An audience with EC-Council Learning: Sean Lim

11 Apr 2018

By Gary Duffield

Greetings and welcome to the third of an occasional series of articles, where DDLS's Alliances Director, Gary Duffield, catches up with some of the movers and shakers from the world of partners, technology, process and learning. This month we chat to Sean Lim, Chief Operating Officer at EC-Council. Whilst as a brand, that might not immediately resonate, if I were to say "Certified Ethical Hacker" you'd know who I meant.

Sean, we have a readership approaching 70,000 people, so as is customary, go ahead and introduce yourself...

Straight out of school, I had the opportunity to work for a training and education organisation where I spent the first 16 years of my working life working on managing organisational learning and personal development through training specific to the IT space. That gave me a chance to appreciate first-hand the people challenges organisations faced, how professionals preferred to learn and how skills transfer impacts any organisation's ability to compete, across more than 60 countries globally where we operated. My move to EC-Council was natural, in that the cybersecurity training and certification sector was booming (and still is) and I felt then and now a particular passion in working with partners to help organisations, large and small, learn how to protect themselves. As the Chief Operating Officer of EC-Council, my primary role is to ensure that the innovations and services at EC-Council are always available to partners and customers globally.

I think it may come as a surprise just what EC-Council has achieved since the original Certified Hacker programme back in 2001. You now operate in over 145 countries and have certified 200,000+ individuals? Tell us about the organisation.

EC-Council is a globally trusted cybersecurity credentialing body and is the creator of titles such as the Certified Ethical Hacking and Countermeasures (CEH), EC-Council Certified Security Analyst (ECSA) and many others. Based out of the US, EC-Council grew to establish offices in Malaysia, the UK, India, Indonesia and Singapore, and has representation globally. We certify professionals from the likes of the Pentagon, the United States Department of Defense, Microsoft, Citigroup, Deloitte and IBM. Today you can find an EC-Council certified professional in virtually every Fortune 500 company globally.

We work with hundreds of Subject Matter Experts to ensure that our programs are not only current but are approached from the perspective of an attacker (offensive posture) in order to keep learning, especially in this critical sector. Our programs are unique: they are very skills-oriented (over 50% of class time is spent on labs) and even the exams are practical, to ensure that the credentials are relevant, respected and trusted by employers.

OK, we have to address the elephant in the room. Everyone knows their organisation is being targeted every hour of the day, be that via phishing emails, website spoofing or good old-fashioned Denial of Service attacks. You are closer to this than most; what do you see out there on the business battlefield? I'm going to be honest, our Principal Technologist (Security), Terry Griffin, showed me how easy it was to "steal" a website's look and feel. Do you get a sense that business leaders know that it's more about when, than if, when it comes to breaches? Or that their reputation depends on the internet not being flooded with the credit card details of their organisation's customers?

Nearly every day, we have companies calling EC-Council post suffering ransomware attacks, phishing attacks and stolen data, and I can tell you that listening to their voices over the phone is like the ER in a hospital receiving an urgent call for help. Trust me, you don't want to find yourself in those situations.

What we find surprising is that despite all the bad news that abounds, with organisations, large and small, falling prey to hacking, data leakage, malware (and the list goes on...), many SMEs, in particular, are yet to take any real, definitive response. A simple breach in any company can easily cost tens of thousands of dollars to mitigate. Many of the breaches we hear about daily could have been remediated had they invested a few thousand dollars into training and certifying their staff. Saving a few thousand dollars and putting the business at risk is an unacceptable position today, as employers have a responsibility to their customers, their staff, their investors, and even their own brand reputation.

Now I'm scared. I never want to have to tell my CEO or my shareholders that we've been encrypted, defaced, distributed. What is the answer, Sean... I suspect it's all about the learning?

Programs like the Certified Ethical Hacker offer an IT professional their first step into the cybersecurity world, exposing them to literally hundreds of attack vectors, in order that they learn how to identify gaps in their companies and plug the weaknesses before the hackers do. They literally walk back to their offices a week post training with a new mindset centred around how to protect the organisation's networks, applications and systems!

Typically, SMBs or SMEs are concerned about investing in cybersecurity training and certification because of two key reasons:

Budget. Certain research demonstrated that remediating a breach or data loss can cost an organisation seven times the amount as compared to putting your security in place initially. Spending less than ten thousand dollars to train two to three IT personnel to manage the overall security of a business is completely justified. Think about it, if your company's IT system is down for a day, and you have more than twenty-five staff, the loss due to productivity would itself be more than ten thousand dollars!

Manpower. They have the wrong impression that they need to create dedicated cyber roles within their organisation and that this may not be required "at this point in time". That is not the case! SMBs today can train their system administrators and/or network engineers in cybersecurity as these skills add to their current roles. They remain in their roles doing the same job but with the added skills to ensure there is security consideration in everything they do. There is no real need to create a dedicated cyber role if the organisation is not big enough to require one.

So, training is critical because in-sourcing cyberskills is much more palatable than getting help when you are in trouble. You pay a premium for that and there is no saying that it will not happen again, and again.

DDLS is about to launch the EC-Council CCISO credential, I'm excited about that. We'll have a solution in market soon and move on to in-person events once a quarter. Remind me who this certification is for.

The CCISO credential was built post consultation with leaders in many of the largest cyber practices, defence and military units, and multinationals that pointed out one huge gap in the cybersecurity space – Cyber Leadership. This is critical because in today's highly regulated CII, tech and financial sectors, CISOs are required to lead in developing an organisation's cyber strategies, operations and budgets. This program and certification was built by a body of leading CISOs from across various industries globally, representing the critical leadership skills and ability required in today's cyberworld. The five-day program is highly interactive and is led by practitioners with years of experience, culminating in a "War Game" on the final day, providing a platform for senior executives to simulate real-life scenarios that require their leadership. It is exciting to watch participants form teams to compete against each other to provide their solutions, and defend their solutions against other teams. That not only allows CISOs to learn quickly how other CISOs react; the five-day workshop also helps CISOs network with other CISOs to form lifetime alliances and friendships.

This program is suitable for all CISOs, IT Directors and Senior Managers.

And finally, Sean, my stock standard question. What's next? We've all become connected, gone to the cloud and virtualised or containerised everything – what will "cyber security" mean next year, next decade? I predict we'll drop cyber and simply have "Security"...

You're right. There is no stopping innovation and how IT connects everything to everyone everywhere. Today, economies are reshaped to take on smart nation capabilities, fintech is taking off quickly, AI and Machine Learning will become a staple moving forward.

Organisations will be "forced" to embrace IT and the Internet to grow and remain relevant. As they do that, cybersecurity will be a critical component of their IT strategy.

Quoting ex-President Obama, "We meet today at a transformational moment, a moment in our history where our interconnected world presents us, at once, with great promise, but also great peril... Cyber threat is one of the most serious economic, and national security challenges we face as a nation. In short, our prosperity in the 21st century will depend on cybersecurity."


For more information on EC-Council courses offered at DDLS, please visit our website.