<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Relations Security</title>
	<atom:link href="https://relationsec.net/feed/" rel="self" type="application/rss+xml" />
	<link>https://relationsec.net/</link>
	<description>CyberSecurity Consulting</description>
	<lastBuildDate>Sun, 05 Jul 2026 21:44:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0.1</generator>

<image>
	<url>https://relationsec.net/wp-content/uploads/2024/01/Fichier-1.svg</url>
	<title>Relations Security</title>
	<link>https://relationsec.net/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CUI protection is about to stop being a defense-only problem.</title>
		<link>https://relationsec.net/far-cui-rule-nist-800-171-training/</link>
					<comments>https://relationsec.net/far-cui-rule-nist-800-171-training/#respond</comments>
		
		<dc:creator><![CDATA[alexmtro]]></dc:creator>
		<pubDate>Fri, 03 Jul 2026 14:19:53 +0000</pubDate>
				<category><![CDATA[GRC]]></category>
		<guid isPermaLink="false">https://relationsec.net/far-cui-rule-nist-800-171-training/</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/far-cui-rule-nist-800-171-training/">CUI protection is about to stop being a defense-only problem.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_0 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who&#8217;s on the hook. It would extend NIST SP 800-171 to every federal contractor that handles CUI, civilian agencies included, and once the clause lands in your contracts there&#8217;s no phase-in period to catch up.</p>
<h2>What the FAR CUI rule actually does</h2>
<p>The FAR Council published an updated proposed rule on 23 June 2026, with a comment period running to 23 July 2026, and it&#8217;s expected to be finalized before the end of 2026. It would require any contractor whose contract identifies CUI to implement NIST SP 800-171 Revision 3, and a limited set of contractors tied to critical programs or high-value assets would also face the enhanced controls of NIST SP 800-172. The headline here is the scope. This is no longer a Department of Defense requirement. It&#8217;s a whole-of-government one.</p>
<div class="rs-timeline" role="img" aria-label="FAR CUI rule timeline: updated proposed rule published 23 June 2026, comment period closes 23 July 2026, expected to be finalized before end of 2026, and the clause is inserted at contract award with no phase-in.">
<p class="rs-tl-heading">The FAR CUI rule timeline</p>
<div class="rs-tl-track">
<div class="rs-tl-step"><div class="rs-tl-dot"></div><div class="rs-tl-date">23 June 2026</div><div class="rs-tl-label">Updated proposed rule published</div></div>
<div class="rs-tl-step"><div class="rs-tl-dot"></div><div class="rs-tl-date">23 July 2026</div><div class="rs-tl-label">Comment period closes</div></div>
<div class="rs-tl-step"><div class="rs-tl-dot"></div><div class="rs-tl-date">Before end 2026</div><div class="rs-tl-label">Expected to be finalized</div></div>
<div class="rs-tl-step is-terminal"><div class="rs-tl-dot"></div><div class="rs-tl-date">On contract award</div><div class="rs-tl-label">Clause inserted, no phase-in</div></div>
</div>
</div>
<h2>Why &#8220;we have CMMC handled&#8221; is not the same thing</h2>
<p>If you already work with the DoD, CMMC has you thinking about NIST 800-171 through third-party assessment. The FAR CUI rule is the civilian counterpart, and it reaches contractors who have never touched CMMC because they sell to agencies outside defense. The control backbone is the same, but the audience is far larger, and a lot of the newly-covered contractors are starting from a standing stop. One difference cuts the other way. Where CMMC verifies you through a third-party assessor, the FAR CUI rule leans on self-attestation. That sounds lighter, but it just moves the burden of proof onto you, and a false attestation about your own security is not a small thing to sign. If you sell to any federal agency and touch CUI, the same obligations are coming for you. The DoD-specific view is in <a href="https://relationsec.net/cmmc-incident-response-training-game/">why CMMC wants you to test your incident response</a>.</p>
<h2>The part that is about your people, not your GRC tool</h2>
<p>Most of NIST 800-171 is technical implementation, and a policy binder covers the paperwork. But two of its requirements are about human readiness, and those are the ones a document can&#8217;t fake. You have to train your people on their security roles, and you have to test your incident response capability, not just plan it. When a real CUI incident hits, the only question that matters is whether your team can actually run the response, inside the reporting deadlines, without opening the runbook for the first time.</p>
<h2>What readiness looks like</h2>
<p>It looks like the team running the incident, not narrating a plan. That&#8217;s what <a href="https://relationsec.net/malware-monsters/">Malware &amp; Monsters</a> does. It&#8217;s a <a href="https://relationsec.net/serious-games/">tabletop incident response game</a> where the scenario changes because of what the team decides, so you&#8217;re exercising the capability the standard asks you to test, and building the instinct a real CUI incident will demand. There&#8217;s a nice overlap worth naming here: a tabletop exercise is one of the artifacts these rules expect you to be able to produce. Running the game both builds the capability and gives you the evidence that you tested it. It has been run with security teams across Europe and North America.</p>
<p>The FAR CUI rule isn&#8217;t final yet, but the direction is set and there&#8217;s no phase-in waiting for you. The contractors who are ready when the clause appears will be the ones who trained and tested before they had to. If your obligations sit on the European side of the Atlantic instead, the same readiness logic runs through <a href="https://relationsec.net/eu-cyber-regulation-training/">EU cyber regulation training</a>.</p>
<h2>Frequently asked questions</h2>
<h3>What is the FAR CUI rule?</h3>
<p>It is a proposed Federal Acquisition Regulation rule, updated on 23 June 2026, that would require federal contractors whose contracts involve Controlled Unclassified Information to implement NIST SP 800-171 Revision 3. The comment period runs to 23 July 2026 and it is expected to be finalized before the end of 2026.</p>
<h3>Does the FAR CUI rule apply to non-defense contractors?</h3>
<p>Yes, that is the change. It would extend the NIST 800-171 requirement from defense contractors to all federal contractors that handle CUI, across civilian agencies too.</p>
<h3>When does it take effect?</h3>
<p>It is still a proposed rule, expected to be finalized before the end of 2026. Notably, there is no phase-in: once the clause is inserted into a contract, compliance is required from that point.</p>
<h3>How is the FAR CUI rule different from CMMC?</h3>
<p>CMMC is the DoD-specific program that verifies NIST 800-171 compliance through a third-party assessment. The FAR CUI rule applies the same standard across the whole federal government but relies on contractor self-attestation rather than an external assessor. Same control backbone, different audience, different proof.</p></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Want to put this in front of your team?</h2>
<p>I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.</p></div>
			</div><div class="et_pb_button_module_wrapper et_pb_button_0_wrapper et_pb_button_alignment_left et_pb_module ">
				<a class="et_pb_button et_pb_button_0 et_pb_bg_layout_light" href="/contact/">Book a session</a>
			</div><div class="et_pb_module et_pb_code et_pb_code_0">
				
				
				
				
				<div class="et_pb_code_inner"><script type="application/ld+json">{  "@context": "https://schema.org",  "@type": "FAQPage",  "mainEntity": [    {      "@type": "Question",      "name": "What is the FAR CUI rule?",      "acceptedAnswer": {        "@type": "Answer",        "text": "It is a proposed Federal Acquisition Regulation rule, updated on 23 June 2026, that would require federal contractors whose contracts involve Controlled Unclassified Information to implement NIST SP 800-171 Revision 3. The comment period runs to 23 July 2026 and it is expected to be finalized before the end of 2026."      }    },    {      "@type": "Question",      "name": "Does the FAR CUI rule apply to non-defense contractors?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Yes, that is the change. It would extend the NIST 800-171 requirement from defense contractors to all federal contractors that handle CUI, across civilian agencies too."      }    },    {      "@type": "Question",      "name": "When does it take effect?",      "acceptedAnswer": {        "@type": "Answer",        "text": "It is still a proposed rule, expected to be finalized before the end of 2026. Notably, there is no phase-in: once the clause is inserted into a contract, compliance is required from that point."      }    },    {      "@type": "Question",      "name": "How is the FAR CUI rule different from CMMC?",      "acceptedAnswer": {        "@type": "Answer",        "text": "CMMC is the DoD-specific program that verifies NIST 800-171 compliance through a third-party assessment. The FAR CUI rule applies the same standard across the whole federal government but relies on contractor self-attestation rather than an external assessor. Same control backbone, different audience, different proof."      }    }  ]}</script></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>




<p>The post <a href="https://relationsec.net/far-cui-rule-nist-800-171-training/">CUI protection is about to stop being a defense-only problem.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://relationsec.net/far-cui-rule-nist-800-171-training/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CMMC does not just want an IR plan. It wants you to test it.</title>
		<link>https://relationsec.net/cmmc-incident-response-training-game/</link>
					<comments>https://relationsec.net/cmmc-incident-response-training-game/#respond</comments>
		
