Sunday Sep 18, 2022

Convocourses Podcast: Cybersecurity Consultant versus ISSO

http://convocourses.com

 

All right. I'm testing a new platform called StreamYard, and this is the Convocourses podcast. I'm gonna do about, I don't know, 20 or 30 minutes to test this out and also to inform you guys of a career move I recently made. I haven't really talked about this. But about three months ago I was working as a cybersecurity consultant, and that's much different from an information system security officer.

So in the past three or four months I made a big move. Well, not really a big move; it's not a big move for me. I've done both jobs before. But all I want to do is compare the two and kind of give you an idea of what the differences are between a cybersecurity consultant

and what I'm going to be doing with information system security officer work, and what the daily life of both of those things is. How do they compare, and give you an idea of which one you should choose. Before I start, you should know that I own a site called Convocourses, where I teach cybersecurity compliance and how to get into this field as a cybersecurity person.

I've been doing this for 20 years, doing cybersecurity in all forms of security, as well as some IT (information technology) stuff, like being a system admin or network administrator, stuff like that. I've done a little bit of all that stuff. But my specialty is really in security compliance.

And so that's what I teach people to do. And people ask me questions on YouTube, on TikTok, and I'll just go ahead and answer them. And by the way, if you have any questions during this, feel free to ask them and I'll do my best to answer them. Sometimes we have such a great community that they'll actually answer the questions on my behalf.

There are things I don't know. So somebody, some other subject matter expert, will jump in and then answer those questions. Those are my favorite times on Convocourses, because that's what Convocourses in my mind is all about: the community and us coming together, figuring things out. Okay. So I wanted to tell you that recently I made a huge move.

I was working at a major telecommunications company that does cybersecurity on the side. They have a branch that does cybersecurity, and I did it because it was a great opportunity. One of my former coworkers referred me and brought me into the company. It was a great company.

They had great benefits. It was some of the best benefits I've had outside the military. It was decent pay, and the only, probably, bad thing was that there was a lot of travel, and that eventually was the thing that got me out of there. And it was stressful too. And I was having too many personal issues that happened at the time that I was working there. I worked there for about two and a half, three years, and I was doing cybersecurity consulting for them.

So what we would do is we would bring our expertise to smaller companies. We'd go to, and it's a lot of companies and banks and hospitals and healthcare industries that you probably use, to be honest with you. Some of them I was surprised by, like, damn, I use this. We were doing security compliance for them.

And the security compliance, it wasn't just security compliance. It was basically, we would do a bunch of risk assessments, and those risk assessments would be things like, we had 15 different risk assessments. So 12 to 15 different risk assessments, depending on what they chose.

So we would do things like physical security assessments. We would do, of course, network security assessments; there were like three of those. We did cloud-based security assessments. We did wireless security assessments. We'd take all of those and we would give them an overall view of what their security looks like.

And then we would prioritize where their major risks were. And then we would talk to the C-level or director or upper-level management to say, hey, this is where you should focus your energy, because this is where we see the most risk. And the purpose of that was to reduce any kind of vulnerabilities they have, and they can focus all their time, money, energy and resources on that highest level of risk in their organization.

That's what I was doing. And it wasn't too bad. I actually liked it. I fit right in over there. We would do these reports, which were really easy for me. The only challenging thing I found was that sometimes the clients were a bit difficult to work with, and it wasn't that they didn't know what they were doing or something like that.

It was just very high-strung, because cybersecurity could be very stressful. If you have a major vulnerability and you have to take that to the CEO and say, hey, we have a bunch of legacy systems that are in this area here, there's a lot of stress, because you don't want to be the bearer of bad news. And we'd find those things and we'd say, hey,

you have this stuff going on. And there was just a lot of stress with that. That's probably the hardest part of the whole thing. The travel wouldn't have been a big deal if I hadn't had so many personal issues happening with my family, kids and everything, that just all happened at once. So I unfortunately had to leave, because I actually really loved the people and everything.

