Training
Training is tailored to the needs of the Client. Training topics and existing content are detailed below. A Client may request custom training based on their requirements.
Presentations at Your Event
Gideon is available to present at conferences, chapter meetings, universities and corporate/government events.
Each session provides practical advice in the areas of cybersecurity and operational risk management. The goal is to provide attendees with information they can use upon return to work.
Gideon creates slide decks in USAF crash course format. The presentation style is fast-paced, covering many slides. That keeps the audience's attention and conveys a significant amount of information within the allotted time. Each deck includes resource links at the end, which make the PDF a great takeaway.
Here are links to strong positive feedback when Gideon presented to large audiences: LinkedIn Post # 1 / LinkedIn Post # 2 / LinkedIn Post # 3
Cybersecurity Assessments
Adaptive Cybersecurity Risk Assessments
This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation.
The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud.
This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices when creating specific testing procedures.
Rather than repeating the same assessment year-over-year, the scoping methodology is risk-opportunistic. The focus is on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. Albert Einstein's quote applies here: "the definition of insanity is doing something over and over again and expecting different results."
The session will briefly walk through the assessment report framework, providing tips along the way.
The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.
Third Party Risk Management
Designing a Third Party Risk Management Program
Provides practical advice to design a TPRM program. Details the end-to-end process: identify, risk rank, assess, risk treatment, monitor and oversight & escalations. Includes options based on risk tolerance and available funding.
Provides security requirements for vendor contract templates.
Describes how to identify new and existing vendors through existing Supply Chain Management processes, or through financial systems in organizations where that is necessary. Includes examples of where vendors may slip through the cracks.
Addresses a risk-based approach to tier vendors for assessment when confidentiality and business criticality information is available. Otherwise, includes alternatives such as risky vendor categories and tiering questions.
Assessment options include on-site assessment, questionnaires, artifact reviews, vulnerability scans and acceptance of independent assessments & certifications.
Describes risk treatment: tracking remediation to closure, policy exceptions and risk register entries.
Provides recommendations to reduce residual risk when vendor service is discontinued.
Addresses program architecture: welcome packet, process diagram, procedures manual, message templates, system of record, reporting, metrics, etc.
Includes tips to develop a roadmap to mature the program over three years.
Provides examples that can be leveraged in small, medium and large organizations. Includes real world challenges with recommendations for processes.
Business Risk Assessments
Lines of Business (LOBs) manage data within their span of control and may work directly with vendors. This presentation addresses LOB Risk Assessment, Business Process Risk Assessment and FMEA Process Risk Evaluation.
A LOB Risk Assessment begins with service offerings, following the data flow. LOB processes, technology and administrative controls are assessed to identify areas for improvement:
- Data Management
- Application Governance
- Third parties
- Call Centers
- Access Control
- Process Design
- Insider Threat
- Fraud
Business Process Risk Assessment focuses on cybersecurity, insider threat and fraud. The evaluation of the process covers data flow, application governance, Third Party Risk Management and spreadsheet risk. We also validate cybersecurity controls such as access control and business continuity.
Failure Mode and Effects Analysis (FMEA) evaluates process issues by Severity x Occurrence x Detection. The resulting Risk Priority Number is used to address issues with the greatest risk exposure.
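As an added illustration of the FMEA scoring described above (this is example code, not material from the session), the block below rates a constructed set of business-process issues on 1-10 scales for Severity, Occurrence and Detection, computes the Risk Priority Number as their product, and ranks the issues. Two conventions are assumed rather than taken from the page: ties in RPN are broken by Severity, and any issue at or above a severity floor is flagged for action even when its RPN falls under the threshold, since a catastrophic-but-rare issue should not disappear behind a low product.

```python
"""FMEA prioritisation over a constructed set of process issues.

Added example; the issues, scales, threshold and severity floor are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessIssue:
    """One failure mode found during a business process risk assessment."""
    name: str
    severity: int    # 1 = negligible impact .. 10 = catastrophic (assumed 1-10 scale)
    occurrence: int  # 1 = rare .. 10 = frequent
    detection: int   # 1 = almost certain to be detected .. 10 = effectively undetectable

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed scale so a typo cannot skew the ranking.
        for label, value in (("severity", self.severity),
                             ("occurrence", self.occurrence),
                             ("detection", self.detection)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be between 1 and 10, got {value}")

    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Detection."""
        return self.severity * self.occurrence * self.detection


def needs_action(issue: ProcessIssue, rpn_threshold: int = 100,
                 severity_floor: int = 9) -> bool:
    """True when the RPN meets the threshold or the severity alone is severe enough.

    The severity floor is an assumed convention: a rare, hard-to-detect but
    catastrophic issue can have a small RPN and still deserve corrective action.
    """
    return issue.rpn() >= rpn_threshold or issue.severity >= severity_floor


def rank_issues(issues: list[ProcessIssue]) -> list[ProcessIssue]:
    """Highest RPN first; equal RPNs are ordered by severity (assumed tie-break)."""
    return sorted(issues, key=lambda i: (i.rpn(), i.severity), reverse=True)


def prioritize(issues: list[ProcessIssue], rpn_threshold: int = 100,
               severity_floor: int = 9) -> list[tuple[str, int, bool]]:
    """Return (name, rpn, action_required) for every issue, ranked for the report."""
    return [(i.name, i.rpn(), needs_action(i, rpn_threshold, severity_floor))
            for i in rank_issues(issues)]


# Constructed sample issues (not from any real assessment); ratings are illustrative.
SAMPLE_ISSUES = [
    ProcessIssue("Customer PII spreadsheet emailed between teams", 8, 7, 6),      # RPN 336
    ProcessIssue("Vendor access not revoked at contract end", 9, 4, 8),           # RPN 288
    ProcessIssue("Call center script skips caller verification", 7, 6, 5),       # RPN 210
    ProcessIssue("Manual journal entry without second approver", 6, 5, 4),       # RPN 120
    ProcessIssue("Backup job failures not alerted", 5, 6, 3),                     # RPN 90
    ProcessIssue("Privileged account shared by two administrators", 9, 2, 5),    # RPN 90
    ProcessIssue("Stale documentation for reconciliation process", 3, 8, 2),     # RPN 48
]


if __name__ == "__main__":
    for name, rpn, action in prioritize(SAMPLE_ISSUES):
        flag = "ACTION" if action else "monitor"
        print(f"{rpn:4d}  {flag:8s} {name}")
```

Running the block prints the ranked list; the two issues tied at RPN 90 are ordered with the severity-9 shared privileged account first, and only that one of the pair is flagged for action because of the severity floor.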
Cybersecurity Metrics, KPIs and KRIs
This session provides practical advice to establish cybersecurity metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). We begin with an explanation of the differences between them and why each is needed.
Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include cybersecurity measurements for all organizations, for processes & functions and in alignment with a control framework. The end game is to measure whether processes and controls are functioning as designed.
We walk through tips for communicating new metrics and go-to-green updates for metrics in red or yellow status.
The session includes metrics, KPIs and KRIs attendees can leverage upon returning to work. Metrics resources are provided as well. All of this saves time and can assist with enhancing your program.
Cybersecurity Risk Management
Cybersecurity Risks and Mitigation Strategies
This session provides practical advice to identify, analyze and classify cybersecurity risks. It begins with an inventory of risk scenarios, resources to identify new scenarios and an example of how to establish a risk scenario.
We walk through three risk analysis methodologies. Techniques to classify risk are provided, including a risk scoring visualization used to gain funding for new controls. Maturity models are discussed, along with a methodology for quantifying and managing risk.
We discuss attack centric controls and a tiered approach to influence risk mitigation based on real world experiences. Two examples of risk summary slides are discussed, with executives as the intended audience. We also cover how a risk register can be used to influence mitigation of cybersecurity issues.
The session concludes with a call to action and 10 takeaways attendees can leverage upon returning to work.
Career Advice: Cybersecurity Professionals
Prove Yourself Ready Now for Promotion - Cybersecurity
This session provides practical advice to prove yourself 'ready now' for a cybersecurity management role. There are 10 takeaways attendees can leverage upon returning to work.
The session begins with ways to align and partner with executives. It includes details of their perspectives and motivations. There are tips for communicating program statuses in ways that resonate with leadership. Program architecture and planning are addressed at a mid-level. Professional development and C-Level presentation round out the session.
Here is the framework of the presentation:
- Understand Executives' Perspective
- Speak in Terms of Risk
- Have Communications Routines
- Communicate Program Statuses
- Have a Focus on the Program
- Plan to Drive the Program Forward
- Use Executive Tools
- Focus on Professional Development
- Be Known
- Prepare for C-Level Presentation
Career Advice: Cybersecurity Leaders
Cybersecurity Team Development and Retention
This session provides InfoSec leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management.
Management routines will be discussed to help attendees with efficiency. Time management tips and a communications plan template will be provided.
The session also addresses tough questions such as "Are we secure?" and "What is the value-add of the cybersecurity program?"
Annual program goals and performance & development plans are addressed at a mid-level.
The session closes with performance calibration, succession planning, promotions and retention risk.
Program Maturity - Cybersecurity and Operational Risk Management
Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages.
Maturity Level 1. Minimal Compliance
Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program.
Maturity Level 2. Common Controls
Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: deploy controls based on proven methodologies such as the 20 CIS Controls.
- Patching
- Penetration testing
- Web application firewall
Establish a risk-based approach for implementing controls.
Maturity Level 3. Risk Management
It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process.
Maturity Level 4. Strong Risk Management
At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.
- The cybersecurity program maintains controls specific to line of business products, services and assets
- An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
- Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers
A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.
Influence Remediation Through a Risk Register Process
This session provides practical advice to implement a Risk Register. Related processes influence security issue remediation by requiring leaders to sign off on risk acceptance. That reduces skeletons in the closet and helps to provide visibility at the appropriate leadership tier. This session addresses processes, the risk register form, the log, tollgates and an executive risk forum.
The session begins with an overview of risk management concepts. Risk categories and a sample risk tolerance slide will be discussed. A roles and responsibilities slide will address how employees and contractors support risk management. References to information security standards and regulations include requirements for strong risk management and documented risk acceptance.
A process diagram is used to establish a basic understanding of Risk Registers. This will provide context before addressing meeting routines such as Risk Tollgates and an Executive Risk Forum.
The session transitions into a detailed review of a Risk Register Form. The example provided helps to ensure risk is clearly articulated. A structured format addresses which control should be in place, the current state, root cause, consequence, corrective actions and more. Risk mitigation entries include a framework for milestones and artifacts. Remaining sections include risk ratings and required approvals.
The executive risk forum section addresses risk decisioning. Executives have the option to approve risk mitigation plans, provide resources, sign off on risk acceptance or request revision of the risk register entry. A sample meeting agenda and risk register reporting are provided. The session concludes with a summary of Risk Register benefits and a call to action.