		<dc:creator><![CDATA[alexmtro]]></dc:creator>
		<pubDate>Fri, 03 Jul 2026 14:14:44 +0000</pubDate>
				<category><![CDATA[GRC]]></category>
		<guid isPermaLink="false">https://relationsec.net/cmmc-incident-response-training-game/</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/cmmc-incident-response-training-game/">CMMC does not just want an IR plan. It wants you to test it.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_1 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork. You have to train them, and you have to test your incident response capability. A slide deck and a filed plan satisfy neither one, at least not in the way an assessor actually checks.</p>
<h2>What CMMC asks of your people</h2>
<p>Level 2 aligns to the 110 practices of NIST SP 800-171, and sitting among the technical controls are a couple that are squarely about human readiness. The Awareness and Training family requires you to make your people aware of security risks and train them on their specific roles. The Incident Response family goes further than &#8220;have a plan&#8221;: practice 3.6.3 requires you to test the organizational incident response capability. Not document it. Test it. That&#8217;s a verb an auditor can ask you to evidence.</p>
<div class="rs-compare" role="img" aria-label="What CMMC and NIST 800-171 ask, matched to what a tabletop delivers. CMMC asks you to train people on their security roles under the Awareness and Training family, test the incident response capability under practice 3.6.3, and prove it to a third-party assessor. A tabletop delivers this by having the team run the response rather than a slide deck, changing the scenario with what they decide, and producing the evidence you tested it."><p class="rs-cmp-heading">What CMMC asks, what a tabletop delivers</p><div class="rs-cmp-cols"><div class="rs-cmp-col"><div class="rs-cmp-colhead">What CMMC and NIST 800-171 ask</div><div class="rs-cmp-item">Train people on their security roles (Awareness and Training)</div><div class="rs-cmp-item">Test the incident response capability (practice 3.6.3)</div><div class="rs-cmp-item">Prove it to a third-party assessor (NIST 800-171)</div></div><div class="rs-cmp-col rs-cmp-col-deliver"><div class="rs-cmp-colhead">What a tabletop delivers</div><div class="rs-cmp-item">The team runs the response, not a slide deck</div><div class="rs-cmp-item">The scenario changes with what they decide</div><div class="rs-cmp-item">You produce the evidence you tested it</div></div></div></div>
<h2>Why the checklist is the default</h2>
<p>The checklist is the obvious answer, and for good reasons. A lot of CMMC is genuine technical implementation, and a self-assessment or a tabletop template produces the artefact a C3PAO assessor expects to see. If the goal were to show that an IR plan exists, the template would be enough. But the practice doesn&#8217;t ask whether a plan exists. It asks whether the capability works.</p>
<h2>A tested capability is not a filed plan</h2>
<p>An incident response plan nobody has run is a set of assumptions about how your team will behave during a breach involving controlled unclassified information. Who declares the incident. Who talks to the prime contractor and to the government. Whether the runbook still matches the systems you have now. You don&#8217;t find those gaps by reviewing the document, and neither does the assessor. You find them by running it under pressure, before a real incident and a real audit find them for you.</p>
<h2>What testing your IR capability looks like</h2>
<p>It looks like the team working a real incident, making the calls, and living with the consequences on the table instead of in production. That&#8217;s what <a href="https://relationsec.net/malware-monsters/">Malware &amp; Monsters</a> does. It&#8217;s a tabletop incident response game where the scenario changes because of what the team decides, so you&#8217;re exercising the capability CMMC 3.6.3 asks you to test, not narrating a plan. It has been run with security teams across Europe and North America, and it sits in the wider <a href="https://relationsec.net/serious-games/">serious games</a> catalogue alongside my other facilitated tabletop exercises.</p>
<p>CMMC is US defense contracting today, but the same NIST 800-171 backbone is about to reach every federal contractor under the <a href="https://relationsec.net/far-cui-rule-nist-800-171-training/">proposed FAR CUI rule</a>. The readiness problem is also exactly the one the EU is now legislating for its own entities. If you operate on both sides of the Atlantic, the EU equivalents are in <a href="https://relationsec.net/eu-cyber-regulation-training/">game-based training for EU cyber regulation</a>.</p>
<h2>Frequently asked questions</h2>
<h3>Does CMMC require incident response testing?</h3>
<p>Yes. CMMC Level 2 aligns to NIST SP 800-171, and practice 3.6.3 requires you to test the organizational incident response capability, not just document a plan.</p>
<h3>Does CMMC require security training?</h3>
<p>Yes. The Awareness and Training practices require you to make personnel aware of security risks and train them on their assigned security roles and responsibilities.</p>
<h3>What is CMMC Level 2?</h3>
<p>Level 2 is the Advanced level of CMMC 2.0, aligned to the 110 practices of NIST SP 800-171, required for contractors that handle Controlled Unclassified Information, and assessed by a third party for most.</p>
<h3>Can a game help with CMMC compliance?</h3>
<p>A game does not certify you, but it directly serves the human practices CMMC checks: it tests your incident response capability and trains your people on their roles, which is exactly what a tabletop like Malware &amp; Monsters is built to do.</p></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Want to put this in front of your team?</h2>
<p>I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.</p></div>
			</div><div class="et_pb_button_module_wrapper et_pb_button_1_wrapper et_pb_button_alignment_left et_pb_module ">
				<a class="et_pb_button et_pb_button_1 et_pb_bg_layout_light" href="/contact/">Book a session</a>
			</div><div class="et_pb_module et_pb_code et_pb_code_1">
				
				
				
				
				<div class="et_pb_code_inner"><script type="application/ld+json">{  "@context": "https://schema.org",  "@type": "FAQPage",  "mainEntity": [    {      "@type": "Question",      "name": "Does CMMC require incident response testing?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Yes. CMMC Level 2 aligns to NIST SP 800-171, and practice 3.6.3 requires you to test the organizational incident response capability, not just document a plan."      }    },    {      "@type": "Question",      "name": "Does CMMC require security training?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Yes. The Awareness and Training practices require you to make personnel aware of security risks and train them on their assigned security roles and responsibilities."      }    },    {      "@type": "Question",      "name": "What is CMMC Level 2?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Level 2 is the Advanced level of CMMC 2.0, aligned to the 110 practices of NIST SP 800-171, required for contractors that handle Controlled Unclassified Information, and assessed by a third party for most."      }    },    {      "@type": "Question",      "name": "Can a game help with CMMC compliance?",      "acceptedAnswer": {        "@type": "Answer",        "text": "A game does not certify you, but it directly serves the human practices CMMC checks: it tests your incident response capability and trains your people on their roles, which is exactly what a tabletop like Malware & Monsters is built to do."      }    }  ]}</script></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>





<p>The post <a href="https://relationsec.net/cmmc-incident-response-training-game/">CMMC does not just want an IR plan. It wants you to test it.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://relationsec.net/cmmc-incident-response-training-game/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>DORA says test your resilience. A document is not a test.</title>
		<link>https://relationsec.net/dora-operational-resilience-testing-tabletop/</link>
					<comments>https://relationsec.net/dora-operational-resilience-testing-tabletop/#respond</comments>
		
