It is always important to remember that security is not an IT problem but is an organizational problem. As cybersecurity professionals, our role is to make sure every employee understands their role in keeping the organization secure.
This is where your work from the previous weeks comes together in the final project. As you look back at the past assignments, you will see the content has been building upon itself each week. Each of the case studies has been building knowledge and presenting a realistic look at the threat environment and hopefully building confidence in your understanding of and adapting to technological threats. Each milestone project is an opportunity to work on the final project in pieces while receiving graded feedback on individual pieces of the final project.
The threats, issues, and weaknesses we have been discussing to date are real and representative of the threats being faced by businesses and organizations today. This is how life in the trenches is experienced and viewed by the cybersecurity professional – as soon as one problem is resolved another presents itself.
When working on the final project remember to review the feedback I have provided through the individual assignments and incorporate those suggestions and improvements into the final project. As a recap, milestone one is an overview of the organization including its main purpose, functions, size and complexity of the organization from a business perspective. With milestone two there is a review of the potential threats facing the organization, such as unintentional human error, malicious behavior, and organizational factors contributing to the risk equation. These two milestone projects set the stage for the final project.
When developing the final project and including the milestone projects remember to include my feedback. I know I am repeating myself but the message is important. I have given everyone feedback to ensure their final project is a success.
One more thought… The final project should be written from the perspective of the cybersecurity professional trying to convince senior management of the need for a security awareness training program for employees. When approaching this, remember these are business leaders and likely do not understand the technology terminology or jargon. Let me say that again, because it is very important, and we are computer professionals and cannot always help ourselves. 🙂 Our audience will be business leaders and will not know the difference between IPS, IDS, or TCP/IP. We need to remove the technology terms and speak in a manner the business leaders will understand. If we talk over their heads, they will not understand the significance of the problem.