Dr. Vilius Benetis, CISA, CRISC
NRD CS, vb@nrd.no
Mon. 10:30-11:45
#EUROCACS
Problem
• Cybersecurity controls are failing to protect organizations.
• Controls consist of skills, process, and technology.
• Audit of technology and process is well understood.
• Audit is expected to assist organizations.
• How should a skills audit be approached for a better cybersecurity result?

Cybersecurity Skills Audit: When and Where?
From recent ISACA publication: Information Systems Auditing: Tools and Techniques—Creating Audit Programs
Callouts placed on the audit-program figure:
• Automation of business functions
• Ex. Assess org/IS resilience to cyber threats
• Should we include skills audit?
• 1) Risk: lack of skilled people; 2) Skills required to assess
• Methodologies (NICE, CSC, e-CF, SFIA)

Other Reasons for Skills Audit
HR:
• Re-organization preparation. Which skillsets do we need to plan for?
• Which skillset should we hire for?
CISO office:
• Information security should be handled better. What skills are missing?
Career planning:
• What should I focus on for my cybersecurity career?

Cybersecurity Skills Models
• NIST NICE (United States)
• e-CF (European Union / Dutch)
• SFIA6 – Matthew Burrows / SFIA6 Design Authority, design@sfia-online.org / EuroCACS/ISRM 2015 presentation

NIST NICE (framework diagram slides)

What skills are required for cybersecurity?
https://www.cisecurity.org/workforce/workplace/

EU model e-CF
www.ecompetences.eu

CSC operation: Security vs. IT roles
(Pie chart of CSC operation share by role. Legend: Developer, ICT Security Manager, ICT Security Specialist, Network Specialist, Systems Administrator, Systems Architect, blank. Segment values shown: 39%, 25%, 17%, 17%, 2%, 0%.)

CSC operation: Alternatively
(Pie chart of CSC operation share by role. Legend: Developer, Enterprise Architect, ICT Security Manager, ICT Security Specialist, Network Specialist, Service Desk Agent, Systems Administrator, Systems Architect, Trainer, blank. Segment values shown: 67%, 14%, 7%, 5%, 3%, 1%, 1%, 1%, 1%.)

PvIB/e-CF model vs ISACA CISM (mapping table)
e-Competences: D.1. Information Security Strategy Development; E.3. Risk Management; E.8. Information Security Management
Job Profiles: CISO, ICTSM, ISO, ICTSS
CISM Domains: D1. Information Security Governance; D2. Information Risk Management and Compliance; D3. Information Security Program Development and Management; D4. Incident Management and Response
Proficiency levels listed in the table: Not Available; Level 5; Level 4; Level 5; Level 3; Level 4; Level 3; Level 4, Level 3

PvIB/e-CF model vs ISACA CISA (mapping table)
e-Competences: E.8. Information Security Management; E.9. IS Governance; B. BUILD (ICTSS: B.4. Solution Deployment); C. RUN (ICTSS e-CF only: C.2 Change Support, C.3 Service Delivery)
Job Profiles, proficiency: CISO, ICTSM, ISO, ICTSS
CISA Domains: D1. The Process of Auditing Information Systems (14%); D2. Governance and Management of IT (14%); D3. Information Systems Acquisition, Development, and Implementation (19%); D4. Information Systems Operations, Maintenance and Support (23%)
Proficiency levels listed in the table: Level 5, Level 4, Level 4; Level 4 (e-CF only); Level 3; Level 2; Level 3 (e-CF only)

PvIB/e-CF model vs ISACA CRISC (mapping table)
e-Competences: E.3. Risk Management
Job Profiles, proficiency: CISO, ICTSM, ISO, ICTSS
CRISC Domains: D1. Risk Identification (27%); D2. Risk Assessment (28%); D3. Risk Response and Mitigation (23%); D4. Risk and Control Monitoring and Reporting (22%)
Proficiency levels listed in the table: Level 4, Level 3, Level 3

PvIB REALM vs ISACA REALM (mapping table)
PvIB Model, e-Competences:
• A.7. Technology Trend Monitoring
• B.4. Solution Deployment
• D.1. Information Security Strategy Development
• E.3. Risk Management
• E.4. Relationship Management
• E.8. Information Security Management
• E.9. IS Governance
General competences: G.1. Leadership; G.2. Project management; G.3. Communication and persuasion; G.4. Technical research; G.5. Organisational sensitivity; G.6. Management; G.7. Analytical skills; G.8. Integrity
ISACA CISM Domains: D1. Information Security Governance (24%); D2. Information Risk Management and Compliance (33%); D3. Information Security Program Development and Management (25%); D4. Incident Management and Response (18%)
ISACA CISA Domains: D1. The Process of Auditing Information Systems (14%); D2. Governance and Management of IT (14%); D3. Information Systems Acquisition, Development, and Implementation (19%); D4. Information Systems Operations, Maintenance and Support (23%)
ISACA CRISC Domains: D1. Risk Identification (27%); D2. Risk Assessment (28%); D3. Risk Response and Mitigation (23%); D4. Risk and Control Monitoring and Reporting (22%)
ISACA CGEIT Domains: D1. Framework for the Governance of Enterprise IT (25%); D2. Strategic Management (20%); D3. Benefits Realization (16%); D4. Risk Optimization (24%)
ISACA side also requires: generic competences, proven experience and continuous education. Areas the PvIB model does not cover are marked NA.
PvIB Job Profiles (CISO, ICTSM, ISO, ICTSS) with proficiency levels, in the order listed in the table: Level 3, Level 3; Level 2; Level 5; Level 4, Level 3, Level 3; Level 4; Level 5, Level 4, Level 4, Level 3; Level 4, Level 3, Level 3, Level 3

SFIA6 (framework diagram slide)
SFIA6 (sample skill description slide)

How to run a skills audit?
Simplest:
• Ask: what skills are missing to reach the goals?
Medium:
• Inventory/assess existing skills via questionnaires (list competences, ask people to self-assess)
Sophisticated:
• Run serious tests to assess skills

Output of skills audit
Simplest:
• List of skills/competences and who covers them
• Items without people – missing competences
Medium:
• Skills/competences with required levels and fulfilled levels
• Gap is visible
Sophisticated:
• Detailed report from professional skills assessors

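The "Medium" approach from the two slides above (questionnaire-based inventory, required versus fulfilled levels, visible gap), worked through as an added Python example that is not part of the presentation. Competence IDs use the e-CF naming from the deck; the required levels per job profile and the staff roster are constructed sample data, not the PvIB mapping shown earlier.

```python
"""Skills-audit gap analysis following the "Medium" approach on the slides:
each competence carries a required proficiency level per job profile, staff
self-assess their own level via a questionnaire, and the audit output is the
visible gap.  Competence IDs use the e-CF naming from the deck; the required
levels and the staff roster are CONSTRUCTED sample data, not the PvIB
job-profile mapping shown in the presentation.
"""
from dataclasses import dataclass

# e-CF proficiency levels run from 1 (lowest) to 5 (highest).
MIN_LEVEL, MAX_LEVEL = 1, 5

# Required level per competence for each job profile (constructed sample).
REQUIRED = {
    "CISO":  {"D.1": 5, "E.3": 4, "E.8": 5, "E.9": 4},
    "ISO":   {"D.1": 4, "E.3": 3, "E.8": 4},
    "ICTSM": {"E.3": 3, "E.8": 4, "B.4": 3},
    "ICTSS": {"E.8": 3, "B.4": 3, "C.2": 2, "C.3": 2},
}


@dataclass
class Person:
    name: str
    profile: str
    self_assessed: dict  # competence id -> claimed level

    def __post_init__(self):
        # Reject questionnaire answers outside the e-CF scale instead of
        # silently letting an out-of-range claim satisfy a requirement.
        for comp, lvl in self.self_assessed.items():
            if not isinstance(lvl, int) or not MIN_LEVEL <= lvl <= MAX_LEVEL:
                raise ValueError(
                    f"{self.name}: level {lvl!r} for {comp} is outside "
                    f"{MIN_LEVEL}..{MAX_LEVEL}")


# Constructed questionnaire results (no one holds the ISO profile).
STAFF = [
    Person("Alice", "CISO",  {"D.1": 5, "E.3": 3, "E.8": 4}),
    Person("Bob",   "ICTSM", {"E.3": 3, "E.8": 4, "B.4": 2}),
    Person("Carol", "ICTSS", {"E.8": 3, "B.4": 3, "C.2": 3}),
    Person("Dave",  "ICTSS", {"E.8": 2, "B.4": 3, "C.3": 2}),
]


def uncovered_competences(required, staff):
    """Simplest output: required competences that nobody in the organisation
    claims at any level ("items without people")."""
    needed = {c for comps in required.values() for c in comps}
    claimed = {c for p in staff for c in p.self_assessed}
    return sorted(needed - claimed)


def best_level(staff, profile, comp):
    """Highest self-assessed level for a competence among staff holding the
    profile, or 0 when no one in that profile lists it."""
    return max((p.self_assessed.get(comp, 0) for p in staff
                if p.profile == profile), default=0)


def gap_report(required, staff):
    """Medium output: for every profile and competence, the required level,
    the fulfilled level and the gap (never negative)."""
    report = {}
    for profile, comps in required.items():
        report[profile] = {}
        for comp, req in comps.items():
            have = best_level(staff, profile, comp)
            report[profile][comp] = {"required": req, "fulfilled": have,
                                     "gap": max(req - have, 0)}
    return report


def unstaffed_profiles(required, staff):
    """Profiles with a required skill set but nobody assigned to them."""
    held = {p.profile for p in staff}
    return sorted(set(required) - held)


def format_report(required, staff):
    """Render the audit as text lines; only competences with a gap are
    listed so the shortfall is visible at a glance."""
    lines = []
    for profile, comps in gap_report(required, staff).items():
        for comp, r in comps.items():
            if r["gap"]:
                lines.append(f"{profile:<6} {comp:<4} required {r['required']}"
                             f"  fulfilled {r['fulfilled']}  gap {r['gap']}")
    for comp in uncovered_competences(required, staff):
        lines.append(f"MISSING {comp}: no one in the organisation claims it")
    for profile in unstaffed_profiles(required, staff):
        lines.append(f"UNSTAFFED {profile}: no one holds this job profile")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(REQUIRED, STAFF)))
```

Self-assessed levels are only as reliable as the questionnaire, which is why the "Sophisticated" approach on the slides replaces them with tests; the level-range check here catches malformed answers, not optimistic ones.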
Summary
The main cybersecurity challenges are in governance, workforce skillset, and the inability of technology to be resilient.
The presentation is geared toward auditors, to learn how to use different cybersecurity workforce models to prepare better for cybersecurity audits.
Differences between the NIST NICE, EU e-CF and SFIA models are presented, along with how to modify these frameworks for your own use and how to integrate the Critical Security Controls.

Capabilities asserted after the presentation:
1. create your own adjustments to the cybersecurity workforce skillset
2. connect cybersecurity tasks with skills
3. recommend remediation actions to organizations for cybersecurity workforce problems
4. apply US and EU cybersecurity skills, job profile and e-competence models to your own internal and external audits

Thank you!
• Dr. Vilius Benetis, CISA, CISM
• vb@nrd.no, NRD CS
• https://www.linkedin.com/in/viliusbenetis
Agentic RAG What it is its types applications and implementation.pdfChristopherTHyatt
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Product School
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 

Recently uploaded (20)

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 

Cybersecurity Skills Audit

  • 1. Dr. Vilius Benetis, CISA, CRISC NRD CS, vb@nrd.no Mon. 10:30-11:45
  • 2. #EUROCACS Problem • Cybersecurity controls are failing to protect organizations. • Controls consist of skills, process, and technology. • Audit of technology and process is well understood. • Audit is expected to assist organizations. • How to approach the skills audit for better cybersecurity result?
  • 3-8. #EUROCACS Cybersecurity Skills Audit: When and Where? From recent ISACA publication: Information Systems Auditing: Tools and Techniques—Creating Audit Programs. Audit area: automation of business functions (ex. assess org/IS resilience to cyber threats). Should we include a skills audit? 1) Risk: lack of skilled people. 2) Skills required to assess. Methodologies: NICE, CSC, e-CF, SFIA.
  • 9. #EUROCACS Other Reasons for Skills Audit HR: • Re-organization preparation. What skillsets do we need to plan for? • What skillset to hire? CISO office: • Information security should be handled better. What skills are missing? Career planning: • What should I focus on for my cybersecurity career?
  • 10. #EUROCACS Cybersecurity Skills Models • NIST NICE (United States) • e-CF (European Union / Dutch) • SFIA6 – Matthew Burrows / SFIA6 Design Authority, design@sfia-online.org / EuroCACS/ISRM 2015 presentation
  • 14. #EUROCACS What skills required for Cybersecurity? https://www.cisecurity.org/workforce/workplace/
  • 18. #EUROCACS CSC operation: Security vs. IT roles [pie chart; legend: Developer, ICT Security Manager, ICT Security Specialist, Network Specialist, Systems Administrator, Systems Architect, (blank); segment values as extracted: 2%, 17%, 25%, 17%, 39%, 0%; the assignment of values to legend entries did not survive extraction]
  • 19. #EUROCACS CSC operation: Alternatively [pie chart; legend: Developer, Enterprise Architect, ICT Security Manager, ICT Security Specialist, Network Specialist, Service Desk Agent, Systems Administrator, Systems Architect, Trainer, (blank); segment values as extracted: 1%, 1%, 5%, 67%, 7%, 1%, 14%, 1%, 3%; the assignment of values to legend entries did not survive extraction]
  • 20. #EUROCACS PvIB/e-CF model vs. ISACA CISM. e-Competences: D.1. Information Security Strategy Development; E.3. Risk Management; E.8. Information Security Management. Job profiles: CISO, ICTSM (ICT Security Manager), ISO, ICTSS (ICT Security Specialist). CISM domains: D1. Information Security Governance; D2. Information Risk Management and Compliance; D3. Information Security Program Development and Management; D4. Incident Management and Response. Proficiency levels per competence and job profile, as extracted (cell order not recoverable): Not Available, Level 5, Level 4, Level 5, Level 3, Level 4, Level 3, Level 4, Level 3.
  • 21. #EUROCACS PvIB/e-CF model vs. ISACA CISA. e-Competences: E.8. Information Security Management; E.9. IS Governance; B. BUILD (ICTSS: B.4. Solution Deployment); C. RUN (ICTSS, e-CF only: C.2. Change Support, C.3. Service Delivery). Job profiles: CISO, ICTSM, ISO, ICTSS. CISA domains: D1. The Process of Auditing Information Systems (14%); D2. Governance and Management of IT (14%); D3. Information Systems Acquisition, Development, and Implementation (19%); D4. Information Systems Operations, Maintenance and Support (23%). Proficiency levels, as extracted (cell order not recoverable): Level 5, Level 4, Level 4, Level 4 (e-CF only), Level 3, Level 2, Level 3 (e-CF only).
  • 22. #EUROCACS PvIB/e-CF model vs. ISACA CRISC. e-Competences: E.3. Risk Management. Job profiles: CISO, ICTSM, ISO, ICTSS. CRISC domains: D1. Risk Identification (27%); D2. Risk Assessment (28%); D3. Risk Response and Mitigation (23%); D4. Risk and Control Monitoring and Reporting (22%). Proficiency levels, as extracted: Level 4, Level 3, Level 3.
  • 23. #EUROCACS PvIB realm vs. ISACA realm, and what PvIB does not cover. PvIB model e-Competences: A.7. Technology Trend Monitoring; B.4. Solution Deployment; D.1. Information Security Strategy Development; E.3. Risk Management; E.4. Relationship Management; E.8. Information Security Management; E.9. IS Governance (NA, NA as extracted). General competences: G.1. Leadership; G.2. Project management; G.3. Communication and persuasion; G.4. Technical research; G.5. Organisational sensitivity; G.6. Management; G.7. Analytical skills; G.8. Integrity. ISACA CISM domains: D1. Information Security Governance (24%); D2. Information Risk Management and Compliance (33%); D3. Information Security Program Development and Management (25%); D4. Incident Management and Response (18%). ISACA CISA domains: D1. The Process of Auditing Information Systems (14%); D2. Governance and Management of IT (14%); D3. Information Systems Acquisition, Development, and Implementation (19%); D4. Information Systems Operations, Maintenance and Support (23%). ISACA CRISC domains: D1. Risk Identification (27%); D2. Risk Assessment (28%); D3. Risk Response and Mitigation (23%); D4. Risk and Control Monitoring and Reporting (22%). ISACA CGEIT domains: D1. Framework for the Governance of Enterprise IT (25%); D2. Strategic Management (20%); D3. Benefits Realization (16%); D4. Risk Optimization (24%). The ISACA side additionally requires generic competences, proven experience and continuous education. PvIB job profiles: CISO, ICTSM, ISO, ICTSS. Proficiency levels, as extracted (cell order not recoverable): Level 3, Level 3, Level 2, Level 5, Level 4, Level 3, Level 3, Level 4, Level 5, Level 4, Level 4, Level 3, Level 4, Level ~3, Level ~3, Level ~3.
  • 26. #EUROCACS How to run skills audit? Simplest: • Ask: what skills are missing to reach the goals? Medium: • Inventory/assess existing skills via questionnaires (list competences, ask to self-assess) Sophisticated: • Run serious tests to assess
  • 27. #EUROCACS Output of skills audit Simplest: • List of skills/competences and who covers them • Items without people – missing competences Medium: • Skills/competences with required levels, and fulfilled levels • Gap is visible Sophisticated: • Detail report of professional skills assessors
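The two slides above describe the simplest and medium forms of the audit: a competence list with who covers each item (items without people are the missing competences), and required versus self-assessed proficiency levels with the gap made visible. The script below is an added example, not code from the deck, NRD CS or ISACA, that computes both outputs from questionnaire data. The e-CF competence codes and PvIB job-profile names are the ones the deck references; the required-level matrix, the staff roster and the self-assessment answers are constructed for illustration (the deck's own mapping of levels to profiles did not survive extraction), and it also flags malformed answers and job profiles that nobody has been assessed against.

```python
"""Skills-gap computation for a cybersecurity skills audit.

Added example, not from the EUROCACS deck. Competence codes follow e-CF and
job-profile names follow PvIB usage as cited in the deck; the REQUIRED matrix,
the roster and the questionnaire answers are constructed assumptions.
e-CF proficiency levels run from 1 (lowest) to 5 (highest); 0 means none.
"""
from collections import defaultdict
from dataclasses import dataclass

# e-CF competence codes referenced in the deck.
COMPETENCES = {
    "A.7": "Technology Trend Monitoring",
    "B.4": "Solution Deployment",
    "D.1": "Information Security Strategy Development",
    "E.3": "Risk Management",
    "E.8": "Information Security Management",
    "E.9": "IS Governance",
}

# Required proficiency per job profile. CONSTRUCTED for this example; these
# are not PvIB's published values.
REQUIRED = {
    "CISO":  {"D.1": 5, "E.3": 4, "E.8": 5, "E.9": 4, "A.7": 3},
    "ISO":   {"D.1": 4, "E.3": 3, "E.8": 4, "E.9": 3},
    "ICTSM": {"E.3": 3, "E.8": 4, "B.4": 3},
    "ICTSS": {"E.8": 3, "B.4": 3, "A.7": 2},
}


@dataclass
class Assessment:
    person: str
    profile: str
    levels: dict  # competence code -> self-assessed level, 0..5


# Constructed questionnaire responses (the "medium" method: self-assessment).
RESPONSES = [
    Assessment("alice", "CISO", {"D.1": 5, "E.3": 3, "E.8": 4, "E.9": 4}),
    Assessment("bob", "ICTSM", {"E.3": 3, "E.8": 4, "B.4": 2}),
    Assessment("carol", "ICTSS", {"E.8": 3, "B.4": 3}),
]


def validate(a: Assessment) -> None:
    """Reject malformed questionnaire rows before they skew the audit."""
    if a.profile not in REQUIRED:
        raise ValueError(f"{a.person}: unknown job profile {a.profile!r}")
    for code, level in a.levels.items():
        if code not in COMPETENCES:
            raise ValueError(f"{a.person}: unknown competence {code!r}")
        if not isinstance(level, int) or not 0 <= level <= 5:
            raise ValueError(f"{a.person}: level for {code} must be 0..5, got {level!r}")


def coverage(responses):
    """Simplest output: for every competence, who claims it at any level >= 1."""
    covered = defaultdict(set)
    for a in responses:
        validate(a)
        for code, level in a.levels.items():
            if level >= 1:
                covered[code].add(a.person)
    return {code: sorted(covered[code]) for code in COMPETENCES}


def missing_competences(responses):
    """Items without people: competences in the catalogue nobody covers."""
    return [code for code, people in coverage(responses).items() if not people]


def profile_gaps(responses, required=REQUIRED):
    """Medium output: per person, (required, self-assessed, gap) per competence."""
    report = {}
    for a in responses:
        validate(a)
        rows = {}
        for code, need in required[a.profile].items():
            have = a.levels.get(code, 0)  # unanswered counts as no competence
            rows[code] = (need, have, max(0, need - have))
        report[a.person] = rows
    return report


def unstaffed_profiles(responses, required=REQUIRED):
    """Job profiles the organisation needs but has nobody assessed against."""
    staffed = {a.profile for a in responses}
    return sorted(p for p in required if p not in staffed)


def gap_by_competence(responses, required=REQUIRED):
    """Total level-points short across the team, per competence, largest first."""
    totals = defaultdict(int)
    for rows in profile_gaps(responses, required).values():
        for code, (_, _, gap) in rows.items():
            totals[code] += gap
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print("missing competences:", missing_competences(RESPONSES))
    print("unstaffed profiles:", unstaffed_profiles(RESPONSES))
    for person, rows in profile_gaps(RESPONSES).items():
        for code, (need, have, gap) in rows.items():
            flag = "GAP" if gap else "ok"
            print(f"{person:6} {code} {COMPETENCES[code]:<42} need {need} have {have} {flag}")
    print("largest gaps:", gap_by_competence(RESPONSES))
```

With the constructed data, A.7 Technology Trend Monitoring is the one competence nobody claims, the ISO profile has nobody assessed against it, and the per-competence totals rank A.7 as the largest team-wide shortfall. Treating an unanswered competence as level 0 is deliberate: a questionnaire gap should surface as a skills gap rather than silently disappear.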
  • 28. #EUROCACS Summary The main cybersecurity challenges are in governance, workforce skillset, and the inability of technology to be resilient. The presentation is geared for auditors to learn how to use different cybersecurity workforce models to prepare better for cybersecurity audits. Differences between the NIST NICE, EU e-CF and SFIA models are presented, along with how to modify these frameworks for own use and how to integrate them with the Critical Security Controls.
  • 29. #EUROCACS Assertion on your capabilities after presentation: 1. create own adjustments to cybersecurity workforce skillset 2. connect cybersecurity tasks with skills 3. recommend to organizations remediation actions for cybersecurity workforce problems 4. apply US and EU cybersecurity skills, job profiles and e-competences models to own internal and external audits
  • 30. #EUROCACS Thank you! • Dr. Vilius Benetis, CISA, CISM • vb@nrd.no, NRD CS • https://www.linkedin.com/in/viliusbenetis

Editor's Notes

  1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).
  2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
  3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application, system or a limited period of time.
  4. Perform preaudit planning.
     • Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team to justify the engagement and further refine the scope and preplanning focus.
     • Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
     • Identify regulatory compliance requirements.
     • Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work. Some of the resources that need to be defined follow:
       – Technical skills and resources needed
       – Budget and effort needed to complete the engagement
       – Locations or facilities to be audited
       – Roles and responsibilities among the audit team
       – Time frame for the various stages of the audit
       – Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
       – Points of contact for administrative and logistics arrangements
       – A communication plan that describes to whom to communicate, when, how often and for what purposes