		<dc:creator><![CDATA[alexmtro]]></dc:creator>
		<pubDate>Fri, 03 Jul 2026 13:57:31 +0000</pubDate>
				<category><![CDATA[GRC]]></category>
		<guid isPermaLink="false">https://relationsec.net/dora-operational-resilience-testing-tabletop/</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/dora-operational-resilience-testing-tabletop/">DORA says test your resilience. A document is not a test.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_2 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>DORA made operational resilience testing a legal duty for financial entities across the EU, not an internal best practice. It expects a real testing programme and business-continuity arrangements that actually work. Plenty of firms are handling that with a documented plan and a checklist. The document proves you have a plan. It proves nothing about whether the plan works, or whether the people who&#8217;d have to run it can.</p>
<h2>What DORA actually requires</h2>
<p>DORA isn&#8217;t a paperwork exercise dressed up as resilience. Article 11 requires ICT business continuity policies and response and recovery plans that are maintained and tested. Articles 24 to 26 require a programme of digital operational resilience testing of your ICT systems, and for the larger entities, advanced threat-led penetration testing. The word doing all the work there is testing. DORA doesn&#8217;t ask you to have a continuity plan. It asks you to prove it holds up.</p>
<div class="rs-compare" role="img" aria-label="What DORA asks, matched to what a tabletop delivers. DORA asks you to maintain and test the continuity and recovery plans under Article 11, run a digital operational resilience testing programme under Articles 24 to 26, and prove the plan holds rather than just file it. A tabletop delivers this by running the plan under a real disruption, finding the gaps before an incident does, and exercising the capability rather than documenting it."><p class="rs-cmp-heading">What DORA asks, what a tabletop delivers</p><div class="rs-cmp-cols"><div class="rs-cmp-col"><div class="rs-cmp-colhead">What DORA asks</div><div class="rs-cmp-item">Maintain and test the continuity and recovery plans (Article 11)</div><div class="rs-cmp-item">Run a resilience testing programme (Articles 24 to 26)</div><div class="rs-cmp-item">Prove the plan holds, do not just file it</div></div><div class="rs-cmp-col rs-cmp-col-deliver"><div class="rs-cmp-colhead">What a tabletop delivers</div><div class="rs-cmp-item">You run the plan under a real disruption</div><div class="rs-cmp-item">You find the gaps before an incident does</div><div class="rs-cmp-item">You exercise the capability, not document it</div></div></div></div>
<h2>Why firms default to the checklist</h2>
<p>The checklist is the obvious answer, and it&#8217;s obvious for good reasons. It&#8217;s auditable, it&#8217;s cheap, and it produces the artefact a supervisor asks for. If the goal were to show that a plan exists on paper, the checklist would be enough. That&#8217;s just not what DORA is testing for.</p>
<h2>A plan you have never run is a hypothesis</h2>
<p>A continuity plan that&#8217;s never been exercised is a set of assumptions about how people will behave in the worst hour of their year. Who makes the call to fail over. Whether the runbook still matches the systems you actually have now. Whether the business owner and the technical team even agree on what &#8220;recovered&#8221; means. You don&#8217;t find those gaps by reviewing the document. You find them by running it, under time pressure, before a real disruption finds them for you.</p>
<h2>What resilience testing looks like when it works</h2>
<p>It looks like the team running the plan, not reading it. You take your actual continuity plan, put it under a realistic disruption with a clock, and watch where it breaks. That&#8217;s what <a href="https://relationsec.net/failover/">FAILOVER</a> does. It&#8217;s a <a href="https://relationsec.net/serious-games/">business-continuity exercise</a> run against your real plan, not a generic case study, so the gaps you find are the gaps you actually have. It&#8217;s the difference between a plan you filed and a plan you trust.</p>
<p>DORA will keep raising the bar on what counts as testing, and a checklist was never going to tell you whether your organisation can actually recover. Test the plan the way you&#8217;d test anything you depend on. Run it.</p>
<p>DORA is one of several EU regimes now demanding tested capability rather than filed documents. <a href="https://relationsec.net/nis2-board-training-game-vs-seminar/">NIS2 makes the same move at board level</a>, and the game-based approach across both sits in <a href="https://relationsec.net/eu-cyber-regulation-training/">training for EU cyber regulation</a>.</p>
<h2>Frequently asked questions</h2>
<h3>Does DORA require operational resilience testing?</h3>
<p>Yes. DORA Articles 24 to 26 require a programme of digital operational resilience testing of ICT systems, and Article 11 requires ICT business continuity plans that are maintained and tested. Larger entities also face threat-led penetration testing.</p>
<h3>Is a documented continuity plan enough for DORA?</h3>
<p>No. DORA is explicit that plans must be tested, not just maintained. A documented plan satisfies the paperwork but does not demonstrate the resilience DORA is asking you to prove.</p>
<h3>What counts as a DORA resilience test?</h3>
<p>Exercising your actual ICT continuity and response plans against a realistic disruption, so you find where they break before an incident does. A facilitated business-continuity exercise against your real plan, such as <a href="https://relationsec.net/failover/">FAILOVER</a>, is one way to do it.</p>
<h3>Who does DORA apply to?</h3>
<p>Financial entities in the EU and their critical ICT third-party providers. If you fall under DORA, the operational resilience testing obligation applies to you.</p></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Want to put this in front of your team?</h2>
<p>I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.</p></div>
			</div><div class="et_pb_button_module_wrapper et_pb_button_2_wrapper et_pb_button_alignment_left et_pb_module ">
				<a class="et_pb_button et_pb_button_2 et_pb_bg_layout_light" href="/contact/">Book a session</a>
			</div><div class="et_pb_module et_pb_code et_pb_code_2">
				
				
				
				
				<div class="et_pb_code_inner"><script type="application/ld+json">{  "@context": "https://schema.org",  "@type": "FAQPage",  "mainEntity": [    {      "@type": "Question",      "name": "Does DORA require operational resilience testing?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Yes. DORA Articles 24 to 26 require a programme of digital operational resilience testing of ICT systems, and Article 11 requires ICT business continuity plans that are maintained and tested. Larger entities also face threat-led penetration testing."      }    },    {      "@type": "Question",      "name": "Is a documented continuity plan enough for DORA?",      "acceptedAnswer": {        "@type": "Answer",        "text": "No. DORA is explicit that plans must be tested, not just maintained. A documented plan satisfies the paperwork but does not demonstrate the resilience DORA is asking you to prove."      }    },    {      "@type": "Question",      "name": "What counts as a DORA resilience test?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Exercising your actual ICT continuity and response plans against a realistic disruption, so you find where they break before an incident does. A facilitated business-continuity exercise against your real plan, such as FAILOVER, is one way to do it."      }    },    {      "@type": "Question",      "name": "Who does DORA apply to?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Financial entities in the EU and their critical ICT third-party providers. If you fall under DORA, the operational resilience testing obligation applies to you."      }    }  ]}</script></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>





<p>The post <a href="https://relationsec.net/dora-operational-resilience-testing-tabletop/">DORA says test your resilience. A document is not a test.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://relationsec.net/dora-operational-resilience-testing-tabletop/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NIS2 says train your board. A slide deck will not do it.</title>
		<link>https://relationsec.net/nis2-board-training-game-vs-seminar/</link>
					<comments>https://relationsec.net/nis2-board-training-game-vs-seminar/#respond</comments>
		
		<dc:creator><![CDATA[alexmtro]]></dc:creator>
		<pubDate>Fri, 03 Jul 2026 13:51:27 +0000</pubDate>
				<category><![CDATA[GRC]]></category>
		<guid isPermaLink="false">https://relationsec.net/nis2-board-training-game-vs-seminar/</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/nis2-board-training-game-vs-seminar/">NIS2 says train your board. A slide deck will not do it.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_3 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by booking a ninety-minute seminar or an e-learning module. It ticks the box. It does almost nothing for the thing NIS2 actually cares about.</p>
<h2>What NIS2 actually asks of your board</h2>
<p>Article 20 isn&#8217;t a training requirement bolted onto a technical directive. It&#8217;s a governance requirement. The management body has to approve the cyber risk-management measures, oversee how they&#8217;re implemented, and can be held personally liable when they get it wrong. Article 20(2) then says those same managers have to be trained to identify risks and assess the organisation&#8217;s cyber risk-management practices. Read that again. The law doesn&#8217;t ask your board to be aware of cyber risk. It asks them to make and defend decisions about it.</p>
<div class="rs-compare" role="img" aria-label="What NIS2 asks of the board, matched to what a board game delivers. NIS2 asks the board to govern and oversee cyber risk and approve the measures under Article 20, be trained to identify risk and assess practice under Article 20(2), and own the measures under Article 21 and the reporting under Article 23. A board game delivers this by making them make the call in the room, defend it under pressure rather than just hear about it, and remember it because they lived it."><p class="rs-cmp-heading">What NIS2 asks, what a board game delivers</p><div class="rs-cmp-cols"><div class="rs-cmp-col"><div class="rs-cmp-colhead">What NIS2 asks of the board</div><div class="rs-cmp-item">Govern, oversee and approve the risk measures (Article 20)</div><div class="rs-cmp-item">Be trained to identify risk and assess practice (Article 20(2))</div><div class="rs-cmp-item">Own the measures and the reporting they oversee (Articles 21 and 23)</div></div><div class="rs-cmp-col rs-cmp-col-deliver"><div class="rs-cmp-colhead">What a board game delivers</div><div class="rs-cmp-item">They make the call, in the room</div><div class="rs-cmp-item">They defend it under pressure, not just hear about it</div><div class="rs-cmp-item">They remember it, because they lived it</div></div></div></div>
<h2>Why the seminar is the default</h2>
<p>The seminar is the obvious answer, and it&#8217;s obvious for good reasons. It&#8217;s cheap, it scales, one expert can brief a whole leadership team in an afternoon, and it leaves you with an attendance record to show an auditor. If the goal were to inform the board that NIS2 exists and that cyber risk is real, the seminar would be exactly the right tool. That&#8217;s just not the goal.</p>
<h2>Information is not instinct</h2>
<p>A board that has sat through a good NIS2 briefing can tell you what the directive says. That&#8217;s not the same as being able to run the meeting where the CISO asks for budget they don&#8217;t want to give. Or the meeting thirty minutes after a breach, where someone has to decide what to tell the regulator inside the seventy-two hour window. Those are decisions made under pressure, with half the information you&#8217;d like and real consequences either way. You don&#8217;t get better at them by being told about them. You get better at them by making them, getting them wrong somewhere it&#8217;s safe to get them wrong, and making them again. That&#8217;s the training the law has in mind, whether it puts it in those words or not.</p>
<h2>What board training looks like when it works</h2>
<p>It looks like the board actually making the calls. You put a real governance decision in front of them, with a clock and a trade-off, and let the consequences play out on the table instead of in production. That&#8217;s what <a href="https://relationsec.net/exposure/">EXPOSURE</a> does. It&#8217;s a <a href="https://relationsec.net/serious-games/">board-governance game</a> built around the decisions NIS2 Article 20 puts on management, run as a facilitated half-day. The board doesn&#8217;t learn about oversight. They practise it.</p>
<p>NIS2 won&#8217;t accept &#8220;we ran a seminar&#8221; as evidence forever. And even if it did, a seminar was never going to change how your board behaves in the room that actually matters. Train them the way you&#8217;d train anyone for a decision that counts. Let them make it.</p>
<p>NIS2 is not the only EU regime raising this bar. <a href="https://relationsec.net/dora-operational-resilience-testing-tabletop/">DORA does the same for operational resilience</a> in financial services, and the wider case for training over slideware runs through <a href="https://relationsec.net/eu-cyber-regulation-training/">game-based training for EU cyber regulation</a>.</p>
<h2>Frequently asked questions</h2>
<h3>Does NIS2 legally require board-level cybersecurity training?</h3>
<p>Yes. NIS2 Article 20(2) requires members of management bodies to undergo training to identify risks and assess cyber risk-management practices, and Article 20(1) makes them accountable for the measures themselves.</p>
<h3>Is a seminar or e-learning enough for NIS2 management training?</h3>
<p>It satisfies the paper obligation but not the intent. NIS2 holds management accountable for decisions, and a seminar transfers information without ever rehearsing the decisions. It is the minimum, not the goal.</p>
<h3>What is the alternative to a NIS2 board seminar?</h3>
<p>A facilitated exercise where the board actually makes the governance decisions under pressure, such as a board-governance game like <a href="https://relationsec.net/exposure/">EXPOSURE</a>, so they practise the accountability the law assigns them.</p>
<h3>Who is legally accountable under NIS2?</h3>
<p>The management body. Article 20 makes them approve and oversee the risk-management measures and allows them to be held liable, which is why their training has to go beyond awareness.</p></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Want to put this in front of your team?</h2>
<p>I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.</p></div>
			</div><div class="et_pb_button_module_wrapper et_pb_button_3_wrapper et_pb_button_alignment_left et_pb_module ">
				<a class="et_pb_button et_pb_button_3 et_pb_bg_layout_light" href="/contact/">Book a session</a>
			</div><div class="et_pb_module et_pb_code et_pb_code_3">
				
