Good then. Thank you guys. Thank you for not leaving. It's the last presentation for this session before the break and yeah, I decided to not do a typical technical discussion about tools or about techniques, but to talk a little bit about the problems that a lot of companies are facing. And that's why it's called the knowledge gap, because we face a very big knowledge gap and I put automotive in brackets because you could use, it's just an example that I will explain, but you can apply this to all other industries.
And the most important thing is I would talk about embedded engineering and not about IT. And a lot of you are working in an IT environment and I just added this slide yesterday evening to, let's say, explain it a little bit, that there are two different worlds somehow.
So IT is more dealing with data and embedded is dealing with security in a cyber-physical environment.
And I like this joke I found years ago on LinkedIn, I say, yeah, in case of cyber attack, just break the glass and pull the cables, and I'm always telling our guys, what do you do if this happens to the pacemaker, if someone hacks the pacemaker and you cannot just pull the cables, because then you're definitely gonna die? And what about autonomous driving cars? What if something happens with them?
So it's, it's not, let's say, that easy. We heard yesterday that if a hospital, the Lucas hospital, got hacked and then they change the medical records, then you can also have a safety impact. So injuries or wrong medications that could lead to death. But I was saying, more, the IT world is dealing with standardized software and, and servers and, and data, where embedded is dealing with proprietary code and OS and stuff like this, which is a totally different world.
And keep in mind these two things, because they will come back to this afterwards.
And I'm gonna talk about two things, two problems that I see all the time when I speak with companies and when we are advising companies, and they have two major problems. The first one is the awareness. So the cyber security, let's say the management cyber security awareness, because the management has the money. And if you wanna do something, you need the budget. So first we have to create awareness in cyber security and management, and that's a very huge problem. And for one company, we did a kind of survey and we asked decision makers. We asked more than 50 people.
So VPs, directors and team leaders, project managers, and we asked them, yeah, what do you think about security? How important is security in your, in nowadays and in the future and in your company, in your department, in your role.
And as you can see here, the funny thing is everybody's saying in the future, cybersecurity will be important, but right now, yeah, maybe, and it's alarming because if you're developing and if we have autonomous driving cars driving on the streets in two years, and we are already developing for one year now, this system, so we don't think about security.
I will not buy these cars and not drive them because I'm scared that there's some lack of security in this kind of systems. So it's quite scary. Today everybody's thinking in the future it will be important, but not right now. And the funniest thing is everybody's saying, yeah, for the company it should be important. We are doing autonomous driving systems. We are dealing with whatever stuff is security, but for my department, less than for my role, I'm not doing security. So I don't have to take care about this.
And everybody's saying, it's not for my business.
Some of them say, yeah, the IT department is doing security. We are just developers. We are developing stuff, but we are not doing security. And the alarming thing is we only asked decision makers, they're actually developing products that are safety and security critical.
So we, we didn't ask everybody or the facility management. So like this, we asked only the people that are actually working on this stuff, and everybody should say, it's very important. We have to do something. So that's the alarming thing. And this is the first thing we see, that companies are struggling because we need to create the awareness. And there were a lot of interesting thoughts also today in the panel where they said, okay, even some politicians there have to decide stuff. They didn't understand what to do and why we have to do this.
And the second, second big problem is even okay.
If we manage to get this first hurdle and we have the money from management, we still need people to implement all this stuff. We heard a lot during these two days about tools, about how to do this and that, but who, who is gonna implement this in, in our company? So you need people, trained and skilled people able to do this. And yeah, what do you do if you have this lack of, of knowledge in your company? You go and hire people. That's the first thing you do. And I talked with a few companies and a smaller one told me once, yeah, we are looking for cybersecurity for over one year now.
We cannot find anybody. So nobody is applying for this position. We don't have anyone. And I read in the cybersecurity job reports that they're forecasting three and a half million of open and unfilled positions by the end of 2021.
So a lot of positions that will remain open and nobody could fill them because we have actually, we don't have the skilled people to do that. And I'm coming, or I'm advising a lot the automotive industry. That's why I put automotive in brackets at the beginning. And the automotive industry is doing, if they don't find people, usually they just outsource.
So half of the engineers in engineering departments are from outsourcing companies. So it's quite common to say, okay, I look for a company that could help us and then hire people from Excel, what you face there. And what the supplier for example was telling is you can do that. You can ask, but there are just a few companies outside doing actually this kind of embedded security stuff. If we look around here, a lot of good IT consulting companies where they're doing purely IT development and not this kind of embedded.
So it's very, very difficult for, for just embedded to find a few consultancy companies that could help you. So the idea was of time. They told me, we will now look for trainings and actually try to close this gap and to train the people. And in discussion, he said, yeah, we, we just send, the people can do two things. You can send the people to external trainings, or you can actually try to develop with a few experts. You have maybe one in your, in your company can develop a training.
