
- Across departments: While IT or cyber departments set the policy, incident response will touch groups all over your organization. A presentation on cyber resilience suggested running combined exercises: implementing incident response, business continuity and disaster recovery exercises in parallel rather than in sequence. Each of these exercises requires different teams, and having each of them understand their role in the bigger picture will make all the difference in the event of an incident. Another cyber leader echoed this sentiment, taking us through an example of a tabletop exercise designed to engage departments across your organization. In addition, it’s incredibly important to conduct frequent tech trainings. Making sure you have someone on hand who knows how to work your tech stack is crucial—especially when legacy or proprietary technology is in play.
- Training: As we heard time and time again yesterday, your security program is only as strong as your organization’s weakest link: your people. Every presenter underscored the necessity of a robust training program—with some twists in 2024. For example, some presenters predicted that new technologies would allow for more personalized learning experiences and that training programs would expand to include security of the cloud, IoT and AI tools, as adoption of these tools accelerates.
Communication Outside Organizations
Communication doesn’t stop outside the four walls (virtual or physical) of your organization. Whether it’s through vendor relationships or positions on the supply chain, the cybersecurity world is incredibly interconnected. This interconnection is only increasing as more on-premises solutions are moved into the cloud. Collaboration with outside parties continues to be critical in 2024.
- Vendors: As firm as your own security program might be, you are, in many cases, at the mercy of the security of your vendors. In a panel discussion, panelists emphasized the importance of upfront conversations with your vendors: both about what you need from them and about how you can help them stay secure. And one speaker encouraged the use of a clear “pre-nup” with vendors to ensure all parties are clear on their liability in the event of an incident.
- Regulators: Regulation was, of course, a hot topic at the conference. In an era of heightened personal liability for CISOs, it’s more important than ever to not only have an effective plan in place, but also be able to demonstrate that you have an effective plan in place. Multiple presenters urged CISOs to rigorously document their attempts at promoting security. When it comes to communicating with regulators, a paper trail is everything. Interestingly, communication among regulators was also a topic at issue. In the “Strengthening Critical Infrastructure through Cybersecurity Safeguards” panel, the speakers outlined how tricky it is to navigate a plethora of (often conflicting) regulations and standards that change by state, industry and regulating body. According to the panel, better communication among regulators could go a long way.
- Cyber Insurance: The extensive questionnaires required by cyber insurance carriers are the stuff of legend by now. But communicating with your carrier doesn’t end when you check the box. The presenters had several creative ways to leverage your relationship with your insurance carrier. In a panel on operating a security program on a limited budget, industry leaders advised leaning into the demands of several carriers to use their services in the event of an incident and noted that carriers were incredibly helpful in explaining exactly which controls make sense: both for your organization and for reluctant boards.
Communication in Attacks
The importance of communication in 2024 isn’t lost on threat actors either, which is why social engineering attacks may be on the rise again. This is in part because of the power of AI technology. The keynote explored how the AI revolution has changed the social engineering game. Attackers can now deploy features like personalization at scale, conversation bots, deepfakes, enhanced targeting capabilities and adaptive phishing.
I’ve barely scratched the surface of everything covered at Cyburgh 2024. For example, the keynote address on AI included several mind-blowing demonstrations of how to both harness and outwit various artificial intelligence technologies. And did you know that, if the money in cyber crime were expressed as GDP, cyber criminals would be the third richest country in the world?
As sobering as the above statistic might be, I still came out of Cyburgh 2024 energized and excited to have learned more about how communication lies at the heart of the complex and ever-changing world of cybersecurity.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.