ConvoCourses

Cyber Security Compliance and IT Jobs

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Podchaser

Episodes

Wednesday Sep 28, 2022

 
We talk about taking a Red Hat Admin to Cybersecurity resume and security controls for changing operating systems. 
2020 podcast that is still relevant. https://www.youtube.com/watch?v=E5i_ImjtJss
 

Tuesday Sep 27, 2022

See the video:
https://www.youtube.com/watch?v=ZATU40nemZg&t=2s
 
There are ways to get into cybersecurity and information technology. With little or no experience. 
In this podcast, I explain how to do that. Some things I've learned along the way in my 20 plus years of experience. And we keep open topics. So we talking about a lot of different Now this one is from 2020. A lot of things were happening as you know, in 2020, the pandemic was happening with all these protests in America and all that stuff. I try not to talk about that stuff too much but it does come up from time to time i focus mainly on cyber security stuff so if you're interested in knowing how to get into it with little or no experience check out this podcast
Hope you enjoy this one.  I I do weekly. I missed last week. Um, had some stuff going on, but here I am this week, and today we're gonna cover, we're gonna cover some questions that I recently got. So if you have any questions at, at any time throughout this, just feel free to ask and I will I'll cover it. But one of the common questions I I've been getting lately is how do I get into it with no little or no experience?
And so more than one person has been asking, for some reason questions go in sets like somebody will ask me and then like three other people ask me the same question. So I would like to cover that what, um, and give you some resources and stuff like that. But before we.  I should let you, uh, I should, I just want to give condolences to, to, to the, all the people who have passed away, do the COVID 19, I'm still bunkered in still, um, uh, staying at home and stuff just like I'm supposed to do.
And hopefully you guys are staying safe as far as the job market is concerned. Uh, it's pretty much the same. It's kind of a freeze going on with hiring new people that said, I am still getting job offers, uh, and opportunities in my inbox. Just not as many, not nearly as many as I was before. And also, um, like the company I'm working for, they have kind of a hiring freeze, but they, they did hire some people like at the tail at the very beginning of this COVID 19.
So we actually do have new people, but they're kind of slowing it down. Cause we don't know financially.  where the wind's blowing as far as the company and as far as clients and stuff like that. So that's kind of what's going on with COVID 19. And if you guys, uh, have any anecdotal, uh, personal experiences on what's going on in your wherever, you're from feel free to let us know.
Um, you guys are looking at the same data that I'm looking at, so that's, what's going on with it. And let's just go ahead and dive into this. Let me see if I could bring up the questions I've been getting. And, uh, yeah. So several people have been asking me this question right here. I dunno if you could see this, but I'm just gonna go ahead and read it and it says, um, Hey, what if you have zero experience and just got your security plus cert everyone seems to want new graduates or people with five years of experience.
Also, I don't have a security clearance. So I gotten this question several times, um, from several different people. From all over, uh, from, from LinkedIn, from my email box. Uh, and then there's a couple other people who have, who have asked that very question. So I'm gonna go ahead and answer it to the best of my ability.
And bef before I start on this, I should let you know that I actually have a course that talks about this very thing. So if you go to combo courses.com or you can go to security, compliance, dot, think.com, combo courses.com, easier to remember. You'll see some courses that I have, one of the free courses that I have that talks about my, my perspective on how do you get into it?
How do you get into cyber security with little or no experience? And I talk about it here. I break everything down. I talk about what I would do if I was in like, starting from scratch, knowing what I know now, what would I do?  um, and this is from an insider's perspective, what would I do to get in? And so here's some of the topics that I cover.
And so very briefly, I'm gonna summarize some of the stuff that's in here, but if you're interested in this, it is free right now. Um, the reason why I made it free recently is because people are hurting. People are wanting to change and I can see the service industry and several other industries are destroyed.
I'm fine. My job's fine. Um, even if I lost my job right now, I'm certain I could get a job very quickly. It's because I'm in it. And I realize that I'm, you know, I'm a very privileged growing field. And so I encourage a lot of people who, who are looking for a stability to, to get into this field because it's, we definitely need people.
We need people with experience. We need people with, with patients. Um, and you might be surprised you might be in an industry that compliments getting into it. A lot of people I think are kind of shook by all the technical stuff you have to know. But to be honest with you, there's some aspects of our career field that are not very technical and I will talk about those things.
So there you go. There's a free course for you. If you want to jump on there and then I've got some other paid stuff that's also in there, sign up is free. The course is free and it's to help people out. So there you go. All right, what would I do? What would I do? And I got some stuff lined up to tell you like other people's perspective on it.
What, what I would do is number one, I would look at my current experience. Cause as I said, some experience that you may have in the service industry, in the medical industry, in banking, whatever you do it, may you be, might be surprised how much it could compliment getting into it. And I'll give you a couple examples.
In retail, let's say you work retail or your customer service. You're a front facing person who a customer comes up to and has to interact with the way this can help, can help you if you're getting into it, is that a lot of ITP professionals are not good with people. They're not, they're just not good at talking to me, myself included.
I'm I'm I mean, I'm now I'm damn near 50, so I, I know how to speak. I've been, I've done so many things. I've been baptized by fire so many times I've talked, you know, I've done briefings for generals. I've done briefing for, uh, C level execs. I so many times that now it's just, it feels natural to me. I still get nervous and stuff cuz it's just not my I'm not an extrovert.
Uh, so what I'm getting at is a lot of us, it professionals we're good at technical stuff, but not so good. Usually at face to face interaction. So if you're at a customers facing. Um, whether it's retail or if it's, uh, if you're working in, um, the front, your clerk store clerk, or even, uh, you work at McDonald's or anything like that, you have to interact with people on a regular basis.
You have to have a, you know, you have to be professional at all times. You have to approach things in a certain way, from the perspective of the company, you know, you have to maintain this face. That right there already is way above what a lot of it professionals. Skill sets entail. Um, a lot of us don't have it.
We just don't, we're just not very, we don't have a  we're just not good at it. You know, so right there, you already have a skill set that is very useful for help desk for customer it customer service, believe it or not, there's an it customer service that is still alive and well in the United States. Not just in India, not just in the Philippines, not just in the us.
We have a lot of customer service representative spots. Um, and as, without naming any names without, without naming my clients or anything like that, I was. Few weeks ago, maybe a couple months ago I was, uh, at a client's location and one of our client was saying, yeah, we need, we need it. Security, not, we need it customer, uh, customer service people, and we just can't keep him.
And he was, he was this guy explaining like, man, we just really need, you know, so there is, there are jobs out there for customer service and sometimes some of the entry level positions will train you on the job and you have like a script, uh, and you'll have to interact with people, but they have a script and a walkthrough of how to fix certain things.
Um, so if I was to start now, if I starting off had no experience at all, what I would do is look at my own skills that I already have. So that's one, I just named one skillset that you probably already have. If you're a customer, uh, customer service representative, that's actually a very good skill to have.
Now you still have to learn the basics of it. You still have to learn. Uh, things like what's in the, at the, um, compt a plus certification which breaks down what, what goes in the hardware and software, how it all works together. You still have to have a basic understanding of that stuff. Um, if you're getting in the it, right.
Um, another skill set that you might have is if you've worked in a bank, so banks, their security and their terminology is different. They call assessments, auditing, you know, they, they are always looking for auditors. Somebody who's gonna look at comp. They kind of see the world from a, like a CPA's perspective, you know?
So it's, uh, different terminology, different frameworks, like security compliance frameworks that they have to meet, that banks have to meet a certain compliance. And then you might have to have compliance for PCI. Like that's the card readers. Um, there's Sarbanes Oxley that you might have to learn. There might be some things that you already know that I don't know, Haven never.
Work directly in a banking environment. You know, I've done assessments and stuff for different organizations, but not, I've never worked for a bank. You know, I've never been an employee there. So you may already have some skills. You may already know some terminology. You may have already taken security, basic security training that is very specialized for you as a teller or you as a loan officer or you working in a financial sector, you probably have some skills and some terminology that I, I don't even have with 20 plus years of, um, security and it experience.
So that's another one. Another one is he, the healthcare industry, healthcare industry has, uh, different frameworks and different practices that they use on a regular basis. That is very important in their field, which is like HIPAA is one of them and protecting, uh, the. Healthcare information. So there's a whole realm of things.
You've probably already gotten the training. If you work in the healthcare industry about what HIPAA is and how to protect, uh, electronic, uh, private healthcare information and all those things. So you already have some skills, some of that stuff you can actually literally put on your resume and it's legit.
If you, like I said, customer service, that's legit. Um, healthcare, if your healthcare industry, you know, HIPAA you've been to this or that class, you've done this or that training you've protect this or that per, uh, personnel's information that's you could put that on your resume. Um, what else did I mention banking?
Same thing. There's certain things that you already have certain skills you already have. You can literally put in a resume and it will, uh, help you now that said most people are not gonna, uh, hire you without any.  information. If you don't have, um, a it certification, if you've never taken a class in it, if you don't have any it experience whatsoever, you gotta go out and get it.
So it's, that's the thing you gotta go out now, if it was me, what I would do is I would go volunteer. If I would work. If I work at Walmart, you know, I would, I would see if the, it guys at work in Walmart, there's it guys there. See if I can volunteer my time to work with them, knowing that that experience that I get from volunteering with them can be put on my resume.
You know, if you're, if you, or excuse me, if, if you're allowed to get in there and do it, then yeah, they're gonna, you can put that. On your resume. Um, if you go to church, like church might have an it, like they might want to hook up their wifi server there, you, you might volunteer to help 'em out, uh, wifi, uh, hotspots or whatever, you know, they have there, you might volunteer to help them out.
Um, so there's a lot of volunteer stuff that you can do. You gotta see what's on your resume. Put that stuff on your resume. Um, see what get, dive into it. Learn its another thing I would do. I would hit the books, get in there, start studying, uh, to learn how this stuff all works together. That's what I would do is in entry level is not gonna be overnight.
It's gonna take some hard work, but what I wanna do right now is look at some tips that some people have brought up here. This article right here brings up a couple of things from leader quest.com. Leader quest online.com is where I'm at. It says seven tips for getting into it. With zero experience. Let me see if there's any of this that I can agree with or stuff that I think you should know, um, reexamine and apply for your past experience in it industry.
Yep. That's what I just said. Um, and it's just to kind of read it real quickly, like a little part of it. It might be, it might seem like to you, like you have none, none of the skills that you need, but soft skills can be surprisingly important. Exactly. Soft skills are like non-technical skills because, uh, we need people who can talk to people.
You know what I mean? Customer service people are very good at talking to people. They, they have training and they, it says, for example, if you were looking into starting to help desk position, a common entry level, it role, uh, things like communication, customer service familiarity with Microsoft office.
Yeah, those skills are, you can put on your resume. So right there, you know, that's one, use your past skills, put those on your, find out and see that's the reason why you have to dive into it. Cuz you don't know anything about it. Once you start diving in, you'll start finding, well, I've done this before, put it on your resume.
If you've done it before in a professional. So you don't even know, you don't even realize how experienced you already have in it, or even it security. If you've ever, uh, done it, training in your company, if you, if you've ever been in any kind of company and they gave you access to a computer more than likely what they had to do is sit you down and say, okay, um, here's the things you don't do on our computer, right?