And yeah, there are some certain and some problems also with these two points. If we take the external trainings, and if we talk about IT security, there are a lot of certifications, trainings, online courses, you can do a lot of, of things, but in the embedded world, there are just a few ones. And the ones we have found, just a few ones in the market.
We have a handful of trainings you can attend in Germany if you wanna be an embedded security engineer. And they're all focusing on old guidelines, not the new standards. And a lot of them are just a conversion from safety to security.
So not covering the whole life cycle. So basically in safety, what you do, you do product safe until they start producing it.
Not, not thinking about what is after production. That's like in IT thinking just until the code is done and deployed and not thinking about incident response. And that's a problem cuz you have to teach also this kind of stuff. And most of the trainings are just focusing on risk assessment, which is the first part. But then you have to also develop secure designs and think about controls and the testing, all the rest. So they're not complete. And of course, if you go to a pure training company, they know how to do trainings, but they lack of practical know-how.
So he, he sent a few guys to this training, to these external trainings, and wasn't happy, said, okay, it's actually, it's not working with, we will do. The guy told him to speak supplier.
We will, we will develop an in-house training, our own training. And we keep on talking and say, okay, you know, you can do this internal training and you can use one of your experts and he can just create a bunch of slides and train the people. But it's actually the usual thing. If you ask the guy in the cellar to, to come up and hold the training, he is not the one with the best social skills, with the training skills to teach people for eight hours in a row.
And, and that's why usually the expert has a lot of knowledge, but doesn't have the training skills, and the trainer, if you invite a trainer to create a training, it's usually not the one with the, with the practical experience.
And so you have this, this kind of problem.
Also, if you wanna create an internal training and, and this is where we then thought about what can we do actually to, to close this knowledge gap? And we said, okay, we can work together and, and say, try to create synergies and to bring both things on a table, as a consulting advising company. And you were a big supplier and, and she had a resources and we said, okay, we can, we have a few trainers in our company for the academy. And they know how to efficiently collect the data and they know what they should collect and how to structure trainings usually. So they can do that part.
And on your side, you have up to date knowledge, and the suppliers like the OEMs, they're all in big CS and know all the up to date.
They have up to date knowledge, and they have a lot of practical examples. So they can bring this to the table. And on the other side, we can then consolidate the knowledge because we know how to do it. And we have also skilled trainer there. They know how to build also educational material. Because if you want train people for eight hours in a row, you cannot just create 200 slides and then go one by one because everybody will just fall asleep, leave the room.
That's why it's quite difficult to create a nice training and to keep everybody awake for a few hours. And we said, we can bring this to the, to the table. On the other side, you have a lot of people, a lot of engineers, and we can create workshop with you to extract additional knowledge, to ask them what it's, what they really need, where you can, can help them. They can also review the whole training material. And from our side is that we can bring, because we master the complexity, we do a lot of different projects in different companies. So we know the different topics quite well.
We can structure the whole, the whole training and master this complexity. On the other side, you have a lot of specialists in different fields. You have hardware engineers, you have software engineers, guys dealing with functions, features, and systems, and we can use them to bring in a lot of advisors.
Then of course, we have a few trainers in our company that could teach them actually afterwards because they have teaching skills and we can do a few pilot trainings in your company with all them and validate the content. Let's see if it's actually working.
See if what we built is actually working for a supplier or an OEM and automotive environment. And yeah, and after all, of course, as a return of investment, we can reuse the training also for other clients and for, for public trainings.
And, and they have of course less cost compared to normal external trainings because we made this kind of deal. And this was actually our idea how to try to close the gap we saw in of knowledge and, and of skills. And the result was a comprehensive training with nine different lecture blocks from the awareness and regulations.
So to cover all the stuff that management needs to know, to understand why they have to come up with new things, where they have to invest money in cybersecurity process and cybersecurity development for products, not only for the, for the IT department, and a lot of trainings for deep dives for engineers.
And we made this in a modular way. So from a two hour, let's say more awareness training to four days, deep dive. And we put more than 2000 hours of work to build the whole training, to have a comprehensive training.
And there were more than 35 people involved, actively involved to bring the actual knowledge to see what, how can we structure the training? How is it done?
And yeah, and this was our, our response, our, our first trial to first try to close the gap, the awareness, so that to train people, to train management so that they know that they have to invest in the right thing. And the second thing is to give people, of course you cannot teach or create hackers in four days, but at least you can give them the right direction. Tell them what to do, give them the overview, give them a lot of material and the right direction, how to move on afterwards.
It was a very fast run through slides, but I hope you, you got my point that we have these two problems we face. And I'm very happy to discuss with you and see your experiences in this field and to answer all the questions.