ConvoCourses

Cyber Security Compliance and IT Jobs

Episodes

Sunday Oct 02, 2022

This is from 2020 but is still relevant.
Here is the video:
https://www.youtube.com/watch?v=zFKC9_vr2io&t=2s
 

Friday Sep 30, 2022

https://www.youtube.com/watch?v=p3dGCHFVeSA
Check out convocourses.com
 

Thursday Sep 29, 2022

See the video here:
https://www.youtube.com/watch?v=1LkfH1TI3rk
More training:
http://convocourses.com
https://securitycompliance.thinkific.com/courses/rmf-isso-nist-800-53-controls-book-2-nist-800-control-families-in-each-rmf-step
 
 
Today I'm actually gonna train on access controls and documentation that goes with it.
 
So we're gonna be talking about something a little bit different. Normally what I do is I go through jobs, break all of those jobs down and then talk about like how to get the jobs. And then I break down what the employer wants to see. But today we're gonna do some actual training. Now, if you're interested in this training, if you want to go deeper, if you want to deep dive, cuz I'm only gonna cover like a few security controls, but if you want a deep dive, if you really want to know this stuff, then I have a couple of courses for you.
I've got a risk management information system security officer foundations course, if you want to actually know it from scratch, like you, you're an IT person. You, this is not for entry level type person. The risk management framework foundations is gonna assume that you have some level of IT background.
And from there I build on what you already know and it walks you through how to get into risk management framework, how to do the actual information system security officer work. So if you want to deep dive into this, go to convocourses.com and go check those courses out. I also have this what you're about to see as one slice of.
Some of the stuff that I'm putting into a new course that I'm developing right now. And if you want to have a full blown, you want to really check it out. I've got a free. The first portion of the course is actually free right now. If you go to convocourses.com you sign in and you can actually see the context of what I'm talking about.
And it's a lot of really good stuff, but right now let's get into access controls and some of the documentation. Let me see here. All right. So here are the access controls. These are actually, these are all the security controls and why you're seeing two sets of these is that one is from risk management framework, 37 version one and one.
The bottom one is from version two. That's coming. That's already out right now, but there's a set of NIST 800-53 controls that are coming soon. And so that's what you're seeing right now on the screen. So the top one is from version four version. Is it version three or version four? The top one you're seeing is from the current version of the NIST 800-53 controls.
The bottom one is the one that's in draft right now, but it should be out. I think this year is when they recently pushed it out to some other date. So anyway, so those are, that's what you're seeing. You're seeing access controls. You're seeing AT controls, training controls, MP controls, media protection, physical controls, all these different controls, that I'm gonna cover all of these in the training, I'm gonna be releasing a month over month until we get all the way to the end. And then I also ask questions if you purchase the actual course, but right now we're gonna focus on just AC controls and just a few of those AC controls, by the way.
If it would take us, it is gonna be many lessons to actually break down all that just AC controls. There's 25 of 'em right now as of the time of this recording. All right. So first of all, what are access controls? So access controls are what an organization uses to control physical. Not it's just not, it's not just logical controls, not just access to the information, but it also includes access to the system itself.
So some of that is in there, but it also includes things like roles. My cat's in here, this is live by the way. This is gonna include things like role-based privileges. It's gonna include things like separation of duties. There's a lot of different things, but let's talk about access.
What is access? It's the ability to make use of any system or resource. So somebody walks into your facility and they want access to your servers, right? They need access. So access control is the process of granting or denying specific requests and obtaining access, obtaining access to that information is what we're talking about here.
And so the NIST 800 controls, actually it goes through a breakdown of how an organization goes about managing access to the information. All right. So these top six controls are some of the most important ones. And I talk about this in greater detail in the course, in the part of the free course, I talk a little bit about it, but I go in more depth in the one that's coming out.
I'm gonna try to release it this month, but I talk about AC one, AC two, and now we're gonna right now, we're gonna talk about AC three. AC three, access control three, is access enforcement. So what is access enforcement? It is the organization's ability to implement the actual access control policies. So not only does your organization have to put a policy in place that talks about how to control access, AC three says not you have to implement it.
How have they implemented this the actual access. To the information like you're saying in this document that you have access controls. And you're saying that a person has to be trained before they come in. You're saying now, do you do it, are, is it implemented throughout your organization? All right.
So that's what we're gonna talk about. All right. Let me show you what I'm talking about. You could follow along, feel free to follow along with me. If you like, what I'm doing is I am on this. Let me see if I can give you this link here. If you wanna follow along. Nope. I can't sign into the chat, but where I'm at is NIST dot, it's nvd.nist.gov.
If you wanna follow along with me, that's where I'm at right now. So you go to Google and type in nvd.nist.gov. You'll find it. And if you go to, once you get there, you'll click on the families like this. Let me just show you real quick. Click on the families that this site has. All the families breaks each one down, as you can see here.
And then I went to access controls and you got access control one, two, and now we're on three. So I'm clicking on three right here. If you wanna follow along, you can also just download the PDF, the NIST 800-53 PDF, and then look at 800-53 AC three, and you'll find everything we're seeing right here.
So what are we talking about here? This right here breaks down what AC three is, access enforcement. All right, so let's just look at the actual description here. Let me just make this a little bit bigger so we can read this together and then we're gonna interpret it. The information system enforces approved authorizations for logical access to information and system resources in accordance with the applicable access control policy.
All right, so let's break this down. So the information system enforces information system, what is an information system? It's a computer, it's a server. It's a workstation. It's a Cisco device. It's an internetworking device. It's a firewall information system covers all like that ground. It's a very general term, but it, where we're saying here, AC three says it enforces whatever system that is.
Let's say it's a Windows 2016 server. It enforces approved authorizations for logical access to the information system. So in other words, there's logical. What do we mean by logical? So there's technical. Things in place on the system that enforce what you have written in your security policy. That is what they're saying here.
So logical access, I'll give you a specific example on our example of a server 2016 windows server, right? So a logical access would be, or enforcement of that logical access would be username and password. Simple enough. So if you written, if you, if your organization wrote in your policy that everyone who comes in has to have a username and the username has to be.
20 characters, the username has to fit a certain policy. And then the password has to fit certain policy. Password has to be 14 characters long, has to use upper lowercase, all that stuff's in your policy, right? They're saying that you have to have implemented that into the actual server itself.
And and before I show you how you, as an information system, security officer can actually check this out and make sure that the organization's doing it. Let's just deep dive into this a little bit further.
All right. So in here it's lives finishing out the sentence. It says the information and system resource in in the, in accordance with applicable access control policies. Yeah. There. So there you go. The organization writes the policy and then the system has to actually implement what you said in the policy.
That's what it's saying right here. That's really the name of the game here. So as an information system, security officer, I've been doing this for a long time. And the name of the game is the organization creates a policy, right? The policy states, what the rules are to having access to your environment.
And then you're making sure as the information system, security officer, you are making sure that all of those policies are documented and they're that they're in place. And if they're not in place, you have. Work it out with the stakeholders. And one of the things that you can do is a plan of action and milestone, but that's for a whole nother discussion.
Okay. So let's, this is look at a little bit more of this so we can get more details, supplemental guide. So this is a great supplemental guides are great because they put it in plain English. What they're saying here. So once again, if you're joining this late, this is AC three and I'm talking about we're interpreting it.
And then we're talking about how to implement this as an information system security officer. All right. So let's get back into this. The supplemental guide says access control policies, and it says identity-based policies, role-based policies, control matrices, cryptography. So these are some of the things you might put in your security control in your access control policy or your overall security policy.
That's just why they're examples. They're just giving you some examples. So control access between active entities or subjects. So they're talking about, here are some examples you might have cryptography, that cryptography might be between the user object and a file.
So they're trying to be the way they write these is try to be as general as possible so that the organization has the freedom to implement the level of security that they need for their environment. Cuz there's many kinds of environments. That's why they write these like this.
All right. And they said, okay, give you an example of different kinds of entities, active entities and subjects, users or processes acting on behalf of users. Passive entities or objects. See just what I just said. So they're saying that the access control policy will have some sort of a role based or a cryptography or something between different objects within the environment.
That's what they're saying here in this guidance, but let me show you, let's put this in action. Let's put this in action. Let me see, what can we do here? Okay. Where I'm at right now is what's called AC. We're on AC three, but I'm on a document called 800-53A. Here's how you can determine whether or not your organization is actually implementing the AC three in access enforcement.
You go to, this is just one of the things you can do by the way. One of the, one of the main things that I do, you go to 800-53A. And 800-53A is how you assess each one of the controls, all the controls, the act has every single one of the controls. So 800-53A, the reason why so useful is because when it's, whenever a system is assessed, this document is what they actually use.
Or some parts of this document is what they might use name. The assessor might even not even know that they're using 800-53A but all the assessment stuff comes from this source document. So it's very useful. Okay. So first of all, assessment objectives for AC three, determine if the information system enforces approved authorizations for logical access is what we just read.
So the assessor has to make sure that number one, You have a security policy, right? Or some kind of a policy and that a policy addresses access controls. Now the assessor, one of their objectives is to make sure that the logical, the technical security features that you put on your system are in place and they match what you, what was written by and approved by your organization, in the security policy.
That's all they're doing. They're saying, okay. What do you have in your security policy? All right. Are you doing that on this Windows 2016 server? Let's see. That's what they'll do. They'll just say, okay. Log into the system. You'll log into the system and it meets that just you logging in meets one of the access controls, because one of the access controls is that everybody will have a role.
Everybody will have a username password. Everyone will have a role. And then what they might do is say, okay, log in.  Let me see you log in with a normal user account. And then they'll say, okay, now try to access this this file system that, that you're not supposed to access. They'll tell you to access, say the audit logs or something, a normal user shouldn't be able to access the audit logs.
So that's the kind of things that they do now. Let me show you something else. Potential assessment methods and objectives. So this is things that a, an assessor can use to assess whether or not you have implemented AC three. You can either examine, you can interview or you can test, right? So normally for AC three, from what I've seen, they do two things.
They look at your your access control policy, which is normally in your security policy. And then they see, they say, okay, let me see what you got. Let me see you do it. Let me see you access that system. Let me see you access the backup drives, and then they're determining whether or not you can.
So that's one of the things that they do now. Let's go to another control here. Let's go to the next control. And I'm gonna go through a few controls here for you guys.
Let's go to AC four and this is information flow enforcement. We're gonna talk very briefly about this one and won't spend a lot of time on it, but it is important just so you know, what is AC four information flow enforcement is the organization controlling the flow of data. And is it documented as an information system, security officer?
Those are the main questions for AC four. So let's go ahead and let me show you what we're talking about here. We're gonna go to AC four and I'm still on nvd.nist.gov. And I just want to, if you're joining me late, you can just, you can follow along if you want, but I'm on nvd.nist.gov, 800-53. Here we are. We're gonna interpret it.
And then I'm gonna show you how it's implemented, how some of the things that you can do to actually check on it. So AC controls, let's see, let's just go right to the description here. Here we are. And it says the information system we already described what the information system is enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on what the organization says, right?
They don't the NIST doesn't tell you, tell the organization what those control policies, what you should. What elements should be controlled. They allow the organization to control. And that's why they say interconnection systems based on organization defined flow information flow policy. So the organization defines what the flow, the information flow is.
And then you're suppo the informa. The organization has to enforce those policies that they put forth. So one of the main things that I have seen done to document information flow enforcement is a diagram. So a diagram that kind of maybe looks like this, it has firewalls. Let's go through this.
This is on the NIST, this is on cisco.com, by the way, network diagram, it has a DMZ, it has three servers in the DMZ, right? And we can see our DMZ is connected to a switch. The switch is connecting two different networks. Those networks are protected by these two different firewalls. Here's one LAN, but that's behind a firewall and it has some VPNs that are connected to the internet, right?
So this one has more exposure than these ones over here. This is the inside of our organization. So this one's behind an internal firewall. So this is an external firewall and this is an internal firewall. And so this right here is showing what kind of flow enforcement we have. So we're just saying that our data just doesn't go out everywhere.
It's controlled. We have a inter protected sanctum here with LAN computers, with all of our protected data on it. And then we have outside systems. We have a. We have a protection from the internet. So this is actually the internet. Maybe we have VPN clients that log in or guest accounts that can log in to certain limited resources that we have out there.
But what we're saying with flow control is that we're our, data's not going anywhere, not I've seen this done and documented different ways. Another way that I've documented in the past, or I've seen other organizations documented is to just have a list of all of the LANs. If you have a LAN in building five, a LAN in building seven and a LAN in building 10, you would just list out here's the LANs.
And here's what they connect to. You could have like in a spreadsheet and explain what's going on with those things. All right. So I'm gonna go ahead and move on from this one. And I'm going to address a couple of more access controls real quick. We're gonna go straight into.  these two right here.
We're gonna talk about AC five separation of duties and AC six least privilege. These ones right here are probably the most overlooked security controls in the AC control family. And the reason I say that is because a lot of organizations, I go to one of the main vulnerabilities that they have is they either give too many permissions to users that don't need it, or they don't separate.
They don't separate the different organization, organizational duties. And it's an easy one to do, especially if you're in a smaller, if you're in a smaller organization where you only have 10 users, a lot of times those 10 users will have 10 different hats. You know what I mean is your security guy will do all the administrator work and they'll do all the system analyst work.
