"How should I be thinking about cybersecurity?” Part 2
Speaker 1: Now, here's the thing. I say something like cyber risk management and people start breaking out in a cold sweat because it sounds like terribly complicated and it would be way over their heads and technical and so forth and so on. That's not the case. What I'd like you to do is as I talk about this, picture that the business you're in is you own a jewelry store. All right. Never mind anything about cyber security. And we're going to do a risk management exercise, a risk assessment, and a risk management exercise for a jewelry store. Okay. So your assets, what are you trying to protect from loss? All right. Instead of data, which is what the cyber security, cyber risk management would be focused on, you're trying to protect these precious jewelry items that you're trying to sell. Right? What's your threat? Who would like to steal or destroy your assets? How, or even why? All right. So the criminals are obviously going to try to steal the jewelry that you store in the cases. All right. Or in this case, the cyber criminals are going to try to steal the data. Probably your customers' data, right? And hold you for ransom. And what are your vulnerabilities? Where are your vectors? Literally unlocked doors. Right. So think about if you own a jewelry store. What do jewelry stores these days do? They have guards at the doors. The doors aren't even necessarily unlocked during the day. All right. The jewelry's all locked up in cases. What do they do with the jewelry at night? Do they leave it out in the case? Do they leave it in the window displays? No. What have they learned over the years? Take the jewelry out of the case, put it in the big safe in the back, upstairs, downstairs, whatever. They have taken steps, right? They determined the risk. They figured out what was the likelihood or sometimes called the probability and the impact. They prioritized their risks. And then they took steps to mitigate that risk.
So taking the jewelry out of the case at night and putting it in the safe, that's a risk mitigation technique. That's all we're talking about in cybersecurity as well. You have all of this data that you're trying to protect. It's your crown jewels, right? Your data is your crown jewels. You're trying to protect your data. So what do you do with it? What kind of protective mechanisms can you wrap around that data? What kind of process steps? Remember, it's all people, process, and technology. Technology in and of itself is never the answer. Now, back to the jewelry store example. You can only do so many things yourself, right? You can only take so many protective measures yourself. So what does that jewelry store owner do after they've done everything they can? They buy insurance. All right. So what should we do after we've done everything we can do to protect our data, to protect our crown jewels? We should buy cyber insurance, right? That's the final piece. It's not this extra thing out there, unrelated. All right. It is an integral part of the solution. Cyber insurance is just as important as any other risk mitigation technique that you take along the way.