Video Transcription

00:01
All right, so we have hit 203 on the dot, so we're gonna go ahead and get this kicked off. Welcome, everyone. Um, thank you for joining us today. Super excited to be able to present our Bringing Cyber Solutions Together for Security Skills Development. Presented from Cybrary
00:20
as well as Aon Cyber Solutions.
00:24
So today, uh, we have our two speakers, including myself, Gunnar Kurt. I am the senior enterprise account executive here at Cybrary. I've been here for about two years. I have been working with more of our fortune enterprise clients on providing a solution.
00:42
Um and, ah, skills development program
00:45
and I'll kick it over to CJ for him to introduce himself.
00:50
Thank you so much, Gunnar, and welcome, everyone. Super excited to see so many attendees. CJ Dieteman here with Aon Cyber Solutions, formerly with Stroz Friedberg. I have been managing, executing, delivering and leading cyber security and risk management initiatives
01:07
for organizations all over the globe for a lot of years.
01:11
Uh, super excited to be speaking about this. Certainly in the context of the human element, dare I say, skills development capabilities. So I think it's gonna be a fun session and just want to reiterate: welcome, everybody.
01:25
Yes, thank you, CJ. Super excited. Glad we could be doing this together.
01:37
All right. So, CJ, how about we, ah, we tell the listeners a little bit more about Aon? You really talked about how you're making impact all over the globe. How about we tell the listeners, you know, a little bit further of what you all do as a company?
01:52
Sure, absolutely. Thanks for that, Gunnar. So
01:55
I know there's a lot on the slide. It's a bit of a placemat, but I think it really tells the story. First things first. Aon is a global enterprise risk management and professional services firm. Perhaps the brand is best known for certainly its capabilities in the
02:12
insurance brokerage and supporting the underwriting and risk transference process
02:16
across industry sectors. Having said that, Aon is truly a professional services organisation with capabilities. It never ceases to amaze me, the longer that I work with Aon, to know all the incredible capabilities and the depth of expertise that we have
02:32
across related processes under the risk management umbrella, one of those cyber security
02:38
and cyber risk management. So that's really sort of the story on this particular slide. Aon acquired a firm called Stroz Friedberg back in 2016, which was really a specialized incident response, digital forensics and security consulting firm
02:55
uh, with significant depth and breadth of capability in that realm.
03:00
Ah, and you know, one of the exciting things about being a part of Aon is that Aon really had some forward thinking and some foresight
03:07
into the realm of combining enterprise risk management with cyber risk management with traditional IT security. So that was really one of the underpinnings of the acquisition, and fast forward to 2020. Uh, it's kind of a thrilling place to be, and I think it's a unique offering. We'll get into that in the future. But
03:28
we've got practitioners
03:30
across the globe with specialties in cybersecurity, digital forensics, incident response, uh, risk management, brokerage, security architecture and other specialized cyber related capabilities. If you look at a couple of bullets on the screen, and then we'll move on. But
03:49
over the over the decades, we've we've worked on some 90% of the highest profile breaches.
03:57
Ah, you can Google Stroz Friedberg, check us out if you haven't heard of us before. We've got folks with capabilities, uh, computer science, mathematics, engineering, investigations, law enforcement and more. So again, that's kind of who we are and our capabilities now under the Aon Cyber Solutions umbrella.
04:16
Yeah, no, really appreciate that, CJ. And it's amazing. I mean, there's just the individuals that I talk to from Aon and Stroz Friedberg. You all have presence in about 120 countries from what I've seen, which is an amazing amount of reach. And then just
04:33
seeing the additional awards that you guys are earning there on the right
04:39
bottom hand corner of the screen, your top 100 best companies to work for, digital forensics and incident response service providers in 2017 as a top leader. Ah, so you guys are really doing, you know, incredible work and super excited to be able to really partner with you all.
04:56
So about Cybrary. So Cybrary is the world's largest and fastest cybersecurity development platform. Ah, so really what that means: we have 2.1 million community members on our platform where we have about over, say, about 1500 instructors that are producing content,
05:14
so that makes us the largest and fastest moving catalogue.
05:15
What that means is we're able to expand from your basic IT fundamentals through cybersecurity. So, um, we can start with entry level into the expert level or CISO level. We've been able to expand into verticals such as cloud and data science, AI/ML and secure DevOps.
05:33
So with these thousands of subject matter experts
05:36
and the best of the best vendors that are integrating into our platform to unlock the resources to test the knowledge, skills and abilities of, say, a team or an individual. Um, what we're able to do with that is really build a skills development program.
05:51
So it's easy to check mark a box that someone watched a video. But how do you really know that they gained those skills that they need to be proficient within their work role,
06:00
but also investing into an individual's, ah, future. So what that means is being able to take them from an entry level all the way to an advanced level, and that's investing in the future of the individual within your company, meaning that you can retain them longer.
06:17
Um, so Cybrary has been growing. We trained over one million professionals in 2019
06:25
with over 100 million minutes of training. So in 2019 our community network as well as our catalogue had 3x'd. So our community team has been growing incredibly, which, like I mentioned, the world's largest and fastest cybersecurity development platform.
06:44
So today just we're gonna be hitting on six key things. So starting off with full spectrum information security program over program view from CJ and then we'll dive more into the critical coverage areas of a skill development program on how to identify skills and mitigate that risk,
07:02
how to resolve coverage
07:04
area challenges. Ah, learning how to run an effective program, um, importance of a skill development and how CyQu fits with integrated learning. So we'll be able to see how Aon can run the skills assessments and how Cybrary will be able to, ah, to lay out that skills development program, uh,
07:24
to meet the gaps in the skills there
07:27
and then program framework, identify key results and then determine that ROI around that skills development program.
