Good morning, good afternoon, good evening. Thanks everybody for joining us today. Um, my name is Susan Moore. I'm the community engagement manager. I am joined by Bindu Chakravarthy. Uh, I would I'm going to call you a friend, but also you're a friend to IIBA and um and so I'm going to talk more about Bindu in just a moment so that you get to know her. She's going to be talking about the Certificate in Cybersecurity Analysis. We also call it the CCA. That's what that stands for. Um, before uh, I hand it over to Bindu, I'm
going to do a little bit of housekeeping. We are recording today's session. You will get a link to this recording in about 24 hours. And then we are going to include that recording and some additional resources including that book that's just over her shoulder. Um, we're going to include a link to that because if you're an IIBA member, you get access to that book. It's in our digital library. Uh, so that will come next week is is when you'll get that. Um, let's see. Let me get back into the swing of things. I distracted my
thinking. Um, okay. So, Zoom. Um, you guys have probably been in Zoom before, but let me tell you a couple of things. We love it when you guys chat. Um, so please, you know, put put your thoughts there. You can connect with each other and also um let us know where you're dialing in from, what what cybersecurity questions do you have for Bindu. We will try to leave some time at the end for Q&A. So, if you have a question, please put it there. It just makes it a little bit easier to find and we
have reactions turned on and Bindu can see those. So, if there's something that you hear and you want to let her know how you feel about it, you can use those reactions. As I said, we are recording today's session. Okay, and Bindu, I I mentioned that um that you're you're going to probably talk about your book. I'm going to give you a chance to do that. First, let me introduce Bindu. She has uh uh been a business analysis practitioner uh for for more than 15 years. She's doing it today uh still. She's certified with both
IIBA and BCS, and her focus for many of those years has been on cybersecurity. She's also studied security management, and she's advocating for uh incorporating cybersecurity into our work as business analysis professionals. She is the author of that book that I keep talking about that's right over her shoulder. It's called Cybersecurity and Business Analysis: An Essential Guide to Secure and Robust Business Systems. IIBA members, you have access to that book in the digital library. Um Bindu, thanks for coming to talk about this today. Also, I should mention you had a part in the development
of this um of this certificate program. Absolutely. I was really honored to be part of the team. Yes. Yeah. All right, so I'm going to turn it over to you. Excellent. Thank you, Susan, and all of you uh very warm welcome. Good morning, good evening, good afternoon, wherever you're tuning in. Um I'm calling from the UK, and it's uh nice spring warm day here. Um so, I see all of you from so many different places. Excellent. Thank you so much. Uh if you can put in your questions probably in the Q&A, maybe that might be
easier because I'm just trying to keep track of the messages and see if there's uh any questions there, uh that would be great. So, yes. Thank you very much, Susan, um, once again for referring me as a friend to IIBA. Uh, I think, yes. In fact, my family says that, um, I have been married to IIBA or because I give more time to my work, uh, particularly IIBA. So, just, uh, some of those work that I do with IIBA is with the local chapter as well and with the international body. Um, so, I've, well, as
Susan mentioned, been here over two decades now. Um, and almost, nearly last, uh, I think from 9 years, uh, nearly a decade now, um, I've been focusing on cybersecurity for business analysis, again coming from, uh, very first-hand own experience where I was working on a project which was supposed to be a security project, but however, none of us, including the organization, didn't see that and long story short, that really kind of woke me up to say, "What exactly is this? Who is supposed to do this?" And lot many questions. So, since then, the journey has
been, um, in within this space. Of course, I am a business analysis consultant. That's my day job. Uh, uh, and along with that, in the last, um, 9, 10, 9 years, I've been focusing a lot in advocating why cybersecurity should be part of our holistic business analysis. And it's, it's taken its time to kind of go through and we will see why it is that as well. So, yes, on that journey, uh, it is, uh, the book, uh, that I have, uh, written, particularly how we can integrate cybersecurity with business analysis. It's a very hands-on
book. Uh, glad that Susan mentioned that it is available on, um, the IIBA library. So, all of us can have access to that. There's uh actually even in it also goes down to how you can use it your day-to-day work at that implementable level as well. Um yes, and along with that um currently I focus a lot on the cybersecurity integration within business analysis, which is again another training that I offer along with CCA. So, um as we go through you will we will just share and know more about that. So, to set the context,
what is CCA? Why is it important? So, we will also look at how CCA certification can help you progress in your career, and how do we approach it, and the exam structure, type of questions you can expect, and practical how study strategies, and how um cybersecurity for business analysis can support you on this journey, and we'll take any question and answers after that. So, what is CCA and why is it important? As business analysts, we know that when we understand the big why, the what, how, when, who, all of that can be figured out. It's
always, as they say, the purpose is important, the why is important. So, let's understand why is this really important to us. Again, I think that's one of the questions um we had. So, using the chat facility, maybe you can share what comes to your mind when you hear the word cybersecurity. In business analysis, everything is right. So, don't shy away from your answers because there's no correct answer. So, it is all depending on the context. So, yes, I can see uh protection, complicated. You know, Kathleen, that's the right word.
