All right, we can start with the next slide. So thank you for that introduction.
Well, as I said, I'm working with experts. I'm working with the management. This presentation today should not be overcomplicated. I want to bring some simple aspects, some simple questions here on the plate. And today we are talking about cybersecurity and how to survive in this channel of regulations, standards, technologies, and new attacks.
So this young lady here in this picture, she looks very lost with all the different directions she's facing and just seeing a lot of regulation here, a lot of regulatory requirements, different standards, different views on the topics. She's just lost in that picture. How do you cope with this at the moment? How is your situation? Do you feel sometimes like that?
So we can go to the next slide, please. Do you still have an overview? That's the big question. For global companies in particular, the complexity increases enormously.
You're immediately confronted with the multitude of different standards that you can or must talk about. At this point, I do not even want to think about the different legal and regulatory, perhaps even sector-specific requirements. In some cases, the requirements even contradict each other. So what we see here is just a list of famous standards. You can enlarge this list, starting here with the NIST CSF, etcetera. You can enlarge this list for many, many lines and you will not get a final list. So do you still have the overview? That's the big question. Next slide, please.
The information overload can be frustrating. I can remember my time when I was a young consultant and had to carry out various projects. Many of these things I had never done before in my life. For many of these things and topics, I couldn't call myself even an expert. But there is a lesson from those difficult times which I have successfully applied since then: before I get lost in the ugly details, I have to have a clear view of my as-is situation. And from this position, I have to formulate the clear goal.
Once I know my position and my goal, I will set a course that takes into account the risks and, above all, my willingness to take the risks. These simple questions and this simple model have taken me through many different situations and difficult situations. Of course, the complexity in real life is much higher, but in my opinion, it helps to bring it back to some simple questions and some simple methods. Next slide, please.
Maybe you find yourself in a situation that looks somehow like this. We use more than one standard in our group. We are acting globally. We have to take care of local law in many jurisdictions. We acquire new companies every year. We do not know about the cyber maturity level of all of them. And last but not least, this is my favorite: we use suppliers for many tasks around IT and business. We have good contracts, but there are a lot of hidden risks. So maybe there are a couple of points in which you find yourself and where you think that could be, at least partly, my situation.
First, we need to understand that security is a process, not a product. In addition to all the tools and solutions we can buy on the market, it is crucial to understand the big picture that is given in the context of your business. We are having hard times right now. Many companies around the world are suffering from COVID-19 measures. Cybersecurity is still very important, but when companies go out of business, there is nothing left to be defended.
However, if we, as cybersecurity managers, encounter these problems, we may have limited budgets to invest in cybersecurity measures. This can be frustrating, but it raises only one question: where can we invest the limited budget to achieve the greatest possible risk-reducing impact? So it's about first things first.
You have to understand where the risk is, whatever your specific situation looks like. Whether budget is an issue or not, a good assessment of cyber maturity gives you the overall picture to understand the value of an investment or the risk of not investing, which is a really important key message. In my opinion, you have to understand your risks and you have to make clear decisions where you invest or where you just take those risks.
Next slide, please. Which brings me to another question: how good is good enough?
Cybersecurity is an expensive undertaking. More often than not, it is difficult to prove that the budget is needed. On the other hand, senior management often asks themselves whether they have done enough to discharge their fiduciary duties. Here, ongoing maturity assessment can help obtain insights into where an organization stands, both with regard to their own planning and with the industry or peer group. So that does not mean immediately that you have to do everything perfect.
As I mentioned, you have to understand your situation, your risks, and you have to define a path, and the path does not actually mean you have to go to the highest maturity level in each and every aspect. Next slide, please. So another question: how do we keep afloat? Which is just related to what I'm seeing: this hippo found a good way to keep its head out of the water and stay like this, so it does not drown. We need as cyber security program is no longer good enough in practice. There is limited money, time, and often we do not have the people needed to bring it all together.
We therefore need to look at the resources we have and maximize the impact. This means addressing the least mature and most exposed areas first, rather than spending in the wrong place or at all places.
If you try to do everything advance at once, you might fail. For sure, it is difficult to implement even a basic cybersecurity program. And it is impossible to do all at once. Maturity-based practices and indicators focus on areas that are underprotected rather than reinforcing existing controls, and the maturity levels and the components assist in spending money where this is most needed. So that's one of my key messages: spend the money there, where you have the greatest impact, rather than use the shower and put the money everywhere.
Next slide please.
So don't forget you are on a long journey and this journey will never end. Constantly check your current status and adapt your course, which is actually done by regularly assessing yourself, be it by an external party or be it by a method you implemented yourself in your company, in your first line, second line, or even third line. Whoever can help with this topic is highly welcome. So continuous improvement might be one of the oldest concepts, but still it is a concept where you can handle limited budget and just improve step by step and day by day.
Next slide.
This brings me to my conclusion and the end of my presentation. In order to get an appropriate answer to the above questions, I would like to emphasize the value of cyber maturity assessments. A good assessment method will guide you through the main aspects, taking into account the risk perspective and especially your personal risk situation in your company, and will result in a roadmap. This will be the point the hard discussions with senior management and board members will start, as you will need a budget to improve cyber maturity according to your roadmap.
At the same time, a cyber maturity assessment based on a recognized and trusted model will enable you to lead a fact-driven conversation. It makes perfect sense to question proposed investments and compare the costs and value of proposed actions.
Next slide, please. If you feel like bringing it back to some easy questions could be a great idea, but if you think that this presentation leaves open some or many specific answers, please follow me in the round table slot in the afternoon. The afternoon is much more about how you can achieve that.
We will use as one example, there are many examples on the market, but as ISACA member, I will give you an insight what ISACA and the CMMI Institute is offering right now. And this is called the cyber maturity assessment platform. And we will exactly discuss how you can assess yourself, how you can include risk assessment and how this helps to discuss with senior management, how this helps to measure improvement and how this helps to elaborate your personal, your company's maturity level. Thank you for the moment.
I hope I could raise your interest for the afternoon session and I would be happy if we meet in the afternoon, where I will give a short live insight on the platform itself. And then I will try to answer your specific questions concerning the presented method. Thank you for the moment. Here is my contact detail. If you want to contact me in person, you can write me on the copy, a call platform, or you can write me an email, or of course you can directly add me. I would love to see some invitations on LinkedIn as well. Thank you very much.