Cybersecurity Training: Why It Has Never Been So Important


Maria Melfa: Welcome everyone to Bring Out the Talent. My name is Maria Melfa, and I am the CEO and president of The Training Associates, otherwise known as TTA.

Jocelyn Allen: And I’m Jocelyn Allen, a talent recruitment manager here at TTA. And we’re so excited to have you with us today.

Maria Melfa: We have a special guest and a longtime partner, Jon O’Keefe from Logical Operations. Welcome, Jon.

Jon O’Keefe: Thanks for having me. Excited to be here.

Maria Melfa: We’re excited to have you. It’s a very exciting topic. Cybersecurity? Maybe not.

Jon O’Keefe: Yes. No. Not only is it exciting, but I think it’s necessary, and it’s one of those things that people don’t always want to lead the conversation with, but once you dig a little deeper, almost everybody has some sort of personal vested interest in cybersecurity. So, I think it is a very important conversation topic.

Jocelyn Allen: Agreed.

Maria Melfa: It’s all fun and games until somebody gets hacked.

Jon O’Keefe: Right.

Jocelyn Allen: Coin it. Drop the mask, Don. Thanks for having us, Jon.

Jon O’Keefe: Yeah, that’s it. It’s all. It’s all fun and games. Still, you can’t get a house because your credit score is 520 and you didn’t realize that was happening.

Maria Melfa: Absolutely. Ok, so let’s get into Jon’s background. Jon, as I mentioned, is with Logical Operations, and he is a technology education specialist. Jon is responsible for the design, development and delivery of Logical Operations’ Emerging Technology Courseware Portfolio and Certifications. Cybersecurity certifications are a hot topic right now. In 2020, the global pandemic caused all of us to make the shift to remote and hybrid work, forcing many companies to change the way they operate. Many companies had to reactively pivot. Cybercriminals saw our opportunity, so much so that 6 in 10 companies have suffered ransomware attacks in just the past year. With the need for cybersecurity at an all-time high, we wanted to learn from the best on how to proactively address this growing problem. Jon O’Keefe has over 20 years of experience in the I.T. and education space. He holds a master’s in education theory and policy with an emphasis on curriculum design. Jon is also a master modern classroom certified trainer, otherwise known as MDC-T, and a master certified virtual educator, CBE, and has helped over 5,000 trainers and K-12 educators in virtual instruction techniques. Jon has a passion for storytelling and film, and has always informed on the latest and greatest technology.

Jon O’Keefe: Wow. I don’t know how I can possibly live up to that, but I will do my best. I sent that to you, hoping that you would realize that half of it was false.

Jocelyn Allen: Cybersecurity and hacking, you know, starting with

Jon O’Keefe: You have now been both socially engineered into accepting me onto this podcast?

Maria Melfa: So Jon, you have an interesting title. They call you Jedi Jon.

Jon O’Keefe: Oh.

Maria Melfa: Can you tell us how you got that title?

Jon O’Keefe: Oh, they do call me that. I am fortunate to work for an amazing organization. Logical Operations is a wonderful company. We’re not too big, not too small. I think we’re right in that perfect area of about 75 employees or so globally, and we were trying to define my role. I have a fairly unique skill set that most organizations don’t exactly know what to do with, but LO has been really great, and they kind of created a role for me. And what we wanted to do was some sort of evangelizing role where I would be able to do events like this, speak in public, and also teach courses while helping to guide and develop kind of the delivery of our courses. What were we going to do next? What were people looking for on the market? So, this role was kind of like a product manager plus an evangelist position. And so, we were trying to come up with a title, and the big struggle was that everything felt super cliché. But I am a huge nerd. No surprise there. And one of my first and still lifelong passions is Star Wars. So, I have Star Wars tattoos, which you can’t see. I’m holding up on camera. I have some rare and valuable Star Wars memorabilia. It’s just been my thing for so long. So, we were able to settle on a Tech-Ed Jedi, and I am blessed that Logical Operations would let me create that title because it absolutely is a conversation piece and it’s a really interesting way to introduce yourself. Hey, I’m Jon and I’m a Jedi. I bring balance to the education world by combining technology and techniques to help educators and training institutions explore the “training galaxy.”