07:41
Thanks for that, Gunnar. This is CJ again. So now that we've kind of set the stage, I thought, you know, in prepping for this with Gunnar, I thought I'd spend just a few minutes talking about what we kind of positioned here. It's full spectrum information security, and guys, I promise, and Gunnar and I were joking about this before the session.
08:00
The last thing we want to do is talk at you with slides,
08:03
but nonetheless, I'm gonna put a slide up with a bunch of information on it. And in all seriousness, You know, when I think about cyber security and cyber risk management, what is it?
08:13
It's a series of business objectives and risk management objectives. It's a series of capability. And then as we drill down, we get down to human resources. Certainly technology, controls, processes are relevant. But,
08:28
you know, we're not yet at a stage where everything is fully synthesized and automated
08:33
and optimized from a technology and analytics standpoint and automation standpoint. Maybe we'll get there fully wing to wing someday. We're not there yet, and most of the organizations I worked with, quite candidly, are quite far off from that.
08:48
So when we think about it, we wanted to set the stage a bit more and talk about, wing to wing, what the key considerations are for setting up a full spectrum information security program. And, you know, I'm presenting it on this slide, aligned with our capabilities within Aon Cyber Solutions.
09:07
But I think for those folks on the call, most importantly in your respective organizations,
09:11
you would probably agree that this covers most of your cyber capabilities and concerns as well, and your objectives. There might be some others that have some overlap or have a bit of a different lens. But in general, if we work it left to right, certainly in 2020 we absolutely need a capability to respond
09:31
at the, you know, top left of the screen there, digital forensics and incident response. Unfortunately, the ever present threat of ransomware, malware, malicious external actors, you know, it gets over, the phrase gets overused.
09:46
And, uh, that phrase is: it's not a question of if something's going to happen related to cyber, ah, cyber incident or cyber attack, it's a question of when.
09:56
Unfortunately, that's proven true for a lot of organizations across industry sectors. So again, we've aligned our capabilities where we have deep and broad expertise
10:07
around digital forensics and incident response, and we strongly encourage our clients have those alignments. Those capabilities at least access to those capabilities as well. Thorough incident response, planning, readiness, tabletop exercises, that type of thing, certainly training and skills development and then, of course, partnership. Would
10:26
partnerships with organizations that can help
10:30
If we work, continue to work towards the right, security advisory capability. This would, I would categorize that sort of a general consultative capability specialized in things like security architecture, controls, compliance, remediation planning, the readiness, the assessment
10:48
of cybersecurity, risk and compliance. Ah,
10:52
we've aligned our practice capabilities in this realm, uh, within Aon Cyber Solutions. And indeed, our clients, we find organizations that we have the privilege to work with also have aligned their capabilities in these various specialized domains. As I mentioned, architecture, compliance, controls, technology.
11:11
Testing, something fairly specific. We break it out and I'll tell you why: technical vulnerabilities,
11:18
technology vulnerabilities, software vulnerabilities that could be exploited by malicious parties, malicious actors, either external of our networks or internal within our networks or in a business partner's network, warrants special focus, as it has for the past 20 years.
11:35
It's certainly relevant today if you Google. If you look at
11:39
any of the cyber breach and incident activity that's going on or that has gone on, unfortunately, far too many of them still involved
11:48
the exploitation of technical vulnerabilities. We've got a practice that's dedicated to penetration testing, red teaming, vulnerability assessment, application security and software analysis in this realm, just for that reason, and many of our clients are aligned along that way as well,
12:07
and we work very closely with them.
12:09
E-discovery, you know, what is e-discovery? You might say, well, I'm surprised they have that e-discovery capability. Well, what we found over the years, it's certainly after you have the technology storm,
12:18
Ah, and all the impact to an organization as it experiences a cyber incident or event. Typically, following the technology storm comes the law, the legal storm.
12:28
where there's a contested element of what transpired. There may be litigation, ah, criminal or civil litigation, investigation. So typically there's an element of having to do, you know, uh, meaningful, thorough, rigorous and appropriate
12:48
electronic discovery, and we have a practice
12:50
Ah, and specialized folks capabilities and tools available for our clients to enable that.
12:56
Um, and again, this is where, you know, when a cyber incident happened, uh, organizations find themselves not just with security practitioners working on it, not just with IT folks, but we've got legal at the table. We've got compliance at the table. We've got communications and executive leadership at the table.
13:16
just as those things are relevant.
13:18
That's sort of how we've aligned our capability.
13:22
Next couple items I'll just touch on briefly. Certainly, investigations and intelligence or threat intelligence. Really leveraging lots of our folks who have relationships and unique contacts
13:35
Ah, and access into areas of the threat community. Certainly research in the deep dark Web. And then we have folks within our practice who are ex law enforcement,
13:48
uh, who specialize in some of the most sensitive, most critical investigations and intelligence, uh, exercises and initiatives for clients. Risk quantification: let me fast track here. You know, this is one of the really cool things that I think Aon brings to the table. That's super important. Folks out there who are attending this event
14:07
in your respective businesses,
14:09
I'm sure you've been in that situation where leadership really wants a balance sheet analysis of cyber risk. If you go as a technology practitioner, and I've been there, if you go in front of senior leadership, whether it's in the retail industry, in the manufacturing industry, in the health care industry, or fill in the blank,
14:26
and you talk to them about technical security and technical vulnerability,
14:31
oftentimes you know those leaders will look at us and say,
14:35
So what? I don't care.