In fact, that's the right answer. [laughter and gasps] Um safety, scam, yes. Risk appetite, risk analysis, hacking, risk capacity, governance. Uh fantastic. Thank you all for sharing that. Uh security relating to web online, viruses, protecting physical and digital assets. So, as you can we can see that Okay, Christopher says a security framework and safeguards for organizational networks and information. Yes. So, when we see here in these responses, all of us have different understanding when we hear the word cybersecurity. So, you know, like for example, if you talk about any particular subjects like maths,
okay? We understand what it is. It is with numbers. When we talk about business analysis, yeah, it is about analysis, although not many people can get it, but what it is because I have to really explain when I say I'm a business analyst. Really, what do you do? They ask. So, again, when we talk about cybersecurity, it is so wide and spread and today again we will see how that is again transformed because of that huge landscape that it covers, all of us see it from different perspective. The analogy I would like to use is
that six blind men and an elephant. So, all of them, you know, like one blind person comes, touches the the body of the elephant and says, "You know what? The elephant is like a wall." Another blind person comes and he touches the legs and say, "Looks like a tree trunk for me." And another person, again, another thing. So, but everybody are correct from where they are coming. But, is that the elephant? It's more of it. It is that and more to it. And that's exactly what cybersecurity is. How much ever we think we understand it,
there is more to it. So, let's take an attempt today to see how we can understand at least what is it. Okay. So, technology progression as you can see from this slide, when I started my career in the late '90s, I used to work on this particular system, which is a standalone machine, desktop. And other than, you know, the physical security of the machine, we used to use the floppy disks to copy data from one computer to another computer. And that was the only risk of that data or whatever is happening
in that machine. And the solution also was simple. There would be another program, antivirus program, which which when run, it would fix that problem. Simple problem, simple solution. But then we started connecting the computers, the systems come as a LAN network, local area network, wide area network, and then with the internet, today it's everything. I think now looking at this deck, I I am just thinking that I should update this diagram and include robotics, LLMs, AI, whatever it is now, because today we are there. Um so, anyway, imagine all the things that can go wrong
in today's landscape. Every organization today, we use technologies so very widely, so many systems connected talking to each other, and several other systems, servers located in different locations, on cloud, talking to third-party suppliers. Hundreds of people connecting, accessing system from so many different places, different governance requirements, compliance requirements based on the domains and the place we live. A lot of things. So, today we can do a start and transaction using one gadget on one part of the globe, and we can update the same transaction while we are traveling to another part of the globe and
complete the same transaction in another part of the globe using another gadget. So, this is exactly how we have expanded. So, just think about what are the things that can all go wrong in just one the single transaction. And those are all the risks that we need to be aware when we talk about cybersecurity. So, which means the more technology expands, the more vulnerable the ecosystem gets and the more security solutions or the controls we call are required. Hence, we need to it is it is that like blind people and that huge elephant and we
need to understand the vulnerability at every single point in that journey. So, again from my own experience, what I have seen when working started working in late '90s as I mentioned, where you know, I was working as a systems analyst developer, which means my job was to work on end-to-end project development life cycle, which included from business analysis, understanding what the business need is, designing the system, creating the databases, writing the code, developing it, training the end users, right? Creating a manual and then move on to another client to kind of work at another client
site cuz I was working for a consulting company. So, all we did was, you know, you create the system, write the documentation, hand it off to the IT, and you know, we weren't much aware of those risks. So, anything that's called security wasn't really involved. I wasn't doing any of those things. And the next generation, as we call, when we started talking to different systems, then slowly compliance came again in the part of checklist. Okay, have we done this? Have we included this? All of that. But when we started looking at the user journey, you
know, making sure we have fancy user UI integrations and user interface, and also trying to make the user journey simpler uh and much more beneficial, then lot of things started coming in. And again, with the Agile, we started understanding who should have access for what? How What are those permissions? And again, at the application level, infrastructure level, all of them started. And that's when we started becoming more aware of it. And of course, with the compliance as well coming in at that point point in time because there was data involved. But now, today it is
not sufficient. It has to be strategic and embedded. As Susan was mentioning, it is not an afterthought. We just cannot bolt on uh security in the end after the application is developed. It has to be earlier. When you say earlier, exactly, it should go back to left left left. There's a term called shifting left. How far do we shift left? Uh till the point where we kick off the project. When we start working on the project, when we know what the business problem is, that is when we will have to include security or cybersecurity. Why?
