Show And Tell

- 10 mins read

Once a week, our security team gathers everyone into a meeting and shares the last week’s worth of security related news and any new security initiatives.

This one hour may be the most valuable meeting we attend and has the greatest impact on successful security outcomes.

A woman’s hand holds a cellphone showing a BBC news article discussing Russian hacking.

What is it?

We call ours a Security Show & Tell. (You can call it whatever fun and exciting name fits your corporate culture.) Regardless of the name, the goal is to set aside an hour each week to share three kinds of security stories and our response to them.

  1. Stories that are in the news.
  2. Stories that impact our work.
  3. Stories that impact our lives.

Author’s Note: There’s some helpful tips below on how to gather these stories.

Why you should do it

There’s a lot of great reasons to do this, but I want to drive home a few really important ones.

How many times has this happened to you? You wake up, open infosec.exchange, and begin scrolling only to find out that $Vendor has a nasty zero-day and organizations (maybe even yours) are vulnerable to compromise. You reach out to your team who’s already crafting technical control implementations based on their current understanding and teams are mobilizing to begin threat hunting the IOCs made available. Together, your team shines up their new technical controls and presents them to the business for implementation. Sure, it’ll mean product delays, sprints will be behind, but the business will be Safe™. And the business says…“No.”

Wait.

“What!? No? But this is big bad,” says the security team! “The threat actors could flim flam our flooper and scoop da whoop!”, hears the executive team.

Still, “no.”

But we ARE the experts.

We SEE the problem.

We CREATE solutions.

Why won’t you let us help you?

Often, security gets a bad rap. We’re often seen as the team of “No.” Our reasoning is assumed to be paranoia and FUD (fear, uncertainty, and doubt). And our ability to partner with the business is lack-luster at best. This lack of rapport can create significant push-back when you and your team need buy-in the most.

Taking the time to educate your peers on security news allows them an opportunity to see into your world and to show them, when the pressure’s not on, what factors you’re taking into account to secure the business. Everyone at work is busy and has different motivators. By putting the news in front of your peers, you get to express the risks you’re attempting to mitigate, dispel FUD, and show that your team isn’t a bunch of paranoiacs, but seasoned security professionals, weighing business need and security.

Let’s look at the types of stories that help us do this.

Stories that are in the news

People are constantly inundated with the 24/7 news cycle. And if you’ve ever worked in media, you know the gruesome saying, “If it bleeds, it Leads”.

The same is happening in the cybersecurity space. Users are constantly hearing about ransomware attacks, zero-days, patches, viruses, cyber attacks, and on and on.

How are they supposed to know what’s FUD  and what actually matters? This is where your expertise as a security expert shines.

Is it important that Russian-backed KillNet attacked a German airport system? Probably. Tell your peers why or why not!

What good’s an expert if they’re not helping educate non-experts?

Stories that impact our work

What happens in the world can have an unknown impact on your ability to complete your work. China is targeting chip manufacturers with sanctions? Maybe you can’t build products anymore. National oil pipelines are down? We can’t move freight.

This is an opportunity to take the news through a PESTLE model (detailed below) and help our peers understand how these stories may effect our BC/DR (business continuity & disaster recovery) plans, our production, or even our customers needs.

Stories that impact our lives

These are stories that help keep our users secure at home. Security of the enterprise is our main goal, but with remote work being a reality for most enterprises, BYOD, and personally-owned mobile devices often can have an impact on our work. This makes good hygiene and patching an essential part of your security posture.

Even if your org doesn’t directly support a platform, if the platform is highly adopted (say macOS? or iOS?) by your users, notify them of relevant stories.

Here’s a quick example, Company A doesn’t issue mobile devices, instead opting to allow users to BYOD and enroll in an MDM solution. A quick review of the inventory shows that 30% of devices run $Vendor. If $Vendor has a zero-day, whether your team is responsible for patching that device or not, the security of your company’s data may be impacted. Notify your users, and get them patching. Plus, they have family and friends who may also be impacted.

How we do it

I don’t want to make this sound more complicated than it is. If we boil it down, it’s an hour of you giving a synopsis of news stories to your peers, then telling them what you’re going to do about it, if anything. Then they ask you questions or share their own insights and knowledge. But we want this to be polished and professional, so lets make it a little difficult.

Gather your news

This is the easy part. As a professional, you’re likely already plugged into Mastodon and other news sources. Discords, group-chats, industry mailing lists, etc… Start a running list each week of interesting news stories. Consider if and how they’ll impact your users and your work, and jot down the URL with a few notes. This will be the outline for your Show & Tell and serve as the follow-up notes for those who couldn’t attend.