And then they'll also.  be making multimillion dollar choices for the whole organization that they don't, that's not separation of duties. And sometimes you don't really need, multiple people cuz you, you have five computers, five assets and you don't really need a bunch of people to do all these different jobs.
So this is this one, these two right here are foundational. Like you, you real, the organization really needs to have these, but I notice a lot of people don't have them. Let's dive into what these actually mean. Cuz I realize I'm probably talking about stuff that you don't, you might not understand.
So let's go back here. I'm on nvd.nist.gov once again, and I'm going to go to families just to show you how I got here and I'm gonna go to AC controls and then I'm gonna go to. I'm gonna go to separation of duties. I just wanna explain what separation of duties is, and then we'll go to AC six least privilege.
All right, here we are right here and I see some people joining me. Thanks for watching. I'll be answering questions after I cover these two items right here. All right. AC five separation of duties. What is separation of duties?
What do you do with separation of duties? The organization? This is NIST 800-53. The organization, whatever organization you work for, this is what they will do. The organization separates organization-defined duties of individuals. What does this mean? Let me interpret it for. All right. So it says the organization, if it's the department of health and human services, if it's the department of agriculture, the department of labor and Maine, whatever organization it is the organization, let's say the department of health and human services separates whatever or whatever duties that they define.
So the organization has to actually define different duties and then they separate the duties. So the NIST is not telling you, yea, verily, all sec, cyber security people can't do any kind of administrator work or administrator work. Can't do firewall work or a server guy. Can't be also be a firewall guy.
That's not what they're saying. They're saying that where it makes sense. You're gonna separate duties apart. So if you have. And what you're trying to avoid is conflict of interest. That's what, the reason why you're trying to do it. And there's certain places where it makes sense. If you are in a very small organization, you don't really have to necessarily, if you don't have the resources to do it, or if there's no reason to do it, if you don't have a server that's controlling a thousand different systems or a hundred different systems, you probably don't really need separation of duties.
You can have your ISSO, your information system, security guy also do some the firewall and also look at logs, and there's no conflict of interest, but if you have a whole bunch of computers systems and you, can't not even possibly track all the users on a day to day basis. And there's data.
There's thousands of terabytes of data coming in now of your network. Yes. You probably even want to think about separation duties. You probably want to have a whole security unit that, that also watches the administrators and then separate administrator. That is controlled by a whole nother office.
All right. Let's keep reading this and get an idea of what's going on. You have to document the separation of duties of these individuals that the organization has deemed necessary to have, right? So if you have a firewall team and you have a server team, you have to document that these are the individuals who control this.
And these are the roles that control these items here. Define information system, access, authorizations to support separation of duties. So you're gonna define what level of access these people have.  and then what systems that they have access to. So that's what, in a nutshell, that's what you're doing.
That's what separation of duties is. And like I said, I do see this one violated quite a bit. It's a kind of find it's a foundational best practice that you do in larger organizations, especially, or medium size organizations. Let's get a little bit more supplemental guidance on this separation of duties, addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activities without collusion.
What does that mean? So think about it, you're in a large organization, like Lockheed Martin has a large contract with a, health and human services. Now I don't have any pre I've never worked for Lockheed. I don't have any pre any kind of special information on either one of these things.
I'm about to say this is pure speculation on my part. So if I accidentally guess it was an accident. Okay. So anyway, Lockheed Martin I've never worked for has a large contract with health and human services, they have a thousand computers and 10,000 users, right? So these 10,000 users let's say, are managed on a server and on several different Active Directory servers. Somebody, one of the administrators is doing something they shouldn't do.
They are making new users over and over again. Why do we have 10,000 users? Somebody is making new users. . So in this case you would wanna have separation of duties so that this person who's abusing their power is monitored by a whole nother organization. This is just one example of separation of duties.
By the way, you could have a security operations team. And what their job is to do is to watch everything on the network. They're not only watching data going in and out of the network, but they're also watching users. Maybe they have a flag set up to whenever somebody creates a new user, they can see who created the user, what account made that user, when did they made that user?
And then, and maybe they even set up something like a justification, like a why? So every time you make a new user account, you have to make a justification and go through the SOC team. That is one way that you can make it so that these people aren't abusing their power. And that's what they're saying here.
Separation of duties addresses the potential for abuse of authorized privileges, cuz somebody could give themselves more privilege or they can make 15 other accounts and then make all those accounts, these secret backdoor user accounts that allow them in and in inside access. There's just so many different things you can do if you don't have separation of duties in a large environment.
And that's really mainly what it's for. So you wanna do it when it's, when it makes sense to do it. All right. So I think we beat that dead horse. Let's keep going here. And then what we'll do is, ah, show you how you can document separation of duties. But for now let's talk about the next item, which is least privilege is this one right here.
AC six least privilege. Let's go into this one and talk about least privilege, access, control, least privilege. And if you're, if you don't have any context here, if you're, you just jumped on this live and you're like, man, what's what is he talking about? What is NIST Special Publication 800-53 Rev 4?
What is that? What's going on? If you're interested in actually knowing more about this kind of this field, this path, what I'm talking about is security compliance, specifically with NIST and I have a whole course. If you're interested, it's called risk management framework, information system, security officer foundations, and it talks about it talks about how to do security compliance using the NIST standard.
But then I have another one coming out real soon. That talks about how to document everything I'm talking about to you. Now, I give you context of how it all works. I tell I'll break down different documentation and I'm gonna go through. All the families or most of the families, I don't know if I'm gonna cover all of them, but I'm gonna cover most of the families in that.
In that course, that's coming out soon. So go ahead and check that out on convocourses.com. If you're interested. All right, let's keep going here. Least privilege. Now this one right here, this one's near and dear to my heart. This is something that many different organizations I would say most of the organizations that I've ever worked for violate this one.
The reason why is because we as human beings are. We wanna do the least amount of work for the greatest amount of impact . So if there's a way that we can give somebody, if we have a really smart system administrator in our organization, and we want that server fixed this guy, who's really the smartest guy in the organization does Cisco routers, but we also want him, we just start giving this person all of these different privileges that they don't need.
That's one of the things that happens with least privilege. Another thing we'll do, and, or especially in large organizations, is we will we'll have say a thousand different users, right? And the users don't really need, they only need to access their workstation, but they keep coming up with these different things that happen.
Like maybe they have this annoying popup and we restricted their laptop to where they can only do their job. They can only, but they got this annoying popup. So every time they get this popup, they contact the help desk. And they're like, Hey, could you guys fix this popup after a while? The help desk is  okay.
Forget it. Let's just give these guys local admin privileges so that they can fix it themselves. And then they tell 'em how to fix it. But they, and then it's just local admin privileges. What could possibly go wrong with that? A lot can go wrong with that.  that's another violation of least privilege.
What is least privilege? Let's talk about it. The organization employs a principle of least privilege, allowing only authorized access for users which are necessary to accomplish the assigned tasks in accordance with the organization's mission or business function. What did I just say? So what I'm saying is you only give people the privileges that they need to do their job period, full stop.
That's it, that's what least privilege is. The, like I said, the reason why this is violated is because we are lazy. We want to do the easiest thing possible, and it's harder to give people limited privileges when every time they need extra privileges, they have to go and ask, they gotta play mother may I to go get access to the logs or this popup just keeps popping up.
I wanna stop it. So least privilege, it's one of the biggest issues I've that I've seen in organizations. Let's look at the supplemental guidance here, organizations the organization employs least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at a privileged level, no higher than necessary to accomplish the required organizational or business mission or business function.
You only give the privileges that are needed to do the job period. So runaway privileges is one of the biggest issues in most organizations. I've in 90% of the organizations I've been to, this is the biggest violation, and this is the one that gets the most people in trouble. Let's talk about how to document these two controls that we just talked about here.
What I'm gonna do is bring up, I'm gonna bring up a couple things. If you're doing risk management framework, documentation is the name of the game. We, the reason why we document so much. And I know I talked to some of my system, administrators who are very technical they're all their head is always, deep in the weeds on how to implement these systems or set up a new Linux server or whatever.
So they don't have time for documentation a lot of times, or at least how they feel. But the reason why documentation is so important to somebody who does what I do, which is security compliance, is that if we don't have documentation, a lot of times we don't know who has privileges and who don't, we don't know what privileges are needed here or to this person or what role we even have sometimes.
Organizations are so large that they don't even know what roles they have and they don't even know what roles have, what privileges and the reason why is because they didn't document it. So you have to make sure that you document and that's why it's so important. One of the biggest reasons why we have to document is is having a security baseline.
If you don't document, you don't know what baseline you have. And a lot of times that's the reason why you have a legacy system out there on windows 2003 or windows 2000 or something like that in the year 2020, and then there's no support for that system. And so it's out there and you didn't even know it was out there.
So that's why you have to document document. Let's talk about documentation here. So what I'm gonna do is I'm gonna bring up an example of how you would. These two controls. What this is here is one example, one format of a system security plan. This is system security plan right here. And what we were just looking at is AC six. Here's AC six, right here, AC six.
And how will we document this? So in a system security plan, normally you have an implementation statement. And so that's what we're gonna put right here. And normally this thing will say, okay, did you tailor it in? What did you, is it implemented or not? Is it tailored in or is it tailored out?
Meaning, it is implemented, and if you didn't have it, let's say we know we need least privilege, but we don't have it. We would say. Now, keep in mind, this is just one way to document into a security plan. There's also, let me just show you real quick, another way that you can document it like this.
If you wanted to, this is a Word document, and this Word document's a template. I've seen organizations do it like this before. A little easier on the eyes, I think, but harder to deal with when you have large amounts of data than a spreadsheet. Spreadsheets, in my opinion, are easier, but there's another level that's above this that most organizations, large organizations, are going to, which is like a database.
You put that stuff in a database and it's way easier to deal with in a database. 'Cause the more data that you have on these spreadsheets, the more confusing it gets, the more you lose track of things. So what kind of control is it? It's a common control inherited, which is something we talk about in the course.
And then here's where the implementation statement comes in. So we would say something like this, let's say our organization is Lockheed General, I'm just making stuff up: "adheres to the principle of least privilege by enforcing a global policy, GPO." So that's a technical way that they are enforcing all privileges throughout the whole environment. You're just saying what the organization is doing. This is how you document, you're not making this stuff up. All right. Let me just be very clear about this in the real world. What you okay. My head is covering this up.
Let me just move myself outta the way here before I that's what I typed right there. So let me just be very clear. You're not making this stuff up as an information system security officer, as a security compliance person. Whether you work for the bank or the government or hospital, you're not making any of this stuff up.
You're gathering the information from the organization. So that means you have to bring in stakeholders. That's the people who do this stuff on a regular basis. That means it might even mean your CIO. It might mean your CFO. It might mean the actual people implementing it, the system administrators, or maybe you're the system administrator, or maybe it's already written in another policy somewhere else.
You would grab that information and then you're gonna put it into this system security plan. All of our system security documents are focused on security. Like you might have, HR has their own documents. The architects guys have their own documents. The technical team has their wikis and their work instructions and all that stuff.
We are focused on the security features of this system. And so that's what we're doing. We're gathering from all these other existing documents where we can, and we're putting those into, pouring those into our system security plan. Now another place that's really good. Let me move my face here.
Another place that's really good to document these security features is a security policy. A security policy is really good, 'cause you can really break down each individual item with a security policy. I've got AC-4, AC-5, AC-11, and many other things.
So in the security policy, I can really focus in and say, here's what we have here and be very specific. And you're not making this stuff up. You're getting it from the actual people who know the system. So that's what you have to do as a system security person. And that's the AC controls in a nutshell.
And like I said, if you're interested in this, you can go check out convocourses, if you want to deep dive into this kind of stuff. And now I'm gonna open up to any kind of questions that anybody has to let you know what's going on. Any questions whatsoever about anything we talked about is a great opportunity to talk about it.
I see a few people here that's joined me. A cyber security guy, how do you ever defeat your rival hacker? So I think that it's, there's, that's not how I would format. That's not how I see it. That's not my perspective on what's going on here. So what's going on is you're controlling your data as best as possible in your organization.
It's not, you're not defeating an individual person. This is just how I see it. This is not personal. The way I see it is I am working for my organization to protect their information. I'm working for their interest. So whatever their interest is I, that's what I'm protecting. And it's a team effort.
It's not me against some random hacker out there. And then, from the hackers perspective, from the malicious criminal hackers perspective, cuz some hackers are good from a malicious attacker's perspective. It's not personal. They just, they have a mission too. And it's either money or it's, it is activism.
Or, and they're not usually just going after one organization, they're going after many organizations and seeing what works and me as a cybersecurity guy, same thing. I'm just working for the interest of my organization. And it's a team effort. I'm working with several other people who. This guy does firewalls.
This guy does vulnerability management. This other person is the CEO of the company. They have to manage all of the resources of the company. They have a fiduciary responsibility for the organization's information. So there's many different people working on this. It's not me against one lone hacker.
And then from the hackers perspective, from the attacker's perspective, it's nothing personal. They just want to find the weakest link. And they're just usually what they'll do is they'll search the whole, a whole spectrum of the internet to look for the weakest link or to look for free information that's being given out there that they can use that information to infiltrate the weakest person who's out there.