When you log into this computer, when we give you this count, here's the things you don't do. So you have to have some kind of standardized security awareness training. Um, some of that training that you've had to use. Like, whether it's you, uh, create, you had to have an account made, you had to, um, do anything with the computers.
You need to look at what you've done and put that on your resume. But as you dive into it, you'll be able to realize things like, okay, audit logs are super important. Logging in, in a, an account creation. Having an account is super important. Uh, training is super important. Policies are super important.
There's certain aspects like when you look at secur, normally from somebody from the outside, looking in, they look at a it person, all they think about is a person taking a computer apart, putting it back together, or a person staring at a computer and typing stuff into the computer. I don't even know what, what they're typing.
there's so many things that go into this field. It's so big. It goes into all often all these different, uh, categories and some of 'em are not even technical, to be honest with you. You're not even that tech one example of. Just kind of go off on a tangent here is, is called project management, proj, and also known as, uh, program manager or project, uh, project manager.
Those two basically are very needed in many different, um, it roles, uh, it units will use a program manager or a project manager to manage giant projects that are going on. They don't have to be technical. They have to know very little about it stuff, cuz they're not diving in the weeds. They don't have to know.
They have to know some of the terminology. They have to know how to work with people and stuff like that. And that's my wife right there. Gimme a second here. So yeah, they have to know certain things, uh, related to the project, but not, not super. They don't have to be super technical because they're not in the weeds.
All right. So let's keep going for, with this thing. Uh, get. It certifications. This is actually something a lot of people do when they contact me. They say, Hey Bruce, I got this a plus certification. How can I get a job? I've been applying for jobs and I can't get one. Um, it's actually a really good step forward because it's showing that you have the initiative it's showing that you have learned, you're learning a common body of knowledge.
Uh, and then you should start to, you'll start to realizing things you've actually done. Like if you actually take the, a plus certification, you actually take the security plus certification. Any of those certifications, you'll start to think. Well, you know, you'll be reading through it and studying and stuff and you'll be realize, damn, I've done this before.
And that's the kind of stuff you wanna put on your resume, you know? So there's so many different aspects of it. As you learn more, you'll, you'll start to realize what you've already done. So it kind of mentions a couple certifications here. So entry level certifications, like the I L certification compt security plus network plus security plus.
These are all good entry level certifications. And some people will hire you just off the strength of that, but they do want you to have some level of experience more times than not, but some entry level jobs. If you just have one those certifications, they will hire you. Um, said you have to apply for certain certifications.
You can't apply for a, uh, junior level cyber security, uh, position with a, just a security plus and no experience. It won't work. Um, it says junior, so you're like, oh it, well, it's a junior certification. No, listen. So there's different tiers here. All right. So, and I wish, let me see if I can show you like a visualization so you can get an idea of the tier system that you have.
I till kind of does a pretty good job of showing this. Let me see if I can find that I till is like, um, A library of different processes. It maps out different things that have to happen within an information technology, um, within the information technology and in any large organization, they have this great breakdown of the different tiers that you have.
And I'm looking for something there's like a lot of maps and stuff here. Here's what I'm, lemme just show you what I'm looking at here. They have this really good breakdown of the different levels that I'm, I'm thinking of right now. That is really good at showing you like where you, where you should really start because you can't start in the middle and with a, just a security plus or an a plus you gotta start from the beginning, think of your own career, you know, think of your own career.
Somebody can't just walk in off the streets and then suddenly be in the middle. You know what I mean? Um, let me see, this looks kind of like what I'm talking about. Yeah. This kind of looks like it. Let me see if I can get a better picture of this. This map is kind what I'm talking about. So here's ital and it breaks down different aspects of an organization that has it services.
Um, and that's, that's what it's all about. When you start off you're you're not starting in the middle. You're not starting here. You know what I mean? You're not starting. So a lot of jobs that you, that people say, Hey, I've been applying for all these jobs and I can't get in a job. They're applying for mid-tier positions.
Like they already know, okay, I'm not a manager, I'm not a middle manager, man. I'm not gonna be able to. But what they don't realize is that the job they're applying for a lot of times are middle. Level, you're gonna be on like a service desk type position. You're gonna start from the bottom. This is where most people start.
Even if you go on a program manager, which has, which has no technical, very little technical skills, I should say, cuz you do have to know like office when Microsoft office and the Gantt charts and stuff like that. But which you can learn very quickly, but even those jobs it's non-technical you still have to start from the bottom.
And so that's what this is kind of kind of showing here. The service desk has a many different layers on top of it. Even service desks gets extremely advanced all the way to management, you know, who answers directly to the CIO and, and higher management positions. But you gotta start from the bottom. And how do you find these positions?
Let me, let me show you. So if you go to just go to Google, like we don't have to get fancy. Let's just go to Google. If you type in entry level, um, project manager, let's say we were going for a project manager job, just Google. It's gonna go on your local, wherever you're from. It's gonna start from there.
And you'll have a bunch of entry level positions starting from where you're from. If you're willing, willing to move, you'll find way more positions. If you're willing to move. If you're, if you're flexible in, in location, then it'll, it'll be some of these project management jobs are actually, um, or actually, uh, work from home positions as well.
You can get, find these from, uh, work from home, but here's a couple of entry level project coordinator, project manager type positions. They're gonna tell you what they expect from you. And most of 'em are, look this one, one to two years. You know, you can apply for it, but they're saying, look, we expect you to have some experience.
We expect you to have this kind of bachelor's degree, you know? So there are still things that you caveats that you need to, to, to have. Um, so that, yeah, that's just to give you in a nutshell, like that's a couple things on the list of a person with no experience trying to get an it, let's just read a couple more here.
Your degree in another field may be a huge asset and this is true. Like a lot of positions in it will actually take science degrees. They'll take, uh, engineering degrees that are not necessarily computer based. And let me just read a little bit, says you may be tearing your hair out with regret, wondering why you used all your time in college to get a degree that isn't helping you and your quest for a long term career.
Many employers are more. Inclined to offer you a job because you have accomplished that feat and earning a degree, instead of focusing on how your degree may have cost you money and, and blah, blah, blah, um, uh, focus on ways your degree can help apply for moving for a degree moving forward in the it career field.
And this is, yeah, I would say this is true. Like, especially if you have a technical degree, not all degrees are gonna help you. You know what I mean? If you have a, if you have an, um, art degree, it's probably not. I mean, unless you're doing like a AutoCAD or something, or if you're doing engineering and you need to learn 3d modeling, then that might art might help you.
But if you're doing straight up it fixing computers, or if you're, you know, it it's science degrees might help you, engineering degrees might help you.  just being completely honest. Not all degrees are gonna help you out, but they're saying here in this article, a philosophy major, I think this is a stretch  philosophy major, uh, has a deep understanding of a logic and unique way of approaching challenges.
I, I guess I, you know, I don't know about that. I just tell you from my experience, normally, when companies are hiring people, they're looking for technical type degrees, philosophy degree. I don't know that it's gonna help you. So I, I kind of disagree with this portion, what you could do. If you have a major in philosophy, you have a master's degree in philosophy, it could help you to get an it degree, go back to college, get a minor in it.
And you, you know, you're doing less classes, but you're gonna, you're gonna still get, uh, your degree faster provided they, they accept your, your previous credits. Okay, so be open to start from the bottom. This is absolutely important. Um, you gotta start from the bottom, right? If you have zero experience, you gotta expect to come in and learn so super important.
Um, you can't start from the middle and think you're gonna get a job. You need to type in entry, go to Google type in our LinkedIn or wherever you're at type in entry level position and this entry level position. And that, um, especially the thing is if you have, if you were trying to get an entry level, position and network engineering or net, uh, uh, beginning in, uh, security, it's probably not gonna happen cuz once you get to networking or servers or if you get it's kind of a, the next step, it's another tier.
It's another support tier. That's very specialized. You have to start from the bottom first, which is help desk, customer service.  you know, junior level help desk positions, uh, is the best way to get that experience, but you can also volunteer too. Okay. So don't forget the power of networking, talk to people, you know, if you happen to be at a job, um, and you, you know, there's an it department and you want to get experience, you are you're in a gold mine, especially if the company allows you to help out.
You can. Even, what I would do is if I was so hungry to get into this field is I was willing to work extra just to learn. Not to get paid, not over time just to learn cuz I realized the value experience and it's really paid off in the long run. It's a long term plan that I had and it worked teach yourself relevant technical skills also very important.
Absolutely. You gotta get in there and, and once you do that, you can actually use that to put some of that stuff that you've learned on your resume by saying familiar with this, familiar with that. Meaning. Yeah, I've never done. I've never used this thing before, but I'm familiar with it. I've read about it.
I have a lab at home that I worked on. I'm familiar with it. You know, you can even say that you have a lab in your house where you take care of a, uh, a Splunk system that's collecting logs on 45 different virtual systems. You know what I mean? Like you can, you can put stuff like that on your resume. Um, look for crossover positions.
Yep. This is what I was talking about. You happen to be in a field. They might have a, an it workers there that you can go and ask them or ask, see if you can laterally, move over there and start learning stuff. Some companies will allow you to do that. So a lot of the stuff that they talked about in here actually have talked about in this free course, it, if you happen to be in entry level and you have no experience, this is a great opportunity for you to, uh, dive into this.
It's about four hours. I think of video and, and, uh, slides, presentation and stuff like that. You can watch it at your leisure on all devices. Go ahead and go check it out and it's free. All right. So let me see, I'm gonna switch gears here. And there's some people been watching me. Thanks guys for watching.
Appreciate you guys. I got, uh, spades 93 says how can, how can anyone, how can one established. Uh, two to three years in administrative, how can one established a bit with two to three years in administrative support, get, uh, transitioned into cybersecurity position. I'll be taking my security plus exam in two weeks.
Okay. This is right up. What we're talking about. This is great. So this is exactly. If you're still watching this spade, this is for you. This is exactly what I'm talking about. So you're in a administrative supportive position. What I would do is number one, just like this is number, and this is what I'm talking about in this course.
This is why this course is IPO is, is, uh, important. Cuz I, this is exactly what I I'm saying. Okay. If you're a beginner, you have no zero experience. Here's where you start. If you were an it geek, meaning, meaning you don't, you've never held a position, but you do, you do stuff online at your house. You like to mess around and tinker around with things in your home.
I I'm saying like, here's how you evolve from that point. Cuz you need to go to the next level. If you're a beginner, you need to become an it geek. If you're an it geek, next level is a security. Plus get those courses in there, start volunteering places and become an it professional. And then once you're an it professional, you start to focus in on whatever field you can go into forensics.
You can go into cyber security, you can go into, uh, cyber and analyst, work, threat analysis work. There's so many different aspects and so many different places you can go once. You're an it professional and to, uh, hone in your skills and have one specialized skill. Not just cybersecurity by the way. So yeah, so exactly what I'm talking about is for you.
If you're an administrative support person, this is what I'm talking about. You already have soft skills that, um, That you can apply to your current resume. You probably, even as an administrative person, you may even have technical skills. You need to see the thing is, as you dive into security, plus, as you get into the a plus certification or whatever certification as you start cracking those books and start doing, looking at the common body of knowledge that goes in the it, you'll start to realize, man, I've done that before you wanna put that on your resume.