14:39
And unless we can carry that message and make it matter to the balance sheet with that balance sheet quantitative dollars and cents analysis of cyber risk,
14:48
very difficult to get anything done, whether it's justifying, uh, you know, adding resources, technology resources, human resources or skills enhancement. So it's one of the neat things that Aon does, bringing the best of the broader Aon enterprise risk management capability, coupling it with some of the technical security capability
15:07
from the Stroz Friedberg and Cyber Solutions team.
15:11
Pretty cool stuff. And I've seen it really open some eyes and help clients do some really cool things, and then finally, uh,
15:18
super important, the concept of cyber insurance.
15:22
Aon, as a global insurance broker, certainly huge in the global cyber brokerage environment. You know, it's the convergence of realms, the convergence of the cyber insurance realm, the overall risk management realm with the cyber security realm. And
15:39
many CISOs, CIOs are working with the risk management counterparts and organizations like yours
15:45
to make sure that not only do we have our foundation solid around control, security capability training but also cyber insurance. So
15:54
that's kind of how we think about the broader cyber program. At the bottom of the slide, and I promise we'll move on from here, is the various capabilities. You know, the old saying, the cliche, it takes a village. It certainly takes the diverse skill set of practitioners and leaders, not just technology
16:12
but risk managers, forensic accountants, investigators, criminologists, privacy professionals, certainly human resources and skills development professionals. These assumed the critical underpinnings of a cybersecurity program in 2020.
16:30
You know, CJ, it really stuck out to me when you talked about the quantification, um, really optimizing your total cost of risk. So you're pointing out around the balance sheet, I mean, if you're able to put numbers around, and we see that all the time here at Cybrary as well when we're building these skills development programs, is
16:45
you know, you need to be able to lay out why, why you need to invest in a skill development program, what kind of value that's gonna bring.
16:52
And then ultimately being able to show that return on your investment on why you need to continue investing in that and how that really benefits the organization. So it really that really stuck out to me there.
17:07
Thanks for that, Gunnar. Appreciate it. And, you know, we can probably fast track through this slide. But really, what we're looking at is some of the same information presented in a bit of a different way. You know, uh, Seek, Shield, Solve at a very high level. We've sort of categorized our capabilities and,
17:26
you know, if one of the folks on the call were to
17:29
kind of pin me down and say, CJ, where are you guys, uh, working with clients today across industry sectors with impact, helping them, I'd say, in the far end of the continuum, the concept of Seek related to cyber risk. And that's assessment.
17:44
You know, you don't want to be in that position where, whether it's related to skills development and training or implementing, rolling out cybersecurity controls, where it's ready, fire, aim. Hey, there's a problem. Let me, uh, let me throw some sort of, ah, random solution at it.
18:00
First things first, let's evaluate where we're at: strengths, weaknesses,
18:04
opportunities for improvement, where the burning platforms are, where the significant gaps are. And if you look at some of the things, I won't enumerate all of them, but you can take a look at them on screen and feel free to reach out, whether it's around, uh, you know, the cyber impact analysis, that would be the balance sheet evaluation, incident response readiness and planning.
18:25
Ah, we find, unfortunately, a lot of organizations are not ready. They're not only from a skill
18:30
development standpoint, but from a process, from a controls, from a procedural standpoint, they've got gaps, and we've got capability to assess that. Certainly privacy compliance assessment. Insider risk assessment. That testing capability we talked about earlier. We need to look at technical,
18:48
ah, security vulnerabilities to evaluate our technical environments, whether they're
18:52
our own legacy infrastructure, whether they're in the cloud, whether they're at a business partner. You know, while it can be said that, you know, true cyber risk management is not IT, is not just technical security, that's still a core component of it, which we can't ignore.
19:07
Moving very quickly through the rest of the slide: the concept of Shield, and that's protecting the organization, its critical assets. Certainly broader Aon brings to bear significant cyber insurance and brokerage capabilities for a client.
19:22
Couple that with our ability to help our clients remediate, evaluate, remediate with, ah, you know, swiftly, their incident response readiness, looking at things like cyber threat simulations and table tops. You know, the readiness is all,
19:40
uh, if you prepare your plan, then you work your plan, you test your plan, then you update your plan. Wash, rinse, repeat. Otherwise it gets stale, is what we found, unfortunately. Uh, cyber due diligence in advance of a potential M&A activity,
19:59
optimizing capabilities in the organization, whether it's the SOC,
20:03
ah, software development life cycle. We also help our clients from a strategic security strategy consulting, board advisory standpoint, of course, that point where cybersecurity risk intersects with fraud risk and business process risk. So
20:19
we help our clients kind of wing to wing in that realm and just in the
20:22
in the final bucket there before we move on. Guys,
20:26
when and if something happens. Ah, the ability to
20:30
parachute in and assist our clients in their in their darkest hour
20:34
and their most challenging hour, whether it's ransomware, malware, a network intrusion,
20:41
a data breach, other cyber event: our Stroz Friedberg incident response, our digital forensics, our e-discovery. I myself have had the opportunity and the privilege to serve very sensitive engagements related to expert witness testimony.
20:56
Um, you know, we certainly do our share of, the broader Aon team, my colleagues, come forward to assist with claims advocacy. Ah, and anyway, so that's a bit on what we categorize the Solve bucket, where we're there to partner with our clients when, when and if they experience
21:15
a catastrophic or significant cyber event.