So that's it guys. If there's no other questions I'm going to go ahead and go. Oh wait, I got somebody here. Let me see. They said I need a job and I don't have any information system security background coming from a Linux system engineering background. What will be the best advice? What would be your advice?
Please help me. This is easy. If you have a Linux background you don't. So right now, even with the virus, even with all the stuff that's happening, even with the lockdown, now it has slowed down. Like, some of the employers that have talked to me said that right now there's a hiring freeze going on throughout.
There's a hiring freeze going on, for obvious reasons. You can't do interviews in person. You don't know, we don't know how long this is gonna last. We don't know. For large organizations, they don't know what their fiscal year is gonna look like if they're losing sales; depends on what kind of industry they're in.
But there's just a lot of uncertainty right now. So obviously the markets have slowed down a lot. But that being said, people do still need information system security officers. So if I were you, here's what I would do. If I were you, here's one of the things that, and I have a whole series about this, by the way, I would go to indeed.com.
I've gotta, if you're interested in this, I got an entire series that talks about, I got a whole series that talks about how to market yourself and that's what it's all about. Marketing yourself. I would go to indeed.com. Here's one of the places I would go to Mr. Bun me golden. And then I will type in, I don't know what your skillset is, but you said Linux is pretty hot.
What kind of Linux is it? Red Hat. You gotta be specific. Let's say Red Hat. I'm gonna assume you're a Red Hat Linux guy, Red Hat. I'm gonna assume you're a Red Hat administrator.
All right. And where are you at? Let's say you are, I'm gonna assume you're in Texas, Houston, Texas. You're a Red Hat administrator. I'd have to know more about what you have going on to actually help you out in a more realistic way. But I'm assuming you're a Red Hat administrator and that you have about five years of experience and you are in Houston, Texas, and I'm gonna go find jobs now.
I'm assuming you're in the US. So now look at this. DC. And you're looking for a job. Come on, man. Come on, man. This always blows my mind. DC is one of the hottest areas for IT. DC, Virginia, that whole area is hot. Like, there's barely a week that goes by that somebody from Washington,
DC is not trying to contact me about a job. The thing is most of us IT guys, and it's not your fault. Your profession is technical, right? We're not marketers. Thing is you wanna market your resume. You wanna market yourself. That's the key. That's the whole key to this whole thing. If you're interested in this, you have somebody else having you watching this kind of thing.
I gotta you go to convocourses.com. You're gonna go check out my course. It talks about how I've been able to have not only a job, but a six figure job working from home for the last X years. And I'm not some freaking genius, man. I'm not some freaking prodigy. I'm not some freaking genius.
The only thing that separates me from other people is that I work really hard. That's it. I know, having seen extremely brilliant people, I know I'm not one of those guys. I know I'm not one of those guys, everything I do, I have to work my ass off for. So that said, I have a level of success that allows me to take care of my family, my wife and kids and travel the world and do what I want, when I want, how I want.
But anyway, okay. Back to your question, you said, how do I find a job? I'm assuming you're a red. Okay. So you said Red Hat six and seven in Washington, DC. All right. So let's look at this. I would go to indeed.com. I would upload my resume. See this. It says, upload your resume. If you're following along, if you're really hungry, man, you could, right now, I'm gonna show you how to do it.
Upload your resume, fill this out. Don't just upload it. Fill out the complete profile. If you look at my course walks you through everything. What kind of key words to use, how to find the right keyword, all that kind of stuff. If you're not interested in that, you wanna get it for free. I'll show you right now, upload your resume.
Fill out the entire profile. Alright. Put in all, every one of your skills in there don't even leave one out. Cuz there's a place where it allows you to put your skills in how to it allows you to put in all, every place you've ever worked. How many years of experience do you have if you don't mind me asking.
Okay, so Red Hat administrator. Now look at this and let me show you something. So if you look at this, it'll tell you who's hiring like right now. And these two places, one in Virginia, one in DC, are hiring right now. Right now. It means they have an urgent hiring. They really need somebody who knows this stuff.
So here's SAIC. SAIC is a good company, by the way. At least when I was doing it many years ago. You got medical industry, you've got Linux. There's a couple of industries that lend themselves, or four years, man. That's perfect. So there's a couple industries that really lend themselves to you working almost anywhere in almost any industry.
And one of those is Linux. It's super hot. Somebody always needs it because we just don't have enough people who know it now. So what I did was I clicked on this top one right here, and let's just break this thing apart. Let's look at this. So these guys will tell you what they need from you.
If you don't fit this, then move on to the next thing. The magic of putting your resume into indeed.com, putting it, uploading it and putting all your skills is that after a while, indeed. Now it's not the best algorithm. I'm gonna show you a better one in a second, but it's but the thing about it is once you put your stuff in there, it will match up different jobs that fit your resume.
So right here, as we're looking, we're being very active and we're looking at this job here they require a bachelor's degree. Do you have a bachelor's degree? If you have a bachelor's degree, guess what? This that's great. Good for you. Demonstrate experience with system engineering to include network design documentation installation.
Now, like I said, if you don't fit this, go onto the next job. If you do apply. Now, if you put your resume in there, when you hit apply, now it'll take your resume and it sends it to them.
Let me show you, let's keep going here. All right. This one is Exel logic administrator remote. This is a remote position right here. Look at this. You just go through what requirements, what skill requirements. And now they want Oracle. I don't know if Oracle, but if you don't know Oracle move on to the next one.
We want Linux administrator. We want Red Hat administrator, SAIC. Now here's SAIC's, one of their job pages here. Pretty good company. And let me see here. Yeah. See, look at this happiness score. I've never seen that before. I think I clicked the wrong thing here. I wanted to actually see the job.
So let's just go to the job itself of SAIC. Okay. It's talking a little bit about SAIC, and we're looking at the job screwed. This is what you do. If you're really hungry for a job, you go through every single one of these, every single one. And you find a match for you. But if you put your resume in, it does have to work for you because the algorithm's gonna match you up with certain jobs, but you don't want to just wait for that.
You wanna put that in there, let it do this work. And then you want to be extremely active and look at every one of these and look at which ones look at the duties. If you can do it, apply for it. If it's a really long drive, factor that into your final decision, you wanna probably find something closer to you, but don't rule it out, right?
Don't like, I'm the type of person. If I need to feed my family, I'll work at freaking McDonald's man. I'll work the fries. And then at night I'll Moonlight and deliver pizzas, do what you gotta do. To take care of yourself and your family. You know what I mean? So let's go to the next one system administrator, but you don't have to do that.
You're a Linux administrator. You don't have to, you don't have to flip burgers. You don't have to, Linux administrator is no joke and you have four years of experience. You should have a really good job right now. And I'm gonna show you how to get one. All right. So bottom line, go through every one of these, upload your resume, and then you can type in your location, your skillset right here, you can search 'em.
But the big thing is to upload your resume. Now, lemme show you something else. LinkedIn. If you're in the US, LinkedIn is one of the best sites to find jobs. I'm gonna show you a better one after this, a better one than LinkedIn, in my personal opinion. A couple better ones than LinkedIn. Now, in my course, I tell you exactly how I'm able to.
Get so many job opportunities from LinkedIn. This, I don't have a lot of people who actively follow me here, but I could tell you most of the people who contact me, these are real opportunities for me. So what I did was what you're gonna do is you're gonna fill out, you're gonna sign up on LinkedIn and you're gonna fill completely fill out this profile, completely fill it out.
And the more you fill it out, the more targeted that it will be the more targeted the traffic you're gonna get. The more targeted, the people who contact you, the technical recruiters that contact you the more targeted they'll be towards you. And that way more peop the most of the people who contact you will be legitimate jobs for you, fill it out.
But here's another thing you can do. Red Hat Linux administrator. Look at this. You can join groups, right? Join groups. Here's another thing you can do.
So you're gonna join groups. You're gonna make a complete profile. I hope you're taking notes. And then you're going to admin. We're gonna look for jobs. We just typed in Red Hat Linux admin, and these are all the other people who are also admins. Now look at this. I want you to take note of this. This guy came up number two.
This means technical recruiters are literally typing this in, Red Hat Linux administrator. And they're seeing this guy's face. Why is this guy number one? Think about it. Why is this guy number one? Why is he coming up? Why is everybody seeing this guy's face? Why is he getting so many job opportunities?
He filled out his complete profile. That's why he filled this entire profile out. That's why he is getting so many jobs. That's what you have to do. Now, if I go to this next, now I'm actually looking for jobs here. So let's just keep scrolling. Now note how this is broken, broke down. So see it has, it starts off with other people.
Then it talks about the jobs and then groups should be here somewhere. I'm looking. Yeah here's different. Oh, these are different companies. You can follow the companies. If you follow them every time they come out with a new something new they'll, it'll pop up in your messages or notifications.
But what I'm looking for is jobs. I'm gonna say, see all, if you're following along. And once again, what we're gonna do is we're gonna go through every one of these, even though this says Kafka engineer, analyst, I'm gonna go see what this is. I don't know what this is. It says promoted. I usually avoid the promoted ones.
Because they're paying for it, but that's fine. Even check those ones out too. It's telling you what location. Oh, look, we didn't put our location in. Let's make sure we put our location. You said Washington, DC, Baltimore. Look at this, Washington, Baltimore, one of the hottest places for jobs by the way.
And they pay a great amount of money, especially if you're willing to travel. Okay. So this one is, I don't know if Splunk, but Splunk developer. Okay. So that's not what we want. Let's keep going. We want some more like Linux kind of administrator type work. This one's looking for SCI clearance.
I'm assuming that you don't have that. That's a clearance. Not a lot of people have it. I don't have a TS/SCI, I don't think, anymore. That's Splunk. Let's skip that one. Let's go to the next one. So if it's obvious you don't know that, just move on to the next one, but this one right here,
this one deserves our time. Let's look at this one. What are they looking for? Now notice I'm just, I'll come back to this later. They're talking about what kind of business it is. It's women owned and all this kind of stuff. I'll come back to that. Right now what I'm looking for is what is in the job description.
Can I do it? Nope. Look at this. It says security: TS/SCI clearance. I don't have a clearance, so let's keep it moving. Notice how I'm just going through these. If there's any indication I can't do the job I move on. And the reason why is because I got stuff to do. I need to find people who are a good fit for me.
That's what we're doing. We're trying to find what's the best fit for our Linux Red Hat administrator in Washington, Baltimore. Is this even in the right location? Virginia. Okay. I could drive there. Security Plus requirements. Do you have a Security Plus? Do you have any kind of security clearances?
Okay. I'm assuming not. And this is asking for Oracle stuff, so no, I'm gonna move on. This is how you do it right here. Now it looks like my search is not great. So what I'm gonna do is I'm gonna change my keyword here. I'm gonna call this Red Hat Linux administrate.
Look at this man. I can barely spell. You're a Linux administrator and I'm an American with one language who can barely spell. And if I can get a job, you can get a job. That's all I'm saying. Okay. Look at this, Reston, Virginia. Okay. That's not too far from Washington. You're willing to make the drive, but security clearance.
So we can't do that one. Let's keep going here. Security clearance. Raytheon. Raytheon is an okay company. They get a lot of contracts, so you'll see tons of jobs from these guys. Must be a US citizen and TS/SCI clearance. Okay. Moving on. Now, I'm assuming that in the east coast, this is one of the problems we have, is looking for jobs that don't require clearance.
So I'm moving on to General Dynamics. Another very large company, has 10,000 employees. Let's see here. Okay. Here we go. Scope of work. They explain to you what they're expecting from you. Looking for requirements, education, no degree, 10 years of Tripwire experience. Okay. If you don't have Tripwire experience, let's move on.
So you need to go through every one of these. After you make your profile. First thing you want to do, go to indeed.com, put in your profile, go to linkedin.com, make a profile. Once you make the profile, it starts to find jobs that fit you. The reason why this is coming up with stuff that fits me is because I already have a very full profile there.
So it's automatically searching things that fit me. So I'm having a hard time finding stuff that fits you. That's why it's very imperative that you do this. Okay. Let's look at these skills right here. They're saying in-depth knowledge of HBSS. Okay. I'm assuming you all know that, let's just keep going.
Red Hat platform and applications administrator. So I'm assuming this one's a software engineer, somewhat. Qualifications. This one might fit you. Obtain a public trust clearance. Okay. So this one might fit you because they're not looking for an SCI clearance, which not everybody can get or has, but public trust clearance just means that they'll do a background check on you and you don't have to be a US citizen.
You could be a green card holder or whatever, but public trust is easier to get. Five years experience with Red Hat. You said four, you could still pull it off. I would still apply for it. I'd apply for this one. This one might be good for you. Actually, I would look at this one right here. Look at this, this is some stuff you can learn.
ColdFusion. They're saying three to five years of WebSphere experience. If you have that, I'd apply for this one. We're getting closer. All right, let's keep going. Let's keep going down here. You get the idea. You're gonna go through every one of these and try to find a match. All right. Try to find a match for you.
If it doesn't, if anything's out of place, the closer you get to a match. You wanna apply for those jobs, right? The closer you get to a match, the better, because those are gonna give you the most probability of actually getting an interview with them. Now, let me show you a couple of other places that are really good to apply for. There's dice.com, which is probably the best technical place to find a job in the United States of America.
So what you would do is go to dice.com and then type in Red Hat Linux. You know what? Let's change it up. Let's type in Linux administrator. There we go right there. See this, take note of this. Look at this, see how this keyword popped up. That means this is highly searched and they have tons of jobs for this, but then they also have other job titles here, too.
Linux administration, Linux administrator, senior Linux administrator, and Sr senior administrator. There's many different ones. What you wanna do is click one of the ones that fit closest to you. Let's look at another keyword, Red Hat. Let's see what pops up with Red Hat. Look at this. See all these keywords.
These are the keywords you want to use, all these keywords right here. These ones that people are typing in, these people that have hot jobs that you're looking for. But I wanna go back to Linux administrator. And then this is the one right here. And then we gotta type in a location. You said Washington, Washington DC, boom, find jobs.
So y'all notice all these jobs. Look at it. Look how technical, all these technical jobs. Look how this one's way better than Indeed and way better than LinkedIn, as far as search options go for technical people. Another thing you wanna do is don't look for anything too old. If it's months old, then just forget it.
This one's one hour, this one's nine days. This one's 12 hours, 12 hours, 10 hours, two hours. These are just recently posted, some of these, right? I said there was a hiring freeze, but look at this, one hour. 16 days ago, 30 days ago, I would avoid these ones. That's a long time. If it's after 30 days, I would not apply for that.
But you never know, never know. This one 11 hours ago, one day ago, one hour ago, Reston, VA, two days ago. That's not too far from where you live. Linux engineer, Linux admin experience. You get the idea, but what you wanna do is make yourself a full blown profile.