What did my daily life look like? We were mostly going off East Coast time for me, because that's where most of my clients were. They'd give us like two or three clients, and then you would work directly with them. So most of your day was coordinating the scans and the assessments that you'd have to do. If you had to go to their site, you'd have to coordinate that.

And they expect you to go do that on your own. It was very self-directed, where you have the client, you'd run the meetings with them. You'd coordinate when you're going to go there. You'd coordinate how many hours or how much time it would take to get there, and who you're gonna meet, and all of that stuff you'd have to do.

And then the scans: we had a separate scan team. We'd work with the scan team. We'd work with the program managers. We'd work with them and we'd put together this report to deliver on a quarterly basis and sometimes annually; it depends on what kind of assessment it was. Because obviously you wouldn't do like a physical assessment every quarter.

Because that wouldn't really make any sense, because that stuff doesn't change. But anyway, so that's what we would do. It is mostly meetings and coordination, and doing scans and reviewing the scans, and then writing reports. That was your whole day as a cybersecurity consultant at this organization

I was with, where the main thing we did was deliver these reports, and most of it was risk assessment type stuff. And I was very familiar with that, because in the Department of Defense we do a lot of security assessments and stuff. So that's very different from where my main core specialty is, which is security compliance.

We would dabble a little bit in security compliance, like every now and then. I would help them do like a PCI audit or something like that, or we'd say, okay, here's how your system would fit into NIST 800, or here's how your system would fit into CIS controls.

You'd do a little bit of that, but that wasn't really what we were doing; it was separate from what we were doing, which was mostly risk assessment type stuff. So seeing where their risks are and determining that. Now that brings us to the next thing, which is information system security officer. So information system security officer is more in compliance,

the compliance space, security compliance. And security compliance is making sure an organization is lined up with regulations, laws, industry standards. That doesn't have to be the federal government, which is mostly what I work with. It can be, for example, hospitals have a certain standard that they're supposed to meet.

One of which is called HIPAA, where they have to make sure that they're protecting their patients' healthcare information and their digital records for the healthcare, and stuff like that. Another example of industry standards would be PCI compliance. That's protection of credit cards. So whenever you are at a store and you're using your credit card, they're supposed to have a separate network for those point-of-sale devices.

So that doesn't touch, say, the Wi-Fi that's for the staff or for guests to log in. So that has to be a separate, protected network so that the credit card data is protected, separate from your other networks. That's just one of the things you have to do.

Another thing you have to do for PCI compliance is have the adequate documentation for the security of the system, like making sure that we have network diagrams, and making sure you have an inventory of all the assets, things like that. Those are all the types of things that you would have to do for PCI.

And those are just two examples, but you've got CIS compliance. You've got ISO 27001 compliance. Many different countries have their own security compliance, and different industries have their own compliance. So my specialty is in NIST 800 security compliance. NIST 800 is what the federal government has created and adopted as the main source of security controls.

Security controls are a set of security features that protect the organization's primary assets. That means like your main server that has all the social security numbers on it, your main server that has all the secret data on it, the main server that's holding all the maps of different parts of the world.

That's what you call an asset. So those are just some of the examples, and those are some of the differences. Now, one of the things is what it looks like on a day-to-day basis for an ISSO, just to compare this versus the consulting I was doing.

So it's also a lot of meetings. Security is a lot of coordination. Cybersecurity is a lot of coordination with different organizations, because you're having to meet different subject matter experts. Like, you're not necessarily the person who's locking down that Windows server.

That's gonna be a server type person. That's gonna be a person like a system admin who specializes in Linux, Red Hat, network administration and Windows 2019 Active Directory servers. So you are gonna coordinate with them. So an ISSO, that's what they do. They're coordinating with these different people, the firewall guy, the privacy person.