				
				
				
				<div class="et_pb_code_inner"><script type="application/ld+json">{  "@context": "https://schema.org",  "@type": "FAQPage",  "mainEntity": [    {      "@type": "Question",      "name": "Does NIS2 legally require board-level cybersecurity training?",      "acceptedAnswer": {        "@type": "Answer",        "text": "Yes. NIS2 Article 20(2) requires members of management bodies to undergo training to identify risks and assess cyber risk-management practices, and Article 20(1) makes them accountable for the measures themselves."      }    },    {      "@type": "Question",      "name": "Is a seminar or e-learning enough for NIS2 management training?",      "acceptedAnswer": {        "@type": "Answer",        "text": "It satisfies the paper obligation but not the intent. NIS2 holds management accountable for decisions, and a seminar transfers information without ever rehearsing the decisions. It is the minimum, not the goal."      }    },    {      "@type": "Question",      "name": "What is the alternative to a NIS2 board seminar?",      "acceptedAnswer": {        "@type": "Answer",        "text": "A facilitated exercise where the board actually makes the governance decisions under pressure, such as a board-governance game like EXPOSURE, so they practise the accountability the law assigns them."      }    },    {      "@type": "Question",      "name": "Who is legally accountable under NIS2?",      "acceptedAnswer": {        "@type": "Answer",        "text": "The management body. Article 20 makes them approve and oversee the risk-management measures and allows them to be held liable, which is why their training has to go beyond awareness."      }    }  ]}</script></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>





<p>The post <a href="https://relationsec.net/nis2-board-training-game-vs-seminar/">NIS2 says train your board. A slide deck will not do it.</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://relationsec.net/nis2-board-training-game-vs-seminar/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Stop Running Boring Incident Response Tabletop Exercises</title>
		<link>https://relationsec.net/stop-running-boring-incident-response-tabletop-exercises/</link>
		
		<dc:creator><![CDATA[alexmtro]]></dc:creator>
		<pubDate>Mon, 18 May 2026 08:32:38 +0000</pubDate>
				<category><![CDATA[HackBack]]></category>
		<guid isPermaLink="false">https://relationsec.net/?p=26043653</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/stop-running-boring-incident-response-tabletop-exercises/">Stop Running Boring Incident Response Tabletop Exercises</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_4 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>I have seen this scene too many times.<br />A group of people in a meeting room. Coffee on the table. Laptops open. A slide deck on the screen. The title says something like Ransomware Scenario Q2.<br />Someone from security reads the scenario. People nod. A few people answer questions. Someone says, “we would escalate to management.” Someone else says, “we would contact legal.” A note-taker captures the obvious points.<br />Then everyone goes back to work.<br />That is not incident response training.<br />That is corporate theatre with a cybersecurity theme.<br />The problem is not that tabletop exercises are useless. They can be extremely useful. The problem is that too many of them are designed to be comfortable. They are scripted, predictable and passive. They produce meeting notes, but they do not show how people actually behave when the situation gets messy.<br />And real incidents are messy.<br />People hesitate. Information is missing. Authority is unclear. Communication breaks. The plan says one thing, but the situation demands something else. Someone needs to make a decision before the team feels ready to make it.<br />That is the part I want an exercise to reveal.<br />Not during a real breach. Not when production is down and the CEO is asking for answers.<br />In a safe room, before it happens for real.</p>
<h2>Why Most Tabletop Exercises Don’t Work</h2>
<p>A good incident response tabletop exercise should show people how they behave when the situation is unclear, uncomfortable and moving faster than they would like.<br />Most exercises do not do that.</p>
<h3>They Are Too Scripted</h3>
<p>A bad tabletop exercise has a beginning, middle and end that were decided before anyone entered the room.<br />The team can say almost anything and the scenario still lands in the same place. The attacker does not adapt. The pressure does not increase. Bad decisions do not really matter. Good decisions do not change much either.<br />That is comfortable.<br />It is also the problem.<br />In a real incident, the situation reacts to what you do. If you are slow, the attacker gains time. If you communicate poorly, confusion spreads. If you make the wrong assumption, the next decision is built on weak ground.<br />An exercise should reflect that.<br />I am not interested in punishing people during training. That is not the point. But the scenario should behave like a system, not like a script. Decisions should move the situation somewhere. Inaction should also move the situation somewhere.<br />Sometimes the most valuable part of an exercise is the moment when the team realizes that its plan only works on paper.<br />That is uncomfortable.<br />Good.<br />That is where the learning starts.</p>
<h3>They Don’t Create Real Pressure</h3>
<p>Competent people behave differently when they face genuine uncertainty.<br />That is one of the main reasons I run these exercises.<br />It is easy to look prepared when the scenario is clean, the timeline is obvious and every action succeeds. It is much harder when logs are missing, the CEO wants an answer, the press team is asking for a statement, and nobody knows whether the attacker is still inside the environment.<br />That is incident response.<br />Uncertainty is not an annoying side effect. It is the job.<br />So when tabletop exercises remove uncertainty, they remove the thing people actually need to practice.<br />A good exercise does not need to traumatize anyone. It does not need fake drama. But it should create enough pressure for people to notice their own habits.<br />Who freezes?<br />Who dominates the room?<br />Who asks useful questions?<br />Who waits for permission?<br />Who starts coordinating without being asked?<br />Who avoids making a decision by asking for more information that may not arrive?<br />That is useful information. You do not always see it in a normal meeting. You see it when time matters and the answer is not obvious.</p>
<h3>They Train Inside the Silo</h3>
<p>Most incident response exercises involve the security team. Sometimes it is just the security team.<br />That works until the moment it does not.<br />A real incident does not stay inside the security team. Legal gets involved. Communications gets involved. Privacy gets involved. Leadership gets involved. None of those people have been in the same room, running the same scenario, making decisions together under pressure.<br />I ran a <a href="https://relationsec.net/malware-monsters/">Malware and Monsters</a> session where the scenario was a flood of fraudulent GDPR data subject requests: a privacy compliance issue on the surface, a coordinated cyberattack underneath.<br />The privacy team had been sitting on the anomaly for four days before they brought in security. Why? Because in their minds, this was a compliance issue. Not a security issue.<br />Meanwhile, the SOC had been seeing unusual outbound traffic alerts for 72 hours. They deprioritized those alerts because they were told to focus on the DSAR emergency.<br />By the time both teams were in the same room, 2.17 gigabytes of data had already left the building.<br />When security finally walked in, the first thing Marcus said was: we could have helped. We should have been looped in earlier. Morgan from privacy was defensive. Her team had been overwhelmed. They had not thought to escalate because they had never needed to before.<br />That is not a failure of individual competence. That is what happens when teams train in silos, exercise in silos, and have no shared language for when a problem crosses from one domain into another.<br />The exercise made that visible. That is exactly what it was supposed to do.</p>
<h2>Cyber Incidents Are Human Before They Are Technical</h2>
<p>Many organizations still treat incident response as a technical discipline with a bit of communication added at the end.<br />I think that is backwards.<br />Of course the technical side matters. Logs matter. Detection matters. Backups matter. Forensics matter. Endpoint data matters. Network visibility matters.<br />But when things get ugly, the hardest problems are often human.<br />Who is allowed to make the call?<br />Who decides whether to isolate a system?<br />Who tells the board?<br />Who speaks to customers?<br />Who decides whether the business can operate tomorrow?<br />Who writes down what has already been decided?<br />Who has the authority to say, “we are doing this now”?<br />That is incident response.<br />Not just finding the malware. Not just checking the EDR. Not just reading from a playbook.<br />The technical investigation matters, but the organization still has to make decisions around it. If the humans cannot coordinate, the tools will not save them.</p></div>
			</div><div class="et_pb_module dipi_masonry_gallery dipi_masonry_gallery_0">
				