Wednesday Sep 28, 2022

 
We talk about taking a Red Hat Admin to Cybersecurity resume and security controls for changing operating systems. 
2020 podcast that is still relevant. https://www.youtube.com/watch?v=E5i_ImjtJss
 

Tuesday Sep 27, 2022

See the video:
https://www.youtube.com/watch?v=ZATU40nemZg&t=2s
 
There are ways to get into cybersecurity and information technology with little or no experience.
In this podcast, I explain how to do that. Some things I've learned along the way in my 20 plus years of experience. And we keep open topics. So we're talking about a lot of different Now this one is from 2020. A lot of things were happening, as you know, in 2020. The pandemic was happening, with all these protests in America and all that stuff. I try not to talk about that stuff too much, but it does come up from time to time. I focus mainly on cyber security stuff, so if you're interested in knowing how to get into IT with little or no experience, check out this podcast.
Hope you enjoy this one. I do weekly. I missed last week. Um, had some stuff going on, but here I am this week, and today we're gonna cover, we're gonna cover some questions that I recently got. So if you have any questions at, at any time throughout this, just feel free to ask and I will, I'll cover it. But one of the common questions I've been getting lately is how do I get into IT with little or no experience?
And so more than one person has been asking, for some reason questions go in sets, like somebody will ask me and then like three other people ask me the same question. So I would like to cover that what, um, and give you some resources and stuff like that. But before we. I should let you, uh, I should, I just want to give condolences to, to, to the, all the people who have passed away due to COVID 19. I'm still bunkered in still, um, uh, staying at home and stuff just like I'm supposed to do.
And hopefully you guys are staying safe as far as the job market is concerned. Uh, it's pretty much the same. It's kind of a freeze going on with hiring new people that said, I am still getting job offers, uh, and opportunities in my inbox. Just not as many, not nearly as many as I was before. And also, um, like the company I'm working for, they have kind of a hiring freeze, but they, they did hire some people like at the tail at the very beginning of this COVID 19.
So we actually do have new people, but they're kind of slowing it down. Cause we don't know financially.  where the wind's blowing as far as the company and as far as clients and stuff like that. So that's kind of what's going on with COVID 19. And if you guys, uh, have any anecdotal, uh, personal experiences on what's going on in your wherever, you're from feel free to let us know.
Um, you guys are looking at the same data that I'm looking at, so that's, what's going on with it. And let's just go ahead and dive into this. Let me see if I could bring up the questions I've been getting. And, uh, yeah. So several people have been asking me this question right here. I dunno if you could see this, but I'm just gonna go ahead and read it and it says, um, Hey, what if you have zero experience and just got your security plus cert everyone seems to want new graduates or people with five years of experience.
Also, I don't have a security clearance. So I gotten this question several times, um, from several different people. From all over, uh, from, from LinkedIn, from my email box. Uh, and then there's a couple other people who have, who have asked that very question. So I'm gonna go ahead and answer it to the best of my ability.
And before I start on this, I should let you know that I actually have a course that talks about this very thing. So if you go to convocourses.com, or you can go to securitycompliance.thinkific.com, convocourses.com, easier to remember. You'll see some courses that I have, one of the free courses that I have that talks about my, my perspective on how do you get into IT?
How do you get into cyber security with little or no experience? And I talk about it here. I break everything down. I talk about what I would do if I was in like, starting from scratch, knowing what I know now, what would I do?  um, and this is from an insider's perspective, what would I do to get in? And so here's some of the topics that I cover.
And so very briefly, I'm gonna summarize some of the stuff that's in here, but if you're interested in this, it is free right now. Um, the reason why I made it free recently is because people are hurting. People are wanting to change and I can see the service industry and several other industries are destroyed.
I'm fine. My job's fine. Um, even if I lost my job right now, I'm certain I could get a job very quickly. It's because I'm in IT. And I realize that I'm, you know, I'm a very privileged growing field. And so I encourage a lot of people who, who are looking for a stability to, to get into this field because it's, we definitely need people.
We need people with experience. We need people with, with patience. Um, and you might be surprised, you might be in an industry that complements getting into IT. A lot of people I think are kind of shook by all the technical stuff you have to know. But to be honest with you, there's some aspects of our career field that are not very technical and I will talk about those things.
So there you go. There's a free course for you. If you want to jump on there and then I've got some other paid stuff that's also in there, sign up is free. The course is free and it's to help people out. So there you go. All right, what would I do? What would I do? And I got some stuff lined up to tell you like other people's perspective on it.
What, what I would do is number one, I would look at my current experience. Cause as I said, some experience that you may have in the service industry, in the medical industry, in banking, whatever you do it, may you be, might be surprised how much it could compliment getting into it. And I'll give you a couple examples.
In retail, let's say you work retail or your customer service. You're a front facing person who a customer comes up to and has to interact with the way this can help, can help you if you're getting into it, is that a lot of ITP professionals are not good with people. They're not, they're just not good at talking to me, myself included.
I'm I'm I mean, I'm now I'm damn near 50, so I, I know how to speak. I've been, I've done so many things. I've been baptized by fire so many times I've talked, you know, I've done briefings for generals. I've done briefing for, uh, C level execs. I so many times that now it's just, it feels natural to me. I still get nervous and stuff cuz it's just not my I'm not an extrovert.
Uh, so what I'm getting at is a lot of us IT professionals, we're good at technical stuff, but not so good, usually, at face to face interaction. So if you're customer facing, um, whether it's retail or if it's, uh, if you're working in, um, the front, you're a clerk, store clerk, or even, uh, you work at McDonald's or anything like that, you have to interact with people on a regular basis.
You have to have a, you know, you have to be professional at all times. You have to approach things in a certain way, from the perspective of the company, you know, you have to maintain this face. That right there already is way above what a lot of IT professionals' skill sets entail. Um, a lot of us don't have it.
We just don't, we're just not very, we don't have a, we're just not good at it. You know, so right there, you already have a skill set that is very useful for help desk, for customer, IT customer service. Believe it or not, there's an IT customer service that is still alive and well in the United States. Not just in India, not just in the Philippines, not just in the us.
We have a lot of customer service representative spots. Um, and as, without naming any names without, without naming my clients or anything like that, I was, a few weeks ago, maybe a couple months ago I was, uh, at a client's location and one of our clients was saying, yeah, we need, we need IT security, not, we need IT customer, uh, customer service people, and we just can't keep 'em.
And he was, he was this guy explaining like, man, we just really need, you know, so there is, there are jobs out there for customer service and sometimes some of the entry level positions will train you on the job and you have like a script, uh, and you'll have to interact with people, but they have a script and a walkthrough of how to fix certain things.
Um, so if I was to start now, if I was starting off, had no experience at all, what I would do is look at my own skills that I already have. So that's one, I just named one skillset that you probably already have. If you're a customer, uh, customer service representative, that's actually a very good skill to have.
Now you still have to learn the basics of IT. You still have to learn, uh, things like what's in the, at the, um, CompTIA A+ certification, which breaks down what, what goes in the hardware and software, how it all works together. You still have to have a basic understanding of that stuff. Um, if you're getting into IT, right.
Um, another skill set that you might have is if you've worked in a bank, so banks, their security and their terminology is different. They call assessments, auditing, you know, they, they are always looking for auditors. Somebody who's gonna look at comp. They kind of see the world from a, like a CPA's perspective, you know?
So it's, uh, different terminology, different frameworks, like security compliance frameworks that they have to meet, that banks have to meet a certain compliance. And then you might have to have compliance for PCI. Like that's the card readers. Um, there's Sarbanes-Oxley that you might have to learn. There might be some things that you already know that I don't know, having never
worked directly in a banking environment. You know, I've done assessments and stuff for different organizations, but not, I've never worked for a bank. You know, I've never been an employee there. So you may already have some skills. You may already know some terminology. You may have already taken security, basic security training that is very specialized for you as a teller or you as a loan officer or you working in a financial sector, you probably have some skills and some terminology that I, I don't even have with 20 plus years of, um, security and IT experience.
So that's another one. Another one is the healthcare industry. Healthcare industry has, uh, different frameworks and different practices that they use on a regular basis. That is very important in their field, which is like HIPAA is one of them and protecting, uh, the healthcare information. So there's a whole realm of things.
You've probably already gotten the training. If you work in the healthcare industry about what HIPAA is and how to protect, uh, electronic, uh, private healthcare information and all those things. So you already have some skills, some of that stuff you can actually literally put on your resume and it's legit.
If you, like I said, customer service, that's legit. Um, healthcare, if you're healthcare industry, you know HIPAA, you've been to this or that class, you've done this or that training, you've protected this or that per, uh, personnel's information, that's, you could put that on your resume. Um, what else did I mention? Banking.
Same thing. There's certain things that you already have, certain skills you already have. You can literally put in a resume and it will, uh, help you. Now that said, most people are not gonna, uh, hire you without any information. If you don't have, um, an IT certification, if you've never taken a class in IT, if you don't have any IT experience whatsoever, you gotta go out and get it.
So it's, that's the thing you gotta go out. Now, if it was me, what I would do is I would go volunteer. If I would work, if I work at Walmart, you know, I would, I would see if the IT guys that work in Walmart, there's IT guys there. See if I can volunteer my time to work with them, knowing that that experience that I get from volunteering with them can be put on my resume.
You know, if you're, if you, or excuse me, if, if you're allowed to get in there and do it, then yeah, they're gonna, you can put that on your resume. Um, if you go to church, like church might have an IT, like they might want to hook up their wifi server there, you, you might volunteer to help 'em out, uh, wifi, uh, hotspots or whatever, you know, they have there, you might volunteer to help them out.
Um, so there's a lot of volunteer stuff that you can do. You gotta see what's on your resume. Put that stuff on your resume. Um, see what, get, dive into IT. Learn IT. Another thing I would do, I would hit the books, get in there, start studying, uh, to learn how this stuff all works together. That's what I would do. Entry level is not gonna be overnight.
It's gonna take some hard work, but what I wanna do right now is look at some tips that some people have brought up here. This article right here brings up a couple of things from leaderquest.com. leaderquestonline.com is where I'm at. It says seven tips for getting into IT with zero experience. Let me see if there's any of this that I can agree with or stuff that I think you should know, um, reexamine and apply for your past experience in IT industry.
Yep. That's what I just said. Um, and it's just to kind of read it real quickly, like a little part of it. It might be, it might seem like to you, like you have none, none of the skills that you need, but soft skills can be surprisingly important. Exactly. Soft skills are like non-technical skills because, uh, we need people who can talk to people.
You know what I mean? Customer service people are very good at talking to people. They, they have training and they, it says, for example, if you were looking into starting in a help desk position, a common entry level IT role, uh, things like communication, customer service, familiarity with Microsoft Office.
Yeah, those skills are, you can put on your resume. So right there, you know, that's one, use your past skills, put those on your, find out and see, that's the reason why you have to dive into IT. Cuz you don't know anything about IT. Once you start diving in, you'll start finding, well, I've done this before, put it on your resume.
If you've done it before in a professional. So you don't even know, you don't even realize how much experience you already have in IT, or even IT security. If you've ever, uh, done IT training in your company, if you, if you've ever been in any kind of company and they gave you access to a computer, more than likely what they had to do is sit you down and say, okay, um, here's the things you don't do on our computer, right?
When you log into this computer, when we give you this account, here's the things you don't do. So you have to have some kind of standardized security awareness training. Um, some of that training that you've had to use. Like, whether it's you, uh, create, you had to have an account made, you had to, um, do anything with the computers.