Because today all of our projects involve technology. So, when there's technology, I always say, you know, it's like the two ends of the stick. We just can't have one end and not pick up the other end. So, when we pick up technology, we also pick up cybersecurity. It goes without saying. So, this is how why this is really really important. So, what is cybersecurity then? We have worked on so many different cybersecurity projects, or we might have seen somebody else working or we might have just been aware of what are those. But at least I'm
sure all of us would have worked in an application where we the user needs to log in and put in a password. Yes, that is not only to identify who the user is, but that is a security feature. So, which means whether we have a security mindset or not, whether we think we're working on a security project or not, we would have unconsciously worked on it. It could be as, you know, an authentication or some requirements where you enter the password or some kind of access, some kind of permissions. And another next level is again
how we protect that, how we communicate because we are capturing some data, how the data goes into the system or goes to third-party systems or somebody accessing it. So, all of that again, the firewalls, the how we encrypt the data and what are those gateways when we are connecting between organizations. And another level above that is what are the frameworks again, like one of you have commented on on on the chat to say there are different frame frameworks that we need to use. Yes, those frameworks will help us to go through a process to say,
"Okay, we have it's like a checklist. Have we done this? Have we not done this?" And also it is a reputation where in organizations have some kind of standards, they have a reputation, people trust them. So, that is again another level. The next one is the legal and regulatory. We have governance based on different uh places, different domains. Why? Because as part of all of this, we need a governance body to make sure this is important and we need to tick all those boxes and we need to make sure that everything happens the way it
should happen. And finally, analysis, risk analysis. So, security is nothing but risk analysis because we know something is a danger and we need to protect it. So, which means risk analysis will become the core of it. Again, as part of that information analysis. Why? Because we need to understand what is that information that we have within our organization. So, when we see all of them together, then we can say something is secured when the systems, data, networks, processes, people are all secured or protected within the cyberspace in line with the governance and the compliance that
it demands. So, it is just not one aspect. Now, we put the whole elephant together to say all of these should come in. And that is what we try to bring in through the CCA to say all of these aspects should be included. And of course, these are all just uh concepts here, but there's a lot as we go into these things. So, IIBA in collaboration with IEEE, that is the uh Institute of Electronic and Electrical Engineering body uh who actually uh advance technology for the humankind. They are the Computing Society uh part of that
body focusing more on technology and how to guard the technology, what are those standards uh that we can use to use that technology safely and as as as part of in a secured way. So, they have a lot of standards in so many different areas and of course, in cybersecurity as well. So, IIBA and IEEE collaborated and we have this particular knowledge base that is called the CCA which has a lot of cybersecurity or the key cybersecurity concepts and the tools that we need as business analysts so that we can learn those, use those in
our day-to-day activities, and help the cybersecurity team in securing the organization's informational assets. So, that is all about why we need this uh certification. So, the next part is how CCA can help progress in your career. Yes, that is right. According to uh IIBA's global uh business analysis survey report, it says that 21% of people who have certified uh earn more than more um 21% more in comparison to those people who have not certified. So, that means in fact, now if you look at that, when you present
your CV for a particular business analysis role, and you also have along with the BA certification, you have the CCA certification, obviously your application takes precedence. Why that happens is because today going forward, probably each and every as we have just understood that when we talk about technology, cybersecurity has to be part of it. So, which means each and every BA should include this within their analysis. That's exactly where our end goal is. That's what the journey we are taking um towards it. But today, even before we reach, you will be those cream of people
who have this particular certification along with the BA certification. And that's exactly why, as an organization, you're bringing that an added value to them. So, that's exactly because we all create, co- or co-create the value, you know, for our organizations to find something of benefit for the for our organizations. But, why do we leave security to somebody else? In fact, I have it on my office wall here to say business analysis is about enabling confident decision-making. I feel somewhere that is the core of the things that we do and I remind myself every single day.