Jocelyn Allen: The “training galaxy” closing the loop there. I like it.

Jon O’Keefe: Yeah. Says I’m good at storytelling, so I’d better be all right.

Jocelyn Allen: Yeah, I can see it. I can see the opening intro scrolling with the galaxy in the background, everything you said so. Confirmation as well that we saw the tattoos on the arms. So, Jon, LO has a new certification program released on November 1st. Tell us about the Cybersecurity Maturity Model Certification, CMMC, and what is driving the demand for it exactly?

Jon O’Keefe: Sure. So, CMMC, the Cybersecurity Maturity Model Certification, is a DOD, Department of Defense, initiative. It is their move from a self-attestation model on cybersecurity practices and procedures to a third-party assessment model. What does that mean? The Defense Industrial Base, which is all of the companies that do business with the DOD, and they range in size from Boeing and Lockheed, Raytheon, the big players, all the way down to Dave and Don’s garden supply shop, who hold a contract for flower services and mowing on a military installation. There are three hundred and fifty thousand organizations that do business that are called the Defense Industrial Base, and in the past, when they’ve wanted to bid on a contract, all they’ve had to do was say, we are good at cybersecurity policies. There have been tons of different guidelines for them to follow, but it’s been a self-attestation process. The Department of Defense has decided, based on many things that are going on, including the SolarWinds hack, including the rise in ransomware, including the rise in data breaches, that we need to shore up our supply chain in terms of their cybersecurity practices and procedures. So what CMMC is, is the DOD saying to all of these businesses out there that no longer will you be able to self-attest that your cybersecurity policies are great; you’re going to have to have a third-party organization come in and look at all your policies and procedures and then evaluate you, and that’s CMMC in a nutshell. It can be more complicated than that, but that is what is driving this new certification process.

Maria Melfa: Who is your main audience for this?

Jon O’Keefe: Well, it’s going to be any member of the Defense Industrial Base. So, any business that bids on federal and DOD contracts. Now, there are some qualifications for that, of course, but we estimate, and the Department of Defense estimates, that there are about 50,000 prime contractors out there globally. And so, these are organizations that bid on federal contracts. Underneath them, there’s a really difficult amount of subcontractors to estimate, somewhere in the millions. And then beyond that, there are I.T. service vendors. Again, ranging from the big players like your Google Cloud and your Microsoft Azure down to your small IT shops that work with Dave and Dawn’s Garden Supply Shop, right? So, all of these organizations are going to be impacted by this.

Jocelyn Allen: Now, is this something that an individual signs up for to go through the process? Is this something that an organization needs to take on and kind of certify all their people? Because I hear you talking individual contractors, but then at an organizational level, too, because as you say, you know, this can be kind of a vendor service as well. So, what does the actual certification look like from an individual or group perspective?

Jon O’Keefe: That’s a really great question. It’s twofold, right? So, this ecosystem inside of CMMC contains what are called organizations seeking certification. They have an acronym because everything inside of this has an acronym, and those are now called what we call OSCs, Organizations Seeking Certification. They are everything you just mentioned, right? The three hundred and fifty thousand members of the Defense Industrial Base as prime contractors, the million subcontractors, the I.T. vendors that are out there. They are going to need to follow a rubric of 17 different domains and one hundred and seventy-one best practices of cybersecurity. In order to follow that rubric and achieve mastery in those domains and areas, they’re likely going to pursue some form of training. Now there are official CMMC certifications, there’s domain training, and then there’s unofficial CMMC training. So, it gets pretty complicated pretty quickly, which is why most organizations right now are struggling to figure out exactly how to go about this. A business that wants to do business with the federal government will likely want to have what is called a certified CMMC professional on staff, as a steward, as a guide, as someone who will guide their CMMC strategy. They will likely want to get several of their I.T. employees to skill up into certain areas, like incident response, awareness and training, physical media protection. There are 17 of these different areas, so they will likely want to skill up in some of those. And then many organizations will want to get a general awareness training around what life will be like under CMMC because there will be changes that will not only impact the I.T. systems, but they will impact sales and marketing and the warehouse. Every department inside an organization is likely going to be impacted by this cybersecurity framework.