Like as an I'm trying to think of an, an administrative support person, like the kind of things that they might do is like personnel security. So personnel security, meaning you vet people who come into your, and I'm just guessing what your job is. So bear with me. So a person who, a new person, a person who's coming in off somewhere else, they're coming into your organization.
An administrative support person might be in charge of doing things like personnel security, meaning they conduct like a brief background check. They maybe they. Call their supervisor and call that's personnel security. That's something that you can legitimately put on your resume to say, yes, here's some security I've done.
What other kinds of administrative support stuff have, uh, that I could point to would be kind of like, um, uh, security awareness training. Everybody has to have that. I'm sure you've had some kind of cyber security awareness training, or if you've ever caught an email from a, from a, uh, fishing attack, that's another thing that you might have done.
Like there, a lot of times organizations will do their own fishing attacks or actual fishing attacks will come into your email box and you caught you spot one. Like this, this email looks weird. I'm gonna send this to the security support team. Guess what? You could put that on your resume. You know, that's one thing out, it's a small thing, but the thing is you put enough of those small things that you've done on your resume and it looks like.
They're, it's not that you're painting some fake picture, but you're saying here's the actual exposure that I've had in it. Another thing that you may have helped out is like, if you had to stay a while with the it department to help them to load patches or something, maybe they want you to stick around and, uh, reboot your system and they're, and you're, so you're actually coordinating and assisting them to, uh, put patches on a, on a system.
Uh, another thing like that, this article actually mentions and is also in my course, my free course is that get in the certifications does help. I do agree with that. It does help. It's not the end all be all. You definitely want. Don't wanna start there, stop me. You don't wanna stop there. Um, and starting from the bottom.
So all of these things help. Another thing is, um, using, they mentioned it in here. I think they said it was called. Teach yourself relevant skills. Yeah. We already know about that crossover positions. Yeah. This is a good one. So if you're in an administrative position, there's it guys you might wanna try to get in there, like the even volunteer, uh, a couple hours for free, like be like I'm off right now, but I wanna learn this so bad that you go in there coordinate a time.
Like you don't want to, you, you wanna be on their time. Right. So if there's like a swing shift and the it guys are there at get permission to legitimately go in there and learn from them. Or even do work with them that is even better. Cuz you can put that on your resume and, and every all experience equals money in it.
All right. So he says I've triage computer issues, uh, at my position as an AA. Exactly. So that's the kind of stuff you can put on your resume and that's really good stuff. That's the kind of stuff that you wanna put on your resume. Okay. I've got some other questions here. DD says, hi Bruce. I have been applying for jobs for over 15 and over 15 interviews and still no job offers, what am I doing wrong?
So DD, I would have to, if you tapping to still be on, um, I get this a lot from people saying I've applied for all these jobs and from my position. And I, I, I realize I have a kind of a, um, filtered position. It's kind of, um, through my eyes. There's so many job openings. I it's shocking when people say that, but I don't know your context.
Like, I don't know how much experience you have. I don't know what you're applying for. I don't. So what you want to do is you wanna match your skillset. Let me just see if I can bring up what I was looking at before you wanna match whatever skillset you have with positions that are out there. So in this example, right here are these jobs here.
I'll use this one. I just opened up here, right? This is for a junior project analyst. Sorry, a junior project engineer, right at Kelly services in Colorado Springs, Colorado. Excuse me. Now look at this job title. What we just read project engineer. They are looking for three to one to 2, 1, 2, 3 years of experience.
They're looking for a bachelor's degree, they're looking for necessary 3d modeling design. So here's what I do.
Here's my technique. What I do is I look for jobs that I have the skills for. Um, so for example, this says junior level one to two years of experience, one to three years of experience, right. As a project engineer. Okay. I make sure I have that education, uh, education level bachelor's degree in these items.
Right. I make sure I have that. I match myself up with that career path. No, you might be thinking well, Bruce, I don't have a year experience. I don't have 3d modeling. I don't have, are you telling me that I'm supposed to go get this job get three years? Where do I get the three years experience? Okay.
Listen to what I'm saying right here. Check this out. So you have to find a job that already matches the skills you already have, right? Not, not necessarily, if you're just kind of shooting around, if you're just like throwing resumes out there, that's not going to work as effectively as finding somebody you already match up with you already have these skills, find somebody who matches that same skill.
That's all I do. That's all I do. And now, nowadays you got tools like Google. This is cool. This is a cool little tool and everything, but the best tools are ones that have built in job search algorithms that are built specifically for that. Google's very good at search. Very good at research. Awesome way to, and I would definitely put that in your toolbox, but linked in is.
Incredible LinkedIn, you can do exactly what I'm telling you to do. Like, what you do is you fill out a LinkedIn profile, right? Fill it out in complete completely. Then what you now have a whole course about how to do it. What my exact techniques, in what keywords I use tools to find keywords, all that kind of stuff, go to convo courses.com.
You'll find it there, but let me just summarize some things that are very important for you right now for free. So what you do is you take your current skills and I'm assuming you're an it guy right now. If you're, if you're a NBE, that's totally different. That's what we were just talking about. That's entry level, that's volunteer work.
That's something else entirely. If you have it experience, take your resume. Match your resume. What skills you already have with something you find on LinkedIn on career jet on indy.com on dice.com on all these different algorithms, search engines, um, that are specialized in jobs. That's what I do. And it works.
So let me just give you another, let me just show you what I'm talking about here. I'm gonna find one of my real profiles out here on LinkedIn. Let me just, I just gotta sign in real quick. If I could sign in what's going on here, why is it lead me all these different directions? Okay, here we go. So check this out.
Here's my real LinkedIn profile, right? And I, I've not looked at this in a while, so, but here, I hope there's no surprises in here, but here's my real LinkedIn profile right here. And I feel it completely out. I don't even have that many connections. Here's the thing. Many people I know have way more connections than I do, but somehow I get all of these very targeted positions.
Why, why is that? Cause I feel this completely out from top to bottom. So once I do that, this, this tool linked in finds jobs for me, it lines me up and suggests certain jobs for me. When I do a search, if I was to type in, um, it security, it's gonna find jobs in my location. It'll find jobs that, um, that accept my degree, accept my certifications.
It's not blasting everything out. It's, it's looking for stuff that's within, uh, 30 miles from. So there's tons of stuff. And it also shows here's another little gym. It also shows other people with my similar skills, people resulting in it security like this guy, if I was a type click on this guy's resume, I'll see all the stuff that he does now.
This is the owner of black heels information. So he's not what I'm talking about.  um, a better job description would be, uh, it securities too. Generic. I'll just say, okay, let's just, let's just go risk management framework. This is pretty specific, um, analyst or engineer. This is very specific to what I do.
It's a very, it's a very specific thing. Another thing I could have typed in is cybersecurity engineer, cyber security analysts. There's lots of different things I could have typed in it. Security is too broad. All right. So here's some guys here.  we're very closely aligned with what I do that are kind of in my field.
I could click on any one of these guys' resume to get a better idea of what I should be putting on my resume. What's working for them. Why are they like the top people popping up? Another thing you can do is go into actual jobs, going to actual jobs and look at what they're looking for, examine what the things that they're looking for in when they say they want you to have, what, what are they looking for experience with risk management framework.
And, and this is, this is my field, but you could be whatever your field is. And you're saying de de says, no, no experience previous experience. I have.  a BA in criminology and have an ma in strategy and security administration. All right. So that's the reason why right there, you don't have any experience.
It's really hard to get a job with no experience. So what I would do if I were you, is I will type entry level it, entry level it. And I would start from here. I would start from looking at entry level it jobs. What you wanna do is get in at a, get in, at a low level and then start gathering as much. It's not gonna pay.
Well, all right. It might be shift work. It might be 30 miles farther than you want to drive, but you gotta think long term. So what I mean by that is where do you want to be in five years, in five years from now? What kind of career do you wanna have? What kind of career and what path. Are you trying to get into that's what you do.
Just like with your degree, you have a master's degree in strategy and security administration, which will help you, by the way, you have a bachelors D degree in criminology. What was going through your head when you got those degrees? You know, it's a, a four to six year degree, right? You had to plan it out.
It's the same thing with this career path, you gotta be like, okay, in four years, I wanna do, um, forensics that'll match great with my criminology stuff. Forensics is, is a great match for me. Where can I get my first entry level, position experience doing forensics? That's how you gotta think. So what you do is, okay, forensics entry level forensics, which who knows it might, I don't think we're gonna find it, but it's worth a try.
I can't even spell forensics  entry level per forensics. Did I spell it right? I guess I did. Okay. So yeah, so here's some entry level positions, uh, cyber security analyst, entry level, uh, security analyst. So you have stuff here. Um, and I don't know that this is what you wanna be. Hopefully you're following along with me.
This is kind of what you wanna do. Entry level is only one keyword or key phrase that you could use to get in. Really. You want any kind of entry level position just to start. Once you get your foot in the door, you can then start putting that on your resume experience equals money experience equals stability.
All right. I can't stress. It enough. A lot of people who contact me, that's the same thing. It's the same story, Bruce. Um, I have no experience whatsoever. I've applied for a hundred jobs. I can't find a job experience is king experience is better than a D than a degree experience is better than a certification.
Um, everything else is just icing on the cake experience is everything. Um, I, I knew people who, who had no degree, no certifications, and because of their experience coming out of the military and they had done all they'd set up servers before they'd set up DNS servers, they'd secure systems on, you know, 500.
Uh, systems around the world. No, no degree, no certification, but they were brilliant.  they were, and they had experience. They could do whatever task was given to them. And they would get a job from their connections and they were getting paid like crazy, the certifications and degrees, all that stuff for them came later.
I know a lot of guys like that, um, that, that happened to couple of my mentors, actually, neither a few of my top mentors had no degree, no certifications. Those, they were just extremely brilliant. Uh, and they , they just knew how to do stuff. It's crazy. Um, but that said they had experience. So the reason why they were able to figure out these problems is because they were thrown to the wolves.
They were a baby that was thrown to the wolves in the military. That's what they do. They just throw you in there and say, fix this, fix that. That's what they used to do. I don't know what they do now. It's been, it's been a while.  experience, experience, experience. That's how you do it get experience. Um, and how do you probably think, how do I get experience volunteer?
Do you go to school? Do you still have an Alma mater? Do you still have a, a, are you still close to your college? See if you can volunteer at the school, try to experience is money. Okay. It's not money now. It's money in the future. Go volunteer at whatever community, um, thing that you do. You have you go to church volunteer there.
If you go to you have a high school volunteer there, volunteer to teach, volunteer, to help out set out, uh, set up a teacher's, uh, little network. If they have something there volunteer to be their assistant volunteer, to help out set up the, uh, the wireless volunteer, you know, and then do stuff on your own too.
Set up stuff in your own house to, to learn more. And spade says, uh, look into e-discovery. Is that like a training? Is that like a training session or something?
Okay. So I hope that helps out, uh, DD and also look into your own field. Like whatever field you're in, you might already have some experience, you know, a lot of times people say they have zero experience and especially if they're older people like kids don't have experience. You know what I mean? Like if you're just coming outta high school, you pro you really don't have any experience, but if you are, have been in the field for a while, like my man is doing, um, uh, administrative support that I'm sure he has experience.
I'm I'm certain he has it. He just doesn't know. Probably doesn't know what he has yet, but he, he has experience. All right, let me, there's some other questions here before I let you guys go. I've been on this for 48 minutes. I think I answered this one, but I do have some more stuff. Spade says it's like the practice.