They're coordinating with all these different people to make sure that the organization has a certain level of… So it is a lot of meetings. It's a lot of meetings with a lot of different people, and that's probably the main difference: the meetings. Like, an ISSO is gonna have a meeting with all kinds of people throughout the organization,

one organization, whereas a consultant is gonna have a meeting with just a few people at different organizations. Like me, I had three or four clients at any given time, and I would have to coordinate with the main point of contact. I would talk to two or three main points of contact, and every now and then I'd meet like a C-level exec, but I was talking to three or four different organizations.

Whereas an ISSO is talking to maybe one organization, and there might be other sub-organizations, but they're all one. You're talking to many people in that organization. So you're going really deep into all of the details and stuff and making sure that all the security is in place. Now, it's not like an enforcement role.

Typically you are more like a news reporter. What I mean by that is a lot of people think that you're the police and you're gonna come busting down doors and say, hey, we gotta secure this server. That's not really your job. Like, you might point things out, but the person who has to be the enforcer is gonna be the management, because things come down from management.

So they have to be the ones to enforce that stuff. Now, if you happen to be the mouthpiece to tell them, hey, the CEO just said this, you're just a reporter. You're just reporting to them: hey, this is what happened. We have to obey what is going on with this organization's policies.

Here's what we have to do. So those are the main differences between a security consultant and an information system security officer. The reason why I quit my job as a consultant and went over to, and now I'm going back to, information system security officer work has more to do with, not the work per se. It's more like the travel. Like, the organization I was at paid really well, had great,

one of the best benefit packages I've ever had, but it was too much travel and I had too much stuff going on. And I had too many clients; it was getting a little stressful, plus I had family stuff I had to deal with. So that's the reason why I transitioned over. And now I'm going to somewhere where it's gonna be a better fit for me and my new family situation.

So that's what's going on. Okay. I've got some questions here. Let me see. For Mike. Thanks, Mike, for your question. I really appreciate that. And Mike says, quick question: the ISSM role coming from being an ISSO, what's your suggestion? Quick question: an ISSM role coming from, are you gonna be doing an ISSM role from being an ISSO? I'm assuming that's what you mean.

So you were an ISSO and now you're about to be an ISSM. That's how I'm trying to interpret your question. Any suggestions? Yeah. So the biggest difference between these two roles is that one is a manager, information system security manager.

You're gonna have even more meetings. I'm just gonna tell you the differences. They both have a lot of meetings, but an ISSO has to be more in the weeds, because an ISSO has to be able to, give an example of an issue: a vulnerability comes down.

The vulnerability is, let's make something up, a zero-day exploit on Windows 2019 or something. And now the ISSO gets wind of this, and that comes from the vulnerability team. Now they have to meet directly with the vulnerability team to figure out what's going on with this thing. And they might have to spend some time researching what the zero-day exploit is.

What's the criticality of it? Like, how quickly do we need to fix this thing? They have to be in the weeds. So they have to probably go to the CVEs and then figure out what this affects. And they have to probably look at a list of all the systems that this is going to touch.

And how quickly can we fix this? So an ISSO is more in the weeds in that they have to know what is going on on a technical level; they have to get more in the weeds and be more technical, if you get what I mean. They might not have to touch the system. A lot of times they're not the ones implementing the security controls, but they're coordinating with the people who have to implement those security controls.

Compared to that, for an information system security manager, their meetings are more with upper-level people. So they're dealing with stuff that's more broad, stuff that's touching the entire organization, and making sure the security team has all the resources that they need, all the time and resources that they need to do their work.

So you're gonna have the same amount of meetings or more, but they're gonna be with upper-level management from different fields. Like, you're gonna be talking to the IT manager, the information technology manager, the network manager, the network engineering manager. You're gonna coordinate with them.

And you guys are gonna be talking about resources. How many resources do we have to do this work? Okay, we just had this zero-day on Windows 2019. Do you guys have the resources and time to do this? How much time do you guys need to actually get this done? So you're talking about, on a broader scale, how do we manage the resources that our team needs to get this job done?