				
				
				
				
				
				<div class="et_pb_module_inner">
					<div class="dipi_masonry_gallery_wrapper" data-config="{&quot;infinite_scroll_viewport&quot;:&quot;25%&quot;}">
                
            <div
                class="dipi_masonry_gallery_container animated none"
                
                data-count="4"
                data-anim="none"
            >
                <div class="grid show_lightbox show_lightbox_tablet show_lightbox_phone hide_overlay " data-lazy="false" >
                    <div class="grid-sizer"></div><div class="gutter-sizer"></div><div class="grid-item et_pb_gallery_image ">
                       
                        <div class="img-container dipi-mg-animation dipi-mg-none" href="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-20-scaled.jpg">
                            <img decoding="async" src="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-20-scaled.jpg"
                                alt="Cybersecurity facilitator leading a tabletop exercise"
                                loading="lazy"
                            />
                            <span class="dipi_masonry_gallery_overlay background"></span>
                <span class="dipi_masonry_gallery_overlay background-hover"></span>
                <span class="dipi_masonry_gallery_overlay content" style="transition-duration: 0ms;">
                    
                    
                    
                </span>
                        </div>
                    
                </div><div class="grid-item et_pb_gallery_image ">
                       
                        <div class="img-container dipi-mg-animation dipi-mg-none" href="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-23-scaled.jpg">
                            <img decoding="async" src="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-23-scaled.jpg"
                                alt="Participants reacting during a cybersecurity tabletop game"
                                loading="lazy"
                            />
                            <span class="dipi_masonry_gallery_overlay background"></span>
                <span class="dipi_masonry_gallery_overlay background-hover"></span>
                <span class="dipi_masonry_gallery_overlay content" style="transition-duration: 0ms;">
                    
                    
                    
                </span>
                        </div>
                    
                </div><div class="grid-item et_pb_gallery_image ">
                       
                        <div class="img-container dipi-mg-animation dipi-mg-none" href="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-28-scaled.jpg">
                            <img decoding="async" src="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-28-scaled.jpg"
                                alt="Incident response tabletop exercise with printed scenario materials"
                                loading="lazy"
                            />
                            <span class="dipi_masonry_gallery_overlay background"></span>
                <span class="dipi_masonry_gallery_overlay background-hover"></span>
                <span class="dipi_masonry_gallery_overlay content" style="transition-duration: 0ms;">
                    
                    
                    
                </span>
                        </div>
                    
                </div><div class="grid-item et_pb_gallery_image ">
                       
                        <div class="img-container dipi-mg-animation dipi-mg-none" href="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-41-scaled.jpg">
                            <img decoding="async" src="https://relationsec.net/wp-content/uploads/2026/06/Hackback_Screens-v1-41-scaled.jpg"
                                alt="Team members discussing decisions during a cyber incident simulation"
                                loading="lazy"
                            />
                            <span class="dipi_masonry_gallery_overlay background"></span>
                <span class="dipi_masonry_gallery_overlay background-hover"></span>
                <span class="dipi_masonry_gallery_overlay content" style="transition-duration: 0ms;">
                    
                    
                    
                </span>
                        </div>
                    
                </div>
                </div>
                
            </div>
            
            </div>
             
				</div>
			</div><div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h3>Decisions Happen With Incomplete Information</h3>
<p>One of the clearest examples I have seen came during a HackBack game I ran for four experienced practitioners: an IT admin, a CTO, a security architect and an ISM.<br />The scenario was simple enough on paper.<br />Ransomware on the CEO’s laptop. Friday afternoon.<br />Halfway through the exercise, someone asked the question that should have been easy to answer:<br />Do we even have a backup?<br />The CTO opened the incident response plan.<br />There were detection mechanisms. There were response steps. There was process. But there was nothing useful about data protection in that moment.<br />Nobody could confirm the backup status.<br />The security architect thought there might be something, somewhere. But that was the problem. The backup was unknown while ransomware was spreading.<br />Then the conversation moved to the next question, which was even more important:<br />Even if the backup exists, can we trust it?<br />The CTO said it plainly:<br />“We don’t know how long they’ve had access to those endpoints before they triggered the ransomware.”<br />That is the part many tabletop exercises fail to train.<br />“Restore from backup” sounds like a decision. But it is only a decision when you know the backup predates the compromise. In that room, they did not know that.<br />At the start of round two, I told them what I had observed.<br />Nobody had really taken the lead.<br />There had been a lot of discussion, but no clear ownership. In a real incident, that uncertainty would have cost them time they did not have.<br />These were not beginners. They were experienced practitioners with an incident response plan open in front of them.<br />The problem was not that they were unskilled.<br />The problem was that the information they needed was not there.<br />That is why I care so much about making incident response exercises realistic. Real incidents do not wait until you have perfect information. They force you to make decisions while the picture is still incomplete.<br />A useful tabletop exercise should train that moment.</p>
<h3>Communication Breaks Before Technology Does</h3>
<p>In a ransomware tabletop exercise, people often want to focus on the ransomware.<br />I understand why. Ransomware is visible. Encryption is dramatic. Business impact is easy to understand. It creates urgency very quickly.<br />But the ransomware is not always the most interesting part.<br />The interesting part is what happens to the organization around it.<br />The escalation path becomes unclear. The technical team gets busy and stops communicating. Management wants certainty that does not exist. Legal asks careful questions. Communications wants approved wording. The board wants an update. Someone asks whether cyber insurance has been notified. Someone else asks whether systems can be taken offline.<br />And then the room discovers that nobody knows who owns the final decision.<br />That is not only a technical failure.<br />That is a coordination failure.<br />A good exercise can reveal that before an actual breach does.<br />If the first time your leadership team discusses ransomware decision-making is during a real ransomware incident, that is not preparedness.<br />That is gambling.</p>
<h3>Emotional Load Is What Nobody Trains</h3>
<p>Real incidents create emotion.<br />Fear. Frustration. Silence. Overconfidence. Blame-deflection. Decision paralysis. The sudden need to look very busy while avoiding the hard question.<br />People do not become perfectly rational because the incident is serious.<br />Often, they become less rational.<br />That is normal. They are human.<br />But many tabletop exercises are designed as if humans are calm information-processing machines. They are not.<br />If an exercise creates no emotional activation, it does not train the responses people will need when pressure arrives. I do not mean that people should be scared for entertainment. That is useless. I also do not mean humiliation. That is worse than useless.<br />The goal is to make the first moment of pressure happen in a safe room, not during an actual breach.<br />A safe exercise can still be uncomfortable.<br />In fact, it probably should be.<br />If nobody felt any tension, if nobody had to defend a decision, if nobody realized something important was missing, the exercise may have been pleasant.<br />But pleasant is not the same as useful.</p>
<h2>How Game-Based Learning Changes the Room</h2>
<p>This is where <a href="https://relationsec.net/serious-games/">game-based cybersecurity training</a> becomes interesting.<br />Not because games are fun.<br />Fun is fine, but it is not the main point.<br />The point is that a game-based exercise can create structure, pressure, feedback and memory in a way that slide-driven exercises often fail to do.<br />People need something to do. They need roles. They need constraints. They need imperfect information. They need time pressure. They need decisions that matter. They need consequences they can see.<br />That changes the room.<br />People stop watching and start acting.<br />And once they start acting, you can observe how the team really works.<br />Not how they say they work.<br />How they actually work.</p>
<h3>Give People Roles, Not Slides</h3>
<p>Slides explain responsibilities.<br />Roles make people inhabit them.<br />That difference matters.<br />When someone has a defined role, they become accountable for something. They cannot just nod along. They have to decide, communicate, prioritize and sometimes admit they do not know.<br />That is much closer to reality.<br />A communicator should communicate. A technical investigator should investigate. A decision-maker should make decisions. A coordinator should coordinate.<br />If everyone is responsible for everything, nobody is really responsible for anything.<br />This is one of the reasons I built Malware &amp; Monsters around distinct incident response roles. Each role has specific responsibilities. Each role can contribute. Each role can also fail the team if it does not act.<br />When the Communicator fails to brief leadership, that should matter.<br />When the Detective misses a critical signal, that should matter.<br />When the team discusses endlessly without someone taking the lead, that should matter too.<br />Not because we want to blame people.<br />Because in real incidents, those things matter.</p>
<h3>Make Decisions Have Consequences</h3>
<p>In many exercises, teams can say the right words and move on.<br />“We would block that.”<br />“We would restore from backup.”<br />“We would inform stakeholders.”<br />“We would investigate further.”<br />Fine.<br />But what happens next?<br />A decision without consequence is just a sentence.<br />If the team chooses the wrong control, it should not magically work. If escalation is slow, time should be lost. If communication is poor, confusion should spread. If the team makes an assumption without checking it, that assumption should be tested later.<br />That feedback loop changes behavior.<br />In Malware &amp; Monsters, applying the wrong security control against the wrong threat type produces a measurable result. Not because the facilitator decides to punish the team, but because the system responds.<br />That neutrality matters.<br />People often accept mechanical consequences more easily than personal criticism. It is not “I think your team made a poor choice.” It is “this is what happened because of the choice.”<br />That is much harder to argue with.<br />And it is closer to how incidents work.<br />The attacker does not care that your decision sounded reasonable in the room. The environment responds to what you actually did.</p>
<h3>Let Teams Fail Safely</h3>
<p>Most organizations do not like seeing their teams fail in an exercise.<br />I understand that.<br />I also think it is exactly why they should do it.<br />Failure in a safe training environment is not a disaster. It is a gift. It shows you where the plan is vague, where authority is unclear, where communication breaks, where assumptions are hiding and where people need support.<br />The alternative is discovering all of that during a real incident.<br />That is the expensive version.<br />The sweet spot is psychological safety plus visible consequence.<br />People need to know the exercise is not a trap. They need to understand that the goal is not to embarrass them. But they also need to see that decisions matter.<br />Remove safety, and people become defensive.<br />Remove consequence, and the exercise becomes theatre.<br />Safe failure in training means fewer catastrophic failures in production.<br />This is obvious in aviation, medicine, emergency response and military training. Somehow, in cybersecurity, many organizations still act as if reading the plan is close enough.<br />It is not.<br />You do not build incident response capability by discussing what you would do in theory. You build it by practicing what you will do when the theory stops being enough.</p>
<h3>Make the Exercise Memorable, or Don’t Bother</h3>
<p>People remember what they felt.<br />They forget what they read.<br />That is uncomfortable for people who design exercises as documents and slide decks, but it is true.<br />If your incident response tabletop exercise feels like a normal meeting, it will be remembered like a normal meeting. Barely.<br />People may remember that it happened. They may remember the coffee. They may remember that security had a lot of slides.<br />But will they remember the decision point that exposed a gap in escalation?<br />Will they remember the moment nobody could confirm the backup status?<br />Will they remember how it felt to make a decision without enough information?<br />Will they remember what they personally need to do differently next time?<br />That is the standard.<br />A good exercise leaves signals behind.<br />People are still talking about it the next day. Someone realized the plan did not say what everyone assumed it said. A process owner discovered that “we will escalate” is not a strategy. Leadership understood that asking for certainty does not create certainty. The technical team saw that silence creates its own incident.<br />That is useful.<br />That is what I want from an exercise.<br />Not a perfect performance.<br />A better understanding of reality.</p>
<h2>Stop Mistaking Attendance for Preparedness</h2>
<p>So yes, stop running boring incident response tabletop exercises.<br />Stop mistaking attendance for participation.<br />Stop mistaking slides for simulation.<br />Stop mistaking compliance evidence for preparedness.<br />Run exercises that make people decide.<br />Make them communicate.<br />Make them feel pressure while failure is still safe.<br />Make the scenario respond.<br />Make the consequences visible.<br />Make the debrief honest.<br />Because if nobody remembers the exercise, the attacker probably got more value from it than you did.</p>
<p>If a compliance framework is the reason you are running these at all, the same logic sits underneath it: <a href="https://relationsec.net/cmmc-incident-response-training-game/">CMMC asks you to test your incident response capability</a>, and <a href="https://relationsec.net/dora-operational-resilience-testing-tabletop/">DORA asks financial entities to prove their resilience holds</a>. Both want a tested capability, not a filed plan.</p>
<h2>Want to Run an Exercise People Actually Remember?</h2>
<p>This is why I built Malware &amp; Monsters the way I did.<br />I do not want people to leave an exercise saying, “that was interesting.”<br />I want them to leave saying, “we need to fix this before it happens for real.”<br />Malware &amp; Monsters is built around the things most exercises avoid: real roles, incomplete information, decisions with consequences, and pressure that is uncomfortable on purpose.<br />Run it before the attacker runs the real version.<br />Reach out at <a href="mailto:klaus@relationssec.net">klaus@relationssec.net</a> or visit <a href="https://malwareandmonsters.com">malwareandmonsters.com</a>.</p></div>
			</div><div class="et_pb_module dipi_masonry_gallery dipi_masonry_gallery_1">
				