And prep. It's like, it's like the practice and prep and preparing data and security controls for litigation. Some FARs work in it. Is that the kind of work that you've done? Oh, okay. E that's what e-discovery is. Oh, okay. I see what you're saying. And you in criminology, um, you might even wanna look into the FBI.
Um, I'm, you're probably laughing, but seriously, uh, because you sounds like you have, I don't know, you don't might wanna look into it. They have some really good, um, they have some really good programs in, in the federal government that, uh, where they'll teach you the federal, government's a different kind of beast.
Like basically they don't pay you a lot in the federal government. Like if you're a federal employee, I'm not talking about contractor, I'm not talking about like, I'm talking about U R E federal employee. What they'll do is they'll you sign up, right. And they'll give you all this training, but you have you're on like a contract.
I don't know if the FBI does this, but in the military though, you're on a contract, but they're going to give you so much training. The thing is, I know field agents have something similar to this and field agents get thousands and thousands of dollars in free training. And if you were to stay with them like a government agency for like three years, hell two years, you have, by the end of it, you have so much ex experience that, uh, you're so far ahead of most people in it field.
All right. Let me read some of these questions here. See if there's anything else? Um, let me see here. Somebody said, um, I don't have a secret clearance, but I have. I have a degree in it. Security I'm air force veteran, how can I get employment? So right here, all he, all this person has to do daily hip hop live.
If you, if you're watching this, you ever watch this. If you send me your resume, I might be able to help you out. Cuz if you have a it cybersecurity degree, if you were in the air force, um, yeah, I might be able to help you out if our, were you one option for you? I don't know how you feel about this, but one option that you have just from what I'm reading here is to become a us, um, a, a government, civilian government, civilian employee is one option for you and then just do it for a couple years.
And then after that, it also helps you to retain your total active federal service. So there there's that. So, yeah, that's, you're actually way ahead of, of most people, if you have these two things, so yeah. Send me your resume. I might be able to help you out.
Um, DEI says, thanks, Bruce. You are awesome. Thanks man. Appreciate that.
I mean, thanks, sir. Or ma'am  uh, let me see. I'm reading more stuff here. I'm trying to find more questions. I might be able to answer right now before I go.
That's relevant to what we're seeing here. Okay. This one says
hi there, are there any sites that offer a free security com a free cyber security certification for free offers? A, a cyber security certificate for free, because I do not have the money. If there is a site that I hope you will put the link or tell me about it. Um, I don't know if there's any off the top of my head.
I don't know of any free ones. I know there's some that are pretty cheap. Like I tell used to be very cheap. I think right now that they're requiring that you take their they're requiring now that you take their training and I don't know how expensive their training is, but it's not free, um, free courses.
Let me see if I was kind of messing around looking for this online, and this is kind of what I found. One of 'em. I know that there's lots of free courses out there. One of which is my course, I got a couple free things and actually I've got a few other free things out there that you can try out. If you're trying to get into cyber security.
This is an entry level course right here. But then I've got some other stuff that's free. Some, some of my stuff that's actually paid, I'll have free things in that. So you might wanna still just go on there and check out free stuff, but there's other free courses online as well. There's some from Harvard, there's some from you'd be surprised.
So this is 15 best free online certifications, courses and training. Let's see what they're talking about here. There are several great sites that offer free online certifications among these sites are cor Sarah edx.com. allison.com code academy. TMY uh, U to me has some very cheap courses. Very, very cheap.
I don't know that they have free ones, but they might, um, general assembly and MIT open courseware to name a few. All right. So let's see what they're talking about here. So for programming. You've got a introduction to computer science at Harvard. You've got a Michigan university programming for everybody introduction for Python.
These are just courses by the way. Uh, you've got a, this is how you make iPhone apps. And I actually making apps, I learned to make apps from where was it, does a free couple free sites. And then some YouTube channels that I learned to actually code, uh, smartphone, um, apps with it's still, you know, I don't have a lot of experience with it.
I, I don't have a, I don't have a, a, uh, talent for it.  but I was able, actually able to make one just from free courses online from YouTube and from just sites that walked me through it design. Okay. So they have some free design courses like Adobe certifications, I guess these are free certifications. For designing what though?
Um, it's cuz Adobe has okay here. It's it kind of mentions it here. Image manipulation, photo retouching, um, Adobe's tools, vector design, layout design. And I guess there's some, some actual certifications in, in that as well. Uh, graphic design specialization at Cal arts,
fundamental graphic design graphic artists can make money, even if they're independent
online marketing, let's see online. I know there's a lot of good stuff for online marketing. Google, I think has one. As a matter of fact, I believe is free diploma for web business development and marketing from Allison. There's marketing and digital world, university of Illinois getting started on Google analytics.
Yep. That's free. And I think you even get a certification off of this one and they also have one for ad sense. I think they got Google analytics, Google ad sense. And then they got some other stuff, learning a new language. This is kind of off the beaten path. I'm just gonna zip through this one, uh, entrepreneurship, new venture financing.
Okay. This is just business stuff. I'm looking for kind of technical this I'm writing, uh, communication, communicating strategically Purdue university. So yeah, there's, there's some stuff out there. I know that Google has some free courses. Amazon may have some free courses. , you know, I don't know that you'll, after you take those courses and those cert and you have that certification that you're gonna be able to just go out and get a job immediately or anything like that.
But to answer your question, yes, there's free training out there. So I'm gonna go ahead and leave this link for
I have, well, before I promote my own stuff, I'll just put, put this here. Here is some stuff, stuff I found
also Google and possibly,
possibly, where can I spell possibly? Um, Amazon might have some free, might have free certs and training. I also have free training.
You really need experience to get a job though?
Um, yeah, I don't even know how many of these are actually, I don't know if they're security, not sure if they are security related.
Hope that answers this question. Big, like big thumbs up. And somebody said D five D D D. If you, if you're a military veteran, uh, they're actually a few organizations that pay for your search. Yep. That's another thing. So this guy right here, I'm gonna go ahead and message him.
You may. So as a veteran, as a vet, you may have many opportunities,
opportunities, grants, and other stuff you can do to get more training and or positions.
I don't have a security clearance, but I have a degree in, I think he means associates, a master's degree, master's degree in it, security and I'm air force veteran. How can I get employed? Send your resume. And I will take a look, send my email address.
There it is right there.
Hey Al, how you doing? I'm just finishing this up, answering some questions that people have sent me. Um, but if you have any questions right now, I am. Free to open, uh, free to answer any questions at all right now, I got two job offers this past week from my dream companies. Your videos are the best. Thanks, Bruce.
Love to hear that. That's great news. Great news. There's there's lots of opportunities out there even now for it there, we just don't have enough people to do this work. Um, enough qualified people who are willing to put in the, have the patience to actually sit down and learn it. And that's why, like, most of our it's funny, like our, our nation, like is kind of like, not, doesn't seem appreciative of, uh, immigrants, but immigrants really are like something like 75% of the business is made here from immigrants.
I don't know if you guys knew that, but Google, Amazon, uh, name a company. Uh, they're probably made by either I an immigrant or the children of immigrants. Like I'm talking about, they were born, their parents are born in another country, came here, had they had kids and then their kids started Google. Yeah.
Larry look up, um, Larry Page in, uh, Sege Brin, at least one of them is from German is from Russia. I think Serge BRN is from Russia. His parents are from Russia. He was, uh, he may have been born here. Um, the dude who started, uh, uh, Yahoo was, uh, he's either a Chinese immigrant or his parents are a Chinese immigrant.
The, uh, the dude who started, uh, well actually Bezos fr uh, Jeff Bezos is, is, uh, his dad was from Cuba Bezos. Um,  uh, who else? Uh, go down the list. Just go down the list. I mean, president Trump, himself, his. Great grandfathers from not from here. So yeah, I mean, immigrants, um, immigrants are like really a great part of, uh, this of the us.
And it's just unfortunate, more Americans don't take up engineering or mathematics, or I know stem, like we just, I don't know what's going on, but there's not enough Americans people born here, you know, that actually apply for these jobs. And so they're always, we're always wearing two, three hats. So I'm about to end this guys.
Um, I got more questions here. Um, some of these, I probably maybe I'll save 'em for next week and I appreciate all the compliments here. Great, great compliments. I'm glad this stuff. Some of this stuff is helping people. I appreciate everybody. Who's been watching me week after week. I'm gonna continue to put out more, more, um, content for everybody.
And, um, if you guys have time, check out my courses, it's at combo courses.com. I got a collection of, of stuff I'm building. I'm gonna do certifications, certifications take a lot longer to do, but there's free stuff out here. A lot of informative stuff I'm gonna, I've got more stuff coming real soon. Al says, uh, is because I don't have any certifications is because I don't have cert any certifications or anything.
I straight, straight cyber security for five years. Al do you mean that you don't, you, you haven't had a position or, or what, what was your, what was this? It seems like I, I caught this conversation in the middle of, of what you're saying here.
Is this a question you said it's because I don't have any certifications yet. Um, Cyber security for five years. Are you asking if, like, why can't you get a position or do you have a position or is, I'm not sure I understand your question.
So let me see if I can answer one more question before I cut outta here. Um,
our great says, just wanted to say, just wanted to say your interview tips and information has helped me to get an offer with a prominent government agency. As critical asset and vulnerability analyst. Thanks a lot. Yep. I've been doing this for a while, man. Um, this is just stuff that I've been doing and I've learned with trial and error and that's why this stuff works.
Um, it's just, this is honestly, I am in the industry currently. I'm currently in this industry and I'm just, I'm just saying what I've been through. I've I'm telling people how I've gotten to where I've gotten and the interview stuff. Yeah. That's just, it's just worked. It just worked over and over again.
So now I'm just passing it along to people who are willing to listen. So that's what this whole channel's about. That's what my combo courses.com is about. It's telling you literally what to do. Uh, let me see. Joe says, are cybersecurity labs enough experience to get a job? Um, I would say, uh,  I would say yes.
And no reason why I say that is because is because, uh, it depends on the job. Number one. So if you're, if you're looking for a high level job, no, it's a lab is not enough. Uh, if you're looking for entry level job, and the lab allows you to a, the lab gets you in a place where you can either volunteer to get other experience, or you can get a certification, um, or you can get that, yes, that might get you to a place where you can get your foot in the door at an entry level position, doing something like help desk, junior level entry level help desk, or, or doing, uh, customer service where you're taking calls and helping people troubleshoot, uh, different issues like that.
If you, if you're looking in, if it's something like that, then maybe, maybe, um, but typically I can tell you. As a person who's actually done interviews on people. Um, them just, if I can't say it is not that we wouldn't hire somebody just off of their knowledge, cuz if they had really good knowledge, then maybe, but normally experiences what you're looking for.
Like the baseline is normally experience. And then the big question becomes, how do I get that experience? You're on the right track. If you have a lab in your house and you're training, or if you got the security plus or a plus certification, you're going on the right track. That's what you want to do.
You wanna crack those books? You want to get your hands dirty. You wanna set up labs in your house. You wanna tear computers apart, putting 'em back together. You wanna learn as much as you can. And then while you're trying to get your foot in the door in it, now that doesn't mean cold calling IBM necessarily.
Right? There's. Nowadays, you put your resume out there. You put what your experience is, but also if you happen to already have a job, you can get a lateral, uh, get lateral training or you can get a lateral move. You can, if you're already at a job, wherever it is, they have an it department go over to the it, it department and get friendly with them and start asking 'em questions.
Like man, I'm, I'm really trying to get into it. You'd be surprised how many geeks and nerds are there who want to talk your ear off about how to do it? Cuz we don't normally get those kinds of questions. We don't normally, I mean, I know me, I'm always anxious to, to train people.

