So we will move from certified special technical specialists to open certified trusted technology practitioners next, and it's our most recent addition to the program. To tell us about that we have Jeff Wilkerson, who's product security engineer at Seagate Technology. Jeff is a member of the product security office at Seagate, where his primary focus is security compliance and managing product certifications. Jeff's background is in project management, information security and supply chain security. Very glad to have you here, Jeff, and please tell us more about the open certified trusted technology practitioner program.

Hi Steve. Great, thanks for the intro, appreciate that. Welcome back. Thanks. Hello everyone. Welcome to the overview of the certified trusted technology practitioner certification, also known as the open CTTP. My goal here is to explain what the certification is and how it's been beneficial to both me and my extended team here at Seagate. So before I begin, maybe a little bit more about me: I've been with Seagate Technology since about 2014, originally in IT, but joined what we now call the product security office in 2017. During that time period Seagate became really focused on product security attestation and life cycle security. One of my main tasks in the PSO has been to drive alignment certification to the open trusted technology standard, both internally and with our own suppliers. Seagate figured out pretty quickly that we wanted our product security effort to be based in a published and recognized standard, and so we gravitated towards the OTTPS pretty quickly in that process. For those of you who are not familiar with the OTTPS, it is a product life cycle security standard that exists to protect organizations and their products against maliciously tainted or counterfeit components.
Don't think I really need to delve into why that's necessary given my audience here today, but I will tell you that since we integrated and initiated this program in 2015 we've seen a substantial uptick in product security inquiries and feature requests. Our customers, I think, are more concerned with product security best practices and product integrity now than really they ever have been, and I don't think that that train is really ever going to slow down again. We've found the OTTPS to be an extremely valuable tool to unify security best practices across our whole enterprise, across the five phases of the product life cycle that you can see here on your screen. I will maybe brag on us a little bit here by mentioning that we have three product families that are independently certified now, with two more in the finishing stages of the process. I could go on and on, I think, about how the OTTPS has benefited Seagate and how it could benefit your organization, but that's kind of a separate topic, and today we want to talk about a different but pretty closely related certification, which is the open CTTP. Product life cycle attestation is, I think, a relatively new concept, but it has been around long enough now that there are people with demonstrated expertise in this field, and the open CTTP exists to verify the individuals have the skill set and experience to act as trusted technology enablers.
Tech consumers, you know, they want to know that the products they purchase are genuine, they want to know that they're uncorrupted, and practitioners of this type are people who basically know how to implement security practices to best ensure that. Whether it's risk of tampering somewhere in the supply chain that we're talking about or insertion of malware in the dev process, this is one certification that covers product life cycle security. So, you know, what product, or excuse me, what problem does the open CTTP solve? Well, I would say that it kind of directly addresses a pretty major gap in the realm of personal certs. I've got a slide here in a minute that covers the proficiencies, but basically there's just no, there's just no real certification with this same scope. You can get a CISM to cover Infosec or CSLP for software dev, but neither of those really cover more than one or two of the phases of the product life cycle, and the same I think can be said for CSCRM for supply chain. And this dual focus on the, oh, I see a comment here in the chat. Sorry, are you guys able to hear me okay? Steve, can you verify that my voice is coming through okay? Yes it is, Jeff, at least to me you're clear as a bell, and, okay, good. Okay, appreciate that. Hopefully the person who made that comment can hear me, me adjust the volume on my microphone real quick just to make sure. If it could be their issue locally, but this session is recorded, so if you're still talking that's fine, we'll capture it all. Okay, thanks James. Yeah, so this dual focus on COTS, or commercial off-the-shelf product, and on life cycle is really interesting because it's both broad and specific at the same time. The breadth of the cert is kind of inherently wide, but we're also talking about a fairly unique subset of professionals that don't really have many other options for demonstrating competency in what they do. So the CTTP, much like the standard that inspired it, was designed to be as widely applicable as possible across the tech
space. If a practitioner has worked on products that have, you know, logic bearing components, embedded software, or products that have been shown to be a potential target for counterfeit, there's definitely a room for them and then this large tent, and I don't think that that tent is getting smaller anytime soon. One of the first decisions that, you know, the team that designed and created this standard came to a consensus on was that we wanted this to be based on experience. I think part of the rationale there, at least for me, was that there really isn't a huge body of literature out there that covers this particular scope of proficiency, but we do have professionals with life cycle experience that go back a long ways. You know, maybe someone worked in supplier security, product development or physical security at various stages of their career, and, you know, these experiences can be separated by time but still speak to the practitioner's skill set in a way that, you know, passing a written exam can't really address. And ultimately we're looking to certify people who can demonstrate competency in implementation rather than kind of pure knowledge. It's the executive and support functions that we're really aiming for. So these are the core competencies, pulled straight from the cert document. Sorry about how loud this orange is, by the way, it didn't look quite as overpowering when I was putting it together. But anyway, I think this shows what I'm kind of trying to get at: many of these skills have certifications associated with them kind of individually, but this comprehensive implementer role is what the open CTTP really gets at. So now we'll get into kind of what I view to be the benefits of this certification, both in kind of a general sense and maybe some specifics from my own experience. There are a lot of companies out there that are just now looking into life cycle security, and I don't have the exact numbers handy, but when Seagate first looked at the OTTPS in 2015 there