You need to look at what you've done and put that on your resume. But as you dive into IT, you'll be able to realize things like, okay, audit logs are super important. Logging in, in a, an account creation. Having an account is super important. Uh, training is super important. Policies are super important.
There's certain aspects like when you look at secur, normally from somebody from the outside, looking in, they look at an IT person, all they think about is a person taking a computer apart, putting it back together, or a person staring at a computer and typing stuff into the computer. I don't even know what, what they're typing.
There's so many things that go into this field. It's so big. It goes into all often all these different, uh, categories and some of 'em are not even technical, to be honest with you. You're not even that tech one example of. Just kind of go off on a tangent here is, is called project management, proj, and also known as, uh, program manager or project, uh, project manager.
Those two basically are very needed in many different, um, IT roles, uh, IT units will use a program manager or a project manager to manage giant projects that are going on. They don't have to be technical. They have to know very little about IT stuff, cuz they're not diving in the weeds. They don't have to know.
They have to know some of the terminology. They have to know how to work with people and stuff like that. And that's my wife right there. Gimme a second here. So yeah, they have to know certain things, uh, related to the project, but not, not super. They don't have to be super technical because they're not in the weeds.
All right. So let's keep going for, with this thing. Uh, get IT certifications. This is actually something a lot of people do when they contact me. They say, Hey Bruce, I got this A+ certification. How can I get a job? I've been applying for jobs and I can't get one. Um, it's actually a really good step forward because it's showing that you have the initiative, it's showing that you have learned, you're learning a common body of knowledge.
Uh, and then you should start to, you'll start to realizing things you've actually done. Like if you actually take the A+ certification, you actually take the Security+ certification, any of those certifications, you'll start to think. Well, you know, you'll be reading through it and studying and stuff and you'll realize, damn, I've done this before.
And that's the kind of stuff you wanna put on your resume, you know? So there's so many different aspects of IT. As you learn more, you'll, you'll start to realize what you've already done. So it kind of mentions a couple certifications here. So entry level certifications, like the ITIL certification, CompTIA Security+, Network+, Security+.
These are all good entry level certifications. And some people will hire you just off the strength of that, but they do want you to have some level of experience more times than not, but some entry level jobs, if you just have one of those certifications, they will hire you. Um, said you have to apply for certain certifications.
You can't apply for a, uh, junior level cyber security, uh, position with a, just a Security+ and no experience. It won't work. Um, it says junior, so you're like, oh it, well, it's a junior certification. No, listen. So there's different tiers here. All right. So, and I wish, let me see if I can show you like a visualization so you can get an idea of the tier system that you have.
ITIL kind of does a pretty good job of showing this. Let me see if I can find that. ITIL is like, um, a library of different processes. It maps out different things that have to happen within an information technology, um, within the information technology and in any large organization. They have this great breakdown of the different tiers that you have.
And I'm looking for something, there's like a lot of maps and stuff here. Here's what I'm, lemme just show you what I'm looking at here. They have this really good breakdown of the different levels that I'm, I'm thinking of right now. That is really good at showing you like where you, where you should really start because you can't start in the middle and with a, just a Security+ or an A+, you gotta start from the beginning. Think of your own career, you know, think of your own career.
Somebody can't just walk in off the streets and then suddenly be in the middle. You know what I mean? Um, let me see, this looks kind of like what I'm talking about. Yeah. This kind of looks like it. Let me see if I can get a better picture of this. This map is kind of what I'm talking about. So here's ITIL and it breaks down different aspects of an organization that has IT services.
Um, and that's, that's what it's all about. When you start off you're you're not starting in the middle. You're not starting here. You know what I mean? You're not starting. So a lot of jobs that you, that people say, Hey, I've been applying for all these jobs and I can't get in a job. They're applying for mid-tier positions.
Like they already know, okay, I'm not a manager, I'm not a middle manager, man. I'm not gonna be able to. But what they don't realize is that the job they're applying for a lot of times are middle. Level, you're gonna be on like a service desk type position. You're gonna start from the bottom. This is where most people start.
Even if you go on a program manager, which has, which has no technical, very little technical skills, I should say, cuz you do have to know like office when Microsoft office and the Gantt charts and stuff like that. But which you can learn very quickly, but even those jobs it's non-technical you still have to start from the bottom.
And so that's what this is kind of, kind of showing here. The service desk has many different layers on top of it. Even service desk gets extremely advanced all the way to management, you know, who answers directly to the CIO and, and higher management positions. But you gotta start from the bottom. And how do you find these positions?
Let me, let me show you. So if you go to just go to Google, like we don't have to get fancy. Let's just go to Google. If you type in entry level, um, project manager, let's say we were going for a project manager job, just Google. It's gonna go on your local, wherever you're from. It's gonna start from there.
And you'll have a bunch of entry level positions starting from where you're from. If you're willing, willing to move, you'll find way more positions. If you're willing to move. If you're, if you're flexible in, in location, then it'll, it'll be some of these project management jobs are actually, um, or actually, uh, work from home positions as well.
You can get, find these from, uh, work from home, but here's a couple of entry level project coordinator, project manager type positions. They're gonna tell you what they expect from you. And most of 'em are, look this one, one to two years. You know, you can apply for it, but they're saying, look, we expect you to have some experience.
We expect you to have this kind of bachelor's degree, you know? So there are still things that you, caveats that you need to, to, to have. Um, so that, yeah, that's just to give you in a nutshell, like that's a couple things on the list of a person with no experience trying to get in IT. Let's just read a couple more here.
Your degree in another field may be a huge asset, and this is true. Like a lot of positions in IT will actually take science degrees. They'll take, uh, engineering degrees that are not necessarily computer based. And let me just read a little bit, says you may be tearing your hair out with regret, wondering why you used all your time in college to get a degree that isn't helping you in your quest for a long term career.
Many employers are more inclined to offer you a job because you have accomplished that feat and earning a degree, instead of focusing on how your degree may have cost you money and, and blah, blah, blah, um, uh, focus on ways your degree can help apply for moving for a degree moving forward in the IT career field.
And this is, yeah, I would say this is true. Like, especially if you have a technical degree, not all degrees are gonna help you. You know what I mean? If you have a, if you have an, um, art degree, it's probably not. I mean, unless you're doing like AutoCAD or something, or if you're doing engineering and you need to learn 3D modeling, then that might, art might help you.
But if you're doing straight up IT, fixing computers, or if you're, you know, IT, it's science degrees might help you, engineering degrees might help you. Just being completely honest. Not all degrees are gonna help you out, but they're saying here in this article, a philosophy major, I think this is a stretch, philosophy major, uh, has a deep understanding of a logic and unique way of approaching challenges.
I, I guess I, you know, I don't know about that. I just tell you from my experience, normally, when companies are hiring people, they're looking for technical type degrees. Philosophy degree, I don't know that it's gonna help you. So I, I kind of disagree with this portion. What you could do, if you have a major in philosophy, you have a master's degree in philosophy, it could help you to get an IT degree, go back to college, get a minor in IT.
And you, you know, you're doing less classes, but you're gonna, you're gonna still get, uh, your degree faster provided they, they accept your, your previous credits. Okay, so be open to start from the bottom. This is absolutely important. Um, you gotta start from the bottom, right? If you have zero experience, you gotta expect to come in and learn so super important.
Um, you can't start from the middle and think you're gonna get a job. You need to type in entry, go to Google, type in, or LinkedIn or wherever you're at, type in entry level position and this entry level position. And that, um, especially the thing is if you have, if you were trying to get an entry level position in network engineering or net, uh, uh, beginning in, uh, security, it's probably not gonna happen cuz once you get to networking or servers or if you get, it's kind of a, the next step, it's another tier.
It's another support tier. That's very specialized. You have to start from the bottom first, which is help desk, customer service, you know, junior level help desk positions, uh, is the best way to get that experience, but you can also volunteer too. Okay. So don't forget the power of networking, talk to people, you know, if you happen to be at a job, um, and you, you know, there's an IT department and you want to get experience, you are, you're in a gold mine, especially if the company allows you to help out.
You can. Even, what I would do is if I was so hungry to get into this field is I was willing to work extra just to learn. Not to get paid, not overtime, just to learn, cuz I realized the value of experience and it's really paid off in the long run. It's a long term plan that I had and it worked. Teach yourself relevant technical skills, also very important.
Absolutely. You gotta get in there and, and once you do that, you can actually use that to put some of that stuff that you've learned on your resume by saying familiar with this, familiar with that. Meaning. Yeah, I've never done. I've never used this thing before, but I'm familiar with it. I've read about it.
I have a lab at home that I worked on. I'm familiar with it. You know, you can even say that you have a lab in your house where you take care of a, uh, a Splunk system that's collecting logs on 45 different virtual systems. You know what I mean? Like you can, you can put stuff like that on your resume. Um, look for crossover positions.
Yep. This is what I was talking about. You happen to be in a field. They might have a, an IT workers there that you can go and ask them or ask, see if you can laterally move over there and start learning stuff. Some companies will allow you to do that. So a lot of the stuff that they talked about in here I actually have talked about in this free course, it, if you happen to be in entry level and you have no experience, this is a great opportunity for you to, uh, dive into this.
It's about four hours. I think of video and, and, uh, slides, presentation and stuff like that. You can watch it at your leisure on all devices. Go ahead and go check it out and it's free. All right. So let me see, I'm gonna switch gears here. And there's some people been watching me. Thanks guys for watching.
Appreciate you guys. I got, uh, spades 93 says how can, how can anyone, how can one established. Uh, two to three years in administrative, how can one established a bit with two to three years in administrative support, get, uh, transitioned into cybersecurity position. I'll be taking my security plus exam in two weeks.
Okay. This is right up. What we're talking about. This is great. So this is exactly. If you're still watching this spade, this is for you. This is exactly what I'm talking about. So you're in a administrative supportive position. What I would do is number one, just like this is number, and this is what I'm talking about in this course.
This is why this course is IPO is, is, uh, important. Cuz I, this is exactly what I, I'm saying. Okay. If you're a beginner, you have no, zero experience. Here's where you start. If you were an IT geek, meaning, meaning you don't, you've never held a position, but you do, you do stuff online at your house. You like to mess around and tinker around with things in your home.
I, I'm saying like, here's how you evolve from that point. Cuz you need to go to the next level. If you're a beginner, you need to become an IT geek. If you're an IT geek, next level is a Security+. Get those courses in there, start volunteering places and become an IT professional. And then once you're an IT professional, you start to focus in on whatever field. You can go into forensics.
You can go into cyber security, you can go into, uh, cyber and analyst work, threat analysis work. There's so many different aspects and so many different places you can go once you're an IT professional and to, uh, hone in your skills and have one specialized skill. Not just cybersecurity by the way. So yeah, so exactly what I'm talking about is for you.
If you're an administrative support person, this is what I'm talking about. You already have soft skills that, um, that you can apply to your current resume. You probably, even as an administrative person, you may even have technical skills. You need to see, the thing is, as you dive into Security+, as you get into the A+ certification or whatever certification, as you start cracking those books and start doing, looking at the common body of knowledge that goes in the IT, you'll start to realize, man, I've done that before. You wanna put that on your resume.