And can we get it done effectively and in a reasonable amount of time? Your main job is managing the expectations of upper-level management, the C-level execs, the directors and all that stuff. Managing their expectations, that is your main job, as well as taking care of the people who

work for you, the ISSOs. Like, your job is working for the ISSOs and managing the expectations of upper-level management. So you're still in cybersecurity, but it's more of a management role. You're not in the weeds. You're not ever touching any technology. Whereas an ISSO might have to touch something at some point. They might have to touch the eMASS system, where they're inputting information there. They might have to mess around with creating,

they might have to create a security policy, might help create the security policy, review the security policy. They might look at audit logs. They might help enable audit logs. They might be the person who's doing threat detection and stuff. The managers, they're not doing that kind of stuff. They're working on resources for the information system security officers.

So it's a great move, because ISSMs are legit managers. And so they're typically paid a lot more. They're paid more. And if you're a first-time manager, you should get a pay bump. But if you have been doing management for a while, you get a significant pay bump, like if you've been doing it for a year or two, then you'll be able to, whenever you move.

Those are the guys who eventually become directors. That's the path directly to directors and C-level execs and things like that, who get paid a lot of money. So that's really good. That's a really good move. If that's the case, if that's what you're doing, then that's awesome, man.

And Mike says, got it. ISSOs I worked with used eMASS and CSAM and Tenable. Yep, Tenable Nessus and all that kind of stuff. That's right. Exactly. You got it. They're more hands-on and touching stuff. Whereas managers, they're not. They're gonna ask about, hey, you have access to eMASS?

Okay, cool. Great. They might look in there, like, okay, let's make sure that the system security plan is there. All right. Any problems with the system security plan? Okay, good, there's no problems, let's go. Or, hey, does the new guy have access to eMASS? Does the new guy have access to Tenable?

Okay, cool. Or, let me help out; let me coordinate with the person who controls access to Tenable to make sure the new guy has it. Okay, the new guy. Or, we just had some people leave; let's make sure that person no longer has access to eMASS or Tenable, stuff like that.

That's the manager. They're not putting things into eMASS or running the scans, necessarily. Sometimes I've been with some managers who did do that kind of stuff, but it was because they wanted to do it. And they were very sharp, very technical, and they wanted to do it, but they totally didn't have to.

And they had other things to do, by the way. All right. Let me shift gears. If you guys have any questions, go ahead and feel free to ask me any questions. I'm testing out this new platform; that's why it all looks a little bit different. So if you have any questions whatsoever, feel free to ask me. In the meantime, let me show you that I have a book out called RMF ISSO, which walks you through, it's a bird's-eye view of what NIST 800 is all about.

And it's very quick, and this is actually the audio version, which is only like one hour long. And then also I've got a deeper dive into the NIST 800 security controls, but I'm not hitting every single control. What I do is I hit the families and give you a practical understanding of what the families are and how you navigate those.

And an interpretation of the families of controls. And I focus from an ISSO's perspective: what parts of that family do you really need to know? That's the kind of stuff that I'm focusing on. And another thing you guys should know, if you didn't know already, is I have a podcast. Here it is, right here. I'm doing the podcast right now.

So the type of stuff that you hear me talk about here is the kind of stuff that is gonna be on the podcast. But the difference is, on a podcast, you could just be in your car on your commute and listen to it, or when you're cleaning or something like that, you can actually just listen to it.

Listen to our conversation as you're doing your thing. So that's the good thing about doing a podcast. I actually really like podcasts. I'm listening to one right now, learning a new language. And I really like it. Okay. Let me see. There's another question here from Mike. He says, can I book you for a consultant for my ISSO role? You know what, I'm actually in the middle of a couple of other consultations. You can email me, feel free to email me, and I'll see if I can find some time

for you. I'm not saying no, but let me see what I can do. Here's my, I'm gonna send you my contact. My contact is scrolling across the bottom there: contact@convocourses.com. If you're interested in getting some kind of consulting and stuff like that. I'm getting back into the workforce.

