Understanding the NIST Incident Response Lifecycle: A Review of Demystifying Cybersecurity, Part 1

June 8, 2026
QUICK SUMMARY

This review examines the first two videos in The Cyber Guild’s Demystifying Cybersecurity: A Ransomware Incident series, exploring how the NIST Incident Response Lifecycle helps organizations prepare for and respond to cyber incidents. 

This is Part 1 of a two-part review series. Read Part 2.

Demystifying Cybersecurity: A Ransomware Incident is a four-part video series developed by The Cyber Guild in partnership with College Board. Organized around the National Institute of Standards and Technology (NIST) Incident Response Lifecycle (IRL), the series uses a real-world ransomware scenario to illustrate how cybersecurity incidents unfold and how organizations prepare for and respond to them.

The first two videos, Why Cybersecurity Matters and Be Prepared, focus on the importance of cybersecurity and the foundational steps organizations take before an incident occurs.

What is the NIST Incident Response Lifecycle?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce and has the mission of promoting American innovation and industrial competitiveness through technological advancement. Its Incident Response Lifecycle model is found in NIST Special Publication 800-61. The four-part model from 800-61 Revision 2 (August 2012) appears below as Figure 1.

The lifecycle consists of four phases:

  • Preparation
  • Detection & Analysis
  • Containment, Eradication, & Recovery
  • Post-Incident Activity

As can be seen in Figure 1, Phases 2 and 3 may repeat any number of times before the situation is resolved and post-incident activity can occur. The purpose of that final phase is to prepare for future incidents, thus giving the IRL a cyclic quality.

After all, what would be the point of learning lessons if they did not improve organizational security and incident preparedness?

Preparation includes both preparing to handle incidents (communication protocols, necessary incident response equipment, etc.), as well as general guidance on preventing incidents (risk assessments, user training).

Detection & Analysis includes topics such as attack vectors, indications of compromise, incident analysis and documentation, incident prioritization, and notification procedures.

Containment, Eradication, & Recovery includes containment strategies, evidence gathering/handling, identification of attacking hosts, threat eradication, and system/data recovery.

Post-Incident Activity includes lessons learned, the use of collected incident data, and guidance on evidence retention.

It should be noted that Revision 3 of NIST 800-61 (April 2025) makes some adjustments to the IRL (see Figure 2 below).

The biggest change is that the lessons learned are to be shared as soon as they become clear, not after the recovery process has been completed.

According to the NIST authors, this is because cyber incidents now occur more frequently, with broader scope, and often cause greater damage than they did over a decade ago. However, the authors recommend that organizations pick the IRL model that makes the most sense to them.

Figure 1. The Incident Response Lifecycle (from NIST SP 800-61r2)

Figure 2. The newest Incident Response Lifecycle (from NIST SP 800-61r3)

Key Points in Video 1: Why Cybersecurity Matters

Video 1 (Why Cybersecurity Matters) uses the 2021 Colonial Pipeline ransomware incident as an example to provide viewers with real-world context into how cyber attacks can impact our everyday lives.

Key points include:

  • Cyber incidents aren’t just technical problems: they have real-world impact (financial, reputational, legal)
  • It is hard to know how long an organization will continue to be impacted by one incident, even after threat eradication and system recovery
  • Ransomware is like a hostage situation, since your data and operations are essentially held hostage
  • It often takes little effort for an attacker to get inside a network using techniques like phishing and other forms of social engineering
  • Cyber resiliency is key: critical systems need to be kept running during an attack
  • Tabletop exercises (discussion-based simulations to walk through the incident response plan) are important for preparation

Personal Reactions to Video 1: Why Cybersecurity Matters

As someone without years of experience in cybersecurity, but with the knowledge needed to gain Security+ certification, I had already been exposed to all of the concepts presented in this video. I found the presentation to be clear and engaging, with any specialist terminology clearly explained.