Like as an I'm trying to think of an, an administrative support person, like the kind of things that they might do is like personnel security. So personnel security, meaning you vet people who come into your, and I'm just guessing what your job is. So bear with me. So a person who, a new person, a person who's coming in off somewhere else, they're coming into your organization.
An administrative support person might be in charge of doing things like personnel security, meaning they conduct like a brief background check. They maybe they. Call their supervisor and call that's personnel security. That's something that you can legitimately put on your resume to say, yes, here's some security I've done.
What other kinds of administrative support stuff have, uh, that I could point to would be kind of like, um, uh, security awareness training. Everybody has to have that. I'm sure you've had some kind of cyber security awareness training, or if you've ever caught an email from a, from a, uh, phishing attack, that's another thing that you might have done.
Like there, a lot of times organizations will do their own phishing attacks or actual phishing attacks will come into your email box and you caught, you spot one. Like this, this email looks weird. I'm gonna send this to the security support team. Guess what? You could put that on your resume. You know, that's one thing out, it's a small thing, but the thing is you put enough of those small things that you've done on your resume and it looks like.
They're, it's not that you're painting some fake picture, but you're saying here's the actual exposure that I've had in IT. Another thing that you may have helped out is like, if you had to stay a while with the IT department to help them to load patches or something, maybe they want you to stick around and, uh, reboot your system and they're, and you're, so you're actually coordinating and assisting them to, uh, put patches on a, on a system.
Uh, another thing like that, this article actually mentions and is also in my course, my free course, is that getting the certifications does help. I do agree with that. It does help. It's not the end all be all. You definitely want. Don't wanna start there, stop me. You don't wanna stop there. Um, and starting from the bottom.
So all of these things help. Another thing is, um, using, they mentioned it in here. I think they said it was called teach yourself relevant skills. Yeah. We already know about that. Crossover positions. Yeah. This is a good one. So if you're in an administrative position, there's IT guys, you might wanna try to get in there, like the even volunteer, uh, a couple hours for free, like be like I'm off right now, but I wanna learn this so bad that you go in there, coordinate a time.
Like you don't want to, you, you wanna be on their time. Right. So if there's like a swing shift and the IT guys are there at, get permission to legitimately go in there and learn from them. Or even do work with them, that is even better. Cuz you can put that on your resume and, and every, all experience equals money in IT.
All right. So he says I've triaged computer issues, uh, at my position as an AA. Exactly. So that's the kind of stuff you can put on your resume and that's really good stuff. That's the kind of stuff that you wanna put on your resume. Okay. I've got some other questions here. DD says, hi Bruce. I have been applying for jobs for over 15 and over 15 interviews and still no job offers, what am I doing wrong?
So DD, I would have to, if you happen to still be on, um, I get this a lot from people saying I've applied for all these jobs and from my position. And I, I, I realize I have a kind of a, um, filtered position. It's kind of, um, through my eyes. There's so many job openings. I, it's shocking when people say that, but I don't know your context.
Like, I don't know how much experience you have. I don't know what you're applying for. I don't. So what you want to do is you wanna match your skillset. Let me just see if I can bring up what I was looking at before you wanna match whatever skillset you have with positions that are out there. So in this example, right here are these jobs here.
I'll use this one. I just opened up here, right? This is for a junior project analyst. Sorry, a junior project engineer, right at Kelly services in Colorado Springs, Colorado. Excuse me. Now look at this job title. What we just read project engineer. They are looking for three to one to 2, 1, 2, 3 years of experience.
They're looking for a bachelor's degree, they're looking for necessary 3d modeling design. So here's what I do.
Here's my technique. What I do is I look for jobs that I have the skills for. Um, so for example, this says junior level one to two years of experience, one to three years of experience, right. As a project engineer. Okay. I make sure I have that education, uh, education level bachelor's degree in these items.
Right. I make sure I have that. I match myself up with that career path. No, you might be thinking well, Bruce, I don't have a year experience. I don't have 3d modeling. I don't have, are you telling me that I'm supposed to go get this job get three years? Where do I get the three years experience? Okay.
Listen to what I'm saying right here. Check this out. So you have to find a job that already matches the skills you already have, right? Not, not necessarily, if you're just kind of shooting around, if you're just like throwing resumes out there, that's not going to work as effectively as finding somebody you already match up with you already have these skills, find somebody who matches that same skill.
That's all I do. That's all I do. And now, nowadays you got tools like Google. This is cool. This is a cool little tool and everything, but the best tools are ones that have built in job search algorithms that are built specifically for that. Google's very good at search. Very good at research. Awesome way to, and I would definitely put that in your toolbox, but LinkedIn is
incredible. LinkedIn, you can do exactly what I'm telling you to do. Like, what you do is you fill out a LinkedIn profile, right? Fill it out in complete, completely. Then what you, now I have a whole course about how to do it. What my exact techniques, in what keywords I use, tools to find keywords, all that kind of stuff, go to convocourses.com.
You'll find it there, but let me just summarize some things that are very important for you right now for free. So what you do is you take your current skills and I'm assuming you're an IT guy right now. If you're, if you're a newbie, that's totally different. That's what we were just talking about. That's entry level, that's volunteer work.
That's something else entirely. If you have IT experience, take your resume. Match your resume, what skills you already have, with something you find on LinkedIn, on CareerJet, on indeed.com, on dice.com, on all these different algorithms, search engines, um, that are specialized in jobs. That's what I do. And it works.
So let me just give you another, let me just show you what I'm talking about here. I'm gonna find one of my real profiles out here on LinkedIn. Let me just, I just gotta sign in real quick. If I could sign in, what's going on here, why is it leading me all these different directions? Okay, here we go. So check this out.
Here's my real LinkedIn profile, right? And I, I've not looked at this in a while, so, but here, I hope there's no surprises in here, but here's my real LinkedIn profile right here. And I fill it completely out. I don't even have that many connections. Here's the thing. Many people I know have way more connections than I do, but somehow I get all of these very targeted positions.
Why, why is that? Cause I fill this completely out from top to bottom. So once I do that, this, this tool LinkedIn finds jobs for me, it lines me up and suggests certain jobs for me. When I do a search, if I was to type in, um, IT security, it's gonna find jobs in my location. It'll find jobs that, um, that accept my degree, accept my certifications.
It's not blasting everything out. It's, it's looking for stuff that's within, uh, 30 miles from. So there's tons of stuff. And it also shows, here's another little gem. It also shows other people with my similar skills, people resulting in IT security like this guy, if I was to click on this guy's resume, I'll see all the stuff that he does now.
This is the owner of black heels information. So he's not what I'm talking about. Um, a better job description would be, uh, IT security is too generic. I'll just say, okay, let's just, let's just go risk management framework. This is pretty specific, um, analyst or engineer. This is very specific to what I do.
It's a very, it's a very specific thing. Another thing I could have typed in is cybersecurity engineer, cyber security analysts. There's lots of different things I could have typed in. IT security is too broad. All right. So here's some guys here who are very closely aligned with what I do, that are kind of in my field.
I could click on any one of these guys' resume to get a better idea of what I should be putting on my resume. What's working for them. Why are they like the top people popping up? Another thing you can do is go into actual jobs, going to actual jobs and look at what they're looking for, examine what the things that they're looking for in when they say they want you to have, what, what are they looking for experience with risk management framework.
And, and this is, this is my field, but you could be whatever your field is. And you're saying de de says, no, no experience, previous experience. I have a BA in criminology and have an MA in strategy and security administration. All right. So that's the reason why right there, you don't have any experience.
It's really hard to get a job with no experience. So what I would do if I were you, is I will type entry level IT, entry level IT. And I would start from here. I would start from looking at entry level IT jobs. What you wanna do is get in at a, get in, at a low level and then start gathering as much. It's not gonna pay well, all right.
It might be shift work. It might be 30 miles farther than you want to drive, but you gotta think long term. So what I mean by that is where do you want to be in five years, in five years from now? What kind of career do you wanna have? What kind of career and what path are you trying to get into? That's what you do.
Just like with your degree, you have a master's degree in strategy and security administration, which will help you, by the way, you have a bachelor's degree in criminology. What was going through your head when you got those degrees? You know, it's a, a four to six year degree, right? You had to plan it out.
It's the same thing with this career path, you gotta be like, okay, in four years, I wanna do, um, forensics that'll match great with my criminology stuff. Forensics is, is a great match for me. Where can I get my first entry level, position experience doing forensics? That's how you gotta think. So what you do is, okay, forensics entry level forensics, which who knows it might, I don't think we're gonna find it, but it's worth a try.
I can't even spell forensics. Entry level per forensics. Did I spell it right? I guess I did. Okay. So yeah, so here's some entry level positions, uh, cyber security analyst, entry level, uh, security analyst. So you have stuff here. Um, and I don't know that this is what you wanna be. Hopefully you're following along with me.
This is kind of what you wanna do. Entry level is only one keyword or key phrase that you could use to get in. Really, you want any kind of entry level position just to start. Once you get your foot in the door, you can then start putting that on your resume. Experience equals money. Experience equals stability.
All right. I can't stress it enough. A lot of people who contact me, that's the same thing. It's the same story: Bruce, um, I have no experience whatsoever. I've applied for a hundred jobs. I can't find a job. Experience is king. Experience is better than a D, than a degree. Experience is better than a certification.
Um, everything else is just icing on the cake. Experience is everything. Um, I, I knew people who, who had no degree, no certifications, and because of their experience coming out of the military and they had done all, they'd set up servers before, they'd set up DNS servers, they'd secure systems on, you know, 500,
uh, systems around the world. No, no degree, no certification, but they were brilliant. They were, and they had experience. They could do whatever task was given to them. And they would get a job from their connections and they were getting paid like crazy, the certifications and degrees, all that stuff for them came later.
I know a lot of guys like that, um, that, that happened to couple of my mentors, actually, neither a few of my top mentors had no degree, no certifications. Those, they were just extremely brilliant. Uh, and they, they just knew how to do stuff. It's crazy. Um, but that said they had experience. So the reason why they were able to figure out these problems is because they were thrown to the wolves.
They were a baby that was thrown to the wolves in the military. That's what they do. They just throw you in there and say, fix this, fix that. That's what they used to do. I don't know what they do now. It's been, it's been a while. Experience, experience, experience. That's how you do it: get experience. Um, and how do you probably think, how do I get experience? Volunteer.
Do you go to school? Do you still have an alma mater? Do you still have a, a, are you still close to your college? See if you can volunteer at the school, try to. Experience is money. Okay. It's not money now. It's money in the future. Go volunteer at whatever community, um, thing that you do. You have, you go to church, volunteer there.
If you go to, you have a high school, volunteer there, volunteer to teach, volunteer to help out set out, uh, set up a teacher's, uh, little network. If they have something there, volunteer to be their assistant, volunteer to help out set up the, uh, the wireless, volunteer, you know, and then do stuff on your own too.
Set up stuff in your own house to, to learn more. And Spade says, uh, look into e-discovery. Is that like a training? Is that like a training session or something?
Okay. So I hope that helps out, uh, DD and also look into your own field. Like whatever field you're in, you might already have some experience, you know, a lot of times people say they have zero experience and especially if they're older people like kids don't have experience. You know what I mean? Like if you're just coming outta high school, you pro you really don't have any experience, but if you are, have been in the field for a while, like my man is doing, um, uh, administrative support that I'm sure he has experience.
I'm, I'm certain he has it. He just doesn't know. Probably doesn't know what he has yet, but he, he has experience. All right, let me, there's some other questions here before I let you guys go. I've been on this for 48 minutes. I think I answered this one, but I do have some more stuff. Spade says it's like the practice