Monday Sep 26, 2022

Check out convocourses.com

Sunday Sep 25, 2022

https://www.youtube.com/watch?v=KW7gaKX_H0Y
 
RMF ISSO Controls: https://www.amazon.com/dp/B0B6QKT8DR SCA Course (early release) https://securitycompliance.thinkific.... 0:00 start of convocourses 02:23 Security Controls Book and SCA courses (no longer 2 usd) 07:13 Prepare for a SCA Interview (CVE - Common Vulnerabilities and Exposures 23:10) 26:51 Security Controls Book on Amazon & SCA course 34:48 Cyber Security is a great career move 40:19 ITJobs part 1 How Match My Resume with Job I want to Market My self 53:04 ITJobs part 2 Get the Actual Security Experience you did on your resume 59:09 Master Degree in Cybersecurity still no job 1:01:08 GRC and 8140 cybersecurity certifications 1:07:57 The Security Control Assessment Courses has started 1:10:20 Information Security gives Robust Cybersecurity Experience 1:12:06 How to Do CPEs for ISC2 CAP 1:22:51 Cyber security assessor role 1:36:28 Cybersecurity Community on Tiktok & the NIST 800 control book

Friday Sep 23, 2022

 
https://www.youtube.com/watch?v=z-OfA-_lU6Q&
We talk about #securityclearance a lot on this one. 0:00 Podcast 0:14 Cybersecurity Public or Private Sector 15:00 How Long Does it Take to Get a Security Clearance 20:47 How do I get a security clearance if I am eligible 29:53 The Value of Security Clearances in IT 33:39 What Security Clearance Can Help in Private Sector 35:51 Does Cybersecurity Job require a Security Clearance 43:44 My experience going through TS clearance 46:33 Finding Out Cybersecurity Salary 52:42 Master Degree in a Cybersecurity Role 1:03:17 Cybersecurity with ZERO experience 1:12:50 convocourses testimonial 1:16:54 Talking about colorado 1:24:58 I recommend Program Management

Thursday Sep 22, 2022

This was a 2020 Live on discord and youtube. https://www.youtube.com/watch?v=VzQesvI0T1E
 
 

Wednesday Sep 21, 2022

http://convocourses.com
See the video here:
https://www.youtube.com/watch?v=cStSGLLypyI
 