were fewer than 10 product lines listed on the cert registry. Now I think that number is maybe somewhere in the 80s and growing each month, and this personal cert is the perfect way to express competency in that certification process. I mean, does anyone in the audience today think that product integrity is going to become less of an issue going forward? I tend to think not. New products mean new dev processes, and as we've seen in 2020, supply chains are prone to disruption and sudden change, so I really feel that the market for this skill set is going to grow over time, and there's no better way to signify it. Speaking personally, the certification has increased my own marketability, and having a certification that speaks to my experience profile, you know, kind of makes it easier to articulate what the profile consists of. One of our biggest challenges at Seagate has been aligning best practices across teams. I don't think that we're really unique in this either. Any large organization is going to have some degree of siloing, and especially those who have numerous product lines, maybe spread out geographically across the world, and it's been highly advantageous for us to align these practices in a global sense. We've been to, and we've been able to increase our overall security posture and become much more transparent in reporting best practices, but I think also this effort has created some really noticeable efficiencies when it comes to managing business processes. Our policy governance is way more streamlined and uniform than it was a few years ago as a result of this, and we have a maturity in our reporting metrics which we've never really been able to achieve prior to this. All of this has been made possible by identifying individuals with trusted technology experience and placing them in roles where they can kind of exercise that experience, but it took our company a little while to put the right team together, because when we started we didn't have an identifier for this job function.
For companies beginning this journey now, they get to leverage this advantage, which is great. And something I maybe forgot to mention on the skill set slide a few minutes ago: experience with the OTTPS specifically is not a requirement for this certification. That standard may be the best example for a full life cycle security standard that I can think of, but, you know, as I mentioned earlier, there are professionals out there who have done this work in segments over time, and this cert was designed with those people in mind as well. All right, so let's cover what the cert process actually looks like, at least at a high level. There are three steps an applicant has to take, and the good news is that none of these involve cramming for a test or flashcards or anything like that. The process weighs your relevant experience against the cert requirements. Candidates can also complete these steps at their own pace, which is great, so depending on whatever your preference is in terms of timeline and your level of readiness, you can kind of customize it to what you want. So for the first step, you have to submit a milestone application form, or a series of those I should say, in order to receive individual badges. There are currently two levels of certification: certified trusted technology practitioner, which is level one, and master trusted technology practitioner, which is level two. Level one requires four badges and level two requires five. The second step is pretty straightforward: there's an application form that asks candidates to detail their practitioner experience against the guidelines, and this is where you get to tie in various experiences over your career and paint a picture of implementing best practices across product lifecycle. Speaking from experience, this is where kind of a vast majority of the actual work is, but I have to mention that even though I've only been in the product security business for about seven years, I was able to draw an experience that predated that, and
I was pretty surprised at how my previous experiences in IT and supply chain, even though they weren't necessarily product centric, ended up being quite relevant. And then we have the final step here, which is essentially a panel interview where the board reviews and discusses an applicant and their relevant experience. At least for me, this was a pretty highly enjoyable session. I'd never given such a thorough accounting of my professional history to a single group before, so that was really interesting, and I have to admit that I emerged from that process with a greater level of confidence in my work and a better understanding of its value, not only to Seagate but any potential other employer I might have. So speaking only for myself, I would say that in addition to gaining the cert I now have the ability to articulate my skill set in a clearer and more concise way, and that secondary benefit has been really useful in my cross-functional work. Our product security team here at Seagate is constantly engaging new teams and new individuals, and after going through this certification I have a really easy way to kind of articulate and demonstrate what I do, which really starts those engagements off on a better footing. So hopefully this has been a helpful overview of the open CTTP. If you or anyone on your team works in the field of product security or product lifecycle security, there really is no substitute for the certification. It is the only one of its kind, and there's really never been a better time to get started. So thank you to both Steve and James for the chance to speak here today, and if you have any questions about this certification please feel free to speak up in the panel, or if you'd like to contact me offline I'd be happy to speak more on this topic with any of you individually. Thanks.

Thank you, Jeff, great job. And yes, as Jeff said, please, if you have any questions ask them in the Q&A, and if we don't get to every question then we will do our best to get
your question answered remotely after the event. But in the meantime, Jeff, thank you, that's a great summary. As you say, there is nothing else of its kind, so get involved. So a warm virtual round of applause for Jeff Wilkerson, please. Thanks Jeff, see you on the panel. Thanks Steve. All right.