Maria Melfa: Are there any prerequisites for somebody taking this class? Like what level do they need to be at?

Jon O’Keefe: That’s, again, a complicated answer, but I’ll break it down. The first thing that an individual can look at taking is the certified CMMC professional certification. That’s about forty hours’ worth of training, and the people that are looking to get that certification will likely have several years of IT experience. They may hold comparable certifications like CISM, CISM, or CISSP. They may hold the CompTIA Holy Trinity: A+, Net+, Security+. They will likely have some experience in IT. That being said, there is nothing stopping anyone, other than the difficulty of the class and the exam, from becoming a certified CMMC professional. So, there are no hard and fast prerequisites, but the challenge level is fairly high for this certification. You will likely see advanced candidates, people that have been inside organizations for several years who are familiar with IT systems and IT structure and IT practices, as the stewards who will be leading an organization’s adoption strategy, so they will be most likely to get the certified CMMC professional certification. From an awareness perspective, there’s no prerequisite, and anyone inside an organization who is seeking to be part of the Defense Industrial Base or is already part of the Defense Industrial Base would benefit from a general CMMC awareness training, the same way that health organizations benefit from a general HIPAA training, the same way that a bank, for example, would benefit from having PCI DSS awareness training or SOX training, et cetera.

Maria Melfa: So you mentioned CISSP certification. How do you believe this certification, CMMC, compares to CISSP?

Jon O’Keefe: Well, they’re certainly similar. They’re both minds-on certifications designed for IT professionals who are either looking at a further career as an assessment professional or looking to guide their organization through an assessment process. So, they’re very high level in that regard. The difference is that CISSP, as a certification, is kind of an industry standard across the board, whereas CMMC is a necessary certification for an assessment professional and a very helpful certification for an I.T. professional who wants to guide his organization through the CMMC assessment process.

Jocelyn Allen: So you had mentioned when we were talking about the prerequisites that there’s 40 hours’ worth of training for this. So how long exactly does it take for somebody to get certified? Is it just the training and then they’re done? Or is there an additional process after that 40 hours is completed?

Jon O’Keefe: There’s no additional process after the 40 hours of training. The Logical Operations course was built for this training. And Logical Operations, by the way, is a licensed partner publisher, which is an important part of the process. Our courseware is certified by the CMMC-AB, the Accreditation Board, as authorized training materials, and we’ve scoped this out to be about 40 hours’ worth of training, which is fairly industry standard for a course like this. CISSP also is about 40 hours of in-classroom training using Logical Operations materials. We always recommend that candidates spend a two-to-one ratio when preparing for an exam. So, if you’re in a classroom for 40 hours, you should probably spend about 80 hours preparing for the exam. Now this, of course, is a very vague guideline. There are people that could sit in a class like this and pass the exam the next day, and there are people who may take hundreds of hours’ worth of exam prep to pass. We can’t speak for an individual skillset. In terms of answering your very, very specific question: once you have taken training and you have gone through the hoops of registering yourself at the CMMC-AB, there are no additional requirements to sit for the exam. You could at that moment purchase an exam voucher, sit for the exam, pass it, and become a CMMC certified professional.

Maria Melfa: So Jon, we briefly mentioned in the intro that there has been a tremendous increase in cybersecurity threats over the past two years. What do you believe has led to this?

Jon O’Keefe: You’ve got multiple factors. The first is obviously COVID. The move to a remote workforce causes IT challenges. IT systems are designed mostly to be used on-premises. When you’re in your office, you’re behind certain firewalls. There are data loss prevention solutions; your organization has data at rest and data in transit security. There are all sorts of things that your organization can do to protect you. However, when you make the move to virtual: one, you have employees at their own homes on their own Wi-Fis. Oftentimes, there are issues there. But more importantly, what you see is that people in their own environment become infinitely more comfortable. Maria, 90 percent of cybersecurity incidents are the result of an end-user. You or me or Sara in the warehouse just having a bad day, not reading something, not paying attention to a prompt, thinking an email was coming from our boss when it’s not. That probably doesn’t happen to you, Maria, but to the rest of us. And so, what has happened is that people are having more and more bad days. And when you’re at home, you become infinitely more comfortable with the technology. So, you’re, you know, you’re working from your couch. There isn’t the same kind of tension in your best practices when you’re doing that type of thing. So, that is a huge contributing factor. We’re just more comfortable. We’re having more bad days. We’re at home, and that is what most social engineers and cybercriminals are hoping for. For us to have a bad day, to not recognize that an email is bad, et cetera, et cetera, et cetera.