So, if my work, my analysis is enabling the decision-making, just not a normal decision-making, a confident decision-making. So, if our senior leadership team or if our decision-makers within our organizations are taking a decision based on our analysis, isn't it important for us that our analysis should be complete? If we leave security outside and just talk about the value that this particular change will bring in, does our analysis is complete or do we really say that is it is complete? And that is the question we all have to ask for ourselves. Like when I encountered for
the first time that this particular problem, you know, when we were talking about the change, but that was a data leak and which was happening multiple times and I was working for a reputed organization and this organization exists for over more than 100 years. So, imagine their reputation, do imagine the trust the customers have and their information was being leaked many, many times in different part of the world. So, it really, you know, I started asking "Who is responsible to bring this part, you know, to the attention of those decision makers? How can you really
make them see that this is something important?" And when I started looking at it, it was my analysis. Because if somebody is making a decision based on this analysis, it is my responsibility as a BA to include security also to say, "If this is not done, what is the damage that can happen?" And that's exactly how it spans out as we go forward. And well, that's why I say every business analyst should include that holistically as part of our work. So, again, just to give you a talent shortage in the cybersecurity industry, so around, you
know, 4 to 4.5 million is needed to fill in that gap. So, today's cybersecurity team are really, really under pressure, especially with the things, you know, at the pace that technology is expanding. So, there is a huge talent gap. And by 2032, there's a projected 32% of increase in the growth as well. And again, these are some of the key domains, banking, finance, healthcare, energy, because you can see how with technology, how we are expanding, how we support our customers. So, again, as technology expands, security is required. So, again, CCA will be a starting point
for you from business analysis to understand. We will see that as well, how. And from there, it will also lead you to work in the cybersecurity area as well. So, what's the required shift here? So, today, we are business analysts, but we are not focusing more on cybersecurity. Probably, we might still be doing who has access or some non-functional requirements, but not everything that is required. So, with the CCA, we will make that shift where from a business analyst, we will become the business analyst with the cybersecurity knowledge. From there, we can still continue to
be that business analyst or we can also look at to be working within the cybersecurity domain. That really opens the door to work within the cybersecurity domain. So, what are the those opportunities if I start here, it can take me. Again, um you can see this diagram on IBM website as well where when we talk about cybersecurity, it will really open the door from where you can become a cybersecurity or the information security analyst, risk manager. Uh if you are more technical oriented, you can get into becoming the architect whether it's the cloud architect, uh
information architect, the operational analyst, or maybe even progress in that domain to become a CISO as well. Again, our core BA skills are required no matter what we do. All of these um roles will still need the core BA skills. So, as we see here is the cybersecurity knowledge areas. The orange part here is our core BA skills which will still remain no matter what different roles that we take. So, now with the CCA or the additional layer of knowledge that we get is the security knowledge. Um that's the blue area where we will be
comfortably and confidently working with the cybersecurity teams, the technical teams anyway we work with, but we we can also collaborate with them for all the cybersecurity or security related requirements as well. And all of these outside boxes are the subject matter experts. You know, like let's say if you're working in insurance domain as an example. Uh if I need to, you know, as a business analyst, I'll be working with all the teams, but if I need a bit more information, I go to the subject matter expert who is an expert in the insurance business who
been there for a long time. And I work with those SMEs. So, similarly, technical, I do write technical requirements, but if I need more information, I go to the subject matter experts. I might go to the technical architect or whoever is senior to understand more about it. So, similarly, with the cybersecurity knowledge, we will be capable to write cybersecurity requirements, but if we need more information, let's say governance, I need to get into more I need to understand more. Is it enough or we need to understand more? Then, of course, we go to those SMEs.
So, as we are doing currently, we will continue doing the same thing, but with the security knowledge area experts. So, this is what our core CCA talks about. In terms of the certifications, as the risk shift is required, the first and foremost is the CCA from here because there's no other business analysis and cybersecurity certification currently. So, it is uh many other certifications are there, but primarily focused on cybersecurity, but maybe a little bit of analysis because analysis is something everybody needs, but only IIBA has this certification currently. And uh again, for those people who
really want just the hands-on experience, who doesn't want the certification, again, I'm offering them that integration uh based on the book I've written and and the um trainings that I offer. So, other than this, we don't have any business analysis specific certifications existing currently. And once we do the transition, again, when you're if you want to work towards cybersecurity domain, again, there are so many different cybersecurity certifications again at foundation, advanced, and specialized level if you're interested. So, now, the core question. How to prepare for CCA? Um just a quick question. How many of you
here are pursuing CCA or do you want to pursue the pursue CCA? Bindu, we've got someone who is taking the exam tomorrow. Oh, wow. >> Ahmed is taking the exam tomorrow and he wants to know any advice for someone taking the exam tomorrow. Uh probably yes, you might find something um to help you at the end. I will be pursuing in the summer. Yes, thank you for sharing that, Christopher. Excellent. I'm also exploring it. Would like to pursue. Um planning to. Excellent. I'll do soon. Okay, I will sit the exam in July. Okay,
in the process. So, excellent. So, let's see uh what actually really helps them and maybe you can also share so far how is your journey going on? How are you finding it? Uh plan for next month. Okay, excellent. So, just in the chat, let us know how is that journey for you? Um and how are you enjoying the process? It'll be good to know. Okay, while we get more responses, so how do we prepare for CCA? What is the best approach? Like as I said, I've been working on this for such a long time. I
have tried so many different ways and tested some work, some doesn't work or something I learn. So I think somewhere I have found that right concoction which really helps to understand how to approach CCA. It took me a while to understand how the book is structured. [laughter] But okay, I think you have come really far and you're taking the exam. And why risk for a sample is defined more than 10 times in the book, okay? Example. Yes, this is one of the practical um problems, not problems, a challenge
I could say. Um and thank you for sharing that, Ahmed. That's again one of the key things that I have identified working with many, many learners and that is where I said I have identified that right concoction so that your journey can be enjoyable rather than, you know, really struggling how to understand, how to even structure this book. And that is one of the reasons is because we worked with IEEE who are coming from an engineering background. So they have led the team and that's why we have more technology technology focused. We talk about