21:21
Thank you for that, CJ. Yeah, I mean, it's great, and it's easy to see how you lay it out within the Seek, Shield, Solve from the previous slide, where you were like, oh, you know, there's a lot of writing up there. It really makes sense as you lay out your understanding and quantifying the risk, protecting the organization and critical assets and then
21:40
seeking out the truth and recovery
21:41
quickly, like you said, when they're in their darkest times. Um, so, you know, a little bit around statistics on the cybersecurity training landscape. Um, that's really where Cybrary has been able to learn where 74% of organizations are still acknowledging
22:00
that the security skills shortage is worsening for the third year in a row.
22:03
So it's understanding, identifying the skills gaps and then building that skills program around. Um, and as well, for 43% of employees, time to learn is the biggest obstacle to job related learning or professional development. So in our industry,
22:22
a lot of people say, I don't have the time. I don't have the time, too busy.
22:26
Um, just because so many professionals in our industry are wearing multiple different hats and having to do so many different jobs and tasks. Um, so we're seeing that they're saying, I don't have time, so being able to build a skills development program that you can tie into their day-to-day job is also very important. And that kind of ties into
22:45
individuals saying, do I build a program internally, or do I buy it out there? You know, using a, ah, partner, ah, to provide this for our organization. And so we found that building this internally, um, can cost as much as six times more than to hire an outside partner to build within.
23:06
So lack of guidance is also a
23:08
big gap that we found. So 61% would find aligning learning to skills gaps most helpful in making learning more relevant to their job or career goals. So being able to tie this around, um, into their career goals, such like I mentioned, Cybrary being a creative only platform, being able to scale them up within,
23:29
um and then also a big
23:32
challenge that we had found within the cybersecurity training landscape is
23:36
money and budget allocation. How do you make the most of it? How do you allocate that? To be able to invest into a skill development program and like you mentioned earlier, is the quantification so being able to show that in a business case in the balance sheet and then being able to show that return on investment. So this is just a couple stats that we've we've found that
23:56
that organizations are really struggling with
23:59
on how do you really facilitate a skills development program?
24:10
So this kind of shows here where we are trending. So as you hit into, that Aon really focuses into many different areas. Um, and this is where
24:22
you identify those skills gaps. And this is where Cybrary is able to really come in and understand and be able to lay out that skill development program. So in 2019 we discovered, um, that you risk management, risk assessment, internal auditing, um, a lot of risk management frameworks,
24:40
even automation around Python, Splunk.
24:41
These were all very, ah, high demand skills in the cybersecurity field, and they're continuing to be. But we understand that the cybersecurity industry is
24:52
evolving at such a fast pace, rapid pace. So how do you keep up with the skills that your employees need to be proficient within their job role? And so what that means is, you around the projected demand for cybersecurity skills. So this is what we found, um, from a Burning Glass report,
25:11
that the projected demand for cybersecurity skills around public cloud security. So we hear that all the time. Cloud, cloud is a huge thing that we're hearing more and more. IoT, network security, cybersecurity strategy. So strategy is also becoming
25:26
a, ah, huge area, like you'd mention as well, having that security strategy, understanding what your main security strategy is. And that's one of the big questions that I talk to, ah, my partners all the time is,
25:38
what is your security strategy? Not just now, but what is it 3 to 5 years down the road? You know, how are you keeping up? How are you gonna hit this strategy? And if they can't answer that,
25:48
I'm like, we gotta sit down. We gotta figure this out because, ah, that is super important, important to protect your data, your infrastructure. But also, we're also seeing the NIST cybersecurity workforce framework. Um, so even around that you have the 52 NIST NICE work roles where we've been able to map fully around
26:07
the KSAs
26:10
that are required within those work roles. Um, another one is sales for security and Open Web Application Security Project. So, really, what this shows is
26:19
that
26:21
the skills are always evolving. There's new skills being pulled in.
26:26
And so that's really where we focus on cyber enabled jobs, meaning that we want a few cyber security or security within all job roles. Um, so we see a big opportunity for companies to exploit this trend. Ah, within building a skills development program
26:45
and one of the ways where we're really able to keep up with the
26:48
ever evolving industry is with that fastest growing catalogue, our community network, where we are able to see the trends and leverage our 1500
27:00
instructors and professionals to be able to build these frameworks, these courses. We have the hands on applications, so, ah, you know that they have the skills, and then the assessment tools to be able to show that they are gaining these skills.
27:18
All right, thank you so much for that, Gunnar. And, you know, before we get into the next, uh, section here, one thing that I wanted to mention is, as a security and risk practitioner, I know many folks on the call, uh, come from a similar or related background.
27:37
as I meet with the ladies and gentlemen who work out in the field across all of my clients, including last week I was
27:45
I was out west and then I was on the East Coast with a couple of clients and some closed door sessions. You know, this concept of what motivates a security and risk management professional, a big part of it is ongoing skills development. And I know certainly in my career that's been the case. And
28:00
of all the things we're talking about, optimizing and enhancing capabilities, I think there's also a play here, and certainly the balance sheet ROI for some of these things. But there's also a play around general staff and employee morale and retention.
28:15
Ah, this concept that if we're continuing to invest in our staff and our practitioners and our leaders
28:21
within and across the organization, it just holds so much value for them. Never ceases to amaze me how important that is for individuals across levels.
28:30
Um, if you don't mind, I would like to do a bit of a polling question for folks on the call. We've got a great audience, and we've got an incredible population of folks participating in the webinar today. I'd like to put a polling question out there related to assessments
28:45
on what you've done around assessing cyber risk for your organization. So if you don't mind, folks, uh, you, uh,
28:52
promise the results are anonymous. But if you wouldn't mind participating in our poll here: has your organisation completed an assessment of its cyber security and risk management capabilities in the past 12 months?
