Podcasts about business continuity management

Prevention and recovery from threats that might affect a company

  • 40 podcasts
  • 160 episodes
  • 45m average duration
  • 1 new episode per month
  • Latest: Mar 12, 2025



Best podcasts about business continuity management

Latest podcast episodes about business continuity management

durch die bank
DORA now applies: how far along is the financial sector?
Mar 12, 2025 | 21:56

Since 17 January 2025 the Digital Operational Resilience Act (DORA) has applied, with no grace period. But what is the state of implementation in the financial sector, and what challenges were there, and possibly still are? We discuss this with Professor Dr. Patrik Buchmüller of DHBW Villingen-Schwenningen and Johannes Haupt (DZ Bank AG). Our guests also give an outlook on how the regulatory environment around DORA will develop in the coming months.

KPMG on air Financial Services - Insights für die Finanzbranche
How is the role of business continuity management changing? #45
Feb 11, 2025 | 20:52

DORA, resilience and BCM 2.0: Stefanie Fekonja (KPMG) in conversation with Christian Rings (Münchener Hyp). The DORA regulation has brought European financial institutions many new requirements and sets the bar for IT compliance and security considerably higher than previous regulation. A KPMG benchmark taken as the implementation deadline of 17 January 2025 expired shows this too. But DORA is only the beginning, says Christian Rings, Business Continuity Manager at Münchener Hypothekenbank: the ongoing work on an institution's digital resilience is now an interdisciplinary, cross-team challenge, and comprehensive testing is becoming ever more important. In the podcast Christian talks with Stefanie Fekonja (KPMG) about business continuity and emergency plans, threat situations and crises, and the future of BCM in the age of DORA. Listen to episode #45 of our podcast "KPMG on air Financial Services" to find out more. Sign up here for the newsletter mentioned in the podcast: https://klardenker.kpmg.de/financialservices-hub/newsletter/

The conversation at a glance:
[00:00] Intro and welcome
[02:00] DORA "raises the bar"
[03:50] Results of the KPMG benchmark
[05:20] DORA implementation at Münchener Hyp
[08:00] How Münchener Hyp rethought resilience
[10:00] "Are we doing enough?" The ECB cyber stress test as a yardstick
[11:30] Why testing is so important
[12:30] The new role of BCM
[15:00] Testing and the ideal BCM under the microscope
[18:45] An annual agenda with crisis simulations
[19:40] Farewell

The God Cast
Church Of England Safeguarding and Independence with Clive Billenness - The God Cast Interview.
Feb 3, 2025 | 35:15


Follow Fr Alex on X @alexdjfrost. Follow Clive on X @cliveatsynod. Clive Billenness is a specialist project, programme, risk and business continuity management practitioner, qualified in PRINCE2, MSP (Managing Successful Programmes) and M_o_R (Management of Risk), as well as in financial management and audit in the context of European FP7 and Horizon 2020 projects. He is also a Certified Information Systems Auditor (CISA), a retired lay minister in the Anglican Diocese of Europe, an elected member of the House of Laity of the Synod of the Diocese of Europe, and Hon. Secretary of ECO, the Ecumenical Church of the Occitanie (an online mission initiative). Specialties: EC FP7/H2020 project financial regulations, IT projects and programmes, risk management, business continuity management, digital preservation, GDPR governance and compliance. Recently: researching bullying in worship communities; member of the Save The Parish Financial Scrutiny Board at the General Synod of the Church of England; member of the House of Laity of the General Synod of the Church of England, supporting an inclusive church which is free of bullying; member of the Audit Committee.

The ISO Show
#205 Building AI Resilience with Cloud Direct
Jan 29, 2025 | 30:44


AI usage has skyrocketed in the past two years, with many commonplace apps and software now featuring an AI integration in some form. With the rapid development and the possibilities unlocked by this powerful technology, it can be tempting to go full steam ahead with implementing AI in your day-to-day business activities. However, new technologies come with new risks that need to be understood and mitigated before any potential incidents. In this episode Mark Philip, Information Security Manager at Cloud Direct, joins Ian to discuss emerging AI risks and how you can build AI resilience into your existing practices.

You'll learn
• Who is Mark?
• Who is Cloud Direct?
• How can you assess your current level of AI resilience?
• What are some of the key threats that AI systems currently face, and how can you mitigate them?
• How can you utilise AI to enhance your security?
• What is best practice when responding to an AI-related security incident?

Resources
• Cloud Direct
• Isologyhub

In this episode, we talk about:

[02:05] Episode summary: We invite Cloud Direct's Information Security Manager, Mark Philip, onto the show to discuss AI risks and how to build AI resilience into your existing security practices.

[03:25] Who is Mark Philip? While his primary role is Information Security Manager at Cloud Direct, a little-known fact about him is that he is an amateur triathlete. At London earlier in 2024 he was lucky enough to bump into Alistair Brownlee, the UK's two-time Olympic gold medallist in triathlon.

[05:10] Who are Cloud Direct? Founded in 2003, Cloud Direct is a Microsoft Azure Expert MSP, the highest Microsoft accreditation a partner can hold, which puts them in the top 5% of Microsoft partners globally. They offer consultancy and professional managed services, specialising in Microsoft Cloud, all underpinned by security across the whole Microsoft stack. They also assist with digital transformation and modernisation.

[06:30] Assessing the current AI risk landscape: Ian points out that a recent report from the Capgemini Research Institute found that 97% of organisations are using generative AI. With this increase in AI use comes a corresponding increase in AI-related security incidents. Mark adds that the technology is very new, with larger software companies such as Microsoft pushing AI elements into their tools, so there is a learning curve involved in using it. There is also a lack of risk assessment around AI; not a lot of thought goes into its day-to-day use. If you're using an AI platform, you need to ask yourself: what is this platform actually doing with the data I'm inputting? Malicious actors are already leveraging the technology too, with deepfakes, bad bots and more sophisticated phishing schemes, and the harsh truth is that they are going to get better at it over time.

[08:20] What is AI resilience and why is it so important? AI resilience is about equipping businesses with processes that control the use and deployment of AI, so that they can anticipate and mitigate AI risks effectively. As with ISO standards, this involves a risk-based approach. However, it will look very different depending on your business and how you use AI. For example, the risk of someone using AI to generate a transcript of meeting notes is much lower than that of a healthcare company feeding complex data sets into AI to synthesise new medicines. So, if you are using AI you need to consider the inherent risks, which depend on the data you're processing (is it sensitive data?), and then factor in whether the software is publicly available (such as ChatGPT) or a closed model under your control. Asking these questions will give you a more realistic picture of the risk landscape you face.

[10:35] How can a business assess its current level of AI resilience? AI is here to stay, so you won't be able to avoid it forever. First, you need to embrace and understand it, and that includes creating a clear picture of your use cases. Mark says they did this exercise internally at Cloud Direct when they started using Microsoft Copilot. They asked themselves:
• What sort of data is the software interacting with?
• What data are we putting into it?
• How does Microsoft manage the program and its security?
• Is Microsoft storing any of that data?
It's not just about security either; you need to understand why you're using AI and whether it will actually benefit you. A lot of people use it because it's new and shiny, but if it isn't actively helping you achieve your business goals, it's more of a distraction than anything else. For those looking for additional guidance on AI policies, risks and resilience, there's a lot provided by both ISO and the NCSC. ISO 42001 in particular is useful both for people using AI and for developers creating AI. If you're stuck on where to start, a gap analysis is a fantastic tool to see where you are now and which gaps in your security you need to bridge to cover any AI usage, and to see how well you comply with current legal requirements (the EU AI Act is now in force). Another tool is a risk assessment. You may not process what many would consider sensitive data, such as healthcare information, but even if you only store customer data, you need to ensure that any AI you use doesn't pose a risk to it.

[14:30] How can AI improve security and resilience? Sticking with Microsoft as an example, as they are releasing a lot of AI-driven tools, these can fill gaps that humans may not have the time to cover. One example is monitoring and responding to security alerts: previously a system would simply send an alert to a member of staff to resolve, but now AI security tools can act on those alerts on your behalf. If you have limited IT resources, this could be a fantastic addition to your security set-up. It also removes the lag of human response, and AI can look at things in a way a human wouldn't think to.

[17:55] How do people stay ahead of the curve in the evolving AI landscape? Use the myriad resources available to learn about AI: webinars, social media feeds, blogs and videos are released constantly. Microsoft in particular offers a comprehensive feed of information on AI, its risks and new technologies in development. The key is to understand AI before integrating it into your business. Don't just jump at the new shiny toys being advertised to you; go to reputable sources such as the ICO, the NCSC, Cyber Essentials and regulatory bodies to learn about the technology, the benefits it can bring and the risks you need to mitigate. Mark can vouch for Microsoft's thought leadership in this field, as they keep all of their customers up to date with their AI-related developments. Cloud Direct themselves are also putting out some great content, so check out their resources. If you are already using Microsoft's tools, Cloud Direct can explain how the new tools apply to your business. If you're looking for assistance with ISO 42001, Blackmores can help you implement a robust AI management system.

[21:40] What is best practice when responding to an AI-related incident? There's no reason not to treat it like any other security incident. We've already adapted to more sophisticated security risks as a result of the move to home and hybrid working during the pandemic; this is simply another stage in an ever-changing security landscape. Treat it as you would any new step: you likely already have processes for analysing risk, so apply them to the use of AI and put in place the necessary governance based on your findings. Standards such as ISO 20000 (IT service management) and ISO 22301 (business continuity) are fantastic tools if you're new to this sort of incident response planning. If you're already certified to these standards, you likely have the following in place:
• Risk assessments
• Business impact assessments
• Business continuity plans
• Recovery plans
Simply add AI as an additional risk factor in your existing management system and update the necessary documentation to include actions and considerations for its use. If you update your business continuity and recovery plans, make sure to test them. Don't just assume they will work; put them to the test and adjust until you're confident that in a real incident everyone in the business knows how to react, what to communicate and how to get back up and running.

[24:00] What are Mark's predictions for the field of AI resilience? People need to look at the opportunities in using AI; a lot of people are using it without really understanding it, so there's a lot of learning still to do. He expects to see many businesses fully grasp how they can use AI to their advantage in the coming years. With that comes the challenge of integrating it safely, with the right governance embedded to ensure safe and ethical use across entire organisations. Another big challenge is handling data privacy within AI. Scams are only going to get more sophisticated as AI develops, and you need to ensure your business can protect against them as far as possible. Businesses should also carefully consider which AI platforms they use: make sure you understand what data is being input and stored, and the level of control you have over it. All of this is to say that there are massive benefits to using AI and you should not shy away from it, but you need to ensure you are using it safely and ethically.

[27:30] What is Mark's book recommendation? The Hunt for Red October by Tom Clancy

[28:45] What is Mark's favourite quote? "I have a bad feeling about this…" (Star Wars)

Want to learn more about Cloud Direct? Check out their website.

We'd love to hear your views and comments about the ISO Show, here's how:
• Share the ISO Show on Twitter or LinkedIn
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up to date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Preparing for the Unexpected
Business Continuity, Security, Emergency & Crisis Management
Oct 10, 2024 | 60:00


Join me as I talk with globally recognized Crisis, Conflict, and Emergency Management (CCEM) expert, Kyle King, as we talk about a couple of important subjects. In segment 1 we talk about The Role of Business Continuity in International Security. 1. BCM and economic stability. 2. Geopolitical risks, 3. International security and BCM, 4. Public and Private partnerships, 5. Operational continuity, 6. The inward / outward view of Business Continuity, 7. Regulations...and much more! For the second segment we talk about Emergency Management or Crisis Management: Is it Time to Evolve? 1. More complexity in crisis, 2. Redefining incidents (small events growing to large-scale events), 3. Dealing with past Emergency Mgmt. and Crisis Mgmt. doctrine, 4. Catastrophes, 5. Communications, 6. Bringing BCM, Emergency Mgmt. and Crisis Mgmt. together, 7. Clarifying authorities (vs responsibilities), 8. A change in mindset...and much more! Kyle shares some great insights about BCM involvement in International Security and how the ERM and CM professions need - and must - evolve to address our changing times. Don't miss what Kyle has to share. Enjoy!

The ISO Show
#186 Business Continuity lessons learnt from CrowdStrike
Aug 13, 2024 | 37:01


In July 2024, a logic error in an update to CrowdStrike's Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that fully recovering all affected machines took weeks. Many businesses were caught up in the disruption, whether they were hit directly or by proxy through affected suppliers. So, what can businesses learn from this? Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.

You'll learn
• What happened following the CrowdStrike crash?
• How long did it take businesses to recover?
• Which ISO management system standards would this impact?
• How can you use your management system to address the effects of an IT incident?
• How would this change your understanding of the needs and expectations of interested parties?
• How do risk assessments factor in where IT incidents are concerned?

Resources
• Isologyhub
• ISO 22301 Business Continuity

In this episode, we talk about:

[00:30] Join the isologyhub: to get access to a suite of ISO-related tools, training and templates, head over to isologyhub.com to sign up or book a demo.

[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications for your management system and the business continuity lessons you can apply ahead of any future incidents.

[03:00] What happened following the CrowdStrike crash? In short, an update to CrowdStrike's Falcon software brought down computer systems globally. 8.5 million Windows systems were affected, which in reality is less than 1% of Windows systems. Even so, the damage was felt in key pillars of societal infrastructure, with hospitals and transport such as trains and airlines among the worst affected.

[04:45] How long did it take CrowdStrike to issue a fix? CrowdStrike withdrew the faulty update quickly (its own timeline shows the bad channel file was reverted roughly 78 minutes after release), but this didn't mean affected computers were automatically fixed. In many cases applying the fix meant engineers had to go on site to many different locations, which is both time-consuming and costly. Microsoft said that some computers might need as many as 15 reboots to clear the problem. So a fix that many hoped would solve the issue took a few weeks to fully resolve, as not everyone has IT or tech support in the field to perform a manual reboot. A lot of businesses were caught out because they don't factor this into their recovery time, some assuming an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when completing a business impact assessment (BIA).

[07:55] How do you know in advance whether an outage will need physical intervention to resolve? There is a lesson to be learnt from this most recent issue. Take a look at your current business continuity plans and ask yourself:
• What systems do you use?
• How reliable are the third-party applications you use?
• If an issue like this were to recur, how would it affect us?
• Do we have the necessary resources to fix it, e.g. staff on site if needed?
Third parties have many clients, and some may prioritise those on a more premium package, so you can't always count on them for a quick fix.

[09:10] How does this impact our businesses in terms of our management standards? When we begin to analyse how this has impacted our management systems, we can't afford to say "we don't use CrowdStrike, therefore it did not impact us"; it may have impacted your suppliers or your customers. Even if there was zero impact, all companies can learn lessons from this event. Standards directly affected by the outage were:
• ISO 22301 (business continuity): recovery times, RPO and RTO; BIA; risk assessments
• ISO 27001 (information security): risk assessment; likelihood; severity; BCP; ICT readiness
• ISO 20000-1 (IT service management): risk assessment of service delivery; service continuity; service availability
Remember, our management systems should reflect reality, not aspiration.

[11:30] How do we use our management systems to navigate a path of corrective action and continual improvement? First and foremost, an event like this must be raised as an incident; in this case it would no doubt have been a major incident for some companies. The incident is typically recorded in the company's system for capturing non-conformities or continual improvement, much as ISO 45001 requires you to report accidents and incidents. From the incident a plan can be created, which should include changes to be considered or made to the management system. The incident should lead to a lessons-learned activity to determine where changes and improvements are needed. All the standards direct us to understanding the organisation and its context; the key requirement is to determine the internal and external issues that can impact your management system and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE, the CrowdStrike/Microsoft outage should be included in that analysis as a threat and/or technological issue.

[15:15] What are the lessons learned from our supply chain? Many ISO standards, such as ISO 9001 and ISO 27001, require you to review your suppliers and the effectiveness of the service they deliver. So you could e-mail them to ask how they dealt with the issue, what actions they took and how long it took to fully restore services. This is a collaborative process that feeds into your own risk assessments, as you can make a better judgement of future risk if you are privy to their recovery plans. Many people still think of that requirement only in relation to goods and products (has my order been delivered, etc.), but it applies to services such as IT infrastructure as well. You rely on that service, so evaluate how well it's being delivered.

[17:35] Join the isologyhub and get access to limitless ISO resources: from as little as £99 a month you can have unlimited access to hundreds of online training courses and earn certificates for completing them, taking you from learner to practitioner to leader in no time. Head over to the isologyhub to sign up or book a demo.

[19:50] Once you have established lessons learnt, what's next? The standards provide a logical path to work through. One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed. Do not simply put the sole blame on the third party where an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault. One finding may be a lack of business continuity plans, in which case implementing aspects of ISO 22301 may be an action to consider. It's also important to note any positives from the incident. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure their level of service was minimally impacted. If a team dealt with a situation particularly well, they should be recognised for it, as that really does go a long way.

[23:55] The importance of revisiting your SWOT and PESTLE: these exercises shouldn't be a one-time thing. Revisit them after incidents and after any major change within the business. Ideally, look at them in all your meetings, as many actions may need to be escalated to a strategic level. If you'd like to learn how one of our clients embraced SWOT and PESTLE and used it to their advantage, check out episode 53.

[25:20] How has our understanding of the needs and expectations of interested parties changed? How has the outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
• Risk assessment
• BIA for BCP
• Recovery plans
• DR plans
• Service continuity

[27:50] What should you be considering in your risk assessments? Risk assessments that follow the traditional methodology have likelihood and impact/severity scores, and in the light of this outage, or any event, those scores should be updated. If a company had set the likelihood as "once every 5 years", it should seriously consider changing it to "once every 6 months" or "once every year" to understand whether this poses any new risks to the business. The likelihood score would then be reviewed every year until it has returned to "once every 5 years". Impact is equally important: if a company has been affected by this outage, what did it cost to recover? Talk to finance and other departments to understand the cost and change the scoring accordingly.

[33:20] Why should a business carry out a risk assessment as part of lessons learnt? Our risk assessments are not a one-off; they should be living documents that reflect the status of threats to the business. ISO 27001 includes a requirement to identify the "consequences of unintended changes", and it could be argued that an outage on the scale of the CrowdStrike/Microsoft outage was an unintended change that led to consequences in many businesses. So use your risk assessments as live tools to report on the reality facing the organisation. Similarly, BIAs for the BCP should be reviewed to determine whether the assumed impact reflects the real impact, and recovery plans should be checked for effectiveness. If a recovery plan stated that this type of incident could be recovered from in 48 hours, and in reality it took two weeks, the recovery times in terms of RPO and RTO should be reviewed. Remember: your management system should reflect reality, not aspiration.

If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.
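The re-scoring described in the last two segments (raise the likelihood band after a real incident, replace the assumed impact with the observed cost, flag a BIA whose RTO was overrun, and step the likelihood back down each incident-free year), as an added worked example that is not from the ISO Show or its guests. The three-band scale, the events-per-year rates behind it, the register entry and the cost and recovery figures are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Likelihood bands from the episode's scoring scale, ordered least to most
# frequent. The events-per-year rates are an assumption made for this example
# so that likelihood x impact gives an annualised loss figure.
LIKELIHOOD_BANDS = ["once every 5 years", "once every year", "once every 6 months"]
EVENTS_PER_YEAR = {"once every 5 years": 0.2, "once every year": 1.0, "once every 6 months": 2.0}


@dataclass
class Risk:
    """One row of a risk register, with the BIA recovery objective attached."""
    name: str
    likelihood: str                 # one of LIKELIHOOD_BANDS
    impact_cost: float              # estimated cost of one occurrence (assumed GBP)
    rto_hours: float                # recovery time objective stated in the BIA
    baseline_likelihood: str = field(init=False)
    last_incident: Optional[date] = None

    def __post_init__(self) -> None:
        if self.likelihood not in EVENTS_PER_YEAR:
            raise ValueError(f"unknown likelihood band: {self.likelihood}")
        self.baseline_likelihood = self.likelihood   # band to decay back to

    def annual_loss_expectancy(self) -> float:
        """Likelihood x impact, the usual quantitative risk score."""
        return EVENTS_PER_YEAR[self.likelihood] * self.impact_cost


def record_incident(risk: Risk, when: date, actual_recovery_hours: float,
                    actual_cost: float) -> List[str]:
    """Re-score a risk after a real incident: likelihood jumps to the most
    frequent band, impact is raised to the observed cost if higher, and a BIA
    finding is raised if recovery overran the RTO. Returns findings to log
    against the incident record."""
    findings: List[str] = []
    risk.last_incident = when
    risk.likelihood = LIKELIHOOD_BANDS[-1]          # "once every 6 months"
    if actual_cost > risk.impact_cost:
        findings.append(f"{risk.name}: impact raised from {risk.impact_cost:,.0f} "
                        f"to {actual_cost:,.0f} based on actual recovery cost")
        risk.impact_cost = actual_cost
    if actual_recovery_hours > risk.rto_hours:
        findings.append(f"{risk.name}: RTO of {risk.rto_hours:g}h breached, recovery "
                        f"took {actual_recovery_hours:g}h; review RTO/RPO and recovery plan")
    return findings


def annual_review(risk: Risk, today: date) -> str:
    """Step the likelihood back one band per incident-free year until it
    returns to the pre-incident baseline. Returns the band now in force."""
    if risk.last_incident is None:
        return risk.likelihood
    years_clear = (today - risk.last_incident).days // 365
    raised_idx = len(LIKELIHOOD_BANDS) - 1
    baseline_idx = LIKELIHOOD_BANDS.index(risk.baseline_likelihood)
    risk.likelihood = LIKELIHOOD_BANDS[max(baseline_idx, raised_idx - years_clear)]
    return risk.likelihood


def worked_example() -> Dict[str, object]:
    """Constructed register entry modelled on the episode's scenario: a
    third-party agent update that took two weeks (336h) to recover from
    against a 48h RTO. Returns the intermediate values for inspection."""
    risk = Risk("Third-party endpoint agent update crashes Windows estate",
                likelihood="once every 5 years", impact_cost=50_000, rto_hours=48)
    ale_before = risk.annual_loss_expectancy()
    findings = record_incident(risk, date(2024, 7, 19),
                               actual_recovery_hours=336, actual_cost=180_000)
    ale_after = risk.annual_loss_expectancy()
    # Likelihood decays one band per year; the third review is already at baseline.
    bands = [annual_review(risk, d)
             for d in (date(2025, 7, 19), date(2026, 7, 19), date(2030, 1, 1))]
    return {"ale_before": ale_before, "findings": findings,
            "ale_after": ale_after, "bands": bands}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The decay step is what turns the "review every year until it recovers" advice into something auditable: the register keeps the pre-incident band as the target, and each annual review can show how far the score has come back down. Whether an incident should reset the clock to the most frequent band or only one band up is a policy choice; the example takes the episode's stronger option.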

Crisis. Conflict. Emergency Management
Harnessing Business Continuity For Effective Community Crisis Response with Alex Fullick
Jul 28, 2024 | 49:24


In this episode of the Crisis Lab Podcast, host Kyle King interviews Alex Fullick, an expert in business continuity planning and the Founder and Managing Director of Stone Road Inc. In the first part of our discussion, hosted on the 'Preparing for the Unexpected' channel, Alex and Kyle covered the macro-level impact of BCP on global stability, including economic stability, supply chain security, crisis management and geopolitical risks. Be sure to check out and subscribe to Alex's podcast, Preparing for the Unexpected. Now, in part two of the series, Kyle and Alex delve into the practical aspects of business continuity at the community level. They explore the role of BCP in preparing for and responding to local crises and discuss the importance of coordination between local businesses, governments and organizations. Alex Fullick is a seasoned expert in business continuity planning with over 26 years of experience. As the Founder and Managing Director of Stone Road Inc., he specializes in business continuity management and resilience, offering consulting and training services. Alex is the author of eight books and the host of "Preparing for the Unexpected", a global internet talk radio show and YouTube channel focused on preparing for and overcoming adverse situations. Tune in for insights on how small businesses can effectively plan for and mitigate risks, build networks and support community resilience.

Show highlights
[04:27] Building local business resilience
[10:43] Shared responsibility in community resilience
[17:28] Workforce considerations in business continuity
[22:59] Testing and exercising for resilience
[25:27] Understanding federal contracts and small business contributions
[26:01] Identifying business threats and risk assessment
[27:57] Mitigating risks and contingency planning
[30:41] Resources for risk assessment and business continuity
[33:47] The importance of training and education
[35:33] Practical training and real-world simulations
[41:18] Aligning business continuity with daily operations
[43:16] Trends in business continuity management

Connect with Alex Fullick: LinkedIn
Listen to Part 1: The Role of Business Continuity in International Security

Preparing for the Unexpected
Starting a BCM Program from Scratch w/ Yusuf Ukaye
Jul 18, 2024 | 60:00


Join me as I talk with experienced Operational Resilience and Business Continuity professional, Yusuf Ukaye, as we talk on the topic of Starting a BCM Program from Scratch. During our discussion we talk about: 1. Asking the right questions (What are we protecting? and more), 2. Impacts of not doing what you do, 3. Feeling about risk, 4. Good governance, 5. RACI, 6. It's NOT a project, 7. Everyday BC usage, 8. Building roadmaps, 9. Articulating needs, 10. Standards and guidelines, 11. Stakeholders, 12. Soft Skills, 13. Escalate and communicate w/ leaders, 14. Looking for support, 15. Listen more, 16. Be aware of the human element, 17. Validating you're on the right track, 18. Understanding assumptions and dependencies, 19. Communications...and more! Yusuf provides lots of great insights for those new to the field to help them get started, but also some insights to those that might be wondering why their program isn't as effective as it could be. Don't miss what Yusuf has to share. Enjoy!

CISO Tradecraft
#175 - Navigating NYDFS Cyber Regulation
Apr 1, 2024 | 33:24 | Transcription available


This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally, due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO) and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams and executive management to comply with and benefit from the regulation's requirements.

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud

Chapters
00:00 Introduction
00:35 Why Part 500 Matters Beyond New York
01:48 The Evolution of Financial Cybersecurity Regulations
03:20 Understanding Part 500: Definitions and Amendments
08:44 The Importance of Multi-Factor Authentication
14:33 Navigating the Complexities of Cybersecurity Regulations
20:23 The Critical Role of Asset Management and Access Privileges
25:37 The Essentials of Application Security and Risk Assessment
31:11 Incident Response and Business Continuity Management
32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

The ISO Show
#167 How Lifelong Learner embedded ISO 22301 in just 4 months

The ISO Show

Play Episode Listen Later Mar 5, 2024 24:01


According to the ISO Survey, there has been an 82.9% increase in worldwide ISO 22301 certificates issued since 2020. Business Continuity is a must-have for businesses that want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today's guest, Lifelong Learner. However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is in no small part due to the tremendous effort of Lifelong Learner's Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor. Lauren joins Mel on this week's episode to share her journey and explains the challenges associated with implementing a Business Continuity Management System in just 4 months.

You'll learn
· Who are Lifelong Learner?
· Why did they decide to implement ISO 22301?
· What did they learn from implementing ISO 22301?
· What was the biggest challenge with implementation?
· What are the benefits of implementing ISO 22301?

Resources
· Isologyhub
· Lifelong Learner
· PSI Testing Excellence
· Talogy

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Lauren Taylor, who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC. Lifelong Learner and its brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders.

Lauren has helped Lifelong Learner accomplish a massive milestone: the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She's here to share her journey and lessons learned from implementing ISO 22301.

[03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor.

[04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries:
PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services.
Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they'll do is put together psychometric tests that help companies find the right person for the right job, and assist with skills development.

[05:00] Adding to Lifelong Learner's ISO Collection: Lifelong Learner already has an impressive ISO library, being certified to:
· ISO 9001 – Quality Management
· ISO 14001 – Environmental Management
· ISO 27001 – Information Security Management

[05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we've wanted to look further into for a while, just because there are elements of ISO 27001 that cover business continuity. While we were able to get through the audits with what we had, we just felt that it needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step.

[06:10] The Implementation Timeline – In October 2023, we began with the context workshop, where we could get a better idea of the scope of the management system. This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be. Next came the Business Impact Analysis (BIA). Essentially what you're needing to find out from these workshops is the core activities that each of the teams perform on a day-to-day basis. You also need to understand what systems they use, whether they have any dependencies, and essentially it all comes down to understanding, if the business cannot perform those activities, what the impact would be over time if those activities were to stop. Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning. This risk assessment helped to highlight some weaknesses that we hadn't considered before, and pointed us in the right direction as to what we needed to work on to bridge those gaps. Next was the creation and revamping of documentation in line with ISO 22301 requirements. Thankfully, due to the other ISOs we hold, we already had a lot in place. The same goes for internal audits, so this was more a case of integrating ISO 22301 into our existing Management System. Once we had all the documentation, we conducted a ransomware test exercise, and we documented all the findings from it. Then we were ready for stage 1!

[09:15] What were the biggest gaps Lifelong Learner needed to address? – Following the BIA and Risk Assessment, we were able to see where we needed response plans, because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need, for example a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we hadn't realised we needed a few more.

[10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business. We already had ISO 27001 in place, and we figured that if there were to be another pandemic, for example, we'd be covered. However, it wasn't until we did those exercises that we realised there was a lot we could improve on.

[13:25] What did Lauren learn from implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis. After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system. Also, it highlighted just how many people believe business continuity is all about IT and physical security; they completely leave out the human element. An example of this is having a single point of failure, where if somebody left there would be a gap.

[14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans. It's also helped with the introduction of the latest ISO 27001:2022 controls, as these too focus on elements of business continuity.

[15:50] Lauren's top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months! Think logically about how everything links together; the clauses all have a purpose and flow in a logical pattern to help create a Management System. Your Management Review can be your best friend. It's your opportunity to really engage with senior management and help them understand what the risks to the business are, how your internal audit is coming along, and how you manage your nonconformities, and it can all be neatly wrapped up in that nice management review bow.

[18:00] Lauren's book recommendation – Matthew Perry's autobiography, Friends, Lovers and the Big Terrible Thing.

[19:30] Lauren's favourite quote – "You catch more flies with honey than vinegar."

If you'd like to learn more about Lifelong Learner, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or LinkedIn
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

durch die bank
BCM (Business Continuity Management) in the context of DORA (Digital Operational Resilience Act)

durch die bank

Play Episode Listen Later Oct 11, 2023 12:25


Johannes Haupt is responsible for bank-wide Business Continuity Management (BCM) at DZ BANK and also leads the functional implementation of the Digital Operational Resilience Act, DORA for short, at DZ BANK AG. For us, that is a good reason to talk with Johannes Haupt about what matters in BCM in the context of DORA, and to explore the question of whether DORA turns an established BCM system on its head.

CYBERSNACS
#20 Criminal Minds - on the trail of cyber criminals with pattern recognition

CYBERSNACS

Play Episode Listen Later Aug 16, 2023 19:32


Lately there has been a lot of talk about resilience in connection with IT security. But what exactly does it mean? How can a company set itself up to be cyber-resilient, and how can security frameworks help? This time Le-Khanh Au from Splunk joins Salsabil and Tobias as a guest. She explains how the MITRE ATT&CK framework can help companies apply a purposeful cybersecurity strategy.

Association of Insurance Compliance Professionals
Planning for a Catastrophe to Happen? Yes for Insurance Companies

Association of Insurance Compliance Professionals

Play Episode Listen Later Jul 24, 2023 13:05


When catastrophes happen, insurance companies are expected to respond quickly to assist insureds who have suffered a loss as a result of the catastrophe. Many states require that these companies have plans in place prior to the event and that these plans are filed with the state, including contact information. Join Sam Garro, Senior Vice President of the Compliance Department at Philadelphia Insurance Companies, as he sits down with James Bryant, Sr. Manager of Business Continuity Management for Tokio Marine North America Services, to discuss those requirements and how insurance companies get ready for the next catastrophe, whether it is a hurricane, earthquake, flood, or any other catastrophic event.

Featuring: James Bryant, Sr. Manager of Business Continuity Management, Tokio Marine North America Services
Hosted by: Sam Garro, Sr. Vice President, Compliance Department, Philadelphia Insurance Companies

Der Performance Manager Podcast | Für Controller & CFO, die noch erfolgreicher sein wollen
#530 Business Continuity Management and Controlling – Preview of issue 3/2023 of the journal Controlling

Der Performance Manager Podcast | Für Controller & CFO, die noch erfolgreicher sein wollen

Play Episode Listen Later Jun 6, 2023 37:00


Business Continuity Management is a holistic approach aimed at ensuring the continuation of business operations, and in particular the delivery of a company's products and services, even when serious events and developments occur. What role does controlling play in this? How can controlling instruments provide support? And what practical examples are there? The current issue of the journal CONTROLLING addresses these questions. Prof. Dr. Burkhard Pedell of the University of Stuttgart presents the issue in the podcast. As co-editor of the journal, he led the topic "Business Continuity Management and Controlling" in the third issue of 2023 and coordinated the articles by the various authors. Order your trial subscription: https://bit.ly/Probeabo-controlling-zeitschrift

Krisenmeisterei
What comes first?

Krisenmeisterei

Play Episode Listen Later Apr 5, 2023 12:30


If I want to develop emergency plans and crisis management, what is the best way to proceed? Emergency plans first and then crisis management? Or the other way round? Neither! Why, and how it works better, in the 96th episode of my podcast.

The ISO Show
#128 What's new with ISO 27001:2022?

The ISO Show

Play Episode Listen Later Jan 18, 2023 24:44


The long-awaited update of ISO 27001 arrived in October 2022, 9 years after its previous 2013 iteration. Needless to say, it was much overdue. The new 2022 version of the Standard includes 11 new controls and sees around 56 other controls combined into 24 newly titled controls. In order to cover every aspect of the new Standard, we'll be running a mini-series through January and February on the updated ISO 27001:2022, in addition to how you can transition to the new version. Starting off the series strong, Mel is joined once again by Steve Mason, our very own Information Security guru, to broadly discuss the changes to ISO 27001:2022.

You'll learn
Who is ISO 27001:2022 applicable to?
An overview of the changes to ISO 27001:2022
What is Steve's favourite change to ISO 27001:2022?
What are the challenges involved with updating to the 2022 version?

Resources
Isologyhub
ISO 27031 (Guidelines for information and communication technology readiness for business continuity)
ISO 27005 (Risk assessment)
ISO 22301 (Business Continuity)

In this episode, we talk about:

[01:50] Steve gives an overview of what's new in ISO 27001:2022 – The updated version of ISO 27001 was released on 26th Oct 2022. The new version included 24 changes and clarifications within the main clauses.

[02:50] The controls for the new standard are now categorised into 4 groups: Organisation, People, Physical and Technology.

[05:50] We covered some of the new controls in more detail in previous episodes: #109, #110, #111, #112, #113 and #114.

[06:17] The 24 changes and clarifications to clauses include older existing clauses which have been tidied up to be more transparent. We recommend reviewing them to ensure that you are complying in a way that aligns with the Standard.

[06:35] There are 11 new controls. 56 controls from the 2013 version have been reduced to 24, with 58 remaining unchanged. So, in short, Annex A has been simplified with less duplication of controls.

[07:44] Steve highlights section A.9 for Access Control as one of the much-improved controls, due to the lack of repetition and simplified requirements for compliance.

[08:35] Steve's favourite update to the Standard: The whole Standard now collectively encourages incorporation into your business. Your ISMS should not feel like a bolt-on; it should be a part of your business's DNA.

[10:36] Steve's favourite update to the Standard #2: It's not a static Standard; it encourages development and continual improvement.

[13:45] For those completely new to ISO 27001 – check out our 3-part Steps to Success series, which explains the implementation process from start to finish.

[14:38] Listen to some of our client interviews to hear the challenges others faced when implementing ISO 27001, in addition to the benefits gained as a result of adopting the Standard.

[14:50] Why would the business continuity elements of ISO 27001:2022 pose a challenge? There used to be a clause in the 2005 version of the standard which documented the need for a business impact analysis; this was removed in the 2013 version. The new 'ICT readiness for business continuity' control will require, at the very least, a risk assessment.

[16:48] Steve recommends checking out the Plan, Do, Act, Check diagram in ISO 27031 (Guidelines for information and communication technology readiness for business continuity). It also includes some great guidance on business impact analysis.

[18:40] The ICT readiness control is not designed to be an all-encompassing business continuity strategy; it's designed to work in tandem with an existing one (you may already be certified to ISO 22301 Business Continuity Management).

[19:50] It's highly recommended that if you don't have a Business Continuity Plan or strategy, you at least have a framework in place. Disasters by their nature are unpredictable, as is the resulting damage to an extent. You will not know the full extent until you've lived it, so don't write an exhaustive 80+ page manual that no one will read; document the what, who and how of getting yourself back up and running again.

[21:11] There has also been an update to ISO 27005 (Risk assessment in relation to info sec). It includes a new set of threat categories: physical threats, natural threats, infrastructure failures, technical failures, human actions, compromised services or functions and organisational threats. These may help you when putting a business continuity framework in place.

[22:05] Above all else, ISO 27001:2022 has modernised and aligned itself more with the likes of Cyber Essentials and NIST.

Keep an eye out for next week's episode, where we dive into the clause updates…

We'd love to hear your views and comments about the ISO Show, here's how:
Share the ISO Show on Twitter or LinkedIn
Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Business Resilience Decoded
How to Build a Business Continuity Management Program That Lasts

Business Resilience Decoded

Play Episode Listen Later Nov 3, 2022 19:54


Episode 129: How to Build a Business Continuity Management Program That Lasts

This episode is brought to you by Fusion Risk Management, Building a More Resilient World Together. Request a demo at https://bit.ly/FusionDECODED today!

With a recession looming, climate change, and political strife ever present, more and more organizations are looking to an uncertain future. One way to help mitigate this uncertainty is to build a lasting business continuity program. But how exactly do we do this? Vanessa talks with business continuity expert Shane Mathew about key steps to take when building a program that will last.

Shane Mathew has years of experience working in public health building emergency response plans and is currently the head of enterprise resilience for Zoom.

Connect with Shane Mathew
LinkedIn - https://www.linkedin.com/in/shanemathew/
Failover Plan Podcast - failoverpodcast.com

Sign up for our Four Corners newsletter for opportunities to connect, access to exclusive content, bonus interviews, and more at https://bit.ly/BRDFourCorners.

Three things to consider when building a lasting business continuity program:
1. Don't just jump in. Develop a transformational statement of where the business currently stands and where they would like to be in the future.
2. Look at the culture and big picture of an organization and make sure your business continuity program matches that culture. Make sure your purpose is in alignment with what they want. What they say is not always what they want. For example, they may say they want a business resilience plan, when in fact they want a compliance program.
3. Scope and order. Scope needs to be clearly defined in terms of what comes first and what comes afterwards. Prioritize your timeline and then you'll know where and how to proceed.

Disaster Recovery Journal:
Register for DRJ's weekly (Wednesday) webinar series: https://drj.com/webinars/up-coming/
Register for DRJ Spring 2023: Solutions for a Resilient Tomorrow: https://www.drj.com/spring2023

Asfalis Advisors:
Visit our website here: https://www.asfalisadvisors.com
Apply to be a guest on the podcast: https://www.asfalisadvisors.com/decoded/
Download the 5 Step Crisis Strategy: https://www.asfalisadvisors.com/services/

Connect with the podcast!
Email us: podcast@drj.com
Podcast website: https://drj.com/decoded/
Twitter: https://twitter.com/BRDecoded
LinkedIn: https://www.linkedin.com/showcase/business-resilience-decoded/
YouTube: https://www.youtube.com/channel/UCNEIrqWlxuyDvkXB24h6Obw/videos

Vanessa Mathews, host
Vanessa Mathews is the founder and chief resilience officer of Asfalis Advisors, where they are focused on protecting the legacy of the leaders they serve through business resilience. Before becoming an entrepreneur, Mathews developed global crisis management and business continuity programs for government and private sector organizations, including Lowe's Companies, Gulfstream Aerospace, and the Department of Homeland Security.
LinkedIn: https://www.linkedin.com/in/vanessa-vaughn-mathews-mba-cbcp-70916b4b/
Book Mathews as a speaker: https://bit.ly/VanessaMathews

Jon Seals, producer
Jon Seals is the editor in chief at Disaster Recovery Journal, the leading magazine/event in business continuity. Seals is an award-winning journalist with a background in publication design, business media, content management, sports journalism, social media, and podcasting.
LinkedIn: https://www.linkedin.com/in/jonseals/
Disaster Recovery Journal: https://drj.com/

Level Up Your Career with APMG International
Level Up your Career – How to build a Business Resilience Plan

Level Up Your Career with APMG International

Play Episode Listen Later Oct 24, 2022 58:21


APMG International presents our popular weekly panel Q&A show. Episode 105 is about how to build a Business Resilience Plan. Hosted by Nick Houlton and Question Master Charlotte Miller. Answering your questions are Shelia Roberts, Mart Rovers, Sarbojit Bose, David Roberts and Dierk Söllner. An opportunity to have your real-life questions answered.

Krisenmeisterei
We are all dependent!

Krisenmeisterei

Play Episode Listen Later Oct 19, 2022 16:01


The degree of our dependencies has been raised and discussed more and more often lately. However, by the time a crisis hits, this discussion is actually far too late. Exceptionally resilient companies have their dependencies too, but they deal with them differently.

Preparing for the Unexpected
Shifting Baselines with Regina Phelps

Preparing for the Unexpected

Play Episode Listen Later Sep 29, 2022 51:03


It's time once again for my regularly scheduled chat with globally recognized resilience and business continuity management expert, Regina Phelps. For this episode we talk about Shifting Baselines, defined as failure to notice change over time. We also touch on ROI vs VOI, which is about how resilience, BCM, and DR professionals show value, rather than trying to 'guess' at ROI dollars. It's a great conversation with Regina, and there is a lot here to capture and take back to your own organizations to ensure your programs display value - and increase your own value. Don't miss this episode! Enjoy!

CISO Tradecraft
#93 - How to Become a Cyber Security Expert

CISO Tradecraft

Play Episode Listen Later Aug 29, 2022 29:43


How do you become a Cyber Security Expert?

Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert. As always, please follow us on LinkedIn, and subscribe to our podcasts.

As a security leader, part of your role is to develop your people. That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned that what differentiates true leaders from those who just accomplish a great deal is making the effort to develop their people.

Now, you may have heard the phrase "take care of your people," but I'll take issue with that. I take care of my dog. I take care of a family member who is sick, injured, or incapacitated. Why? Because they are not capable of performing all of life's requirements on their own. For the most part, your people can do this. If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome. People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them. I am NOT going to get political here, so don't worry about that. Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves. In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success.

That brings me to the subject of today's podcast: how do you counsel and mentor others on how to become a cyber security expert? If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having to seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes: "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others.

Today on CISO Tradecraft we are going to analyze the question, "How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have.

Let's start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route; do kids still do that?). You see someone who tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person who says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick in your brain, and you start to say to yourself, you know, both of those jobs sound pretty cool. You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at low pay. So, you start thinking, "how can I gain the skills necessary to land a dream job in cyber security that also pays well?"

At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs. The four building blocks are: getting an education, getting certifications, getting relevant job experience, and building your personal brand. So, let's explore these in detail.

Number 1: Getting an education. When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree. If you were to look at most Chief Information Security Officers, you will see that the majority of them earned a bachelor's degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or, more recently, a related discipline such as a degree in Cyber Security.

An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school. Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter. Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions. For example, Baltimore County Community College charges $122 per credit hour for in-county residents. A couple of miles away, Johns Hopkins University charges $2,016 per credit hour. Now, that's a HUGE difference, over 16 times if you do the math. Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different? Well, that's up to you to decide.

The important take-away is that no one should decide NOT to pursue a cybersecurity education because of a lack of money. You can get started at any age on an associate degree, and that may give you enough to go on to get your first job. However, if you want to continue on to a bachelor's degree, don't give up. Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation.

Back to those going directly for a bachelor's degree. Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times what you paid, for the rest of your career. Think of financing a degree like financing a house. In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home. As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn a well-above-average income relative to your non-security peers, and hopefully enjoy a rewarding career. And, like the right house, the value of your career should increase over time, making your investment in your own education one of your best performing assets.

Does this mean that you 100% need a bachelor's degree to get a job in cyber? No, it does not. There are plenty of cyber professionals who speak at Black Hat and DEF CON who have never obtained a college degree. However, if ten applicants are going for an extremely competitive job and only seven of the ten have a college degree in IT or Cyber, you shouldn't be surprised when HR shortens the list of qualified applicants to only the top five, all having college degrees. It may not be fair, but it's common. Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime. So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree.

Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success. After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions. True, but it's a false argument that there's a cause-and-effect relationship there. Both were undergraduates at Harvard University when they developed their business ideas. So, if someone wants to assert a degree isn't necessary, counter that you'll agree once they are accepted into Harvard and produce a viable business plan as a teenager while attending classes.

You see, completing four years of education in a field of study proves a few things. I've interviewed candidates who said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition. Okay, I'll accept that that person had a more focused education. But consider the precedent here. When a course looked uninteresting or difficult, that candidate just passed on the opportunity. In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done. As a boss, do you want someone who has shown the perseverance to take on an uninteresting or difficult course and completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough? The business world isn't academia, where you're free to pick and choose whether to complete requirements. Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due.

Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college? There are a couple of ways to meet that challenge. It's time to talk to your rich uncle about paying for college. That uncle is Uncle Sam.

Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security. However, Uncle Sam will want you to work for the government in return for paying for your education. Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS).

ROTC is an officer accession program offered at more than 1,700 colleges and universities across the United States to prepare young adults to become officers in the U.S. Military. For scholarship students, ROTC pays 100% of tuition, fees, and books, plus a modest stipend for living expenses. A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer. The Navy uses designators rather than MOSs to delineate career patterns. These designators have changed significantly over the last dozen years and may continue to evolve. The Marine Corps has a 1702 cyberspace officer MOS. Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army, which has over 1,000 schools that participate in AROTC, and the Air Force, which has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities.

There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research. Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation. Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year. The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves. If you flunk out of school, you are rewarded with an enlistment rather than a commission. These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision.

What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration? There is another program worth investigating.

The National Science Foundation provides educational grants through the Scholarship For Service program, or SFS for short. SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) degree programs. It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security. However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees. Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided.
In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year.  In addition, an additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair.  I was honored to be the keynote speaker at the SFS job fair back in 2008.  I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring.  SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process.  These have been virtual the last couple of years due to COVID-19 but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship.  A good way to make mom and dad happy knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation.  The biggest benefit to the Scholarship for Service is you can work at a variety of places.  So, if your dream is to be a nation state hacker for the NSA, CIA, or the FBI then this offers a great chance of getting in.  These three-letter agencies heavily recruit from these programs.  As I mentioned, there are a lot of other agencies as well.  You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID).  
Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.  So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together?  I spent nine years as an advisor to the National CyberWatch Center.  Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce.  In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide.  Today, over 370 colleges and universities are in the program.  So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university.  That is HUGE.  Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011.  Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT.  Parents, are you listening carefully?  Successfully following that advice can save $100,000 and place your child on course for success. OK, so let's fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science.  Is there anything else that you can do while performing a summer internship?    That brings us to our second building block.  Getting certifications.   
Number Two:  Getting a Certification

Earning certifications is another key step to demonstrate that you have technical skills in cyber security.  Usually, technology changes rapidly.  That means that universities typically don't provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language.  Thus, while you may come out of a computer science degree with knowledge on how to write C++ and JavaScript, there are a lot of skills that you often lack to be quite knowledgeable in the workforce.  Additionally, most colleges teach only the free version of software.  In class you don't expect to learn how to deploy Antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic quadrant, yet that is exactly what you might encounter in the workplace.  So, let's look at some certifications that can help you establish your expertise as a cyber professional.  We usually recommend entry level certifications from CompTIA as a great starting point.  CompTIA has some good certifications that can teach you the basics in technology.  For example:
- CompTIA A+ can teach you how to work an IT Help Desk.
- CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks.
- CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux Systems.
- CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments.

Remember it's really hard to protect a technology that you know nothing about, so these are easy ways to get great experience in a technology.  If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day.  Once you have read the official study guide go and buy a set of practice exam questions from a site like Whizlabs or Udemy.  Note this usually retails for about $10.
So far this represents a total cost of about $50 ($40 to buy a book and $10 to buy practice exams).  For that small investment, you can gain the knowledge base to pass a certification.  You just need to pay for the exam and meet eligibility requirements.

Now after you get a good grasp of important technologies such as Servers, Networks, and Operating Systems, we recommend adding several types of certifications to your resume.  The first is a certification in the Cloud.  One notable example of that is AWS Certified Solutions Architect - Associate.  Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there.  Learning how the cloud works is extremely important.  Chances are you will be asked to defend it and you need to understand what an EC2 server is, types of storage to make backups, and how to provide proper access control.  So, spend the time and get certified.  One course author who provides a great course is Adrian Cantrill.  You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io.  The course costs $40 and has some of the best diagrams you will ever see in IT.  Once again go through a course like this and supplement with practice exam questions before going for the official certification.

The last type of certification we will mention is an entry cyber security certification.  We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security.  Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security.  You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site.
These types of certifications will help you to speak fluently as a cyber professional.  That means you get more job offers, better opportunities, and interesting work.  It's next to impossible to establish yourself as a cyber expert if you don't even understand the technical jargon correctly.

Number Three:  Getting Relevant Job Experience

OK, so you have a college degree and an IT certification or two. What's next?  At this point in time, you are eligible for most entry level jobs.  So, let's find interesting work in Cyber Security.  If you are looking for jobs in cyber security, there are two places we recommend.  The first is LinkedIn.  Almost all companies post there and there's a wealth of opportunities.  Build out an interesting profile and look professional.  Then apply, apply, apply.  It will take a while to find the role you want.  Also post that you are looking for opportunities and need help finding your first role.  You will be surprised at how helpful the cyber community is.  Here's a pro tip:  add some hashtags with your post to increase its visibility.

Another interesting place to consider is your local government.  The government spends a lot of time investing in their employees.  So go there, work a few years, and gain valuable experience.  You can start by going to your local government webpage such as USAJobs.Gov and search for the Career Codes that map to cyber security.  For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found.  If you find that you get one of these government jobs, be sure to look into college repayment programs.  Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications.  It's a great win-win to learn the trade.
Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career.  What type of cyber professional do you want to be?  Usually, we see most Cyber Careerists fall into one of three basic paths:
- Offensive Security
- Defensive Security
- Security Auditing

The reason these three are the most common is they have the largest amount of job opportunities.  So, from a pure numbers game it's likely where you are to spend the bulk of your career, although we do recommend cross training.  Mike Miller who is the vCISO for Appalachia Technologies put out a great LinkedIn post on this where he goes into more detail.  Note we have a link to it in our show notes.  Here are some of our own thoughts on these three common cyber pathways:

Offensive Security is for those that like to find vulnerabilities in things before the bad guys do.  It's fun to learn how to hack and take jobs in penetration testing and the red team.  Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others.  You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology.  Once you do, there's a lot of interesting work awaiting.  Note if these roles interest you then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work.

Defensive Security is for the protectors.  These are the people who work in the Security Operations Center (SOC) or Incident Response Teams.  They look for anomalies, intrusions, and signals across the whole IT network.  If something is wrong, they need to find it and identify how to fix it.  Similar to Offensive Security professionals they need to understand technology, but they differ in the types of tools they need to look at.
You can find a defender looking at logs.  Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention Tools, an EDR, and many other sources.  Defenders will become an expert in one of these tools that needs to be constantly monitored.  Note if you are interested in these types of opportunities look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler (GCIH) to gain relevant expertise.

Security Auditing is a third common discipline.  Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical.  This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard/regulation.  You will spend a lot of time learning the standards, policies, and best practices of an industry.  You will perform risk assessments and third-party reviews to understand how we certify as an industry.  If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA.

Ok, so you have a degree, you have certifications, you are in a promising job role, WHAT's Next?  If you want to really become an expert, we recommend you focus on…

Number Four: Building your personal brand.

Essentially find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security.  Every time you do you will get smarter on a subject.  Imagine spending three hours a week reading books in cyber security.
If you did that for ten years, think of how many books you could read and how much smarter you would become.  Now as you share that knowledge with others two things happen:
- People begin to recognize you as an industry expert.  You will get invited to opportunities to connect with other smart people which allows you to become even smarter.  If you spend your time listening to smart people and reading their works, it rubs off.  You will absorb knowledge from them that will spark new ideas and increase your understanding.
- The second thing is when you present your ideas to others you often get feedback.  Sometimes you learn that you are actually misunderstanding something.  Other times you get different viewpoints.  Yes, this works in the financial sector, but it doesn't work in the government sector or in the university setting.  This feedback also helps you become smarter as you understand more angles of approaching a problem.

Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others.  They all know G Mark's law, which I wrote nearly twenty years ago:  "Half of what you know about security will be obsolete in eighteen months."

OK so let's recap a bit.  If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest amount of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally share what you know and build your personal brand.  All of these make you smarter and will help you become a cyber expert.

Thanks again for listening to us at CISO Tradecraft.  We wish you the best on your journey as you Learn to Earn.  If you enjoyed the show, tell one person about it this week.  It could be your child, a friend looking to get into cyber security, or even a coworker.
We would love to help more people and we need your help to reach a larger audience.  This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there.

References:
https://www.todaysmilitary.com/education-training/rotc-programs
www.sfs.opm.gov
https://www.comptia.org/home
https://www.whizlabs.com/
https://www.udemy.com/
https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c03
https://www.linkedin.com/feed/update/urn:li:activity:6965305453987737600/
https://www.offensive-security.com/pwk-oscp/
https://mitre-engenuity.org/cybersecurity/mad/
https://www.giac.org/certifications/certified-incident-handler-gcih/
https://www.ccbcmd.edu/Costs-and-Paying-for-College/Tuition-and-fees/In-County-tuition-and-fees.aspx
https://www.educationcorner.com/value-of-a-college-degree.html
https://www.collegexpress.com/lists/list/us-colleges-with-army-rotc/2580/
https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104478/air-force-reserve-officer-training-corps/
https://www.netc.navy.mil/Commands/Naval-Service-Training-Command/NROTC
https://armypubs.army.mil/pub/eforms/DR_a/NOCASE-DA_FORM_597-3-000-EFILE-2.pdf
https://niccs.cisa.gov/sites/default/files/documents/SFS%20Flyer%20FINAL.pdf
https://www.nationalcyberwatch.org/

Preparing for the Unexpected
What You Should Know About Supply Chain Continuity Management

Preparing for the Unexpected

Play Episode Listen Later Jul 14, 2022 54:45


If the COVID19 global pandemic has taught organizations anything, it's to develop a stronger focus on their supply chain. I speak with Supply Chain Management (SCM) expert Matthias Rosenberg about what you should know about SCM to help your organizations and communities deal with disruptions in a proactive and positive manner. We talk about: 1. Defining Supply Chain Management, 2. The different perspectives on Supply Chain (e.g., Corporate view vs. SCM view), 3. SCM complexities, 4. Supply Chain Continuity Management (SCCM), 5. The SCCM Lifecycle (Analysis, Design, Implementation, Validation...), 6. SCCM solution options, 7. SCCM/SCM challenges, and 8. Some quick tips for professionals and organizations. It's an in-depth talk about SCM you don't want to miss. Enjoy!

The Resilient Journey
Episode 44 - Michele Turner. A Methodology for Business Continuity Management

The Resilient Journey

Play Episode Listen Later Jun 27, 2022 30:23


If I'm 100% honest, I don't know why cheerleaders have to spell everything. “Be aggressive. B-E aggressive. B-E A-G-G-R-E-S-S-I-V-E.” What's the point? Hello everyone, welcome to episode 44 - as the Resilience Think Tank presents the Resilient Journey podcast! This week I'm joined by Michele Turner. Michele is going to spell for us today as she walks us through her methodology for business continuity program development. This is based on Michele's latest book Lessons Learned: Short Stories of Continuity and Resilience. As we work our way through the word “PARSE”, we will discuss:
- Tips if you're having trouble getting executive level support
- Making sure your program demonstrates VALUE
- The use of Risk Assessments
- How sometimes we need to slow down to speed up
- Why it's important for you to have a personal career strategy
- How our unique view of the organization can help develop resilience strategies

Be sure to follow The Resilient Journey! We sure do appreciate it! Learn more about the Resilience Think Tank here. Connect with Michele here. Want to learn more about Mark? Click here or on LinkedIn or Twitter. Special thanks to Bensound for the music.

Preparing for the Unexpected
Supply Chain Mgmt: Creating Resilience w/ 3rd Party Vendors

Preparing for the Unexpected

Play Episode Listen Later Jun 23, 2022 52:03


If there's one thing organizations have learned throughout the COVID19 global pandemic, it's how fragile our supply chains are. I speak with longtime noted Business Continuity Management and Risk expert, and global award-winning industry personality R. Vaidhyanathan (RV), about how to create resilience within our Supply Chains. We touch on subjects such as: a) Risk identification and management, b) Evaluating vendors and partners, c) Trends in Supply Chain Mgmt., d) Strategizing alternatives, e) Linking compliance and 3rd party arrangements, f) Contracts and regulatory obligations, and much, much more. Enjoy!

Software Lifecycle Stories
Getting the bigger picture with Satyendra Kumar-Part1

Software Lifecycle Stories

Play Episode Listen Later May 26, 2022 27:34


In this first part of the conversation with an IT industry veteran, Satyendra Kumar, he shares:
- Coming from a humble background and doing his initial education in a village
- Getting into Delhi University based on his good academic performance
- Having to take up a job, to meet some family needs
- How he chose a job in a defence agency and rising to a senior level
- Leaving his job and getting into consulting and quality
- Setting up the Tata Business Excellence Model for the group
- Working with different business units in different domains
- Switching to an IT organization before joining and spending 14 years at Infosys
- Continuing to work with different organizations post retirement from Infosys
- How learning came naturally to him, particularly in very new, challenging and different environments
- How he gains confidence about being able to do anything, amidst uncertainty
- The experience based on a major decision to switch from the comforts of a government job, to a small apartment in a distant suburb
- How he thinks scale in conceiving and implementing organization wide initiatives, while making sure he has enough bandwidth to plan for the future and growing his team to 700
- His experience of recruiting people from non-IT organizations
- How to get comfortable with delegation, with trust in the team
- His experience of creating an awareness and acceptance of processes among technical teams
- The tendency in quality professionals to become more of audit persons than having a direct connect with the senior leadership, to help them steer the business
- Why there should be shared goals for improvement between the quality function and the business units

In the next part, Kumar shares the answer to the question on his experience and perspectives related to Agile approaches and many more interesting points. Do not miss that.

Independent Advisor and Consultant to several large and medium scale institutions and enterprises since 2013. Was the Global Head and Senior Vice President – Productivity & Quality, Technology Tools & Software Reuse at Infosys Limited (2000 – 2013). Worked as Vice President at IMR Global, USA between 1998 and 2000. Worked as Deputy Chief Executive for Tata Quality Management Services – Tata Group between 1996 and 1998. Has consulted for over 50 national and multi-national clients in areas of Business Excellence, Operational Efficiencies, Customer Satisfaction Management, Business Continuity Management, Project and Program Management, and Quality Management. Had been Board member (QuEST USA), on the Panel of Judges - Wisconsin State Award (USA), Administrative Reforms Committee of Indian Institute of Science, Bangalore and Chief Technical Advisor to the Confederation of Indian Industry – Institute of Quality. Has been a recipient of the IEEE-Software Engineering Institute (Carnegie Mellon University) International award (2011) and honoured with the “Life Time Achievement Award for Quality and Business Excellence” by an IT industry association.

Preparing for the Unexpected
My Experiments with BCM (Business Continuity Mgmt) w/ Daman Sood

Preparing for the Unexpected

Play Episode Listen Later Mar 24, 2022 53:06


We do something a little different for this episode. Globally recognized Business Continuity Management and Resilience expert and author of 'My Experiments with BCM', Daman Dev Sood, will read a few chapters from his new book, and then we'll talk about the chapter content after each reading. We touch on chapters titled: a) And a Million Dollar Question, Answering While I Close this Book (What do Business Continuity Managers Do?), b) Communication and Commitment (Continued Commitment), c) I am the Boss, I know the Business, and d) My Principles Valued @ Half a Million INR. All the chapters are from Daman's own personal experiences in the BCM industry, and you're sure to relate to the stories and follow-up discussions, as we talk about each experience (Chapter) in detail. Enjoy!

Preparing for the Unexpected
The Effects of Climate Change on Organizational Resilience

Preparing for the Unexpected

Play Episode Listen Later Mar 17, 2022 48:13


Climate Change is one of the hottest topics in news headlines and in the business world. I talk to climate change evangelist Pinaki Bhaduri about the effects of climate change on organizational resilience. We touch on: a) how businesses can reposition themselves, b) Changing BCM and Resilience strategies, c) the impacts on supply chains and risk management, d) Environmental, Sustainability, Governance (ESG), e) mitigation activities, f) the Board room, and much more. Pinaki shares many thoughts and ideas for organizational leadership and industry professionals about what they need to consider with regards to climate change. Either organizations will adopt climate change into their plans, or they won't...and end up failing. A very enlightening talk, so don't miss it. Enjoy!

Preparing for the Unexpected
Opportunities in the BCM Industry to be and Stay Relevant!
Feb 3, 2022 (53:58)

What opportunities are there in the Resilience / Business Continuity Management (BCM) industry that enable professionals to be - and stay - relevant? The answer to that question and many more are discussed as I talk with the CEO of Crisis Ally, Alexandra Hoffmann. In this episode, Alexandra talks about: a) the role of Diversity and Inclusion, b) soft (Human) skills, c) linking activity to the organization's purpose (and the overall culture), d) the differences between resilience and sustainability...or the lack thereof, and so much more. Alexandra's passion for the Resilience, Business Continuity Management, and Security industries is easily apparent, as she shares many great insights into how industry professionals can shine before, during, and after an adverse event. Don't miss it!

Preparing for the Unexpected
Encore Practical Business Continuity Management: Top Tips for Real-World BCM
Dec 30, 2021 (53:24)

Whether you're a new or an experienced BCM practitioner, and whatever your specific role within your organization, if you have an interest in implementing and maintaining an effective BCM program, this episode is for you. We speak with highly recognized BCM, Risk, and Crisis Mgmt. industry expert and author, Andy Osborne. We'll talk about many of the concepts, tips, and ideas contained in his book Practical Business Continuity Management: Top Tips for Effective, Real-World Business Continuity Management. Andy provides some great insights and examples when discussing the BIA, RA, BCP, and even how to work with Executive Management. Regardless of your level of BCM experience, you're sure to enjoy this episode with Andy.

Preparing for the Unexpected
Cyber Resilience and Leveraging AI in Business Continuity
Sep 30, 2021 (51:44)

Artificial Intelligence (AI) is becoming a key component in many parts of our daily lives, and that includes Technology Plans and Business Continuity Management. I talk with longtime security expert Agnidipta (Agni) Sarkar about how AI can help the BC industry in the future and what AI is doing for us now. Agni will also talk to us about Cyber Resilience, and how it differs from Cybersecurity. He will provide an overview of what organizations need to have in place to address Cyber attacks (e.g. Ransomware) prior to any actual instance occurring. An informative chat about AI and Cyber Resilience you don't want to miss.

CyberHub Engage Podcast
Ep. 115 - Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo Part II
May 12, 2021 (56:56), transcription available

In this episode of CISO Talk, James Azar is joined by Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo, to talk about cybersecurity innovation, the drastic changes by consumers and employees, and what this means for practitioners. Tune in to this amazing podcast and make sure to subscribe and comment.

Bio: Senior Technology Executive with extensive experience in establishing and growing technology, security and risk programs in large international corporations as well as medium-sized companies, including establishing and developing business requirements, creating and implementing governance and architecture models, infrastructure development and executing critical processes, products, and services with a strong focus on security, quality and availability. Specialties: Business Strategy, Technology Strategy & Innovation, Business Operations Management, Mobile Solutions and Services, Security Integration (physical and logical), Information Security, Cyber Security, Identity, Authentication, Systems Security, Supply Chain Security, Business Continuity Management, Threat and Risk Management, Online & Mobile Commerce.

CyberHub Engage Podcast
Ep. 111 - Sam Phillips, SVP Head of Enterprise Information Security Architecture at Wells Fargo
Apr 14, 2021 (25:44), transcription available

In this episode of CISO Talk, James Azar is joined by Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo, to talk about cybersecurity innovation, the drastic changes by consumers and employees, and what this means for practitioners. This is a preview of our full Fireside chat for the Cyber FinTech Conference hosted by Atlanta Tech Park and CyberHub Summit. The Event is on April 27th, 2021 and the rest of the episode will be available then to watch… Tune in to this amazing podcast and make sure to subscribe and comment.

Bio: Senior Technology Executive with extensive experience in establishing and growing technology, security and risk programs in large international corporations as well as medium-sized companies, including establishing and developing business requirements, creating and implementing governance and architecture models, infrastructure development and executing critical processes, products, and services with a strong focus on security, quality and availability. Specialties: Business Strategy, Technology Strategy & Innovation, Business Operations Management, Mobile Solutions and Services, Security Integration (physical and logical), Information Security, Cyber Security, Identity, Authentication, Systems Security, Supply Chain Security, Business Continuity Management, Threat and Risk Management, Online & Mobile Commerce.

Preparing for the Unexpected
Business Continuity: Cultural Change and Awareness
Apr 8, 2021 (52:51)

Each organization has its own culture and its own way of perceiving Business Continuity, sometimes in a positive light and sometimes not so. BCM industry expert Dwayne Grizzle will talk about his presentation from the BCI World Virtual 2020 conference entitled 'Cultural Change and Awareness'. We'll learn about the definition of Culture and how, through change triggers and awareness measures, organizations can change their thinking, participation, and culture surrounding Business Continuity Management.

Preparing for the Unexpected
Business Continuity Management: In Practice w/ Stuart Hotchkiss
Feb 18, 2021 (57:27)

Successful business continuity requires the creation of and adherence to a plan, which ensures an organization's critical functions are maintained or restored in the event of disruption (e.g. fires, natural disasters, etc.). Join me as I talk with recognized industry expert and author Stuart Hotchkiss about his book 'Business Continuity Management: In Practice'. BCM can be made very over-complicated, and Stuart provides a clear and simple approach to understanding what BCM is, and what it isn't. We'll touch on such subjects as the BCP, testing, audit, awareness, and the problems associated with the Business Impact Assessment (BIA) and the establishment of recovery time objectives. Some may consider this a controversial episode - I think it's one not to be missed!

Preparing for the Unexpected
COVID-19: Business Response, Recovery, and Sustainability
Feb 4, 2021 (55:48)

COVID-19 has forever changed the way we do business, think about business, adapt to business needs, and think about our responses to crisis and disaster situations. I speak to renowned industry expert, entrepreneur, trainer, and author, Geary Sikich, as we chat about some of the COVID-19 related thoughts he presented at the Continuity & Resilience Today (CRT) conference in Oct/20. Geary touches on some key themes relating to COVID, from Supply Chain Mgmt. to Risk Management to the growing need for an 'all-hazards' approach to help build resilience. Be sure to tune in and listen to Geary's incredible insights on COVID-19, and the future of the Risk and Business Continuity Management industries, including how Governments and the Private sector will need to work together going forward. Don't miss it!

Preparing for the Unexpected
Conquering the Top 5 BCM Roadblocks
Jan 21, 2021 (55:05)

There's no doubt that business continuity has evolved into a critical team that helps organizations become - and stay - resilient. As the risk of reputational damage moves into the forefront for corporations, many BC teams are faced with growing the scope and scale of their programs to meet new demands. Many are struggling with finding the best and fastest path forward, as there are always roadblocks that tend to get in the way. I talk with renowned industry expert James Green, who presented the topic 'Conquering the Top 5 Roadblocks' at the 2020 Continuity & Resilience Today conference. James will talk about the top roadblocks BCM professionals face and what we can do to overcome them; from obtaining and keeping executive attention to continuity, resilience, and our well-being. It's a lively discussion with James you won't want to miss.

Preparing for the Unexpected
Practical Business Continuity Management: Top Tips for Real-World BCM
Jan 7, 2021 (53:24)

Whether you're a new or an experienced BCM practitioner, and whatever your specific role within your organization, if you have an interest in implementing and maintaining an effective BCM program, this episode is for you. We speak with highly recognized BCM, Risk, and Crisis Mgmt. industry expert and author, Andy Osborne. We'll talk about many of the concepts, tips, and ideas contained in his book Practical Business Continuity Management: Top Tips for Effective, Real-World Business Continuity Management. (Volume 2 is expected in early 2021.) Andy provides some great insights and examples when discussing the BIA, RA, BCP, and even how to work with Executive Management. Regardless of your level of BCM experience, you're sure to enjoy this episode with Andy.

The Ncast
Taking the Reins in Building Out a BCM Program | The Ncast Episode 6
Dec 17, 2020 (25:47)

What happens when someone moves from the vendor management team to spearhead and expand an FI's business continuity management program? We found out first-hand from Ronnie Emmanoulakis, CRVPM II, Manager, Data Operation and Business Continuity Management who shared what it was like to step into the new role, how he approached the comprehensive strategy from management oversight to training, and how challenges were addressed along the way.

Preparing for the Unexpected
Business Continuity and Organizational Resiliency in Latin America
Oct 1, 2020 (56:02)

We hear a lot about Business Continuity Management and Organizational Resilience, but usually the examples are from Europe and/or North America. We'll talk with Organizational Resilience and Business Continuity expert Timothe Graziani, who is headquartered in the Dominican Republic, and chat about BCM in the Latin America (LATAM) region. We'll chat about some of the different challenges LATAM countries face with BCM and what's driving the push to move BCM and Org Resilience to the forefront. We'll also touch on how Covid-19 has impacted the LATAM region and what countries and their resilience people are doing to address it. It's a very informative show with some new perspectives on some traditional ideas. Don't miss it!

The ISO Show
Episode 49 - How EMCOR is Embedding Business Continuity
Jul 29, 2020 (23:01)

EMCOR has gone from strength to strength over the years, so Alex is joining us today to discuss ISO 22301 (Business Continuity Management) and how the system is helping them to not just survive, but thrive during these difficult times.

Preparing for the Unexpected
Covid-19 and Business Continuity Management
Jul 16, 2020 (55:42)

The global Business Continuity Management (BCM) landscape is changing; from supply chain management to disaster response to the effects and impacts of the Covid-19 global pandemic. We talk to internationally recognized BCM industry leader and expert, Patrick (Pat) Corcoran from IBM. Pat will talk to us about the changing BCM landscape and what BCM planning aspects - and program components - organizations will need to revisit and refocus as a result of the global Covid-19 pandemic. From the new challenges of Working from Home (WFH) strategies to IT Disaster Recovery to the ever-increasing potential of Cyber Threats, Pat will give us all something to think about, as we move our BCM programs forward through the pandemic...and beyond.

The ISO Show
Episode 42 - What is Business Continuity Management?
May 14, 2020 (17:19)

Join Mel this week as she discusses ISO 22301 (Business Continuity), a standard that is completely focused on resuming operations to get back to 'business as usual'.

Preparing for the Unexpected
Mastering Business Continuity Management
Oct 31, 2019 (55:47)

Mastering Business Continuity Management (BCM) can be a very tough goal, since professionals are not just dealing with a couple of departments within an organization; they are working with the entire organization, including its 3rd-party external partners and their local communities. We talk to globally recognized Business Continuity expert, speaker, trainer, consultant and author, Dr. Michael D Redmond, about some of the key foundational components of a good BCM program that all BCM professionals must know and understand. We will touch on Project Management, Risk Assessments and Risk Analyses (and the difference between them) and the Business Impact Analysis.

Preparing for the Unexpected
Technology and Emergency Management
Jun 6, 2019 (56:24)

Technology is present in every aspect of our daily and business lives; this includes being an important factor in Emergency Management. We speak with the author Dr. John C Pine about his book Technology and Emergency Management. We'll discuss how technology is changing Emergency Management and how it can be leveraged to better aid our Emergency Planning, Response, Recovery and Mitigation capabilities. Dr. Pine will also tell us about some of the existing technologies being utilized, as well as some of the operational challenges when utilizing technology in Emergency Management.