When shared with younger viewers (my 8th-grade twins), they noted that:

  • There was a lot of information presented that was new to them
  • They learned that it is humans who first respond to incidents, not machines
  • Cyber incidents can impact real-world things like payment card systems
  • New terms were explained clearly (for example, tabletop exercises)

Main Takeaway – Cyber Resiliency is Key

A major theme in Video 1 (Why Cybersecurity Matters) is the importance of cyber resiliency, the ability of organizations and systems to remain operational in the face of challenges. Cyber resiliency returns as a focal topic in the fourth and final video of the series.

Humans play a vital role in cyber resiliency, and two main points from Video 1 are that:

  • People are the first responders when an incident occurs
  • Good communication between everyone involved in incident response is vital

Communication and preparation in advance of an incident will come into focus in Video 2 (Be Prepared).


Key Points in Video 2: Be Prepared

Video 2 (Be Prepared) is about the importance of preparation in advance of a cyber incident, since it is likely that every organization will be impacted at some point in time.

Key points and questions include:

  • How do cybersecurity professionals stay ready, prevent attacks, and detect threats before real damage occurs?
  • You can’t prevent every attack
  • Good incident response plans answer the big questions before an incident occurs, such as who is responsible for what, who talks to whom, etc.
  • The first step in response is to categorize the incident: how serious is this?
  • Cybersecurity is layered security (defense in depth)
  • How you communicate security to senior leaders and build trust with them is an important component of cybersecurity
  • Red teams help test your defenses and try to see what is not secured in your environment
  • Security tools include things like firewalls and IDS/IPS (intrusion detection/prevention systems)

Personal Reactions to Video 2: Be Prepared

As with Video 1, I found that the content in Video 2 was presented clearly, terms were fully explained, and the pacing was appropriate to sustain viewer interest. I found the observation about the importance of clearly communicating security to and building trust with executives to be especially important.

From a younger audience perspective, it was noted that:

  • They liked the detailed information that was given about different types of firewalls
  • A key point is that you shouldn’t be communicating with your partners for the first time during an incident, because that means you’ve already lost

Main Takeaway – Cybersecurity is a People Problem

Video 2 (Be Prepared) identifies cybersecurity as a people problem, not a technology problem, since it is a real person who falls for phishing lures. I would add that it is also humans who misconfigure cloud services or inadvertently write code with security flaws. This is one reason why AI is increasingly being used to identify cyber vulnerabilities and help remediate them.

However, I believe it is important not to create a culture of fear where employees are terrified of taking the phishing bait. Incidents should be an opportunity for learning and enhanced training rather than retribution, except in the case of an insider threat or gross negligence.

These videos advocate for incidents as learning opportunities that help build cyber resilience.

Main Takeaway for Business Leaders – Communication is Critical

Video 2 (Be Prepared) includes the observation that it is important to clearly communicate security to and build trust with executives. I found this to be one of the key takeaways in the video.

Indeed, one of the best ways to get adequate funding for security programs is to speak the “business language” that executives understand best, not highly technical jargon that might confuse executive-level decision makers.

The financial, legal, and operational implications of security failures need to be made crystal clear to those who make business and financial decisions.


Final Thoughts

Demystifying Cybersecurity: A Ransomware Incident is a well-produced and excellent introduction to the world of cybersecurity. Viewers with no prior knowledge of the topic will come away with a deeper understanding of why cyber is important and how cyber attacks impact real people and systems that we interact with every day.

Videos 1 and 2 set the stage for the final two videos, which will cover the process of responding to an active incident and the post-incident reflection and learning stage.

ABOUT THE AUTHOR
Stephen Thursby

Stephen Thursby holds a Ph.D. in Musicology and has taught at both the elementary and college levels. He holds CompTIA Security+ certification and will be interning with the Center on Cyber and Technology Innovation within the Foundation for Defense of Democracies (FDD) during the summer of 2026. His areas of focus lie in cybersecurity policy and identity security. Stephen also volunteers with the Cybersecurity Canon project, helping recruit cyber professionals to review books about or related to cybersecurity.