lot of concepts and we talk about lot of tools, but less of a business analysis approach to it because that that's what um okay, six blind men what and used a gen AI a lot. Yes, exactly. Okay. So I think now let's see to avoid what I might went through, let's see what are the things that we can do to avoid that and make it much more easier process. So, what I have found is, you know, two types of learners come to me. One category first category is they say, "You know what? Can I get
the certificate next week?" Why? Because my organization needs it or I can I want to apply for this new role. I would like to know something about it so that I can apply. And I have the second set of learners who say, "I'm not interested in any certification, but I really need to understand what is it all about because I want to use it because there's a you know, cyber security project or you know, we are we've got this new project especially for corporates." This is the kind of inquiry I get. "We have a new
project and I need but I always say to all my learners, "If you're coming here for you can come for whatever the reason, that's absolutely fine. That's your choice. Having a certification definitely career progression, it will give you, you know, you know, kind of an upstage there. But it will also take you inside the door because you have a you're certified. A body is telling you that you can do this role and you have passed the exam. That means you can. But once you get into that inside the door, there's a lot more
things that your role demands and that only comes or you can only serve all of those purposes or you can only perform, you can go far if you actually have the real knowledge of how to implement it in all of those situations because when it comes to security, there is no one solution. Like business analysis, you know, like every project is different. We have all the tools, but we apply those tools, those techniques, those frameworks, whatever it is based on the context. So, similarly here also it is all contextual. So, unless and until we understand
how we implement it, certification only takes us so far. So, our approach is something that irrespective of what you do, you will get the full package. You take the certification part or you take the real knowledge, you use it or you don't use it. So, because that real knowledge is what really matters. So, the key strategy is a holistic approach. So, first and foremost is understanding what are we creating. Okay? And then value is the foundation. We will see what these are. Integrate, not bolt on, security and structured training is the right way to learn. Um
okay, I'm just looking at the message if there's anything so that I can include that. Um Okay, excellent. Thank you for sharing. Okay. So, when we are creating something, um especially, okay? We What What are we creating? We need to understand that. So, CCA, as I was mentioning, it talks about a lot of concepts or the key concepts and also all the tools that are used. So, it is something like these are all the ingredients to create a recipe, to create a food or menu, whatever it is. So, this is this particular herb. It is
It has this taste. It has this texture. If you add this, you get this flavor. So, our content actually gives you all the ingredients. But, having knowing the and all, all the ingredients, having the knowledge of the ingredients is completely different to cooking of uh of food or creating a recipe or creating a menu. Because every time you want to create a dish, it depends on who you're serving, what is the occasion, what uh do you fancy at that particular day, time, season, whatever it is. That means there are so many different factors that we
need to take into consideration. So, when you're approaching CCA, first and foremost, have that end goal as what is that you're trying to create? What is that you're trying to secure? So, have a case study with you. So, having a case study will really help you, "Okay, I'm learning about this ingredient, where can I apply? I want to know, oh, this particular taste, do we need that or not in my recipe?" So, similarly, understand a concept, "Where does this apply within my context?" So, always have an end goal, a vision, a case study, and that
is the approach that we take as well. So, at the end of the training, CCA training, people will have a hands-on experience. They would have built They've written the requirements. They've done something. They've built something. And then they next day when they go, it doesn't feel new to them because they they know the ingredients. Also, they have created a recipe. So, it's it's more of a hands-on. So, when you're doing, always have that end vision. When you have end vision, as Ahmed was talking how it is structured and all that, then you can easily start
putting, "Okay, this goes in there, this goes in there." And that's the first strategy. The second strategy is value is the foundation. So, let's understand this value with an example. Um Susan, can I pick you at this point in time? I'm ready. Okay, I'm going to ask you uh again, you can tell me exactly or you can just make it up. What What does your phone cost? What does my phone cost? What's the price of your phone? Oh, of the device itself or my um oh gosh, I $800. $800? Yeah. So, I'm going to ask
you the same question. Um what is the utility of your phone? What are the things you do with your phone? I uh send and receive text messages. I make appointments for my dog. [laughter] I um I stream my fitness classes through my phone. I check email. I keep up with friends. I call my parents. Okay, do you do any uh banking with your phone? I do some banking with my phone. Excellent. So, now you do your banking, let's say. You do some important stuff, let's say. Work is also confidential, let's say. All of
that. So, now you know where I'm going, right? I can see the smile on your face. So, you want to buy something. You're very hungry. You want to eat the food or you want something very valuable you're buying and you want to pay from your phone. You don't have your phone. Or you want to check your bank transaction. You don't have your phone. Or you are somewhere all by yourself. You want to reach someone. Situation is not so good. At that point in time, what is the cost of your phone or the price of your
phone? Well, it would be priceless at that point. Exactly. So, the same phone which you said $800 is priceless Right. given the situation. So, the value let's say another let's take another example. Okay, my mom she uses the phone um just to make calls. No text messages, nothing. Of course, she has WhatsApp just because she can use internet cuz she lives in India. So, she can you know make internet free calls. Um so, she has WhatsApp on that. Other than that there's no no other application. She talks to her family and she has WhatsApp. And
if she loses her phone, okay, or the or any initial cost if it is the same $800 and if she loses the loss is probably a depreciated value of the phone because she doesn't use the phone for anything else. The same 800 was priceless in your case and with my mom's case maybe depreciated value. And if if I ask my son, a teenager, who is on his phone the whole day uh the cost same $800 phone for him it could be a lot more emotional damage if the phone is gone. That's true. So, the point
here is the same $800 device the value of it becomes completely different depending on the situation. So, the same data that we hold within our organization but the value of that data changes based on how we are going to use the value or how we are going to use that data. So, everything that we do within our organization needs to be protected based on the benefit. So, if your priceless device if your device is priceless, so how much of protection you need to really think for that? Maybe from a physical hard case to taking an
insurance, making sure you back up, what all the things, depending on your requirements. So, similarly, for my mom's phone, probably no need of any protection. If he loses, that's okay. Maybe we are just losing that depreciated value. We can buy another one. But again, for different so understanding what is that value that we are holding within our organization, we try to secure it. So, when we are approaching again CCA or any kind of security learning, this becomes the foundation. And apply the same thing when you're doing the CCA preparation as well. So, thank you, Susan.