29:07
All right, so we will let that go on for Let's say we'll give it up the 45 55 seconds it looks like people are answering the poll.
29:18
Uh,
29:18
and you know, and as that kind of technology you really hit on a great point there, CJ around morale and just really investing into your your employees. It's so important. We see that that every day where you know, we have
29:33
teams that aren't able to fill these positions. I mean, we see by 2021 it's gonna be over three million open jobs. I know there's statistics everywhere around that.
29:42
Um, but that's also super important as well. Um, so it looks like we are hitting that one minute mark. So again, we're gonna hit onto, ah, CJ's question again. Has your organisation, ah, completed an assessment of its cyber security and risk management capabilities in the past 12 months? So it looks like 37 people
30:03
answered Yes, 50
30:03
7%, actually now 58%. 13 people said no. And 15 people said, I don't know. So majority is yes, but it looks like there's more that are I don't know than no, CJ.
30:18
Got it. Thank you so much for that, Gunnar. And thanks, folks, for participating, you know,
30:23
um, what I'll say, you're not alone. Anyone in that population, you're not alone. And where you're at, and to that point, one of the exciting things that Aon has developed over the past few years and something that we've rolled out and continue to present to our clients. And I think it's relevant certainly in the context of
30:44
skills development and an evaluation of where you're at and where there might be gaps in the organization generally around capability,
30:51
is our CyQu, our Cyber Quotient Evaluation, uh,
30:56
platform. Basically, this is, ah, a portal, technology enabled, a series of questions. Think of it as an online questionnaire targeted toward cybersecurity and cyber risk management capabilities that enables you to quickly evaluate the cybersecurity posture, ah, of the environment, capabilities. Um,
31:18
it provides immediate benchmarking against industry peers. We'll take a look at an example report. Includes instant cyber maturity scoring and evaluation.
31:27
Uh, one of the many uses and I want to talk about potential benefits not only to, uh, the organization around security and cyber risk management, but also potentially to your underwriting effort.
31:41
Ah, your potential leverage of the CyQu reports as an insurance application, quote unquote, questionnaire,
31:48
uh, be extremely useful for that. In addition to enabling, uh, enabling the organization to decide where to focus for something like a learning and development program for cybersecurity.
32:00
So we think it's absolutely relevant. The cool thing about CyQu, guys, for me, is that it,
32:07
you know, dare I say, low cost around resource time. Ah, light touch self assessment. Leveraging our platform enables you to do some high impact things, though, for not a lot of effort. You get a
32:22
pretty interesting and useful result. Let's go ahead and advance, if you don't mind.
32:28
Here's an example CyQu report, and we'll get right into slide 12. If we can go, OK, you can stop right there.
32:35
You'll see that, you know, this is an example report. Sort of gives an overview of the organization, the results of the CyQu assessment at a very high level. Ah, you know, some key parameters and attributes of the organization based on the self assessment questionnaire.
32:52
Business information, critical applications, ah, network architecture, that type of thing. As you continue to advance,
33:00
keep going, next slide. Yep, we can take a look at the results of your organization's CyQu, which is very much a capability maturity score: 2.5. You can see the scale across the bottom. What we do is we tie it, and here's where it gets useful: if you're a retailer, if you're a manufacturer, if you're a real estate,
33:19
commercial real estate organization, if you're a healthcare organization,
33:22
we'll tie it into your industry average based on the full database and population of other CyQu reports. We anonymize the results. We do some preliminary analytics, and when we produce your report, you'll be able to see sort of where you sit in relation to your peers. In this case, for this particular CyQu example report,
33:42
there were 13 industry peers
33:44
that we bumped this organization up against. And then, of course, ah, global average, 254 peers for this particular one.
33:52
I could keep going. Um, but advance. Uh, gives a bit of a game board around the overall CyQu results, and we align it with certainly the NIST CSF and other best practices.
34:06
So, uh, folks who are security and risk management practitioners on the call will know that the NIST CSF is a fairly well-regarded
34:14
cybersecurity risk management framework that's out there. And we've incorporated the best principles of NIST and some other guidance, certainly within CyQu. So you'll recognize these various domains. You can keep going. You can advance, please.
34:30
And this is kind of where we get to the nitty gritty, if you will, or the useful results. As you can see, let's take a topic. For example, data security.
34:39
You can see your results, and it's kind of a classic red amber green with a numeric score around maturity. But data classification, peers at 2.5, and this particular organization was actually quite high. Excuse me,
34:52
but then, if we go down to access control, you know, if I think about clients and organizations that have unfortunately been compromised recently, one of the attack vectors is to compromise accounts
35:05
account takeover, and one of the controls that significantly mitigate that risk is to implement something like two-factor or multi-factor authentication. Without getting overly complex on this call, it's a key security control, control objective and control.
35:22
As you can see, this particular organization scored quite low.
35:25
They didn't have two-factor authentication in place for mission-critical infrastructure and applications. The peers did slightly better. So at a high level, this aspect of the report of the CyQu gives you this type of view for how you're doing as an organization across these key cybersecurity domains,
35:45
ah, versus your peers, and we can go and advance.
35:50
All right. So if you don't mind, can we put up that second polling question? Let's, let's go ahead and get that one up there, which now, now that we've talked about assessment, and assessment's important, but we certainly don't want to just assess, assess, assess, assess. We've got to get into action. We've got to get into remediation, whether that's around skills development
36:08
or security control. So the question
36:12
Does your organization have a holistic approach
36:15
to continuous improvement and enhancement for cybersecurity, incident response,
36:20
risk management and controls?