and prep. It's like, it's like the practice and prep and preparing data and security controls for litigation. Some FARs work in it. Is that the kind of work that you've done? Oh, okay. E that's what e-discovery is. Oh, okay. I see what you're saying. And you in criminology, um, you might even wanna look into the FBI.
Um, I'm, you're probably laughing, but seriously, uh, because you sounds like you have, I don't know, you don't might wanna look into it. They have some really good, um, they have some really good programs in, in the federal government that, uh, where they'll teach you. The federal government's a different kind of beast.
Like basically they don't pay you a lot in the federal government. Like if you're a federal employee, I'm not talking about contractor, I'm not talking about like, I'm talking about you are a federal employee. What they'll do is they'll you sign up, right. And they'll give you all this training, but you have you're on like a contract.
I don't know if the FBI does this, but in the military though, you're on a contract, but they're going to give you so much training. The thing is, I know field agents have something similar to this and field agents get thousands and thousands of dollars in free training. And if you were to stay with them like a government agency for like three years, hell two years, you have, by the end of it, you have so much ex experience that, uh, you're so far ahead of most people in IT field.
All right. Let me read some of these questions here. See if there's anything else? Um, let me see here. Somebody said, um, I don't have a secret clearance, but I have, I have a degree in IT security. I'm Air Force veteran, how can I get employment? So right here, all he, all this person has to do, daily hip hop live.
If you, if you're watching this, you ever watch this. If you send me your resume, I might be able to help you out. Cuz if you have an IT cybersecurity degree, if you were in the Air Force, um, yeah, I might be able to help you out if our, were you one option for you? I don't know how you feel about this, but one option that you have just from what I'm reading here is to become a US, um, a, a government, civilian government, civilian employee is one option for you and then just do it for a couple years.
And then after that, it also helps you to retain your total active federal service. So there there's that. So, yeah, that's, you're actually way ahead of, of most people, if you have these two things, so yeah. Send me your resume. I might be able to help you out.
Um, DEI says, thanks, Bruce. You are awesome. Thanks man. Appreciate that.
I mean, thanks, sir. Or ma'am  uh, let me see. I'm reading more stuff here. I'm trying to find more questions. I might be able to answer right now before I go.
That's relevant to what we're seeing here. Okay. This one says
hi there, are there any sites that offer a free security com a free cyber security certification for free offers? A, a cyber security certificate for free, because I do not have the money. If there is a site that I hope you will put the link or tell me about it. Um, I don't know if there's any off the top of my head.
I don't know of any free ones. I know there's some that are pretty cheap. Like I tell used to be very cheap. I think right now that they're requiring that you take their they're requiring now that you take their training and I don't know how expensive their training is, but it's not free, um, free courses.
Let me see if I was kind of messing around looking for this online, and this is kind of what I found. One of 'em. I know that there's lots of free courses out there. One of which is my course, I got a couple free things and actually I've got a few other free things out there that you can try out. If you're trying to get into cyber security.
This is an entry level course right here. But then I've got some other stuff that's free. Some, some of my stuff that's actually paid, I'll have free things in that. So you might wanna still just go on there and check out free stuff, but there's other free courses online as well. There's some from Harvard, there's some from you'd be surprised.
So this is 15 best free online certifications, courses and training. Let's see what they're talking about here. There are several great sites that offer free online certifications. Among these sites are Coursera, edx.com, alison.com, Codecademy, Udemy. Uh, Udemy has some very cheap courses. Very, very cheap.
I don't know that they have free ones, but they might, um, General Assembly and MIT OpenCourseWare to name a few. All right. So let's see what they're talking about here. So for programming, you've got an introduction to computer science at Harvard. You've got a Michigan university programming for everybody introduction for Python.
These are just courses by the way. Uh, you've got a, this is how you make iPhone apps. And I actually making apps, I learned to make apps from where was it, does a free couple free sites. And then some YouTube channels that I learned to actually code, uh, smartphone, um, apps with it's still, you know, I don't have a lot of experience with it.
I, I don't have a, I don't have a, a, uh, talent for it. But I was able, actually able to make one just from free courses online from YouTube and from just sites that walked me through it. Design. Okay. So they have some free design courses like Adobe certifications, I guess these are free certifications. For designing what though?
Um, it's cuz Adobe has okay here. It's it kind of mentions it here. Image manipulation, photo retouching, um, Adobe's tools, vector design, layout design. And I guess there's some, some actual certifications in, in that as well. Uh, graphic design specialization at Cal arts,
fundamental graphic design graphic artists can make money, even if they're independent
Online marketing, let's see online. I know there's a lot of good stuff for online marketing. Google, I think has one. As a matter of fact, I believe is free. Diploma for web business development and marketing from Alison. There's marketing and digital world, University of Illinois. Getting started on Google Analytics.
Yep. That's free. And I think you even get a certification off of this one and they also have one for AdSense. I think they got Google Analytics, Google AdSense. And then they got some other stuff, learning a new language. This is kind of off the beaten path. I'm just gonna zip through this one, uh, entrepreneurship, new venture financing.
Okay. This is just business stuff. I'm looking for kind of technical this I'm writing, uh, communication, communicating strategically, Purdue University. So yeah, there's, there's some stuff out there. I know that Google has some free courses. Amazon may have some free courses. You know, I don't know that you'll, after you take those courses and those cert and you have that certification that you're gonna be able to just go out and get a job immediately or anything like that.
But to answer your question, yes, there's free training out there. So I'm gonna go ahead and leave this link for
I have, well, before I promote my own stuff, I'll just put, put this here. Here is some stuff, stuff I found
also Google and possibly,
possibly, where can I spell possibly? Um, Amazon might have some free, might have free certs and training. I also have free training.
You really need experience to get a job though?
Um, yeah, I don't even know how many of these are actually, I don't know if they're security, not sure if they are security related.
Hope that answers this question. Big, like big thumbs up. And somebody said D five D D D. If you, if you're a military veteran, uh, they're actually a few organizations that pay for your certs. Yep. That's another thing. So this guy right here, I'm gonna go ahead and message him.
You may. So as a veteran, as a vet, you may have many opportunities,
opportunities, grants, and other stuff you can do to get more training and or positions.
I don't have a security clearance, but I have a degree in, I think he means associates, a master's degree, master's degree in IT security and I'm Air Force veteran. How can I get employed? Send your resume. And I will take a look, send my email address.
There it is right there.
Hey Al, how you doing? I'm just finishing this up, answering some questions that people have sent me. Um, but if you have any questions right now, I am. Free to open, uh, free to answer any questions at all right now, I got two job offers this past week from my dream companies. Your videos are the best. Thanks, Bruce.
Love to hear that. That's great news. Great news. There's, there's lots of opportunities out there even now for IT. There, we just don't have enough people to do this work. Um, enough qualified people who are willing to put in the, have the patience to actually sit down and learn it. And that's why, like, most of our, it's funny, like our, our nation, like is kind of like, not, doesn't seem appreciative of, uh, immigrants, but immigrants really are like something like 75% of the business is made here from immigrants.
I don't know if you guys knew that, but Google, Amazon, uh, name a company. Uh, they're probably made by either an immigrant or the children of immigrants. Like I'm talking about, they were born, their parents are born in another country, came here, had, they had kids and then their kids started Google. Yeah.
Larry, look up, um, Larry Page and, uh, Sergey Brin, at least one of them is from German, is from Russia. I think Sergey Brin is from Russia. His parents are from Russia. He was, uh, he may have been born here. Um, the dude who started, uh, uh, Yahoo was, uh, he's either a Chinese immigrant or his parents are a Chinese immigrant.
The, uh, the dude who started, uh, well actually Bezos fr uh, Jeff Bezos is, is, uh, his dad was from Cuba, Bezos. Um, uh, who else? Uh, go down the list. Just go down the list. I mean, President Trump himself, his great grandfather's from, not from here. So yeah, I mean, immigrants, um, immigrants are like really a great part of, uh, this of the US.
And it's just unfortunate, more Americans don't take up engineering or mathematics, or, I know, STEM, like we just, I don't know what's going on, but there's not enough Americans, people born here, you know, that actually apply for these jobs. And so they're always, we're always wearing two, three hats. So I'm about to end this guys.
Um, I got more questions here. Um, some of these, I probably maybe I'll save 'em for next week and I appreciate all the compliments here. Great, great compliments. I'm glad this stuff. Some of this stuff is helping people. I appreciate everybody. Who's been watching me week after week. I'm gonna continue to put out more, more, um, content for everybody.
And, um, if you guys have time, check out my courses, it's at convocourses.com. I got a collection of, of stuff I'm building. I'm gonna do certifications, certifications take a lot longer to do, but there's free stuff out here. A lot of informative stuff I'm gonna, I've got more stuff coming real soon. Al says, uh, is because I don't have any certifications is because I don't have cert any certifications or anything.
I straight, straight cyber security for five years. Al do you mean that you don't, you, you haven't had a position or, or what, what was your, what was this? It seems like I, I caught this conversation in the middle of, of what you're saying here.
Is this a question you said it's because I don't have any certifications yet. Um, Cyber security for five years. Are you asking if, like, why can't you get a position or do you have a position or is, I'm not sure I understand your question.
So let me see if I can answer one more question before I cut outta here. Um,
our great says, just wanted to say, just wanted to say your interview tips and information has helped me to get an offer with a prominent government agency. As critical asset and vulnerability analyst. Thanks a lot. Yep. I've been doing this for a while, man. Um, this is just stuff that I've been doing and I've learned with trial and error and that's why this stuff works.
Um, it's just, this is honestly, I am in the industry currently. I'm currently in this industry and I'm just, I'm just saying what I've been through. I've I'm telling people how I've gotten to where I've gotten and the interview stuff. Yeah. That's just, it's just worked. It just worked over and over again.
So now I'm just passing it along to people who are willing to listen. So that's what this whole channel's about. That's what my convocourses.com is about. It's telling you literally what to do. Uh, let me see. Joe says, are cybersecurity labs enough experience to get a job? Um, I would say, uh, I would say yes
and no. Reason why I say that is because, is because, uh, it depends on the job. Number one. So if you're, if you're looking for a high level job, no, it's a lab is not enough. Uh, if you're looking for entry level job, and the lab allows you to a, the lab gets you in a place where you can either volunteer to get other experience, or you can get a certification, um, or you can get that, yes, that might get you to a place where you can get your foot in the door at an entry level position, doing something like help desk, junior level entry level help desk, or, or doing, uh, customer service where you're taking calls and helping people troubleshoot, uh, different issues like that.
If you, if you're looking in, if it's something like that, then maybe, maybe, um, but typically I can tell you. As a person who's actually done interviews on people. Um, them just, if I can't say it is not that we wouldn't hire somebody just off of their knowledge, cuz if they had really good knowledge, then maybe, but normally experience is what you're looking for.
Like the baseline is normally experience. And then the big question becomes, how do I get that experience? You're on the right track. If you have a lab in your house and you're training, or if you got the Security+ or A+ certification, you're going on the right track. That's what you want to do.
You wanna crack those books? You want to get your hands dirty. You wanna set up labs in your house. You wanna tear computers apart, putting 'em back together. You wanna learn as much as you can. And then while you're trying to get your foot in the door in IT, now that doesn't mean cold calling IBM necessarily.
Right? There's. Nowadays, you put your resume out there. You put what your experience is, but also if you happen to already have a job, you can get a lateral, uh, get lateral training or you can get a lateral move. You can, if you're already at a job, wherever it is, they have an IT department, go over to the IT, IT department and get friendly with them and start asking 'em questions.
Like man, I'm, I'm really trying to get into IT. You'd be surprised how many geeks and nerds are there who want to talk your ear off about how to do it. Cuz we don't normally get those kinds of questions. We don't normally, I mean, I know me, I'm always anxious to, to train people.