I'm not gonna be able to do as much consulting as I was doing before, because my hours are gonna get tapped. But hey, who knows? Like, maybe we can do it before I actually start my job. Right now I'm going through the background investigation process. Okay. I got another question from

Mr. Fernandez. He says, so I'm getting my bachelor's degree in cybersecurity in December. I'm currently working in physical security for government contracting, so I'm dealing with classified documents and DoD things. Will I be able to, okay, let me see the rest of this question, to get an entry-level ISSO job? In your opinion, yes or no?

Okay. So, Ludwig, let me give you an example, and I hope that my example can give you an idea. First of all, the short answer is yes. Okay. I know this because I actually started off in physical security myself. So I was a Security Forces member in the Air Force. And basically what I was, really, I was a weapons expert.

Like, I don't even know if they still have that. It was called 3P0X1. That was my AFSC. It's a specialty code that they had in the military at that time. I don't know if they still do; I haven't been following it. But basically what I did was I was a weapons specialist, and I guarded planes. I guarded, if the president came into our base or whatever, I'd be on that detail.

Not much personnel security, to be honest; it was mostly guarding resources. And then I also did some law enforcement. So I knew a lot about the UCMJ, use of force, all that kind of weapons training, combat training, all that. I worked with the Army and the Marines and all branches and different countries'

security people, but it was mostly physical security. And I, we call it cross-train, I cross-trained from physical security to cybersecurity. There's a lot of crossover. I was surprised to learn that. I'll just tell you a few things that are gonna help you going from physical security over into cybersecurity, into IT in general.

Number one, you're gonna have a very sound understanding of security overall, because it's not really that much different. When you get into cybersecurity, it's just a lot more layers, and it's more complex because you've got defense in depth. Physical security still applies in cybersecurity, which is crazy.

But when you think about it, it's common sense: if anybody can touch a system, then they own it. You can own a system. You can take the hard drive out, put it in another device, you can use password crackers, you could use forensics tools on it and then extract all the bits on it and figure out what people tried to delete. As a matter of fact, that's what forensics is all about.

And speaking of forensics, some of the laws that pertain to you, like when you're talking about chain of custody, when you're talking about making sure that things aren't tampered with during the investigations, all those things apply. So some of the laws still apply.

What else applies, man? Physical security checks, physical security assessments. The concept is similar and actually is still used in cybersecurity. You still have to do physical security to make sure that the facility and the room that the information system resides in are protected. So all that stuff still applies.

So it is gonna help you out. And then the main thing is that if you've dealt with classified documentation before, and if you have a security clearance, all of that will also help you to get an entry-level job in cybersecurity, and specifically as an information system security officer, but any kind of entry-level position, because if you have a security clearance, that helps.

A lot of people confuse security. They think that if you're in cybersecurity, you have to have a security clearance. No, that's not the case. Two different things. They should just call it a clearance; it's very confusing. A clearance just does a background check on you to make sure that you are trustworthy, to make sure that you don't have any criminal background that might

cause a conflict of interest where you're working. Like, a bank doesn't want somebody who robbed a bank, you know what I mean? It's stuff like that. A hospital probably doesn't want somebody who had malpractice. It's stuff like that; there are certain criminal things. Not to say that if you

had a case on you in the past that you couldn't work in cybersecurity. That's not what they're saying. It's basically, there are certain things that cause a conflict of interest. So they have to do a background check on you to make sure that there's nothing that might allow you to be exploited,

or something that deems you as untrustworthy to do that particular job. So if you have a clearance, that really helps out a lot. If you've handled classified information before, that actually helps you quite a bit as well, because some people don't have any experience with that and they don't know how that world works. But you knowing how that world works, that helps you quite a bit.

The main thing that you need to focus on now is technical. Because for me, going from physical security over to cybersecurity, that was the biggest challenge: learning all the terminology, learning information technology, learning how a computer works, learning how RAM, CPU and storage all work together.

Learning how to protect those components of an information system. Those are the main things: all the layers and the minutiae of learning networks, how networks work, how you protect those networks, stuff like that. Ports, protocols and services. Those are the things that you need to be really focusing your mind on. The security stuff will come very naturally to you.