Um that was quite helpful. So, understand the value, understand the risk of losing it, and then find the solution. So, security means protecting something. We protect something because it is valuable. And value depends on the cost, not only upfront cost, but the cost if we lose it. So, have this So, that means when you're creating your case study, what is that value you have? What are those risks? So, the moment when you see that, you will understand again going back to Ahmed's point, why risk at the different levels. So, at the application level, probably at
the project level, and the organization level, and all of those levels come into picture. So, that is again have that strategy, understand, have that practical thing. Because when you start looking at just the controls, yes, CCA has a lot of controls, do this, do that, we are probably solving the wrong problem again if you're trying to implement it because we have we are certified to implement somewhere that be the long wrong approach. But when we start looking at the problem, which is again like a business analyst, we think, then we will be able to have
the right approach to what we are doing. Again, the third strategy is integrate security, not just patch. Yes, we have lot of this concepts. We have these tools. Don't just start applying Okay, this will go there wherever it is. Have an integrated approach from your initial discussion, from the project kickoff start. How do you do that? So, what again in the book you will have this framework as well, which I've created. That means whatever whenever we are learning CCA, we talk about the BA mindset and the security mindset. What is that fundamental mindset that we
need as business analysts to understand security. So, again, the way kind of I approach like I'm sure we have experienced that both business analysis and cyber security are very very dry subjects. So, to induce life into it, I've included a lot of stories and analogies at every even to understand the concept. Data security is again completely dry subject, but there's a story behind it, which means you can really understand the concept just like that. And that's the feedback what I get as well. So, going through a framework, how we integrate, and as you can see
in this particular framework, the foundation becomes the mindset, and then we have the two pillars here, risk analysis and business analysis, because security is all about identifying that risk. So, again, it can Security can only be one of the trickiest part of risk analysis is identifying the risk. So, you can only secure something as long as your risk identification is strong. So, that means how to even identify risk itself is an art. So, we go into a very detailed exercise and we learn that. And of course, business analysis at every step at every step of
the project of project life cycle phases, how security should be integrated and not bolted at end. So, these are all some of the knowledge areas which will fit into what we do in our day-to-day work as business analysis. You saw the knowledge areas earlier slide. Here, all these things that we as business analysts will can work with the cybersecurity teams and the technical teams to protect our organizational strategy. So, there is an article on this. So, this is the I think it's on IIBA's blog. There's a blog post. So, this is the link. Probably you
can have a read to that blog post as well. And finally, structured training. How structured training really helps because all of us come from different backgrounds. So, to understand what is the expectation of a CCA because it's going There's a lot of concepts we're going to cover in CCA. So, to understand that, we need to bring ourselves to a certain speed and that is again with the pre-reading materials. So, it doesn't matter whether you're self-studying, you're going to any of the training training structured training organizations, always go for those who can provide you a kind
of a stage prepared so that you can learn that. Again, it happens the learning happens in layered because security is not just one layer. You know, it it goes in different layers because even if one layer is compromised, the second layer comes and if that is compromised, the third layer comes. So, security always happens in layers and that's exactly how this happens as well. And go through that learning module as well. So, as part of what we provide is like in the pre-reading material, how this layered approach happens uh and there are 50-plus pages of
terminology and technology so that we understand what are those technologies even before we understand the security concept so that all of our learners come, you know, like every cohort, everybody in the cohort should have a similar understanding and that's exactly what the pre-reading materials are. And like as I said, always have a real-life incident and analyze so that's exactly what we do. Even before we learn, we see what is a problem. So, we analyze a situation, real-life incident to see what is that problem there and how we can fix that. And as we go through
those modules um within our CCA, we can understand how that will work. And again, lot of hands-on exercise because at the end of the training, see, certification or passing the certification is a byproduct of this training. So, you don't do that because you learn the knowledge, you anyway get the certification. So, that is how we are uh actually shaping or designed this particular training. So, again, a workbook which will not only give all the answers plus additional material for you to read as you go forward implementing within your organization and your projects. So, a comprehensive
practice questions which again, the there's so uh many questions in the question bank that if you're confidently able to ans- understand and answer all of them, then you're you can pass um the certification. That is guaranteed. So, probably Ahmed, you can use I think there are 20 or something uh questions which are again at the different levels, easy, medium, and hard. You can go through that. I will just share you the link as well. So, and also after that you will have two months support. Again, go to any trainer, but make sure that you get