				
				
				
				
				
				<div class="et_pb_module_inner">
					<div class="dipi_masonry_gallery_wrapper" data-config="{&quot;infinite_scroll_viewport&quot;:&quot;25%&quot;}">
                
            <div
                class="dipi_masonry_gallery_container animated none"
                
                data-count="1"
                data-anim="none"
            >
                <div class="grid show_lightbox show_lightbox_tablet show_lightbox_phone hide_overlay " data-lazy="false" >
                    <div class="grid-sizer"></div><div class="gutter-sizer"></div>
                </div>
                
            </div>
            
            </div>
             
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://relationsec.net/stop-running-boring-incident-response-tabletop-exercises/">Stop Running Boring Incident Response Tabletop Exercises</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Want commercial success in infosec? Stop doing marketing! (like everyone else)</title>
		<link>https://relationsec.net/want-commercial-success-in-infosec-stop-doing-marketing-like-everyone-else/</link>
		
		<dc:creator><![CDATA[Klaus Agnoletti]]></dc:creator>
		<pubDate>Thu, 01 Feb 2024 12:00:42 +0000</pubDate>
				<category><![CDATA[Marketing]]></category>
		<guid isPermaLink="false">https://relationsec.net/?p=3339</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/want-commercial-success-in-infosec-stop-doing-marketing-like-everyone-else/">Want commercial success in infosec? Stop doing marketing! (like everyone else)</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_5 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_10  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>In the rapidly evolving digital landscape, traditional marketing strategies no longer suffice in the InfoSec sector. This article explores a transformative approach based on deep community engagement, demonstrating how genuine support and understanding of the InfoSec community can lead to unparalleled marketing success. This piece is intended for InfoSec marketers and those interested in leveraging community support for business success.</p>
<p>Disclaimer: For simplicity, this discussion treats the InfoSec community as a unified entity, though it is diverse and multifaceted.</p>
<p>I have a long-term vision rooted in my passion for the community: I aim to convince companies of the benefits of supporting it. In those rare cases where management understands, I seek to enhance their marketing departments’ understanding of the community, its members, and the most effective targeting strategies.</p>
<p>This article is designed to contribute to the debate, primarily engaging InfoSec marketers, but of course, it is open for all to read. Should you have any questions or wish to discuss further, please feel free to reach out.</p>
<p>So, are you an InfoSec marketer? Interestingly, I never envisioned myself in that role. My background is deeply rooted in the technical aspects of InfoSec, and I’ve always viewed its commercial side with skepticism. I never found marketing particularly intriguing or relevant, until now.</p>
<p>Marketing indeed comes in many forms. The traditional methods never captured my interest, but I discovered the power of community-focused content marketing.</p>
<p>If you’re unfamiliar with this term, there’s a good reason. I devised it when I realized that content marketing in InfoSec could take on various forms.</p>
<h2>Starting My Journey in InfoSec</h2>
<p>Let’s backtrack to the beginning of my engagement with the InfoSec community. It started when I began organizing OWASP meetings in my local chapter. I’m not entirely sure why I started. It just felt natural. But I know why I continued: I relished organizing insightful talks, bringing people together, and witnessing the joy in their eyes when they learned something new or made meaningful connections. Assisting the community provides me with immense satisfaction. Thus, when the opportunity arose to help bring the non-profit InfoSec conference Security BSides to Copenhagen, I seized it without hesitation.</p>
<p>Imagine my elation when I realized that combining my extensive background in InfoSec with my love for the community could evolve into a genuine profession, something as exciting as ‘marketing’.</p>
<h2>The Power of Community Engagement in InfoSec</h2>
<p>Over the years, my active participation has shown me the immense power of the InfoSec community. My recent role as the head of community for an emerging FOSS project only reinforces this:</p>
<ul>
<li>Influences Company Trends: The community decides which companies and individuals are trending.</li>
<li>Shapes Service Perceptions: It determines who provides excellent service.</li>
<li>Defines Desirable Workplaces: Influences which companies are considered great places to work.</li>
</ul>
<p>This influence can be subtly shaped through content marketing.</p>
<p>As the name suggests, content marketing revolves around content. Though it might sound unusual, it’s not focused on converting customers, generating leads, or making sales. Rather, it’s about building familiarity, likability, and trust toward your brand, all while genuinely supporting the InfoSec community.</p>
<p>The InfoSec community generally seeks to support those who appreciate it. If your marketing strategy involves loving the community, it will reciprocate by promoting how excellent your products are, how skilled your specialists are, and what a great place your company is to work. Or to put it another way:</p>
<p>When people trust your content and recognize you as an expert, you effectively eliminate your competition.</p>
<p>In a market where it’s challenging to sell products and services and even harder to attract qualified employees, this approach is invaluable.</p>
<h2>Defining Effective Content in InfoSec Marketing</h2>
<p>Fundamentally, content is anything that immediately adds value to the community. When your marketing strategy is built on this premise, it goes without saying that it must be produced consistently with high quality so that the InfoSec community recognizes and values your contributions over time. Types of content include:</p>
<ul>
<li>Blog Articles: In-depth discussions on relevant InfoSec topics.</li>
<li>Podcasts/Webcasts: Engaging audio and video content.</li>
<li>Talks and Workshops: Interactive sessions that provide valuable knowledge.</li>
<li>Innovative Formats: Memes and jokes that resonate with the community’s culture.</li>
</ul>
<p>Essentially, anything that resonates with the inner InfoSec geek in your target group is valuable. It’s crucial to foster a culture where people are encouraged to have ‘stupid ideas’: ideas so unique they might be either ridiculous or brilliant. If they work, the rewards can be significant. And honestly, what’s the worst that could happen if they fail?</p>
<p>I am immensely grateful to Jason Blanchard from Black Hills Information Security for his inspiration and guidance. He has been instrumental in helping me discover this path and make it my own, particularly now as I’ve begun a consultancy to assist companies and their marketers in adopting this approach. Thank you, Jason!</p>
<p>Jason directed me to a workshop he conducted with Jon Barnes titled “Infosec Marketing in 2021: Hacking the New Normal,” which offers an overview of content strategies and examples of how to create compelling content. I highly recommend watching it if you’re interested in this approach &#8211; in spite of it being a few years old it&#8217;s still relevant today.</p>
<h2>InfoSec Marketing: Not for Everyone</h2>
<p>Indeed, there’s a catch: This field is challenging. Particularly if you lack experience in InfoSec and are unfamiliar with the community’s dynamics, it requires significant time and effort.</p>
<p>Creating content that truly engages InfoSec professionals isn’t easy, unless you know exactly what will captivate an InfoSec geek. And gaining that knowledge is often the hardest part if you don’t inherently possess InfoSec geekiness. From my experience, such a blend of skills is rare among marketers.</p>
<p>The more you understand about InfoSec and geek culture, the better equipped you’ll be as a content producer or editor here. But all this expertise won’t amount to much without solid communication skills and an intuitive understanding of what makes a compelling talk or blog article.</p>
<p>In other words, this field is neither purely marketing nor purely InfoSec. It’s both. And those who master both are indeed rare.</p>
<p>Embracing community-focused content marketing is a long-term strategy. When engaging the InfoSec community (or any community), it takes time before you see significant results. The upside is that once you achieve success, that reputation tends to persist within the community.</p>
<p><strong>Ready to Transform Your InfoSec Marketing Strategy?</strong></p>
<p>Navigating the complex world of InfoSec marketing requires a nuanced approach tailored to your unique business needs. As a seasoned consultant specializing in community-driven marketing strategies, I am here to help your company connect deeply with the InfoSec community and achieve sustainable success. If you’re looking to revolutionize your marketing efforts and build lasting relationships within the industry, don’t hesitate to reach out. Together, we can craft a marketing strategy that not only meets but exceeds your expectations.</p>
<p>Good luck on your journey to revolutionize InfoSec marketing!</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>