Jon O’Keefe: The second thing that’s causing a rise in this is cryptocurrency, and you can see there’s a direct correlation in the creation and rise of cryptocurrencies starting in 2021 with the Silk Road on the Dark Web, which was shut about a year later, but now there are literally dozens of marketplaces on the dark web where people can purchase things using cryptocurrency, whether it’s Ethereum or Bitcoin or any one of the other number of cryptos. I’m not a huge crypto guy, but there are so many out there, so people can use this currency to safely transact and buy illegal goods and services. And one of the most popular illegal goods and services that you can purchase now is hacking efforts. You can go onto the dark web, you can find a forum, and I can pay someone using a bitcoin or some sort of other cryptocurrency to go and hack an organization, and they will go out and do it. So that’s a scary landscape. So, we’ve got people that are more vulnerable, that are more susceptible to social engineering, that are more often having bad days. Plus, we have this rise in cybercrime coming from the dark web, from hacking collectives that can now take payment in Bitcoin. So those are the two major contributing factors that are going on right now, which is why we’ve seen such a huge increase in cybercrime over the last couple of years.

Maria Melfa: That’s wild.

Jocelyn Allen: It is wild. And I was speaking, we were actually just speaking with somebody on our tech team about this episode, kind of poking fun that we were going to be techies for the day instead of them. And I was mentioning that one of the big things that I’ve learned over the last couple of years with cybersecurity issues is that social media is a huge contributor to that because of the surveys, the fun surveys that people put out there like, “Oh, what’s your celebrity acting name?” “Give us your mom’s maiden name and the street you lived on.” And it’s like, “Oh, you mean the security questions to every login website that I have.” You know? And it seems fun at the time, but literally, I mean, if you think about the purpose of those being out there, it’s probably just for hacking purposes.

Jon O’Keefe: It certainly is. And sharing information like that can be absolutely detrimental. I teach a class called Cyber Safe, which is an end-user awareness training class. And typically, it’s delivered to organizations, to all of their employees. So that way they can be better about this type of stuff. And one of the things that I always do in the class is I say, “Don’t raise your hand, but I’m willing to bet at least one of you in here has the following for a password: some combination of child name or pet name and important year or date or location.” Maybe there’s a hashtag thrown in, but then you can look across the room and you can see a couple of people smiling because, you know, it’s clicked in their brain that their password is Rufus2023 because Rufus is their dog’s name. And then I say, “OK, what of that information can I find by just being your friend on Facebook?” If I’m your friend on Facebook, do I know your pet’s name? Sure. Do I know your birthday? Probably. Do I know where you live? Probably. Do I know other places you’ve lived? Yeah, ’cause you posted that photo from seven years ago when you lived at that other address. So now I know that information. And so, it’s not hard to find all of this information on social media because, Jocelyn, everybody puts it out there willingly. And so that is a huge problem. And one of the reasons why social media and why end-users are targeted so frequently is because, quite simply, it’s a numbers game. And if you have one hundred employees and I can guarantee at least one of them has a password that’s Rufus2023, then I can figure that out pretty quickly.

Maria Melfa: So what do you think the psychological profile is for all of these hackers? I just find it just unbelievable that people actually want to do this…

Jocelyn Allen: Right.

Maria Melfa: In their life.

Jocelyn Allen: Well, some of the coolest jobs that were on like Criminal Minds were the people who got in trouble for hacking and then got an elite job.

Maria Melfa: Oh yeah, for sure.