that support as well because CCA, like as I said, it is something we are not actually using it. So, when we start learning, there could be some challenges going through the journey. So, go to any trainer who can support you after the training as well. And find a specialist trainer in the domain because they will know the art of how to approach CCA and how to teach. So, this is probably the QR code. You can find some practice questions. Again, like as I said, I've been working on this CCA module. So, when I create those
questions, I know how exactly uh you will be tested as well and what level you'll be tested. So, there are three different levels, easy, medium, and hard, so which can help you for tomorrow's. And I wish you all the best for that. So, like as I said, this is another article to talk which talks about the art of approaching cybersecurity, which not only helps how to approach CCA, but the whole subject of cybersecurity is something that you can check. So, some very briefly exam-related information. Again, it'll be the 90-minutes multiple-choice questions, which again you will
need to book in advance. But, the this is the link on IIBA which gives a very detailed It's a guide, and it is so very detailed. I just cannot add anything to that. So, I thought I'll just include that link here so that you can use this link and get all the exam in terms of how to how to book even, you know, the UI is also given which button to press, what to do to book those exams. But one thing, yes, on the exam day, make sure Again, these are also practical ones, but some
somewhere, you know, sometimes we think, "Yeah, I have a laptop, what else?" But yes, some these are the things where you probably it's advisable to check earlier because when you're using your work laptop, like even in my trainings, the same thing happens. People say, "Yeah, I have a laptop." Even though I have told them earlier to check. They start using the work laptop and I cannot send them any documents, I cannot say share any things because there are restrictions. So, always try to use a personal. If you're using a work laptop, make sure you do
the technical tests beforehand. Um IDs again, government-issued photo ID is something you require. Always don't have anything else to say this is your ID. Keep that. Uh room and workspace requirements, which is again not only on that day. I always say have this preparation few days before as well. Um because the way the mind and, you know, we have accustomed like, for example, I need a table like this so that I know I have this here, I have that there. But on the exam day, that can change. That means somewhere in my mind my struggle
to say, "How do I work this? You know, this is not comfortable." So, make get your mind comfortable. This is a very subtle, not very important, but it does impact because it is, you know, tight without any breaks. You have this exam. So, make sure that you are accustomed to mentally to that work environment where, you know, everything is very clean. You have probably a clear water bottle or probably a white page if you need to do. So, just just keep that, you know, minimalistic without anything and get accustomed as well. Some one of very
subtle, but still important. >> [clears throat] >> So, again, if you are interested, thank you for joining and you will get 30% off discount if you want to take the trainings from my company where I've created a wrapper around CCA which actually takes you through the BA knowledge. You just go through like how your BA activities using the frameworks as I shared here and certification passing the certification will be a byproduct of that and if you use this discount code, you will get 30% discount as well. And of course the book you have it, but
if you wish wish to purchase again with the author code you get a discount as well. But for IIBA members, when you're getting free of course you might use from the library as well. That's the member benefits of becoming an IIBA member as well. So, I wasn't too sure if that was available, so hence this slide. >> [sighs] >> So, like as I said, I remind myself which I put on my wall to say business analysis is to enable confident decision making because somewhere somebody trusts the analysis. So, which means it has to be complete.
So, business analysis is a responsibility in which I have to deliver complete analysis and that complete analysis includes security as well. So, with that said, thank you all for joining and I'm happy to take any questions that you may have. All right. Well, let's see. We've got We've got some questions in our Q&A box. Muhammad asked, "When we talk about cybersecurity, does that also encompass social engineering?" And maybe the the answer is more from a from a CCA perspective. Is there anything about social engineering that's part of that exam? Not really. As you can see
in that guide, you also have the knowledge areas as we saw because when you talk about social engineering are we still seeing it as people? Because again, if a phishing link is that social engineering or not? Again, it depends how you see it. So similarly, whether it is people related or it is technology related. So today when we say, okay, social engineering maybe somebody using an AI, they've created a video and that is also social engineering the way we see it. But of course, we don't have that included in CCA because we wrote CCA probably
2016-2017ish. So maybe in the refresh, maybe when we have the updated version, we will include the new threat landscape. But as of now, we don't have that. Okay, good to know. Next question is from Artur. By the way, Artur, I hope to see you in Warsaw at the summit this year. He asked, does the framework cover the topics of the DORA regulations which are in force in the EU? Sorry, can you repeat the question? I was just distracted with the comments here. Sorry, it's a chat. I know, there's lots of good There's also lots of
good stuff happening in chat. Does the framework Or maybe I'll just say maybe does the exam cover topics of the DORA regulations which are in force in the EU? >> Oh, no, no, no, no. We don't like Okay, when we talk about CCA, we don't get involved to the solutions. Like as I said, framework is also a solution to something to say this is a control, use this framework. We are not getting in into any of those solutions because here we are talking about what is a problem and like we are giving you the ingredients.