Tuesday Sep 20, 2022

Full video. May 2020 was crazy.
https://www.youtube.com/watch?v=WnB2rdxQpwI&t=3s
 
Imagine cyber security and all our career paths being expanded into space as the space industry begins to expand. Imagine us having more opportunities in that. Industry. That's what we talk about a little bit on this podcast. We also go into details about CCIS. STIGs which is security, technical implementation guides and how those. 
Interact with risk management framework, 800 and CIS controls. Now, this is an older podcast. Um, that I did in 2020, but a lot of it is still relevant. Hope you enjoy  Test test audio, test audio test. All right. This is gonna be a short one. I think, welcome to convo courses. My name is Bruce, and, um, wanna start off by, um, addressing, you know, what's going on right now, as far as the coronavirus and stuff. Uh, but we're gonna dive into, we're gonna keep it, uh, to combo courses and cybersecurity stuff.
I know there's a lot of stuff, negative stuff happening right now. As far as the protests and, um, coronavirus, we're looking at a hundred thousand people, um, reported it as having died from coronavirus. We're looking at around the world, 6 million people infected millions, uh, million, at least in the us and all this stuff's going.
And I want to, first of all, I'll send condolences to, to, uh, the people who have passed away from the coronavirus and people are suffering with it now. And if, and if you happen to be out there protesting or anything like that, I mean, just man, stay safe. Um, and, uh, That's all I'll say about that. You know, it's is a pretty heavy subject and, uh, I don't normally address that kind of stuff on this channel, but I just want to address it and make sure every everybody's being mindful, stay safe out there.
You know, this coronavirus, stuff's still going on, take it serious. Um, at the very least try to protect other people. You know what I mean? Um, the people who are most vulnerable to this, to this. So, and that goes for, uh, our justice system too. Like, let's try to protect those who are vulnerable to, to the injustices and stuff like that.
Listen, let's jump right into it. There is positive stuff happening right now. And I wanna, uh, talk about that stuff. That's that's occurring right now. Namely, I don't know if you've been watching it, but the recent. Astronauts coming from a commercial aircraft, uh, commercial space vehicle flying all the way up to the international space station and then linking up with it.
And then this right here is, is really awesome because it opens up the private industry to start doing things like going to the moon, uh, or without the government. So that that's incredible bull. Uh, the reason why it's incredible for us, for it people, information system security people, especially is because that really expands our industry, the better the techno the technological field, the industries and technology do the, be the more opportunities for people like us, who are it?
People, people who are are nerds, you know, people who are geeks, it people, uh, we get more job opportunities. Um, Um, an increase of salary and, and the whole nine yards. So this is a really positive thing. And just to give you an idea of how positive this is, is that of, of, since I've been outta the military and actually in the military, I did some, some stuff for, uh, operations that are, that had to do with space.
But when I got out of the military, most of my jobs had to do with aerospace. Most of my jobs were with aerospace companies. So. It's a huge industry. And, um, and it needs, especially, it needs, uh, security compliance. Like they have to follow a very strict methodology. Right. And that's exactly what I do. And, and, and that's the stuff that I teach mostly, you know, and I, and I'll branch out to other things like certifications or more technical in the weeds type stuff.
But I just wanted to address, like the reason why this is such a positive. Is that the more commercialized, the more accessible space and aerospace low or, or orbits, or even on the moon or Mars, the, the bigger and larger that industry gets. The more mark my words, don't take my word for it. Just watch history.
Watch what happens as that, that industry expands and we are on the moon or we're on Mars, or we are on the wherever low earth or. They're gonna there more and more of these organizations are gonna crop up and more of them are gonna have to hire people like you and I, it people and security compliance people.
So that's, it's a super positive thing. I know my, my daughter had been up all night watching all the news about the, the protests and the riots and how in some cities it's going pretty bad. Uh, and she says, why are you watching this live feed of NASA? You know,  instead of don't, you know, what's going on. I said, Hey, you know,  this might give us a way to get off earth  and she says, yeah, you know, you have a good point about that.
so, I mean, if you, if you wanna be pessimistic about it, then this is, this is an optimist spin. Is that this is a way eventually, well, just leave. Like you don't like it here. You can just go somewhere else.  so, yeah, I just want to bring that up. It's it's um, something positive and, and that's why I see any kind of.
Of stuff about the, the expansion of us in the space humans and the space is a positive thing, cuz the industry is gonna grow and uh, the more the industry grows, the more opportunities there are for, for us, especially because it's, it's private, that's even more opportunities for us. All right. So somebody asking me a question and I wanna address that.
I don't wanna make this one too long, but one of the things I wanted to address.  and I'll get to questions after this. I got somebody who just jumped on Alice. How you doing? She says, uh, hi. Um, can I send you my resume and for you to look at, please, may I have your email? So here's my email address. Um, let me see if I can find my contact information.
Let's just, oh, I see what happened. All right. Gimme. There it is right there. There is my email address. That's the best way to contact me. Let, just move this down a little bit, move it, move it down. Boom. Best way to contact me is right here. If you happen to be, have, uh, purchased one of my courses, then, um, I will definitely help you directly.
That's one of the perks of Purchas purchasing it directly from combo courses.com is that I will help.  um, I don't have any kind of consulting or side things going on right now. I'm pretty new to this thing. So I, I haven't gotten into paid consulting or anything like that. So you have the benefit of catching me early when I'm doing it a lot, some stuff for free.
So yeah, you can send me your, your resume, particularly if you've bought one of my, uh, courses, uh, on combo courses.com. If you've done that, please send me your resume. I will check it. I sometimes I'll even rearrange it for you. I'll just make suggestions on the resume to say, here's what you should do. You know, here's some key words you should consider and things like that.
But if you're interested here, let me, let me just show you guys something real quick. I think this is a really good course, um, that I'm, that I made a while ago and I was super excited about it, cuz this concept is something that's really helped me out over the years. Here's my here's combo courses right here and I've, I've got many D.
stuff like how to get in from scratch from cybersecurity, um, and how to do risk management framework. I've got free stuff here. Uh, but the one that, that Alice is asking me about is this one right here, resume marketing. This one I'm excited about because this, the techniques that I use here is exactly what has made me, uh, be able to constantly.
Position, uh, positions and constantly get opportunities. And I still, even during the pandemic, even during an economic downturn, such as the one we're in now, and even in 2008, I was still continuously getting opportunities because of this, these techniques that I use here. So if you're considering getting into this and you want me to directly look at your resume, go ahead and check out the resume marketing for cyber security.
And it, I don't just talk about cyber security. And it can also apply to you if you're in, in different industry, really, it can apply to anyone cuz the techniques absolutely work. And if you want an idea of what I'm talking about, it's building a profile it's researching, it's finding key, creating the resume.
I walk you through all this stuff. And then I walk you through how, what tools I use online from career jet monster. And I also have something on interviewing and also. Uh, I will be adding more stuff to there that just like with all my courses, I add continuously add as, uh, as I find new things out or something comes up and I, and this is a, it is a really good thing for the course.
I'll add it to, to that course or, or, or any relevant course that I'm talking about. So go ahead and check that out. And, uh, let's get into control correlation identifier. Somebody's been asking me about. , this is the reason I have not talked about it because this is kind of, uh, this one is a bit of a, this one's very specific to D department of defense and dissa.
So, um, that's why it's kind of it's it's, it's it's out there. So, I mean, it's very specific, but what is it? Let's just talk about what this is real quick. Let me just get rid of this information here.  give me a second and now we'll be addressing questions after this, by the way. So just keep the questions coming in the, in the, um, chat and I will I'll get, get to that.
All right. So a CCI or a control correlation identifier provides a standard identifier and description for each of the singular actionable statements. That comprise and information assurance, IA control or IA practice. IA is just another word for security control. That's what the department of defense calls it.
CCI or control. Correlation identifier bridges the gap between high level policy expression and low level technical implementation. All right. I can explain this and there's, there's a lot more here that it talks about here, but I can explain it in clear terms of what it means, what the CCI does is a code that identifies specific tasks that you have to do on Lennox systems on windows systems on servers, on database.
Very specific things you do on each one of these operating systems and it links these specific actions that you have to do to a risk management framework control, uh, to a security control. So I'll give you a specific, I'm gonna show you first off. Let me tell you what it is. And then I'm gonna show you, uh, in greater detail what it is.
And, uh, I don't know how deep we'll go, but it'll, it should be very. What a CCI is when we're done. All right. So first off a specific example would be audit controls, like let's say on you're on a windows 2010 workstation, and you have been tasked to turn, turn on auditing on that system. Meaning event logs.
It's gonna collect event logs for whenever somebody MIS authenticates, they, they type in their password wrong and it pops up as a Nope. This is not your. It will send an event, it'll record an event on the system and that's the control that we have to turn on. Right? Well, CCI would be assigned a specific number, like say CCI 0, 0 6 dash 5 53 or whatever that specific tag.
Uh, we'll be identifying a, a re a specific action, which is turning on audit logs and that specific action ties to AU control one and AU control dash two. So now that might not make any sense if you've never done this before, but I'm going to show you, uh, a more specific example, couple examples.  um, let me, let me see if I can bring something up here.
Got a couple of examples that I was just looking at. So bear with me. So this is stuff I downloaded from the site. If you wanna learn more, I just, I am on cyber dot mill slash STIGs slash CCI. That's where I'm at right here. So if you wanna just Google it, you can just Google. CCI STS. And you'll, you'll find this, right?
So this is I'm on the dis is one of diss sites. That's why I'm I am. And I downloaded some of the stuff from here, which is, is not very helpful, to be honest with you. It's not very helpful. Um, uh, right now I'm looking for some examples that I actually had prepped. So just bear with me, give me a second and I will show you what I am talking about.
Okay. Here's one of them. So this is, this is.  um, this is
a system that, uh, had a STIG viewer ran on it. And what I wanna show you here, the relevant portion is this right here. This is a CCI. This right here. Can you, can you guys see that? Let me make sure you can see that. Okay. Yeah, you can see it. I made it bigger. CCI 0 0 1 8 1 2. And what is that? Right? What's the re the reference tells us here, it's referring to a specific event that the STIG viewer and okay.
Context, a STIG is a security, technical implementation guide. What it does is it walks you through all the individual things that you have to do to secure a system. The department of defense, along with some other departments within the federal government and even some state organizations, they have this breakdown of everything that you need for best practice to secure a system, whether it's turn on audit logs, making sure you have multifactor authentication, making sure it's in a secure area and physical has certain physical security making sure it has a policy making sure, uh, you have GPOs turned on and you.