Jon O’Keefe: You know, and it’s funny that that’s right. That’s how the media portrays it, right? Like, we think of Criminal Minds, and we think of CSI, and we think of all of this. And your typical hacker probably has a little bit of a God complex, and they probably are very interested in puzzles because to them, this is a puzzle, right? This is a game. It’s a way of figuring something out. It’s challenging because for some people, there aren’t a lot of challenges left, and this type of thing really appeals to that type of person. But what’s really scary is that those people are now essentially running their own businesses on the dark web. And when I say dark web, I want to be very clear it is not hard to get there. It is not some mysterious place that no one can find. And so, it does not take a lot of effort to end up on the dark web to find one of these forums, as long as you have the money to pay someone to do these nefarious activities for you. When we’re talking about CMMC, one of the reasons why it’s so important is this: because, you know, I make a joke about Dave and Don’s garden supply shop, but that is not an unrealistic expectation of some of the members of the Defense Industrial Base, that they are a small business. They outsource IT. They’re probably run by two or three people.

Jon O’Keefe: And for years and years and years, they have some federal contract that is the majority of their business. There is a company in Buffalo, New York, that I believe makes glass, and you know them as, like, they make windows. But what they actually do is they make the glass canopies for certain fighter jets. So, their mainstream income actually comes from the DOD. You would never know that; they’re a small company. But in our process of CMMC, we realize that, oh geez, this is an organization that not only will need to be assessed, but will need to be assessed at a high level because they’re part of the supply chain for certain fighter jets. And that’s something that I think gets lost, is that Dave and Don’s Garden Supply Shop, which outsources their IT to a small little vendor that’s down the street, could be doing something that’s very important. And therefore, when we talk about these cybersecurity incidents, is going out and getting, you know, hacking a business or any of that. Why wouldn’t China or North Korea or Iran want to target those small businesses that have less practices in place just by the nature of their size? And that’s what we’ve seen with certain technologies that have been leaked in China that the United States was developing. And we know they’re coming from not the Lockheeds of the world necessarily, but the smaller businesses of the world.

Maria Melfa: Very interesting. I remember many years ago when we started teaching cybersecurity training, and I believe the first vendor was Certified Ethical Hacker. I remember looking into that and actually teaching these students how to hack.

Jon O’Keefe: CEH has been around for almost 20 years now. Concept of, yep, mid-2000s. So, we’re getting close to 20 years now for Certified Ethical Hacker from EC-Council, and that type of certification, along with obviously CompTIA and CertNexus. These cybersecurity certifications are more important than ever because it is incredibly important that organizations be doing the best that they can around this. You can’t prevent an attack, necessarily, but the more training you have for both your end-users and your IT staff, the quicker you can remediate an attack. It typically takes businesses a hundred and seventy days to deal with a cybersecurity incident. And so that’s a long time.

Maria Melfa: Oh, yes, yeah. How does the Certified Ethical Hacker certification compare to the CMMC certification?

Jon O’Keefe: Well, I think that it’s important to recognize the place that CEH and other security certifications have had in the marketplace building up to this. CMMC, as a certification, is really the culmination of a series of best practices and procedures, some of which we could argue date all the way back into the 1980s and 1990s. But it is the government’s attempt at creating a rubric of policies and procedures, what we call a cybersecurity maturity model, that any organization should have, whether they’re part of the DOD supply chain or not. I firmly believe that security, cybersecurity, maturity modeling will become an important part of the next few years. So, this is a term you’re going to hear over and over again, but we have to thank the early certifications that came out like CEH for helping to pave the way for the federal government to be able to put out a standard like this. That’s what’s really important. We now have the ability to say these are 17 things. These are 17 areas that are important, and inside of each of those areas are a list of practices and procedures. And if you’re not doing these, you are putting controlled unclassified information, federal contract information, classified information at risk.

Jocelyn Allen: And there’s a lot of different ways to align this certification to an organization as far as why it’s necessary. So, I mean, it could be, you know, based on the fact that, like you said, they have government-level contracts, they need to make sure that they’re secure in all of their interactions. As far as general cybersecurity and protection for an organization, obviously, we would try to encourage this as more of a proactive kind of solution and knowledge for an organization to have. But how do you find current customers are behaving with this? Or is it more reactive? You’re coming to people saying, “Hey, I need this,” or is it, you know, we want to be prepared? What are you seeing from people wanting to get their hands on this?

