Cyber-security expert and educator Paul C. Dwyer teaches an eight-part Certified Cyber Risk Specialist course being offered in partnership with Compliance Week. The following is an edited Q&A with Dwyer about the course:
Join Paul C. Dwyer, president of the International Cyber Threat Task Force (ICTTF), for a Certified Cyber Risk Specialist course to equip you with a comprehensive understanding of cyber-risk management. The syllabus assumes a non-technical background, covering a range of topics from identification of cyber-risks through to risk management options. The course, which costs $949, will equip students with the knowledge, skills, and confidence to protect the digital assets of their organization and support the efforts of or lead the implementation of a cyber-risk framework.
Q. Can you explain what it is people who take this course should expect to get out of it?
A. Anyone who takes this course should expect to gain confidence in dealing with all aspects of cyber-security or cyber-risk. The course itself has been designed and developed for business leaders as opposed to more of a technical audience.
Our objective was to bridge the gap between cyber-security, risk management and compliance, and meeting business objectives. It is a bit of a master class that’s intensive but brings people through a multidisciplinary array of topics—everything from dealing with suppliers, legal, cyber-resilience, dealing with remote workers, cyber-strategy, dealing with the board. All of these aspects, so that you can become a catalyst within the business … and also be able to empower the business to meet its objectives and goals.
Q. Would you say this class is not for somebody who already has expertise in cyber-security, but rather someone who needs to strategize for those type of people?
A. I think actually there’s something in it for both sides, because if we look at somebody who has expertise in the discipline of cyber-security, that tends to be a silo around the technical cyber-security controls, such as things like firewalls, network management, all of those specific areas. But the reality is in today’s world from a compliance perspective, somebody may come to that expert and say, ‘How are we doing on cyber-risk oversight? How are we doing on cyber-governance?’ Those are difficult questions for any technical expert to ask, because they may not understand those aspects and how they relate to the business model.
Because we take a holistic view and come from the business perspective, we’re actually relating and enabling those cyber-security experts to understand those older intrinsic parts of the cyber-security mission. One of the key messages throughout the eight-module course and one of the deliverables is that everybody develops their own cyber-strategy. You can’t just be doing cyber-security and think you’re doing a great job. You need to know that it’s adequate, appropriate, and contextualized for the business that you’re working for, the business you’re protecting, the business you’re enabling. So somebody in cyber-security, no matter what expertise they have, they’ll definitely get something out of this.
But the vast majority of people that have successfully completed this course are people like data protection officers, compliance officers, anti-money laundering, fraud officers, business leaders, chief risk officers, IT managers, and IT security managers. Those tend to be the job titles of people that have gotten the most out of it.
Cyber-security over the years has widened to encompass everything from cyber-resilience, legal, regulatory, business, governance, oversight, procurement, external vendors, all of these pieces. And we cover all of that in the course. So they may find some parts where they go, ‘Yeah, I know that.’ And other parts they are going to go, ‘Wow, that was a gap in my knowledge, and now I understand what that means.’
Q. What differentiates this course from the many other cyber-security trainings in the market?
A. One of the things that I like to stress to people is that it’s non-technical. We take them gently on this journey. It is a technical subject matter. But if we talk about anything technical, we break it down into bite-sized pieces and explain it to them, because one of the things we want to do is demystify the jargon of the world of cyber-security because cyber-security is full of people who just drop acronyms and buzzwords all over the place.
And we explain to the audience that, ‘Look, you’re actually doing a lot of this stuff anyway. You’re doing compliance. You’re doing risk management.’ We’re going to tell you how you augment those types of processes, how you build them into your business and take care of cyber-threats. It’s not about turning you into a cyber-practitioner overnight or anything like that. It’s not a technical course. But yes, of course, we have to reference some technical material. But we do that in a very gentle way, and we break it down.
The other feedback we get, which I think is important for people to understand, is that the course is actually very entertaining. We use real-life case studies. So we take, for example, a case study maybe of TalkTalk’s hack attack, and then we break that apart and we say, ‘What did the CEO of TalkTalk do wrong in dealing with that instance?’ Here’s the poster child for how not to manage a cyber-instance. And we break those things down right through. We got a huge amount of positive feedback about how engaging people found the material. They didn’t find it hard to get through. Many of them said they look forward to getting the modules every week.
Our mantra is it takes a network to defeat a network.
The bad guys are networked—they train, and they help each other. And we are the antithesis of that. We can enable people and empower them to defeat cyber-evil. And we reference it as cyber-evil because we talk about everything from trafficking endangered species in animals, children, all of those kinds of things. We show you the reality of cyber-evil, how terrorists work together, how ISIS works together, how pedophiles work together with cyber-criminals.
So if you’re protecting credit card data, if you’re protecting someone’s name and address, that’s what you’re defeating. That’s what you’re stopping, and you have to understand the enemy is on a mission and get empowered. It’s not just about protecting your date of birth or an email address or a password. By doing these small things, you’re stopping these evil things happening around the world.
Q. Would you describe this course as more philosophical or practical in your approach to cyber-security?
A. It’s all practical information; it’s not theoretical. It’s about how you do this in the real world as opposed to just concepts.
We try to take the subjectivity out of this subject; we make it a science as opposed to an art form, so that people can actually understand this stuff and it’s not about, ‘Well, I think that’s good security,’ or, ‘I think that’s safe.’ They’re not terms we want to use. We want to be able to put science behind this. What is the number? What is the metric? What is the risk rating in relation to doing this?
Everything we’ve done is pretty much a finger on the pulse of what’s going on out there presently, what’s happening in the market at the moment, or in geopolitics, even the impact COVID-19 has had on the threat landscape.
Q. So this is an asynchronous, eight-module course that people can take whenever they have time to do it?
A. Yes, for the Certified Cyber Risk Specialist course, you have 90 days to complete it and can do it at your own pace. You have 24/7 access to material and can do the exams when you want to do them. It’s probably about 5-6 hours of effort per module to get through because there’s roughly two hours of video material per module. And then there’s the reading material you need to read if you’re going to complete the online exams. All of the answers are in the reading material.
But there’s added information like “jargon busters” and things like that, and everything is closed captioned as well.
Q. Is this class tailored more for a particular region or for a particular set of regulations? Or will someone in the United States get as much out of it as someone in Europe, for example?
A. It’s global. One of the challenges that organizations have both in Europe and the United States is this trans-Atlantic divide in relation to cyber-security. And we tackle that through this content. So we talk about the General Data Protection Regulation (GDPR) and European privacy. We also talk about the new California privacy regulations. We talk about the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We talk about the frameworks being used by the European Central Bank. And we talk about the fact that we all live in a global world. The Internet is flat, and you’re not operating in your small little region, you’re operating in a global market space. And yet you need to understand and observe the regulations in the regions where you have customers. So, for example, if I start selling services into California, I need to know I’m not breaking the laws in California through whatever way I provide those services.
It’s probably about 50 percent American-based because it tends to be the standard-setter. We reference the American National Standards Institute, NIST, International Society of Automation, those kinds of standards, but we pepper them in with standards from other parts of the world as well.