36:23
All right, go ahead. And it looks like votes are flowing in. So, like I said, we'll give it another 40, 40 to 50 seconds. Let everyone get their, their vote in. Um, but you know, like, like you've mentioned, you guys really dive into an understanding and assessing there's different areas.
36:43
And then, you know, really, where Cybrary is able to come in is
36:46
where you all have identified those gaps. We can build that skills program to, you know, improve the skills where, you know, we mitigate that risk. So, um, really, really incredible what you all are able to do with your assessment tools. So, uh, we'll give it a couple more seconds as the votes are coming in.
37:06
So again,
37:07
Um, the question is, does your organization have a holistic approach to continuous improvement and enhancement for cybersecurity, incident response readiness, risk management and controls? So looks like we have 58% yes,
37:23
29% no and 12% I don't know. So this is coming out pretty, pretty ahead with the yes there, CJ.
37:32
I'll tell you, this is the high-octane group, Gunner. Impressive. Uh, I got, you know, it brings a smile to my face in all sincerity and honesty, but coming back to the example report, you know, that's what it takes. It absolutely takes that heavy focus. It's refreshing for me to see that. As you can see, our CyQu report
37:51
includes the summary of improvement opportunities.
37:53
And you can see it's quite holistic across the cybersecurity domains. And it's not just about the technical security controls. You know, if I take a look at this, pick a topic, um, network security.
38:07
Maybe the organization needs to consider bolstering its wireless security, penetration testing, vulnerability management.
38:16
That skill set, forget about the technology, the technical aspect, that skill set may not exist within the organization. Maybe you've got some really good up and comers or, you know, folks who are focused part time on that. That's where the Cybrary aspect can come in to bolster those skills and to develop
38:34
be certainly quite often when I would. I see. It's sort of it.
38:37
The, um
38:38
the constrained resources on our teams, in addition to considering the technology enablement where you might need to look to the outside. So if you go ahead, advance to the next slide as well. This is where we sort of prioritize it a bit. Ah, and you know, if, if you were to ask, Hey, where,
38:57
what are my next five moves? My areas that really need focused
39:00
on. It's a bit subjective, and that's where typically we'll spend some time in a consultative way, debriefing with our clients and the results of the CyQu. With someone like me or one of my colleagues here, we will spend some time with you talking through it, whether it's, you know, the broader discipline of risk management
39:20
or user awareness and training,
39:22
where something like Cybrary would, would be so important and crucial to be that missing piece to bolster that, you know, the human element, due diligence, network penetration testing, incident response, uh, really guiding you on what's most important, which are those sort of next steps.
39:40
We'll go ahead and advance.
39:45
All right. And just, you know, we talked a little bit about this, but where is it useful? Um, and I won't read at you, I promise. But certainly around remediation prioritization, road mapping, budget and investment. Could be used as a framework for other analysis, vendor assessment,
40:02
risk management, certainly insurance market preparation, um, you know, pre-quantification analysis. And of course, I claim will be extremely useful. And I'll turn it back to Gunner here in a moment to talk about how something like CyQu could help illuminate next steps for skills development and training program.
40:23
Yes. Thank you, CJ. So, yeah, I mean, building out that skill development program framework, it is important. So, ah, Aon, with the CyQu, was able to identify, um, where the gaps were in the skills. So seeing that, ah, risk management was at a 1.7 or, ah, network penetration testing's at a 1.0.
40:43
This is where Cybrary is able to also go and have that consultation approach
40:47
and understanding and going through the results and seeing where those gaps are. And this is where we're able to build that skills development program. So incident response. We have a full incident response program to be able to send, um, that team or individuals through a structured skills development program to make sure that
41:07
we can build up those skills to
41:09
obviously fill those gaps, as well as, say, network penetration testing, that pen, that, um, penetration testing career path. Um, we can lay out where we're able to tie in, uh, the courses and hands-on labs for the hands-on experiential learning
41:27
and then be able to assess them to make sure that they have gained those skills they need,
41:30
Um, you know, to fill those gaps. So obviously identifying the roles and skills as you can see here from the ah, one of the
41:38
the results from the CyQu, you can see that the user awareness training came in as the highest, um, so we can assess the workforce, so we can even pre-assess someone within a skills development program before we actually align that role
41:52
and assign that out. So then we develop that pathway. And like I said, we do that consultation approach where it's not just, you know, saying you have access to all this stuff. We want to build this around, we want to tailor it, uh, to what a best fit for, say, an organization is, and then the individual or teams
42:12
will then, um, acquire those skills through going through their, their pathway.
42:16
And then you adapt and revise. So you go through another assessment, and then this is where you can also, with the skill development program, continue to invest in that employee, and we mentioned earlier in the conversation, retention is huge. So you can invest in this employee as they skill up. They can move to, say, another, uh,
42:37
another level, ah, promotion. We even focus on if they want to make a career change.
42:43
That also retains an employee, where we can actually lay out that program if someone wants to go from, ah, you know, within incident response into penetration testing. And so we can actually really build this program around the work roles within all organizations.
42:59
So what's the best fit? So this is really where we're able to tie this skills development program to
43:05
where you all have identified those gaps. We can lay out the skills development program and then mitigate that risk, where we're protecting the organization and the individuals have the skills, they feel like the company's investing in them, where you retain them. And so, you know, that there's so much that goes into it from,
43:22
you know, where you go through the CyQu with, with Aon and then kind of get into the skills development program with Cybrary.
43:30
So a little bit more about, around ROI. That's something that I hit on many times through this conversation, where return on investment, is it important.