Jon O’Keefe: So right now, the DOD has put out a deadline, and that is the fiscal year 2026, which means September, at the end of September 2025. At that point, all DOD contracts that go out into the Defense Industrial Base which contain either FCI, Federal Contract Information, or CUI, Controlled Unclassified Information, will require anyone who’s bidding to have a CMMC level. So, everything right now is a proactive move to get ready by September of 2025 because at that point, regardless of your previous status, regardless of whether or not you’ve held a contract for 50 years, when you have to rebid on that contract, you have to demonstrate your CMMC readiness level. And if you cannot show that, if you’ve not been properly assessed, if you haven’t gone through the process of getting ready for it, then you will no longer be eligible to bid on that contract, and that goes from the big players all the way down to the small players. So, every organization, whether you’re a Lockheed or a Boeing or a Raytheon or a Dave and Dawn’s Garden Supply Shop, this is something that they need to proactively prepare for because once it goes into effect, you will lose out on business if you are not prepared for this.

Jocelyn Allen: What an incredible opportunity, you know, for that organization. I mean, really, it is. It’s, I mean, it’s exciting for you and LO. It’s really exciting for, you know, all of the security trainers that TTA has. I mean, you were talking about this and mentioned CISSP, and I was like, “Oh, those are literally all of the people in our network that I’m thinking of that would love this certification model.” I think it’s a very cool opportunity, and kudos to the organization and to Logical Operations for taking on such a large undertaking, and you’re presenting it incredibly well, Jon. I like it.

Jon O’Keefe: We have estimated that there’s about a billion dollars’ worth of training in the next four years based on the amount of organizations, based on the amount of people we think will need the certification. So, for trainers that are listening, or training organizations, this is a billion-dollar global opportunity, and I need to remind everyone that the Defense Industrial Base is not. There are laws that operate in Europe and North Africa, so this is a global effort. A fun number for you is fourteen hundred. There are fourteen hundred vendors that worked on the U.S. F-35 Fighter Strike platform. It takes fourteen hundred companies just to put the thing together, just to make the aircraft. That says nothing about the countless number of companies that are required to support it with fuels and weapons and training and all of this. So just one element that we use in our military, the F-35, takes fourteen hundred organizations to build. So, the scope and scale of this is truly massive, and it’s something that, as a technology trainer, if you’re not familiar with it within the next couple of years, you should absolutely get yourself familiar with it. Because Logical Operations has already seen five hundred thousand dollars’ worth of training go out the door in the first three weeks since the certification was launched. It actually started a little early. It started in October, and so that has been an explosive amount of growth. And those numbers will continue to grow and grow and grow as we go because there’s simply too many organizations out there that need training. There’s simply too many people. The bottleneck right now is in the amount of training providers that we have. So, this is the perfect opportunity to get in at the ground floor.

Jocelyn Allen: And that’s when you have to get in. You know, you always realize too late that you should have jumped at the beginning, you know?

Jon O’Keefe: Absolutely.

Maria Melfa: You made a good point earlier, Jocelyn, about getting a lot of our security trainers up to speed on this.

Jocelyn Allen: Absolutely. I know I’m excited to partner and see how we can provide more certifications and education to our trainers with Logical Operations in this model.

Maria Melfa: Jon, you mentioned the Cyber Safe credential. Can you tell us a little bit more about that?

Jon O’Keefe: Cyber Safe is a credential from CertNexus. This is a provider of emerging technology certifications and business-level credentials. Cyber Safe is designed to help any person inside an organization reach a level of cybersecurity awareness. So that way they will be prepared to protect your company’s most valuable resources, your data and your PII, your personally identifiable information, from things like social engineering attacks and basic malware and email hacks and all of that. And it fits really nicely inside of CMMC because one of the domains inside of CMMC is awareness and training, and Cyber Safe covers everything that’s on that rubric. All of the policies and procedures that go along with awareness and training, Cyber Safe does. So, if you’re looking to check that box off as an organization seeking certification, the Cyber Safe class for your employees can be absolutely beneficial to you.

Maria Melfa: Are there other classes that you teach in the cybersecurity area?