Author’s Note: If you’ve read my “ News You Should Know” series, these are those notes!

Tell them “so what”

Once you’ve got your news together, which ones require a security or business response? Is there any? Figure out and address the “So what”. We want people to walk away from this meeting having gained something of value. This is a great opportunity for attendees to go back to their area of responsibility as an ambassador for security.

“Gah, security is putting in new MFA requirements. I don’t know why they won’t leave everything alone.”

“Oh, I went to the Security Show & Tell last week, there was this thing the Chinese were doing to break into people’s email. They’re having to change our MFA because of it.”

Wow, for an hour of your time you now have a key communicator for security initiatives embedded in this area of the business!

Hold your meeting

A standing invite is sent to all members of the org. This is a round table. Sure, security is hosting, but this is an opportunity for your peers to hear the news through an expert lens, hear the planned security response to it, and ask questions.

We start off by addressing the Traffic Light Protocol (TLP) designation of the meeting. I use TLP: Amber+STRICT along with a short warning that while its an open discussion, the conversations should be considered protected. We want people to freely speak about security concerns, business processes, and other topics that could be detrimental to the business or its financial health.

Quick example: Security team shares a story about a new vulnerability in $Vendor software but relates that there’s no response from the security team as we don’t use $Vendor X. “Actually, Marketing uses $Vendor X. We brought them in last year for the Big Event. I think they do most of our credit card transactions at the booths too.”

Uh-oh. Security has two responses now. Choose wisely.

We can either freak out. Marketing has just admitted to running shadow IT by on-boarding $Vendor. AND they’re likely causing SOX concerns, if not PCI-DSS issues.

Or, we can begin working in partnership with Marketing to get $Vendor X secure in our environment. Sure, there’s going to be some uncomfortable conversations later. But we’re here to protect the business and educate our peers, not beat Marketing about the neck and shoulders for their sins.

How we respond in these moments will set the tone for all future Show and Tells and how their attendees work (or don’t) with your team in the future.

After sorting the Traffic Light Protocol conversation, the presenter starts the recording, and using OBS or MS Teams with the presenter in-lay begins sharing their screen with the original news story along with a spoken non-technical explanation of the topic and what, if any, the response will be.

The presenter then invites attendees to discuss the topic. If attendees are hesitant, this may be a good time to have a plant. Prime members of your team to ask questions or provide relevant commentary. The goal of this meeting is to create conversations around the topic that lead to great outcomes for your team and the business.

Ask others if they have topics they want to loop back on, or present. This can be a great opportunity to hand over the talking stick and share the limelight.

Finally, thank everyone for their time and provide show notes to attendees. We use the document we were already working out of as our show notes because it has a synopsis of the story, and with a little polishing can be quickly made available. This allows attendees to easily share with peers, or to refer back to stories that they may want additional information about later.

Author’s Note: These show notes can also be archived and referenced back to when covering developing stories.

Do’s & Don’ts

  • Don’t get too technical - the audience likely doesn’t care
  • Do invite collaboration - if no ones sharing their input, prime them with questions about the impact to their business area
  • Do provide show notes - these can be referenced later, passed on to others, and are a great tool for new or more junior public speakers
  • Do record - Our team is global, yours probably is too.
  • Don’t bring your political biases to the table - A lot of topics will have a geopolitical angle, keep your biases to yourself
  • Do invite others to present

Where we get stories

TheCyberWire - Provides a weekly synopsis of US-centric geopolitical and cyber news.

The Register - Security - TheRegister does a great job of covering a wide range of security topics with links to primary sources.

BleepingComputer - often on the bleeding edge, Bleeping Computer has been a great help

TechCrunch

TheHackerNews - Care should be taken for THN articles as they can often cover highly technical topics that may not be suitable for your audience.

Mastodon: Infosec.exchange - Infosec twitter migrated away in 2022 and has been replaced with infosec.exchange and other Mastodon servers. This is more easily passively consumed.

Pick the important ones

We will usually look at the last 8 days worth of articles and think about them using a PESTLE framework.

Quick version of PESTLE:

Is this relevant to my audience in the below areas;

  • Political - (geographic areas and/or countries our business operates in)
  • Economic - Competitors of our business, same industry vertical, significant customers
  • Socio-cultural - Tech being used badly, or in ways that it’s relevant for our technologist to consider, ethical concerns
  • Technological - Related to technologies we specifically use or broadly consumed by our user base
  • Legal - New compliance frameworks, or changes to governance of how we conduct business
  • Environmental - Is global warming, flooding, or fires a concern for our ability to perform our tasks?