<p>The post <a href="https://relationsec.net/want-commercial-success-in-infosec-stop-doing-marketing-like-everyone-else/">Want commercial success in infosec? Stop doing marketing! (like everyone else)</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Got problems attracting infosec talent? It’s time for your organization to learn geek!</title>
		<link>https://relationsec.net/got-problems-attracting-infosec-talent-its-time-for-your-organization-to-learn-geek/</link>
		
		<dc:creator><![CDATA[Klaus Agnoletti]]></dc:creator>
		<pubDate>Thu, 01 Feb 2024 11:58:07 +0000</pubDate>
				<category><![CDATA[Employer Branding]]></category>
		<guid isPermaLink="false">https://relationsec.net/?p=3333</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/got-problems-attracting-infosec-talent-its-time-for-your-organization-to-learn-geek/">Got problems attracting infosec talent? It’s time for your organization to learn geek!</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_6 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_11  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p id="ember39" class="ember-view reader-content-blocks__paragraph"><em>Embracing the infosec community and people in it is important if you want to attract the talent you need. Learning to understand geeks and geek subculture is an important skill here. Read on and understand why both your HR and marketing departments need to learn geek.</em></p>
<p><span style="font-weight: 400;">So you’re one of those companies that has problems attracting talent? Or keeping it. Maybe even both?</span></p>
<p><span style="font-weight: 400;">Here’s some comfort in a sense: You’re not alone. That’s the new normal everywhere in IT. Luckily, there are ways to improve your situation. The infosec community holds the key: Embrace its culture and language, show people in it that you understand and respect them, and demonstrate that everybody in your organization takes security seriously. The community will love you back by spreading the word about how great it is to work at your company and how much fun people have there. Succeed, and all your challenges with attracting and retaining talent will be a thing of the past.</span></p>
<h2><span style="font-weight: 400;">Marketing and Employer Branding Are Often Overlooked</span></h2>
<p><span style="font-weight: 400;">In reality, this is marketing and for some reason it’s vastly overlooked in talent acquisition and employer branding. Is it because talent professionals know little about tech culture? Probably, but that can be fixed.</span></p>
<p><span style="font-weight: 400;">Let’s start from the beginning: What is this community, why is it important, and how does one communicate with it and make it do all those amazing things I mentioned earlier?</span></p>
<h2><span style="font-weight: 400;">The Infosec Community</span></h2>
<p><span style="font-weight: 400;">In short (and hugely oversimplified), the infosec community consists of all those passionate, geeky personalities who love infosec so much that they just have to make it part of their careers. Many of them can’t leave it at that and meet up with like-minded people in their spare time to discuss infosec, watch talks, and get to know more people like them.</span></p>
<p><span style="font-weight: 400;">Because of these passionate people, the infosec community consists of many of those security wizards every company wants to hire. And they’re in short supply.</span></p>
<h2><span style="font-weight: 400;">Providing Value and Getting Respect</span></h2>
<p><span style="font-weight: 400;">The way to get their attention is actually quite simple: Provide them with content that gives immediate value. If you succeed, the community will help you out, recognizing you as a friend.</span></p>
<p><span style="font-weight: 400;">Providing value to the community is done by creating meaningful, inspiring, or just fun content of high quality. An important thing is to not take yourself too seriously. If you have an edge, it’s appreciated and rewarded.</span></p>
<h2><span style="font-weight: 400;">Real-Life Examples of Building Credibility</span></h2>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Reddit Outreach: When working on a FOSS project aiming to replace Fail2Ban, I monitored Reddit for mentions and subtly suggested our alternative where it added value. This helped gain direct interest and awareness.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Stickers and Humor: Designing stickers that reference geeky jokes or sci-fi like Star Wars can surprise people. At BSides Prishtina, I was introduced as &#8220;the guy with the coolest stickers.&#8221;</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Talks and Meetups: I’ve given talks on living with ADHD in infosec to dispel myths, share personal stories, and build connections. It’s been a way to showcase my expertise while building my authority in the community.</span></li>
</ul>
<p id="ember64" class="ember-view reader-content-blocks__paragraph"></p></div>
			</div><div class="et_pb_module dipi_image_magnifier dipi_image_magnifier_0">
				
				
				
				
				