Jon O’Keefe: There are plenty of classes. There is the CyberSec First Responder, which is an incident response certification and maps to the incident response domain inside of CMMC. That’s another domain that’s in there. There is a cybersecurity coder, which maps to several different domains inside of CMMC. So, those are both high-stakes certifications from our partner company, CertNexus, again, an Emerging Technologies Certification House. And then there’s any other number of cybersecurity classes that can help an individual stand up for this. The biggest one that is super important is the CMMC Awareness class. CMMC Awareness is for the whole organization. We found that while organizations seeking certification will want to get someone with the high-stakes certification, the certified CMMC professional, and they’ll want to have one or many of them on staff to help guide them through this process, what organizations really also need is the kind of nuts-and-bolts training, the kind of here’s what life is going to be like under CMMC. Whether you work at the help desk, you’re in marketing, you’re in sales, you’re in the warehouse. Here are some of the general changes you’ll see coming. Here’s why we’re doing this. Here’s what your future is going to look like. So that CMMC awareness training is a huge piece of this puzzle, and it’s something that any organization can really benefit from, even if you’re not part of the CMMC ecosystem, because it really helps with organizations’ best practices.

Jocelyn Allen: Throughout this discussion, obviously we’ve talked about CMMC being a huge trend upcoming. As you know, the DOD specifically works towards a goal in five years’ time of having every single one of their partners certified in this in order to move forward with any opportunities, if you will. But what other trends do you see happening in the upcoming years centered around cybersecurity? Do you get any inklings of things to come or what could be changing, whether that be, I guess, more attacks on the rise, or even things getting better? What do you see out there as possibilities for the future in this space?

Jon O’Keefe: Sure, absolutely. I see a couple of things, and I want to use one word to describe it, and that word is data. Ok, the next 5 to 10 years will be very data-focused, and there are three things you can really do with data from an organizational perspective. The first is you can understand it. So, I’m talking data science, right, going into analysis, understanding what your data is doing for you. The second is securing it, and that’s kind of what we’re talking about today. So, it’s keeping that data safe. That’s keeping that PII behind closed doors. That will be a huge trend and will continue to be a huge trend. And then the third is data ethics. It’s what do we do with this data that we have? How do we behave ethically? So that’s one of your major trends that you’re going to see, with a huge component of that being cybersecurity; it’s going to be analyzing data, securing data, and ethically handling data. That’s one major trend, with an emphasis on security, of course, because if you can’t keep it secure, then you shouldn’t have it in the first place. The second major trend I see is this concept of maturity models. The Cybersecurity Maturity Model Certification and cybersecurity maturity modeling in general is going to, I believe, become a trend. The Department of Homeland Security is investigating

Jon O’Keefe: doing a similar approach to CMMC, and the Small Business Association of America recently received a grant from Congress for some odd millions of dollars in order to train in general cybersecurity maturity modeling. This concept of having a best practices rubric with domains and specific steps in each of those domains as to what you should be doing, I think, is very beneficial to organizations, because the past 20 years have seen us all trying to figure out what that should look like. And now we’re at a point where we kind of know what it looks like, and now it’s time to put it into practice. So, all of the knowledge we’ve accumulated since the internet age started, we are now at a point where we can start saying, “This is how you keep your organization safe. This is how you keep your personally identifiable information under lock and key. And this is how you analyze data, and this is how you use it ethically.” And all of that will start coming together into the I.T. sphere, and by 2030 I’m truly hopeful that we will see a decrease in the amount of cybercrime due to this type of modeling.

Jocelyn Allen: Well, thank you, Jon. I, for one, really appreciate all the information and the way that you were able to explain it to us. Even though we pretended to be techies for today, it was just pretending. And you’ve been able to explain why all of this stuff is so important, and I’m excited to see this new avenue in the training and development world. It’s really exciting. So, thank you so much for all of this. It’s been great.

Maria Melfa: You could see why they call you Jedi Jon.

Jocelyn Allen: I know, I’m disappointed that we haven’t seen a lightsaber come out or anything.

Jon O’Keefe: I have the lightsaber, you just can’t see it.

Jocelyn Allen: I absolutely believe you when you tell me you have a lightsaber.

Maria Melfa: But this really was very interesting. I enjoyed learning more about this topic, which is obviously very important for us personally and professionally. And we thank you so much, Jon, for being a guest on Bring Out the Talent today.

Jon O’Keefe: Thank you guys for having me.

Jocelyn Allen: Bring Out The Talent is a Muddhouse Media production.