These are the solutions. It could be frameworks, okay? DORA is one of the frameworks. They could be ISO's framework, they could be uh framework, they could be many other frameworks. So, yes, there are different frameworks that you could use. Yes, I also in CCA we have used NIST as an example as well. But, frameworks depends on again, because it's a global product. But, if you're in Europe, you might use a different. If you're in US, you might use different. If you're in India, you might use a different frameworks or a certification bodies. So, that is
where those would be the controls or the solutions. We don't get into within CCA what those do. Ah, okay. Um so, we had a variety of questions around people that are getting into cybersecurity or that are in cybersecurity and wanting to get into business analysis. And so, the question was how does this certificate prepare them for for that? Like, how would And I know that you had a slide that kind of listed the progression of cybersecurity, but from a you know, from a somebody that's wanting to get this to take their career in a different
level, how do you see it positioning that person for cybersecurity work in their organization? Yeah. Okay. So, from as we understand, business analysis is just not for business analysts. We know everybody needs business analysis. It's a very Yeah, blanket statement. Yes, even if you're a parent, you still need to analyze few things. So, business analysis is everywhere. I think that's what we call, isn't it? Business analysis is everywhere. The tagline. So, which means our core skills we definitely need irrespective of whichever domain we move into. But, the very first, you know, like somewhere like as
I said, it's the huge elephant. Which way you need to kind of approach it is a longer journey. But, CCA is something where we will handhold you and bring you into that domain saying, "Okay, this is exactly what it is. Here you go. You understand few things. From here you can shape up your career by We saw some of those roles as well on one of those slides where IIBA's created those roles. So, which means from there you can become a cybersecurity analyst as the first step. Uh and from there you can go into
any specialized areas. Because as we saw the knowledge areas, it's huge. You If somebody says I'm an expert in cybersecurity, that ain't happening. Nobody can be an expert in cybersecurity. Because there are so many different knowledge areas within that. You can say I'm an expert in compliance. I'm an expert in cloud computing. I'm an expert Sorry, cloud security. I'm an expert in one area, but you cannot be expert in everything. So, once you are into it, find which area, whether technical, non-technical, what exactly is your leaning towards, and from there you pick it up. Yes,
and I know we are technically at the end of our time, but I know we had somebody ask in the in the chat about what if I'm not technical, is this certificate right for me? And I think your answer would be yes. 100% because today you're not technical, but we still write technical requirements. We still say the password should do this. We still say the data should go into this or it should come on that UI. We are still doing that. But if we don't say how the data should go, then that is not technical.
We are still because we are not writing technical requirements or we're not writing technical solutions. When we write a requirement to say the data should be shown on the dashboard, that means there's a lot of fund in need security requirements. And as a We are even without security, we are not going to say how the data should go there because that's somebody the technical team is going to decide. But from a user perspective, I need that. But at the same time, I also need to say, "Okay, that data because it is confidential data, only uh
this team should see that." Or even if in that team, some credit card like as we see, it will be masked as an example. So, even those are not technical, but they are all security related. And that's exactly is the myth here. And that that's why although as BAs, we have to include that holistically, we are not doing it because somewhere we have that myth or an understanding that says it is technical in nature, but it isn't. Right. It isn't. And this this certificate program also is not testing you on technical knowledge. All right. We
are at the end of our time. So, just a reminder you guys, I'm going to send the link out uh to this recording so that you can um if some of you have questions about some of the QR codes, you'll be able to get that from the um from the recording. Also, we'll get an email out next week because Bindu has given us a ton of uh resources. And so, I'm going to pack those into that webinar extra that you guys will get next week. Bindu, thank you again for joining us today. Thank you, Susan,
for inviting. And I'm glad we made the first CCA. Yay! >> [laughter] >> Uh and this shouldn't be the first. Um uh this shouldn't be the last, sorry. And I was just wanted to say Godi, thank you so much. It's 3:00 a.m. in Australia and you have joined us at this time. You know what? This is that shows your commitment to the uh subject and commitment to learning. Well done for that. And everybody else, thank you very much. And all of you who are taking the exam either tomorrow, summer, July, whenever, all the very best.
And if you need any help, you know where to find us. Um and we are always happy to help. And um yes. That's it. All right. All right. Thank you, everyone. Take care and we'll see you all soon. Thank you. Thank you all. Bye-bye.