1
00:00:00,05 --> 00:00:03,07
- [Narrator] You made it. Wow!

2
00:00:03,07 --> 00:00:06,09
I assume that if you're watching this video,

3
00:00:06,09 --> 00:00:09,04
the last video in this course,

4
00:00:09,04 --> 00:00:11,09
I've either convinced you to consider making room

5
00:00:11,09 --> 00:00:14,07
for entry level cybersecurity talent on your team,

6
00:00:14,07 --> 00:00:16,09
or at the very least,

7
00:00:16,09 --> 00:00:20,03
I've kept you moderately entertained up to this point.

8
00:00:20,03 --> 00:00:23,04
(chuckles) I'm actually hoping it's a bit of both.

9
00:00:23,04 --> 00:00:26,07
All right, now, assuming you've decided

10
00:00:26,07 --> 00:00:29,01
to charge down the path of creating opportunities

11
00:00:29,01 --> 00:00:31,04
for the newcomers to the industry,

12
00:00:31,04 --> 00:00:34,09
you may need to convince other leaders in your organization

13
00:00:34,09 --> 00:00:37,01
that this is the right approach.

14
00:00:37,01 --> 00:00:38,04
You could, of course,

15
00:00:38,04 --> 00:00:39,09
(chuckles) send them the link to this course,

16
00:00:39,09 --> 00:00:43,01
but my guess is that's not very high on your list

17
00:00:43,01 --> 00:00:46,08
of potential options for creating a business case.

18
00:00:46,08 --> 00:00:48,08
Even if you have full autonomy

19
00:00:48,08 --> 00:00:50,07
when it comes to staffing your team,

20
00:00:50,07 --> 00:00:52,08
I imagine you'll still need to communicate

21
00:00:52,08 --> 00:00:55,08
the overall effectiveness of the security program

22
00:00:55,08 --> 00:00:58,07
or the area of the program you're responsible for

23
00:00:58,07 --> 00:01:00,08
to the appropriate stakeholders.

24
00:01:00,08 --> 00:01:03,04
Security program effectiveness is often measured

25
00:01:03,04 --> 00:01:06,03
in terms of how secure the organization

26
00:01:06,03 --> 00:01:08,07
believes itself to be.

27
00:01:08,07 --> 00:01:11,04
Effectiveness can also be measured, however,

28
00:01:11,04 --> 00:01:14,03
based on the stability and maturity capabilities

29
00:01:14,03 --> 00:01:17,03
of the program, both of which are directly linked

30
00:01:17,03 --> 00:01:18,05
to the teams responsible

31
00:01:18,05 --> 00:01:21,06
for the day-to-day security operations.

32
00:01:21,06 --> 00:01:24,00
Let's unpack that a bit.

33
00:01:24,00 --> 00:01:26,01
Regardless of which of the two situations

34
00:01:26,01 --> 00:01:29,08
you find yourself in, part of your business justification

35
00:01:29,08 --> 00:01:33,04
should include the security program's ROI.

36
00:01:33,04 --> 00:01:35,09
When you calculate the program's return on investment,

37
00:01:35,09 --> 00:01:40,00
however, it's important to think beyond dollars and cents.

38
00:01:40,00 --> 00:01:43,07
Consider the volatility of the program as well.

39
00:01:43,07 --> 00:01:47,00
An example of a highly volatile security program

40
00:01:47,00 --> 00:01:49,04
is one with high employee turnover,

41
00:01:49,04 --> 00:01:52,00
several open roles that need to be filled,

42
00:01:52,00 --> 00:01:55,04
and a handful of disgruntled mid to senior level resources

43
00:01:55,04 --> 00:01:58,02
handling all of the day-to-day operations.

44
00:01:58,02 --> 00:02:00,05
At any moment, this program,

45
00:02:00,05 --> 00:02:03,02
(chuckles) which is currently hanging on by a thread,

46
00:02:03,02 --> 00:02:06,08
could take a rapid and unpredictable turn for the worst,

47
00:02:06,08 --> 00:02:11,00
leaving the company exposed to a dangerous amount of risk.

48
00:02:11,00 --> 00:02:12,09
On the opposite end of the spectrum,

49
00:02:12,09 --> 00:02:16,06
an example of a low volatility security program

50
00:02:16,06 --> 00:02:19,03
is one that's supported by a fully staffed team

51
00:02:19,03 --> 00:02:21,03
with a healthy mix of employees

52
00:02:21,03 --> 00:02:23,02
having varying levels of skills.

53
00:02:23,02 --> 00:02:25,02
And the average tenure with the company,

54
00:02:25,02 --> 00:02:28,00
let's say, it's about five years.

55
00:02:28,00 --> 00:02:30,07
Employee morale and retention is trending up,

56
00:02:30,07 --> 00:02:33,07
internal promotions are at an all time high,

57
00:02:33,07 --> 00:02:36,00
and external candidates are waiting in line

58
00:02:36,00 --> 00:02:39,02
for an opportunity to interview for open roles.

59
00:02:39,02 --> 00:02:41,04
This program appears to be stable,

60
00:02:41,04 --> 00:02:44,07
and therefore presents very little, if any, inherent risk

61
00:02:44,07 --> 00:02:46,04
to the company.

62
00:02:46,04 --> 00:02:49,09
Now I know these examples are extreme.

63
00:02:49,09 --> 00:02:52,09
But the fact of the matter is your security program's

64
00:02:52,09 --> 00:02:56,08
level of volatility lies somewhere between the two.

65
00:02:56,08 --> 00:02:59,01
I'm even going to push my luck a bit

66
00:02:59,01 --> 00:03:02,06
and guess that your program's volatility level

67
00:03:02,06 --> 00:03:05,07
is not quite as low as you'd like.

68
00:03:05,07 --> 00:03:08,04
Building an external pool of entry level talent

69
00:03:08,04 --> 00:03:10,07
that you can feed into your pipeline

70
00:03:10,07 --> 00:03:13,01
as you promote internal resources

71
00:03:13,01 --> 00:03:16,03
can drastically reduce your program's volatility

72
00:03:16,03 --> 00:03:19,07
by increasing its stability and maturity capabilities.

73
00:03:19,07 --> 00:03:22,04
Your return on investment becomes clear

74
00:03:22,04 --> 00:03:25,02
when you're able to directly correlate the effectiveness

75
00:03:25,02 --> 00:03:26,09
of your security program

76
00:03:26,09 --> 00:03:29,07
to the effectiveness of your security team.

77
00:03:29,07 --> 00:03:33,02
And with that, we've reached the end of the course.

78
00:03:33,02 --> 00:03:36,08
I wish you much success in your future hiring endeavors,

79
00:03:36,08 --> 00:03:39,03
and I hope you've enjoyed your time with me

80
00:03:39,03 --> 00:03:42,00
as much as I've enjoyed my time with you.