				
				<div class="et_pb_module_inner">
					<div class="dipi-image-magnifier" data-speed='300' data-touchbottomoffset='0'>
                    <img decoding="async" data-magnify-src="https://relationsec.net/wp-content/uploads/2024/02/1676319609670.jpg" src="https://relationsec.net/wp-content/uploads/2024/02/1676319609670.jpg" srcset="https://relationsec.net/wp-content/uploads/2024/02/1676319609670.jpg 1333w, https://relationsec.net/wp-content/uploads/2024/02/1676319609670-1280x960.jpg 1280w, https://relationsec.net/wp-content/uploads/2024/02/1676319609670-980x735.jpg 980w, https://relationsec.net/wp-content/uploads/2024/02/1676319609670-480x360.jpg 480w" alt="Examples of stickers with geek appeal. The stickers mentioned in the story are not among these." title="Examples of stickers with geek appeal. The stickers mentioned in the story are not among these."/>
                </div>
				</div>
			</div><div class="et_pb_module et_pb_text et_pb_text_12  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><div class="reader-image-block reader-image-block--right-align"></div>
<blockquote id="ember52" class="ember-view">
<p>Providing value to the community is done by creating meaningful, inspiring (or just fun) content of high quality</p>
</blockquote>
<h2><span style="font-weight: 400;">Getting HR, Marketing, Communications, and the Security Pros to Work in Sync</span></h2>
<p><span style="font-weight: 400;">For this strategy to work best, HR, marketing, communications, and your security team need to be in harmony. Here’s how to make this collaboration happen:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Cross-Department Workshops: Get everyone together to share their perspectives. Your security team can explain the challenges they face, while marketing and HR can help craft messaging.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Joint Strategy Development: Build a strategy with common goals that align everyone’s strengths. Let your security team highlight key points while HR and marketing turn these into compelling job descriptions and campaigns.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Content Creation: Security experts provide technical depth, while marketing ensures it’s clear and engaging. Share behind-the-scenes stories and thought leadership pieces that spark curiosity.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Feedback Loop: Set up a feedback loop to improve your strategy. Share findings across departments so that adjustments can be made based on community feedback.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Internal Advocates: Find internal advocates to bridge the gap between technical and non-technical teams. They’ll ensure your message remains authentic and appealing.</span></li>
</ul>
<h2><span style="font-weight: 400;">More Ways to Engage</span></h2>
<p><span style="font-weight: 400;">I’ve been involved with my local infosec community for a long time, arranging events and talks for peers to show up, grab some pizza, and get inspired for new projects. This has helped me build a network of peers, many in decision-making positions, whom I can reach out to and leverage to my advantage. I can only do that because my involvement in the community has helped me build trust and authority over time.</span></p>
<p><span style="font-weight: 400;">Other ways to engage include arranging CTF (Capture the Flag) competitions for your employees and the local infosec community, contacting universities to sponsor student events, or interviewing an employee who maintains an open-source security tool that your organization uses.</span></p>
<h2><span style="font-weight: 400;">Content Marketing for the Infosec Community</span></h2>
<p><span style="font-weight: 400;">All these examples are forms of content marketing. Conceptually, it&#8217;s nothing new, but using it specifically for the infosec community is still relatively uncommon. When used well, it’s an effective way to speak directly to the community, provide them with valuable content, and show that you understand their needs. This helps you build brand recognition and earn their trust.</span></p>
<h2><span style="font-weight: 400;">Conclusion</span></h2>
<p><span style="font-weight: 400;">Dare to step out of your corporate image and show the infosec community who you really are. Embrace their culture, show respect, and connect authentically. Your company will be seen as an attractive place to work. And if you need help combining these skills, feel free to reach out to me.</span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://relationsec.net/got-problems-attracting-infosec-talent-its-time-for-your-organization-to-learn-geek/">Got problems attracting infosec talent? It’s time for your organization to learn geek!</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Employer Branding: Why Anthropology matters in your efforts to hire cyber security talent</title>
		<link>https://relationsec.net/employer-branding-why-anthropology-matters-in-your-efforts-to-hire-cyber-security-talent/</link>
		
		<dc:creator><![CDATA[Klaus Agnoletti]]></dc:creator>
		<pubDate>Thu, 01 Feb 2024 11:52:52 +0000</pubDate>
				<category><![CDATA[Employer Branding]]></category>
		<guid isPermaLink="false">https://relationsec.net/?p=3329</guid>

					<description><![CDATA[<p>The post <a href="https://relationsec.net/employer-branding-why-anthropology-matters-in-your-efforts-to-hire-cyber-security-talent/">Employer Branding: Why Anthropology matters in your efforts to hire cyber security talent</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_7 et_pb_with_background et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_13  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p id="ember39" class="ember-view reader-content-blocks__paragraph">There’s a lack of talent in<span class="white-space-pre"> </span>cybersecurity. Nobody seems to be able to hire enough qualified specialists. Nothing’s new in that.<span class="white-space-pre"> </span></p>
<p id="ember40" class="ember-view reader-content-blocks__paragraph">
<p id="ember41" class="ember-view reader-content-blocks__paragraph">What’s really strange when speaking of this lack of talent is that no one seems to do anything about that and their situation. While you can’t magically snap your fingers to make the specialists you need magically disappear, what you<span class="white-space-pre"> </span><em>can</em><span class="white-space-pre"> </span>do is to stand out among the companies looking to hire talent and talk to them in a language they understand.</p>
<p id="ember42" class="ember-view reader-content-blocks__paragraph">
<blockquote id="ember43" class="ember-view">
<p>There’s too many job ads out there that are too formal and neither show the true spirit of the workplace and the specialists already working there nor the specialist they’re trying to attract. Also, there’s practically no companies who understand that engaging with the cyber security community could be a part of their employer branding strategy.</p>
</blockquote>
<blockquote id="ember44" class="ember-view">
<p>To me that makes absolutely no sense.</p>
</blockquote>
<p id="ember45" class="ember-view reader-content-blocks__paragraph">
<p id="ember46" class="ember-view reader-content-blocks__paragraph">In reality,<span class="white-space-pre"> </span>employer branding<span class="white-space-pre"> </span>is marketing and like any other types of marketing it’s about creating immediate value to the recipient who in this case is the cyber security community.<span class="white-space-pre"> </span></p>
<p id="ember47" class="ember-view reader-content-blocks__paragraph">
<p id="ember48" class="ember-view reader-content-blocks__paragraph">If you think about it, it makes sense: the cyber security community is full of those engaged, talented professionals your company needs to make your business strategy become reality. Those professionals who simply love cyber security so much that they are submerged in pet projects in their spare time, who love seeing other community members with the same passions to share inspiration, knowledge and to feel togetherness in an uncertain world.</p>
<p id="ember49" class="ember-view reader-content-blocks__paragraph">
<p id="ember50" class="ember-view reader-content-blocks__paragraph">By hooking into this community professionally, you show members of the community that you share their values and beliefs; that you are part of the tribe. Tribes are the cornerstone of civilization; people in the same tribe look out for each other, they help and support each other when they can. They truly care for each other. These are the feelings you want to awaken in the cyber security community.</p>
<p id="ember51" class="ember-view reader-content-blocks__paragraph">
<p id="ember52" class="ember-view reader-content-blocks__paragraph">Basically you want sentiment, you want the cyber security community to look up to you as a company, to your specialists. You want to make the cyber security community want to work with you.<span class="white-space-pre"> </span></p>
<p id="ember53" class="ember-view reader-content-blocks__paragraph">
<p id="ember54" class="ember-view reader-content-blocks__paragraph">The good news is that it’s not hard to do this as long as you know the language of the community, which defines the rules and the tone of your communication and you can predict what community members will find interesting. And, admitted, that last part is quite hard. But basically it’s about knowing about cyber security and knowing about subcultures, about geekiness. Being a geek yourself, regardless of type, is definitely not a disadvantage.</p>
<p id="ember55" class="ember-view reader-content-blocks__paragraph">
<p id="ember56" class="ember-view reader-content-blocks__paragraph">So how do you create value? You give the community what fuels it:</p>
<ul>
<li>Knowledge in the shape of videos, talks, articles, workshops, courses and more.</li>
<li>Humor is a tough element to get right but important. It’s important to show that you as a company dare to show a human side of yourself and that you don’t take yourself too seriously. If you’re capable of that and of doing jokes at your own expense, you win.</li>
<li>Meetups are where the magic happens; where people interact and get inspired. Your company can support it by sponsoring food and drinks, engaging in planning and doing talks. Those two last ones are always the hardest ones and are typically the reasons for community meetup groups to hibernate or dissolve.</li>
</ul>
<p id="ember58" class="ember-view reader-content-blocks__paragraph">
<p id="ember59" class="ember-view reader-content-blocks__paragraph">To be frank, community employer branding is not for everyone. Honesty and transparency are important factors. Let me explain:</p>
<p id="ember60" class="ember-view reader-content-blocks__paragraph">As a cyber security professional nothing is worse than not being taken seriously; to be hired to help increase security, to see that there is a need and that significant risks need to be addressed but not being able to. What usually happens is that management in theory finds security important but in reality finds other things, like making money, more important. I’m not saying that that isn’t fair to do if it’s done in complete transparency, if all risks have been assessed and addressed on management level and it has been decided. Unfortunately that is rarely the reason. More often than not, it’s the result of incompetent management, bad communication and reporting by people who are not very good at explaining exactly what impact this or that threat has on business risk.</p>
<p id="ember61" class="ember-view reader-content-blocks__paragraph">So if you’re not one of those companies that truly does take cyber security seriously in every part of the business, you can’t go around pretending to be. Not forever, at least. And when the community finds out, your efforts will backfire.<span class="white-space-pre"> </span></p>
<p id="ember62" class="ember-view reader-content-blocks__paragraph">
<p id="ember63" class="ember-view reader-content-blocks__paragraph">So in other words: If your company’s management truly mean it, and you have an organization that supports it, the effort you put into this will pay off if done in the right way.<span class="white-space-pre"> </span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>

<p>The post <a href="https://relationsec.net/employer-branding-why-anthropology-matters-in-your-efforts-to-hire-cyber-security-talent/">Employer Branding: Why Anthropology matters in your efforts to hire cyber security talent</a> appeared first on <a href="https://relationsec.net">Relations Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>

<!--
Object Caching 36/127 objects using Disk
Page Caching using Disk: Enhanced 

Served from: relationsec.net @ 2026-07-15 22:38:45 by W3 Total Cache
-->