Nice vulnerability, I don't care presented at BSidesManchester 2019

by James Carter

Summary: As security professionals we are bombarded with data about what we do, from threat feeds and vulnerability reports to security alerts, logs and SIEMs, not to mention worried users. There is no end of data if we want it. In most organisations, staff outside of IT and security don't care about threats or vulnerabilities. Ask the board or a business manager and they want to know about risks and impacts. Ask most security and IT staff what their biggest risk is and they would be hard pressed to tell you. The biggest risk is probably that they don't know what their biggest risk is.

My talk will define risk, explain what threats and vulnerabilities are in relation to risk, and show how all of this can be applied and presented in a way that can be understood by the non-technical staff we need to reach. Along the way we'll touch on:

- the difference between risk, threat, vulnerability, impact and many other misused and overloaded words.
- the forgotten part of IT (clue: it's not all about technology).
- methods to quantify risk.
- how to use risk to identify the vulnerabilities you need to take action on and the ones you don't need to care (so much) about.
- how talking the business language of risk will achieve the desired effect somewhat better than any amount of detailed explanation of a specific vulnerability.

This is not about breaking out of the InfoSec echo chamber, but about realising that by standing back from the detail (no matter how important) we may find that the echo chamber is not some silo or ivory tower; in fact it probably doesn't exist at all. If there is an echo it's only because we repeat ourselves, and if we have to repeat ourselves maybe the problem is not that we are not being heard but that we are not saying the right things.

My target audience is the overloaded internal IT and security staff who need tools to turn the tsunami of data on threats, vulnerabilities and risks into actionable knowledge. It's really InfoSec 101, but based on my years of experience, good and bad.