You have control over your shared files, networking file protocols, making sure you have certain encryption turned on and or updated though. Each one of those things and there's that mil, thousands and thousands of others, maybe millions of others that are individual tasks on windows, on red hat, on every operating system.
You can think. It has security controls. Right? And so what this department of defense does is they create these STIGs security, technical implementation guides that breaks down all the task and they made it so that it's, they made it easier for you to make like a, you can make a script that automatically goes through and fixes all that stuff for you.
And they actually have some scripts that you can use to actually fix that stuff automatically. But this is a you're looking. Some stuff from an actual STIG. And it's the rule title. The thing that it's trying to fix is on a windows, 10 guy, uh, system, and it's for a windows installer will always install with elevated privileges.
This must be disabled. So by default, a window system will automatically elevate privilege.  to, uh, to, they're trying to make it easier, more user friendly whenever you, uh, install something. So it just automatically gives elevated privileges. But the problem is that's an that's something that can be exploited.
So the rule that the stick came up with best practice is to turn this off. So when you turn, when you turn the system on you installing it, it, you gotta go in there and turn it off. Okay. So discussion standard user accounts must not be granted elevated privileges. Because, and the reason for that is you want least privilege that what that means is, um, AC I'm not gonna remember C five.
I think it is it's either AC five or C six. And I don't, I don't remember which one it is, but it's the standard of least privilege. Meaning you, you only give users. Standard users, privileged users, operational users. You only give users what they need to do their job. You don't give them anymore. So windows by default and even Lennox does this will give extra privileges that you don't necessarily need for this specific environment.
Now, there may be instances where you, you can give more privileges. It just depends on the environment, but let's dive back into this. It says the standard user. Must not be granted elevated privileges, enable windows installer to elevate privileges. When installing applications can allow malicious persons or threat actors and applications to gain full control of the system.
So if this thing is turned on, somebody with mal with malicious intent might exploit it by, by granting, elevating their own privilege. Right. So we have to disable this thing. That's what they're telling us. And then they tell us specifically how to do it, where to go in the actual system to disable, always install elevated privileges.
And it's telling us to go to computer configuration, administrative F uh, template, windows, component, windows, installer, and then disable, always install with elevated privileges. And I hope that makes sense this right here, what everything I just read is a CCI. All right now, let's talk about how CCIS this specific task on a specific system links to N um, N uh, 800, uh, security compliance controls.
All right, here it is right here. This reference explains it. So at first of all, it has a, it's a, has a, a unique identifier. Every single CCI has a unique identifier. In this case, a CCI 0 0 1 8 1. And what is it telling like in one sentences explains what it is. The information system, prohibits user installation of software without explicit privileges, uh, privileged status.
That's what it does. And it links to, and the references, it tells you it links to this nest 853 rev four is going to rev five soon, cm, 11.  so cm is, is dealing with configuration management. Configuration management is dealing with, does our organization control? Does the security posture of our, of our or environment in layman's terms, in layman's terms?
What I'm saying is a cm control is having a inventory of everything that's on your network. Like for example, in your own.  you know, you already know you got three computers, right? Your kid has a computer. Everybody has a cell phone and you have a router down in the basement. That's it? Right. If you suddenly were doing a scan on your network and you saw 15 other systems on your network, that would give you grounds to freak the hell out.
Right.  cause that you don't know what's going on. So in the same way, an organization needs to know everything that's going on on their environment. They need to know what networking devices are on their network, all the nodes, what their IPS are, what systems they have, what vulnerabilities they have. They need to know all the software that's in their environment.
Right. They need to know if there's wireless, if there's other connections coming into their. They need to know everything that's going on with their network. And that's where a cm control comes in. So cm is controlling your environment. That's all it is configuration management, managing my configuration of my organization's systems because we have very important stuff going on.
That's that's cm. And so they're saying that this CCI links to this cm 11. So if we go down the. Let me see if there's anything I else I can show. Okay. Here's here's what I'm gonna do. I'm gonna actually bring up a STIG. This is a STIG viewer right here. This is an application you can download for free. Go to DISA a DISA dot mail, uh, or just Google a St.
Viewer. And this is a automated it, it's basically a little app that will grab all of the security, uh, CCI. Everything you're supposed to do on a window system or on a Linnux system or a red hat, whatever system and says, okay, have you done these things? Right? So that's what we're looking at here. So I've already taken Liberty to downloading a windows 10, uh, security St.
And one of these days I'm gonna make a whole course outta how to, how to do this. This is something I've been doing a long time, so I know, I definitely know how to do it. So here we. Um, and I can explain, break all this stuff down. It's it's pretty involved, um, special if you're going through all these. So this right here, what you're looking at is windows.
Um, okay. This is not showing me, us everything. So I'm gonna make this a little smaller so you can see everything going on here. There you go. Hopefully that's clear to you. That's okay. There we go. Right there. So right here, we're looking at window. The last one I showed to you was an, was a screenshot. This is an actual STIG that I pulled down.
Um, not from a client of mine or anything like that.  would not show that. So here's, so we're clear. This is just a random STIG that I downloaded from this dot mail. And then that's what we're looking at. This is generic. So, uh, what I wanna show you is. This first CCI, this is CCI 0 0 0. Here's where I'm getting the number from right here.
If you could see my cursor where my curse was pointing, right, right there.  is CCI 0 0 0 360 6. Organization implements the security configuration. And what is it linked to? There's a few of them cm, six cm, uh, six do one, uh, and, uh, cm, six B what are we doing? What we're doing is looking at the domain. Joined systems.
Must use windows 10, uh, enterprise edition, 64 version.  and it goes in a deeper discussion on what, what they're wanting want, what they're wanting as far as how to meet this particular, uh, STIG control and each one of these, the way they break it down. So, okay. Let's, let's do a little bit of a tour here.
There's a couple of numbers here that, that I think you should know. So let's look at this one right here. This vulnerability, I. Vulnerability ID identifies each individual potential weakness of a system. It's saying that specifically the weakness, uh, on this system is this is X, right? And, and the rule name is attached to a w N windows 10 dash.
right. And each, each one of these vulnerability IDs attached to a specific weakness that has been detect that, um, that needs to be addressed. Right. And so you can manually go through each one of these. So one of the things that you can do as an information system, security officer, one great tool you can use better than nothing is to run this stool, this run, this STIG viewer and have your system.
By your side, right? You have your system right here. You have your system here and you're looking at each individual item manually going through one by one by one to fix everything on your system. Another thing you can do is, is run a, a script that fixes all these things automatically. Right. And, and I believe there's tools.
I, I wanna say that there's, there's something called, um, uh, SCC or. Checker software that, that, uh, you can get from department of defense, that, that has something that will fix it. It'll scan your system. You, you load it on your, the affected system. Uh, and then you scan it'll scan and, and see what STS, what individual CCIS, what vulnerability IDs are not being met on your system.
And then you would go through manually and fix every, all those items. Now. There's a couple of different things here. How does this help you? Um, as an information system, security officer, if you don't happen to be actually installing these things, how it helps you is that if you have the report from this thing, you'll be able to know, okay.
When they did a scan, they found, let me just find that whole different CCI here, that we can talk about something that.
So let's say you're only doing documentation. You can take something like this, this scan, and you could, uh, this would be like an artifact or a bit of evidence stating that this rule has been met. And how's the rule been met, you could say, right, right in here. It says, uh, that first of all, it is a windows ink workspace.
Consider. Uh, uh, sorry. Uh, workstation ink works, windows, ink, workspace configured, but disallowed access, uh, above the lock. And it tells us how to secure it. Securing windows ink with, uh, which contains application and features oriented towards, uh, the pin towards pin comput. I, I have no idea what this is.  I have no idea.
I have no idea what this is. This is some oh, pin, like the pin you E enter into the system. Okay. Okay. Okay. I'm just making more sense to me. So this is showing us how the scan, how, where it would be scanned at, like, what value is would you be looking for? So it's saying that you would go into the registry back into the system and then.
If this was turned on, and if you're doing a scan, it would check for this item in the registry keys. That's what it's saying. That's how I'm understanding it. And it's saying the fix action is disable the convenience pin, uh, sign in. So we don't want you to be able to sign in with a pin because that's too easy to exploit.
So here's how we fix that. That's that's what they're saying here. And it breaks it down exactly how you actually fix it. So. If you were doing the documentation for this, there's a couple things you could do. You could use this to explain what the weakness is. Let's say your organization didn't do it. You could use this to break down where we are not meeting specifically how, uh, what's going on.
Or if you wanted to prove that it, that it's been fixed, you could go through and do a screenshot of what, of, of this feature, or if you were doing a.  you could run a scan and say, look, here it is right here. The windows 10 CC 0 0 0 3, 8 85 has been met. And that covers, uh, cm seven right there, CCM seven. So, and you could do that on many of these different items here that we have here and.
go from, they run the gamut from going this one, C, C uh, S I 16, you got some AC IA controls, you got different controls. So it's telling you here in the CC, uh, in this reference where these map to each one of the security controls, and that's why super helpful you as an information security officer. If you happen to be one you're looking for, how can I.
These security controls. How can, how does our organization meet this particular security control? So this is just one way. If you happen to have a window system or a Linux or whatever it is, right? Cause they have, they have these for every kind of system. All the main systems are, are, are covered by the STS.
You can use this information to figure out if you guys are meeting this particular control or if you're not meeting control and how to. So I hope that that makes sense. Um, I kind of, I feel like we, we kind of went overboard with it, but at, at some point, what I would like to do is actually take a system and secure the system, using the STIGs using the SCC tools and everything, but that'll be a whole course cuz that, that all that stuff takes a bit of time and set up and all that kind of stuff.
I'm actually setting up some stuff on the back end here, but um, it's gonna take me a while to set all that stuff up.  if there's any questions we can address those, but while you guys are coming up with questions, I would like to show you something else real quick. Uh, another very useful thing with ma with having a matrix or having these individual vulnerability IDs and CC eyes and all these things, or how they all come together is beautiful because there's something else where these same control.
Map to, um, a more commercialized version of controls, which is CIS benchmark controls. These controls are used by a lot of private industry stuff, private industries, some banks, and some other industries actually use these controls rather than the nest controls.