So the answer to your question is yes, it will help you to get an entry-level job when you get that bachelor's degree. The only thing I would recommend that you do while you're in school, and this is what I tell everybody, is try to get experience. Hands-on technical experience, if you can. That means whatever college you're going to, or if you happen to be in the military, or wherever you're at, try to get hands-on.

If you see the, we call them workgroup managers, fixing a computer, ask if you can help them out. If they will allow you to help them fix that computer, whether it's updating virus definitions, updating the security patches, whatever it is, even the simplest thing possible, even if it's putting the router in and plugging it in or whatever, you'll be able to put that on your resume.

And the experience is what they really wanna see. A degree is great, certifications are great, but the experience is what they really wanna see. Another thing is, I would highly recommend that, if you have the time, if you have the cycles to do it (some people do not), you get a certification while you're working on your degree.

A degree takes a pretty long time. And sometimes the certification helps you to get the degree. If your college or wherever you're going to has a certification program, I would go ahead and take it. It's not a waste of your time, especially if you get the CompTIA ones, any of the CompTIA ones. If you get any kind of cloud certification, if you get any kind of networking certifications, those are all gonna help you out a lot on your resume.

So I hope that answers your question. Okay. I've got another question here. It says, Mr. Fernandez says, and I'm Security+ certified, but I don't have the most experience with physical hardware. Okay. Yeah, that's what I'm saying: go ahead and get as much

experience as you can with any aspect of information technology. And at this point, since you're new, anything will help you out. Whether it's help desk type stuff, whether you're updating, like I said, virus signatures. The reason why I keep bringing those up is because those are the simplest things that kind of come up constantly over time.

Like, you've probably done it before; you just don't think of it, because it's something we do so often that we don't even think about it, but that is something you can literally put on your resume. You just need to know how to articulate it. Speaking of articulation, just to do a little transition here: I'm working on a book right now, a new book.

That's gonna tell you how to actually break down a resume. I have a course on this already. So if you're interested, I'm not trying to cram anything down anybody's throat or anything, but I'm working on a book that's a lot cheaper. It'll be about 20 bucks or something like that.

It'll have downloadable templates. It's essentially this right here. This course right here is something I've been using for a long time, and because of this, I haven't been without a job. This thing works. This process that I've been doing, basically, all I did was to say, okay, how am I getting all these jobs?

I literally get like 10 offers a day between LinkedIn, messages on LinkedIn, emails, calls. I'm literally getting anywhere from, it's not as much as it used to be before COVID, and now we have some kind of a downturn in the economy, so it's not as many as it used to be, but it's at least six messages a day

I get for different jobs, and I'm just constantly getting inundated with these opportunities. And so all I did was I condensed exactly how I'm able to do this into a course. And I'm gonna make this into a book that tells you how to articulate any kind of security, cybersecurity experience into a workable template that is marketable to employers.

So that is what I'm doing, and it's coming; I'm working on it. I actually finished the first draft. I'm getting it edited right now, as we speak. The first book's gonna be a three- or four-book series where I'm gonna break down not only how to market your resume, and not only how to create the resume, and not only a template so that you can use mine as a sample and other people's resumes as a sample,

but I'm also gonna expand it out into other books that tell you how to get remote jobs, because people ask me about that a lot. And I'm gonna do one that's talking about the different categories of cybersecurity, because that's something I've found: from the questions that they ask, I can tell people don't really know that there are different aspects of cybersecurity.

So that is what I'm doing. Mike says, I bought this course from you. You need to update it. Oh, okay. Yes, updates are on the way. I'm working on a whole bunch of stuff right now. So that's what I'm doing when I'm not on these calls. Okay. If there's no more questions, guys, I'm gonna call it quits for the day and I'll see you guys next time.

See you on the next one. Thanks for jumping on this one. Thanks, Mike, for all your questions. Appreciate it. Appreciate all the questions, and thanks, Mike. Thanks for the update, Mike. I will get on that. I appreciate you. Later.

 

 