Monday Sep 26, 2022

Check out convocourses.com

Sunday Sep 25, 2022

https://www.youtube.com/watch?v=KW7gaKX_H0Y
 
RMF ISSO Controls: https://www.amazon.com/dp/B0B6QKT8DR
SCA Course (early release) https://securitycompliance.thinkific....
0:00 start of convocourses
02:23 Security Controls Book and SCA courses (no longer 2 usd)
07:13 Prepare for a SCA Interview (CVE - Common Vulnerabilities and Exposures 23:10)
26:51 Security Controls Book on Amazon & SCA course
34:48 Cyber Security is a great career move
40:19 ITJobs part 1 How Match My Resume with Job I want to Market My self
53:04 ITJobs part 2 Get the Actual Security Experience you did on your resume
59:09 Master Degree in Cybersecurity still no job
1:01:08 GRC and 8140 cybersecurity certifications
1:07:57 The Security Control Assessment Courses has started
1:10:20 Information Security gives Robust Cybersecurity Experience
1:12:06 How to Do CPEs for ISC2 CAP
1:22:51 Cyber security assessor role
1:36:28 Cybersecurity Community on Tiktok & the NIST 800 control book

Friday Sep 23, 2022

 
https://www.youtube.com/watch?v=z-OfA-_lU6Q&
We talk about #securityclearance a lot on this one.
0:00 Podcast
0:14 Cybersecurity Public or Private Sector
15:00 How Long Does it Take to Get a Security Clearance
20:47 How do I get a security clearance if I am eligible
29:53 The Value of Security Clearances in IT
33:39 What Security Clearance Can Help in Private Sector
35:51 Does Cybersecurity Job require a Security Clearance
43:44 My experience going through TS clearance
46:33 Finding Out Cybersecurity Salary
52:42 Master Degree in a Cybersecurity Role
1:03:17 Cybersecurity with ZERO experience
1:12:50 convocourses testimonial
1:16:54 Talking about colorado
1:24:58 I recommend Program Management

Thursday Sep 22, 2022

This was a 2020 Live on discord and youtube. https://www.youtube.com/watch?v=VzQesvI0T1E
 
 

Wednesday Sep 21, 2022

http://convocourses.com
See the video here:
https://www.youtube.com/watch?v=cStSGLLypyI
 

Copyright 2022 All rights reserved.
