Briefly describe what the company does.
I work for Welsh Water, which is a non-profit utility company that provides clean water to most of Wales and parts of England as well as wastewater services and retail services. We manage the customer base from an individual household perspective, and also businesses as well.
Our business is split into three core areas: clean water, wastewater, and retail. There are also specialist areas within this structure, such as energy and Integrated Technology Services. As a business we need to ensure effective delivery of services across this broad operational focus; throughout considering safety, the environment, and building the trust of our customers.
Was there a primary motivator for selecting SANS?
There are a few unique components of the SANS offer that meet our training requirements really well. The first reason would be the industry-leading technical instruction that you get with SANS. Technical material is high quality, and genuine leaders in the field deliver the training. The practical labs you get with most of the courses are high quality. This is something that's extremely valuable, particularly when you're dealing with quite niche and complex skill sets, like cyber or operational technology.
The second reason for selecting SANS courses is the aligning certifications. The GIAC certifications validate our skills and are an important retention and career development tool for us. It is something that our staff takes seriously and it motivates them to spend, not just time within work with training, but their own time to work towards getting this qualification. This makes it a win-win.
The third reason is SANS courses tend to be vendor relevant, but not vendor specific, which I think is important for us. We do vendor-specific training, tools and technologies but we also need to make sure that people understand the foundational elements that sit underneath any technology.
What problem(s) are you trying to solve with the SANS training?
There are a few areas in which SANS will help us out over the next few years. Firstly, with the core technical cyber defence skill set. When we get graduates, junior analysts or even those developing their careers at a more senior level, core tactical cyber skills need to be constantly worked on with high-quality training. Whether that's forensics, incident response, offensive security or purple teaming, these foundational skills are vital.
I think the primary driver for our investment in training, though, is improving our knowledge and skills in areas of emerging security concern and technology focus. A real focus area in this regard is ICS/SCADA and the wider OT environment. Specifically, how we ensure our cyber specialists get greater expertise in OT and ICS and, conversely, how our OT teams can be upskilled in cyber. Beyond OT, we have invested in cloud and need to ensure we have skills to effectively secure modern environments with modern attack surfaces.
One of the things that I think SANS training is useful for is if you have got an engineer that wants to progress to a senior SOC role, then we can help fill some of the gaps in what they do day to day, versus what they'd be doing in a SOC with somebody's training as well.
Why/When was the decision made to implement new training and select SANS?
We have used SANS for a number of years, in particular to support development plans of junior staff. When analysing our wider cyber program requirements for this year, we felt that we needed to accelerate the training of our team more generally. Particularly around key technology challenge areas, such as IoT and cloud, to make sure that we can make the most of our wider technology investments.
Having the right technology in place is one thing but we need to make sure that those who are operating and managing it have the right understanding, and the right skills to leverage it to the fullest. We’ve tried to align the SANS training with our wider security program so it’s focused on delivering tangible security value, business value, and ultimately value to our customers.
Were there any goals or specific metrics by which you measured your success with SANS training? What were they and why?
As alluded to in the last question, SANS training forms part of our wider strategy to develop our cyber function. We need our people, our processes and our technology to be working effectively and this is key to the people component. We monitor our wider performance and capability using various frameworks, governance processes and formal technical assurance testing. SANS plays a role in supporting our ability to deliver in all of these respects.
Why is SANS appealing over competitors?
SANS expertise in the ICS domain is significant and genuine industry leaders deliver the ICS courses. That is something that's very hard to find outside of the vendor-specific space. It's also got what are arguably the most renowned certifications in cyber defence and ICS, and an ability to validate skills is essential.
Also, the fact that the courses can be delivered remotely and OnDemand gives us the flexibility to manage our costs and for people to conduct training around their day jobs. OnDemand really helps people like me, who find it difficult to get time away to conduct blocks of training.