43:45
And so the statistic around it costs an employer 33% of an annual salary.
43:51
So this is based on a $75,000 average salary. That's $24,000 to bring in and hire a replacement worker if a worker leaves, so retention is, is very important. Um, so this kind of breaks down here where if you send an employee to a one week,
44:09
you know, boot camp class, where they're just getting one skill or one certification on average, you're costing about $4000 to 2 500 this is being being, ah,
44:23
you know, kind on it but cost of travels 2 to 500 cost of the employees being out of the office for the week. You know, paycheck, um, for the week and then average annual cost of maintaining certifications. So continued education is very important on as individuals are gaining these skills or gaining these certifications,
44:42
then they need to maintain these certifications.
44:45
So then organizations are paying around, on average, $1000 for individuals to go to conferences to, you know, to maintain these certifications, um, and then estimated attrition savings, you know, that 24,000 that I mentioned, um, and then
45:00
your average return on your investment per employee is just shy of $18,000. Um, you know, a lot of these are estimated numbers, but it really shows you how we're able to build this program, build this case on how you can, on why you should invest into it and what that return on investment is.
45:21
Um, so it just kind of gives you some some numbers on what you can really get a return out of
45:25
building that skills development program.
45:30
So we are also going to ask another polling question here. So, uh, so it's gonna be: Does your organization have a programmatic approach to ongoing cybersecurity training and awareness for all staff, employees and business partners? So we're gonna, we're gonna
45:49
let it go for another 40 to 50 seconds, see what?
45:52
Make sure everyone gets their votes in, and we'll, uh, reveal the ah, the results.
46:07
All right.
46:09
So let the, let them keep coming in, so get your vote, and we'll be revealing the results here momentarily. So does your organization have a programmatic approach to ongoing cybersecurity training and awareness for all staff, employees and business partners? So we are looking at
46:29
46% yes, and 40% no,
46:32
and then 13% I don't know. So this is, this kind of worries me a little bit coming from the skills development side just because it is so important to invest in your company, your employees, um,
46:47
and business partners. I mean, it is super important to make sure that they are gaining the skills to be proficient within their their work roles because this ultimately provides the
46:59
the company. I mean, this provides security. What are your thoughts on that, CJ?
47:07
Yeah. You know, I'll say, You know, there's also the intangible, which is Ah,
47:14
you know, the human element here, which I think it's so important. Um,
47:21
you know, the qualitative evaluation of risk and the quantitative evaluation of risk. You know, perhaps we can assign
47:28
dollars and cents and ROI and leverage that in a quantitative evaluation of risk, no doubt.
47:34
But more often than not, when I look at some of the cyber incidents and events, um,
47:39
that I'm involved with and that we're involved with working with our clients,
47:44
the human beings involved, you know there's technology, there's controls, there's all of these things. But more often than not, there is most certainly Ah, you know,
47:54
a human being involved with certain behaviors, activities and a knowledge base. Anything we can do to expand and enhance that knowledge base to influence their behaviour is gonna have a positive impact on qualitative risk and ultimately, quantitative risk. The other thing I'll say is retention. No doubt. Um, you know, the number one risk, well,
48:15
one of the top three risks
48:15
most folks I talked to in the cybersecurity risk management realm is talent.
48:22
The shortage of talent, the criticality of talent and everything that we lose when, when we invested and we hire someone, bring them on board, all that organizational knowledge that they have, and they leave. Anything we can do to invest in that individual that drives retention,
48:38
uh, end up giving us, ah, net savings and positive impact overall on the organization when we can retain them.
48:47
Yes, absolutely. And just it was super interesting. So by the final poll, it was 45%. Yes, 45% No. And then the other was I don't know. So super interesting how that you know yes and no lined up. Ah, very, you know, just the same. But, you know, just
49:05
I want to make sure that we leave enough, a couple of minutes there at the end to be able to answer any questions.
49:10
You know, we're getting close on time, but I just kind of want to run through characteristics of a strong program. Um, so, you know, we laid out how you can identify those roles and skills and assessing your workforce, aligning those work roles and developing these pathways, which gives them a structured pathway from start to finish,
49:30
acquiring and validating those skills and then ultimately adapting and revising.
49:35
But some other characteristics of a strong program goes around the core belief in the importance of security. So I mentioned security enablement, infusing that security through all work roles and having that mindset is super important, that we've seen through a lot of our enterprise clients, and here,
49:51
value and ROI for employer and employee. So we've talked about that many times today. Quantitative, that return on your investment. Training focused on practical, relevant skills. Outcome-based training system. So being able to see those results, being able to see, um, you know,
50:07
in-depth analytics on what your employees are doing and the skills that they're gaining.
50:12
Adaptive curriculums, ongoing year-round development. So I mentioned that continued education, being able to get those CEUs, CPEs. The road map for the team and each member, giving them a pathway on how they will, where they will start and where they can end up, and giving someone a structured path of growth
50:29
so they aren't just lost and not knowing what's next. And ultimately,
50:34
like you mentioned, the retention is important. So if someone doesn't really know where they're going, they're going to get what they need, and they're gonna end up leaving, essentially manage So having that one centralized location to facilitate skills development, and then regular assessments and validation. Um, so these are the core characteristics of running a strong program.
50:52
Um, and then you're really a summary. And next steps from what we've learned today is
50:58
assess your environment with Aon, evaluate priorities for cybersecurity, understanding prioritized control gaps and then dive deeper into your people skills and capabilities and bolster it with meaningful training. So being able to assess, identify those skills gap,
51:15
mitigate the risk and skill up your your workforce, which is super important.
51:21
Um, and then ultimately, we want to thank you for joining. We do want to ask, you know, see if anyone has any questions. So type in your questions there in the chat, chat bubble, but you can reach out to CJ as well as myself. Um, CJ, all of our contact information is here. I know his email, phone number, as well as LinkedIn.
51:39
You can reach out to me as well, my email and LinkedIn. I'm always available to answer any questions, and then
51:46
CJ, if you want to add anything in, and then once, once we're finished with that, we'll see if anyone has any, any questions for us before we wrap up here.
51:58
No, I think, Gunner, thanks for that. Uh, hopefully this was helpful, everybody. And let's see if we have any, any good questions from the group.
52:08
All right,
52:15
let's see here. So,
52:17
you know, it kind of talks about someone someone just mentioned you. Asked here. It kind of hits into a lot of what what we've talked about on How do you find the right talent but also retain your current employees? Because we have mentioned that the skills gap, the open jobs are everywhere.
52:36
And so it's really finding that right talent which, you know, Cybrary is really,
52:39
really identifying on how we can find the right talent to place them in the right jobs. So we're super excited about being able to do that. But as well as retaining your employees, and organizations have identified the need to support the learning of cyber professionals, especially given the constant change of the emerging field.
53:00
So to find the right people and retain staff, organizations need to invest in their training.
53:04
Um, and, and we've talked about that, that today, and really around Cybrary offers that career development program and delivers a personalized path for every user. Um, so what this means is this allows full support of current and future cyber professionals within an organization, organization wanting new people to join
53:22
and existing employees to stay and thrive. Ultimately, it's really investing into that that belt
53:28
program for for your employees
53:30
And Gunner, if I may, there are a couple of questions about CyQu. I'll just very quickly try to touch on them. So one of the neat things about CyQu, there was a question asked whether or not it's on-site procedures. How do we collect the information?
53:45
CyQu is very light touch. It's, it's a remote self-assessment questionnaire done through an app. So no on-site procedures. We will do a consultative read out of the report. Sometimes we come on site with our clients for those, just depending. We also do deeper dive assessments. But the CyQu was really meant for that sort of, Hey, what's next? Where do I begin?
54:05
And there was another question asked
54:07
Can tell, you know, the depth of some of the folks we have on the call. They're asking about whether it was fit for purpose for a SOC 2 audit. And the answer is no, asterisk. I've done, ah, that type of work over the years and certainly the predecessor, the SAS 70 oriented work, quote unquote. What I will tell you is that it would be a good primer
54:25
for an organization considering SOC 2,
54:29
pursuing a SOC 2. But there's no substitute for a deeper dive evaluation of your specific controls that are gonna be in that service, service organization report. So
54:40
I'll kind of leave it at that and back to you, Gunner. Yes. Thank you, CJ. I mean, the questions that are, that are coming through are, are great. Um, so it looks like we are about to get into our last couple minutes here,
54:58
um, going to see just double check here. Let's take a look if we have any other last last question.
55:04
Yeah. So Joel asked: You talked about time to learn as a barrier. How does Cybrary, as a learning solution, address that? And you kind of mentioned it throughout the, throughout the presentation. But
55:15
you could It's that one. Yeah. So really, you know, mentioned time to learn. Um, and so we had really actually seen that around, um,
55:25
the lack of guidance as well. So really being able to build a this customized program of that fits
55:35
the organization or the team that that is going to be that is going through the skills development program. So we found that
55:43
that structure is super important and just giving someone a license to access such a a vast catalog. They're not going to really, um,
55:53
prioritize it as, as something they need to do. But being able to lay this out and tie this into their everyday job, um, also being able to incentivize it, being able to show that, you know, if that structured pathway, um, it really
56:10
ultimately helps on individuals. Well, as a team start to prioritise Ah, that this is a need within the company that it's a requirement. And so, um, just
56:22
and you know that there's a lot of different things that can tie into that, but really, it's just being able to prioritize a skills development programme as a priority and not just, uh oh You know, I just need I need to do it because I need to get, um I want to get
56:40
this certification to do this. It's just being able to tie it to that everyday job. So thank you, Tatiana, for, ah, pointing that question out for us. Um, but, CJ, if you have anything else that you want to include, it looks like we are, ah,
56:54
we're starting to hit into time here. Um, just
57:00
one a just double check. If you had anything else that you want to include in.
57:04
That's it for me. Thanks, Gunner. Thanks, everybody. Really appreciate it. On past succession, hopefully useful to folks and, uh, yeah, turn it back to you. All right. Thank you, CJ. It was really great being able to do this with you. I look forward to multiple more.
57:21
Um, it was super excited to be able to join this partnership between Cybrary and Aon. It's very exciting
57:29
being able to assess the skills development program. Ah, like I said, if you all want to reach out to CJ or myself, our contact information is here. We will make sure that we get the recorded version, ah, sent out to everyone that registered as well as attended. And give us some feedback. We want to hear from you. Reach out to us,
57:49
Ask questions and we Ah, again
57:51
thank you again for attending and hope you all have a Ah ah, great rest of your day.

Seeing 2020: Bringing Cyber Solutions Together for Security Skills Development

In this free webinar, Cybrary and Aon Cyber Solutions have teamed up to bring you an inside look into what makes a successful holistic cybersecurity program; a proven framework for helping organizations reduce, manage, and respond to cyber risk.

Instructed By

Gunner Kerr
Instructor
CJ Dietzman
Senior Cyber Security, Risk, and Compliance Practitioner and Leader
Instructor