Monday Sep 19, 2022

 
Hey guys, this is Bruce, and welcome to combo courses, podcast. I'm doing an experiment where I'm doing daily is here. We'll see how this goes. I don't know if I'll keep this or maybe I'll do this twice a week or something like that because it hasn't been that bad. I got so many things. I can talk about so many questions to answer, but right now I wanted to focus my time on the categories of cybersecurity.
So a lot of times. Industry people think that cyber security is all about. And I think it's all about just hacking or something like that, something to that effect. And those are the things that are popular, just Hacking or pin testing or programming another one's for digital forensics.
People think that's all that there is, but in cyber security, not just I've been doing this for a very long time. I've done everything from the technical side where I'm actually configuring systems and installing systems and that kind of thing. But I've also done the, more of the management type side.
And I want to tell you that there's. So many different. Parts to cyber security. And when you see somebody talking about hacking or whatever it's very glamorous, but that's a tiny fraction of the whole spectrum of cyber security. It goes very deep. So if you're actually trying to get into this career path, cuz it pays very well and it does then I, what I wanna do is introduce you to some other categories of cyber security that you may.
Know about. And so one of there's an organization out there and it's from nonprofits and the government and a couple of private sector. They got together and they broke down the different categories of cyber security that need to be addressed. And it's not just. Cyber security by itself. Some of it is you can have a system administrator who does cyber security, that also accounts for this one.
And I'm gonna explain that in a second. If you stick with me, you'll understand this and you'll understand, especially if you, this is particularly for you. If you are trying to get into cyber security, if you're interested enough to want to be a part of cyber security in this field. And if you've been thinking about getting into it, I'm gonna show you the whole spectrum of cyber security.
Let me show you. A framework called it's called the workforce framework for cyber security. And if you didn't know about this is something the federal us federal government has been using for years now to figure out what categories to put people in and what kind of training that they need to do in order to be in these different categories.
And from a bird's eye view. Let me. Switch my screen over here on TikTok. Feel free to ask me any kind of questions. I'll be doing this for about 30 minutes if you're interested in this, but let me show you what I've got going on here. And I'm just so you know, I'm broadcasting on a podcast, but I'm also doing so I, I will explain what we're looking at here, but you can watch this on YouTube and Facebook eventually will put this on Facebook.
But here we have all the categories. Now there's seven different categories at the time of this recording. There's analyze. There's collect and operate. There's investigate. There is operate and maintain, overseeing, govern, protect, and defend and securely provision. And what I wanna do is give you an example of each one of these seven categories, cuz each one of these breaks out into specialty areas.
So for example, analyze breaks out into. What you call exploit analysis, language analysis, target analysis, and you'll see that some of these don't look like cyber security topics, but they, in fact they are now, if you happen to be dual bilingual, if you happen to know another language Very fluently.
You might actually be able to very quickly go into something called language analysis, which we'll briefly touch on in a second. But what I wanna keep this kind of high level right now, just to show you the different specialty areas. Now there's about, I don't know, 30 or 40 different specialty areas.
Each one of these categories of cyber security breaks out into these special specialty areas now in collect and operate, you'll see things like cyber, operational planning, you don't think that would have a lot of hands-on stuff and it actually doesn't. So let's keep going here.
And when I say hands-on, I mean like somebody who's actually configuring a server or setting up a network and stuff like that, cyber security is not all just about that. It's a very broad area. It's a very broad umbrella. So investigation is what you might expect is digital forensics, cyber investigations.
Threat hunting, things like that. And we'll cover that in a second operate and maintain. This is what people normally think about when they think about system administrators, data, administrators, network services, that's their network engineers, things like that. These guys are in.
Cyber security in that they have to do a lot of cyber security-type activities. They're not typically seen as cybersecurity people, but they have to do a lot of things in cybersecurity. As you might expect when they're installing patches or things like that. Overseeing govern. So this is what I do.
I can speak extensively on this, but this is a lot of management type stuff. Cyber security management. This is your C level execs and it even includes legal and program managers. This is something I would very much like to talk to you about because program management requires a certain level of emotional intelligence that a lot of it people do not.
Okay. And I, it's a very important a very critical piece of any kind of system engineering, any kind of major cyber security projects, anything the organization is doing that where they're spending a lot of time, money, and energy, and a lot of resources. They need a program manager. I'll get off my soapbox on that one, but it also pays very.
And that's something I talk about a lot on my site program management is a big one. Okay. Anyway, let's keep going. Let's keep it high level protect and defend. So protect and defend. Is dealing with a cyber defense analysis, just to name a few incident response. That's a huge one, vulnerability assessment and management.
Huge, but that's for protect and defend. So you see, this is not all just firewalls. This is not all hacking have I haven't even mentioned hacking yet. That's how big this field. And there's some things that are not even included on here. Like cryptography, you don't see cryptography on here, but cryptography is considered part of part of cyber security.
And I would argue that the cypherpunks, the guys who created The concept for Bitcoin and all that kind of stuff were also very good cybersecurity people anyway. So securely provision. Now this one has to do with risk management, software development, system architecture, that sort of thing. So you can see, what I wanna do is just show you.
The high level here. There's many different categories of cyber security and it's not all just hacking. It's not all just programming. Yes. Those are part of what we do. But in the major scheme of things, like when you look at the big picture for all of this it's a very big feel. And I wanna just explain to you why if you think about it, it really makes sense when you go to your bank and you are trying to send a wire transfer from one.
Using ACH to another bank, right? Or you wanna wire something overseas or whatever the case may be. The bank has a certain they have certain protocols and procedures and certain policies that they have to do in order to secure your information to make sure that the $1,000 you sent from one bank to another, or from, to your, whoever.
Wherever you're sending it. They have to make sure that information is protected. The rules and protocols and procedures and the legal system. All of the things that come together that is known as secure security compliance. Now the financial industry has a different set of laws, as you would imagine than say the healthcare.
The healthcare industry is protecting your healthcare information, your digital, if it's that information is digitized, they have to protect that information, right? So they have a whole different set of laws that are completely different because it has a different has a different, it has, it requires a bus different business solution than say a bank.
If you think about it like this, the government, the federal government, who's protecting your social security number. They're protecting your, I don't know. They're holding, making sure that things like the DMV, if you're talking about the state they have to protect your personal on for information as well.
and making sure that's, of course there's all kinds of leaks and all kinds of hacks and all that kind of stuff going on, but they have a whole different set of procedures and rule sets and laws that apply to the federal and state government. And that's also called security compliance.
Security compliance is in every industry. It's in every state, it's in every jurisdiction, it's in every county and it's in every country. Each country has their own set of laws that pertain to. And all of us, all of them have different solutions that they need for their particular situation. So one would imagine as you can probably imagine, there's a lot of security that has to be done for that.
And it's not all hacking. Like you can see how hacking is a tiny drip and a gigantic ocean that is cyber. Cybersecurity is a very huge field and that's why you have seven different categories. Now, what I wanna do is kinda give you a practical understanding of these seven categories. Now let's start from the top here.
I'm gonna give you a specific example of where you might have seen this on TV or in a movie, or relate it to something you can understand here on a practical way. So let's start with analyze the first category we see on the top here is analyze. Has these specialty areas right here. Now, if you break these down and if you wanna go to the site, by the way, if you happen to be watching me on YouTube I have a link to where you can actually follow along.
The actual site. Is there in the link now analyze, let me give you a practical understanding what analyze is now. When I was in the military, we had, when I was in a combat zone and we have we had languish analyst. Whenever we and the reason why we had these language analysts was because we can't understand, say if say a another country is attempting to hack our systems, like they'll put some code on our systems and that code has to be in Ukrainian or in Russian or whatever other language you need a language.
To actually figure out what is being said in that in that code. And that's why a lot of times they figure out, oh yeah this hat came from Russia. This hat came from Ukraine. This hat came from whatever country, because you have an language analyst who has they're multidiscipline in language languages, where they can figure out and decipher and figure out like what's going on.
They'll have like different tools. That'll help them to decipher what's going on with that, with whatever hack is going on. So this is actually a part of the analyze category. Let me give you another example, threat analysis. Now this is a big one. So a cyber threat analysis is something where what you're doing is.
You're trying to detect and figure out where a company might get hacked from an organization might get hacked from, and it sounds impossible. Sounds crazy. How can you figure out where threats are coming from? There's some ways to do it. So if you think about like this right now, somebody might be trying to hack, I don't know, I'm just pick something off the top of my head.
They might be trying to hack Walmart or something. Wal, what Walmart can do is they can have somebody scour the internet. Do search conduct searches or create a tool that goes out and. Does a web crawl of the internet to figure out okay, who is mentioning Walmart who is talking about it on social media?
Who's talking where are the communications that are in the public domain to figure out who is talking about us so we can figure out where those threats are coming from. Because a lot of times when these, before the attack even occurs, these criminal hackers are talking amongst each other on the dark web.
About how they're gonna attack or they even already had the attack. They already pulled the information from there and they're selling Walmart's emails. Now this is just an example. I just, so you know, I don't have a client with Walmart or anything like that. I don't have not interacted with Walmart's cyber security.
I was using them as an example and I'm unaware of any current tax or anything like that. Just, this is just an example, but that is what threat warning analysts do. And this is something I did at my last job, as a matter of fact, that was one of our jobs was to do threat analysis on companies to figure out what's going on.
And this also pertains to doing cyber looking at terrorist threats for whole countries, by the way. So that's analyze an analyze goes into analyzing information, analyzing targets, analyzing threats that might be coming to a cyber security through, to an organization. There is, there can be some hacking involved.
There can be times where you have to know a little code, but language analysts don't typically know code, and then all source analysis. This goes straight into just intelligence. This is normally what you'll see in like intelligence organizations where they're gathering actual, actionable intelligence from other.
From multiple sources, putting that information together to figure out, okay, we have a terrorist threat here. We have a terrorist threat there. We know that we have advanced persistent threats here and there. We have some, we have reason to believe we have human intelligence people on the ground where they've gathered this or that information to figure.
Who's gonna attack what, and a good example of this one would be that if you've ever watched a mission, impossible the ghost ghost recon, that one, they have, they talk about this type of job all the throughout that one. The as a matter of fact, they have one of the characters is an analyst, and this is the, what they're talking about.
This is somebody who. Who pulls information from different sources, different intelligence sources puts it together and figures out. Okay. We know that there's a credible, there's a probable attack. That's gonna happen over here, over there, based off of all the Intel that they've gathered in the field.
Okay. So we beat that one to death. Let's keep going here. So that is analyzed and that's in cybersecurity. Then we've. Collect and operate. Let's look at this one. So here's the specialty areas with collect and operate. Now, what are we talking about here? This is also dealing with a lot of intelligence, this, a lot of govern department of defense and some of the other three level organizations will have something like this cyber operations, where they're also looking at real time threats.
They're looking at foreign intelligence entities. So this one's very much related. To what we were talking about here analyze a lot of times we'll see these in security operation centers, a security operation center, especially the ones for that work for different governments.
They're very large, they have a large. Office where you have all these giant screens going on, you see these in movies, like when they were walking in and it's like, what's the threat and there's a, there's supposed to be a bomb here and they're trying to figure out like, what's going on.  so a lot of times they're talking about a cyber.
Intel planner. These are the guys who put everything together. And if I could just read through some of this details here, it says, develops detailed intelligence plans to satisfy cyber operations requirements. So these are the guys that are managing all the information that's coming in and how we're gonna, what we're gonna do once we gather that information.
So that is collect and operates, dealing with a lot of Intel type stuff. And You see it in movies and stuff like that. That's, it's not like the movies to be honest with. It's pretty boring. But okay. Investigation. Now, this one, if you ever seen the show CSI, this is. It, the digital forensics, not necessarily the scientists scientific forensics where they're trying to figure out when a person was murdered, based off of the insects that are consuming the corpse or whatever, sorry to be so crude, but that's forensics, digital forensics is a little bit different.
This is the people who will take a computer. A lot of times they'll work with law enforcement and stuff because they're dealing with very heavy issues. I don't wanna get flagged for talking about some of the stuff that they find. But if you're talking about digital forensics, you're only talking about a few crimes major crimes that are gonna have to necessitate a digital forensics guy, major crime murders, and assaults that were caught on fi on, on digital media.
And somebody try to hide some. Illegal contraband on their computer and try to do some illegal transactions using cryptocurrency or something like that, and they have to trace back. Where the cryptocurrency wallet it's went to, or they have to figure out see if somebody was using some illegal pictures or images on their computer, but they try to erase it.
But with digital forensics, you can actually extract that from the ones and zeros on the hard drive. That is what we're talking about when we're talking about investigations. So they work a lot with the law, with law enforcement, they work a lot with with The with law they might have to do things like what you call it.
Chain of custody, where they have to make sure that the hard drive that they're investigating can get to trial and not be tampered with and things like that. So that's investigations then you have maintain and operate. So what is this one maintain and operate is this one's pretty self explanatory.
Once, once you see some of the job titles and stuff in here network services, that's like the people who install, configure, test operate, maintain the network, the firewalls. The switches, the hubs, they, they say hubs here, but not many people use hubs that much anymore. So that's funny, but system administrators, these are people who install, troubleshoot, maintain the servers and the configuration files and make sure that the config, the confidentiality, the integrity and the availability of the system is protected.
So yeah, that's that is maintain and operate. Then you've got overseeing governor. I could talk. My entire site is about this one specifically about cyber security management. Cause this is what I do. And this is when I, when we were talking about this in the beginning, we were talking about what exactly what I'm doing, which is.
This right here, information system, security manager, actually, I'm a my specialty is information system security operate officer, but management's something I do as well. So it's security. Doing cyber security for the whole organization, making sure that the cyber security of the organization is sound making sure the documentation is good, making sure that you've got all the system security controls are in place, things like that.
And you have to work a lot with the C level execs, high level security people within the organization. Doing a lot of coordination talking with the program managers, talking with the subject matter experts on the firewalls, on the networks, on all that kind of stuff, to make sure that we, as a team in the organization are doing what we're supposed to do, whether that's doing PCI compliance or HIPAA compliance or whatever industry standard we need to meet, that's what cyber security managers are doing.
And. COMSEC manager. These guys manage the cryptography, the crypto keys within an organization. So that is one, that's just one of the specialty areas that we're talking about for overseeing govern. This also goes into C level execs, your CIOs, your CIS OS with chief system security officers, or your chief information security officers, your C level execs, you're legal people.
You don't know often see legal people. Lumped into cyber security, but here it is right before your eyes. I'm telling you, the point I'm trying to make is that cyber security is not just programming. It's not just hacking stuff. It's also, it includes legal advocacy. Because the organization has to protect its reputation.
If somebody's defaming the organization, right? Their reputation is at stake. Who do they go to? You go to your legal team. Your legal team is, has to determine, okay, did these people defam? The, our organization are these, do we need to do a cease and desist order on this website? That's trying to. Do what's called typo squatting.
That's where you let's say google.com, but some somebody creates a site called Google, whether E and the L are transposed so that people, whenever they miss type Google, it goes to their site. And then they take you to a, some malware or something. Some other site. So are, do we have a legal case?
For the protection of our reputation or not, so legal is also where you would talk about, okay, we need to develop a privacy notification. We need to develop a a, something so that some, a non-disclosure agreement for all of our users who come in that's legal department. They, so they're very much involved with things like.
Privacy notifications that pop up on a website whenever you've gone to a website that privacy notification pops up, that's serious because the organization doesn't wanna be liable to, they don't wanna get sued because they released your information without you knowing about it without you, knowing what you were clicking on.
So they have to go to the legal department for that kind of stuff. Cyber security includes that kind of. So let's keep going here. I wanna show you a few more things and I'll keep it a little bit briefer on the next ones, what we do. So that's overseeing, govern. Let's go to the next one, which is protect and defend.
This is one of my favorite ones, cuz this one, excuse me. This one includes cyber defense analysis. In a past life. This is what I did. And this is, this one is really fun. I really love doing this one. This is people looking at logs. It looks like the matrix. Like they'll sit there and they're watching a screen full of logs go by and they're trying to figure out what is, if there's any kind of attacks going on in, on their, in their environment.
If there's some, if. Malware happening in the environment. Like it, it actual infiltrated the environment, or if there's somebody doing something they're not supposed to do, you could pick that stuff up in the logs. If you know what to look for. And they're looking for certain patterns of behavior inside the logs, that's reflected in what's going on.
Cyber defense analysis is where you would do that. It's picking up the IDs, intrusion detection, intrusion prevention, the firewall logs, the network, traffic logs, all that stuff. And it's making a determination. And these days you can do it a little bit with artificial intelligence to help you out, to help out the actual cyber defense analysts.
So that. What we're talking about with that's one of the things that we're talking about with protect and defend another huge one is incident response. That's a big one. And then vulnerability. These are like whole. Industries, by the way. This I'm briefly mentioning the names, but this is an entire industry in and of itself.
This one incident responses is own thing. And so it's vulnerability management. Okay. Let's go to securely provision. And this is the last one last, but not least this one's getting into risk management. This is something I do a lot. This is my whole job right here. Risk management. This is making sure that the organization is within a acceptable level of risk because every system that's out there, every single system, no matter what system it is, has some certain level of risk that they have to operate with.
And so risk management is just simply making sure that the risk is not too great for them to operate and not the risk. If a system has too much risk. It's too much exposure to their critical systems, then they can get, they're gonna get hacked at some point, they're gonna have a breach at some point, if your risk is too high.
So you need risk management as a specialty area, software development, whenever you develop software, you gotta make sure that software is developed securely so that you don't have any major breaches. A lot of the breaches that happen especially with zero. It's because of software issues, that software that wasn't secure and that's all in securely division securely provisioned rather.
So there's other things in here and the whole point I'm trying to make before I close this thing out and I'm almost done here is that cyber security is a huge, it's a huge field. It includes everything from manage. Program managers are very integral part to cybersecurity. It's a whole different discipline.
They do not have to have hands on stuff. They do need to, at some point, understand the organization's process on how software is developed, but not necessarily no Java or no C plus, or how to actually code or how to use the coding libraries and all that kind of stuff. They don't need to. They need to know the organization's process.
They need to know things like agile. They need to know things like what's the other one, scrum. And and things like that, processes that allow an organization to get to securely build the system securely build the software, develop the software, things like that. They need to know. So it, this includes C level executives.
This includes like we said, manage. It includes risk risk management, managing the risk effectively for an organization. It includes an, a lot of analysis. It includes all of these aspects. So whenever you think, whenever somebody says cyber security, just know it's a huge field, and it's not just one thing.
It's many different things. Okay. That's it for this one, guys. Thank you for watching me. I really appreciate it. I'm trying to do these lives. Daily. I'm I've got one on YouTube coming tomorrow. I'll try to put this on TikTok as well. I try to put on as many platforms as I can tomorrow. I do these at least once a week on Saturdays, one o'clock mountain standard time on YouTube.
I've got a podcast it's called pod combo courses dot pod, bean.com. And if you go to combo courses.com, there's tons of downloadables tons of free stuff. It's free to actually sign up there and I'm always giving out stuff like this where I don't expect you to pay me anything. I'm just giving you out information so we can get.
More people where they can take care of their family. To me, that's the name of the game you taking, being able to take care of yourself and being unable to take care of your family. That's the name of the game? That's why I teach people how to get into this field, how to make more money in this field and how to have security in this field.
Financial security. A career security so that they could take care of themselves and their family. All right, guys, that's it for this one. Thank you so much for watching. I really appreciate everybody. Who watched and I'm sorry, I couldn't get to your questions this time. Maybe next time.
We'll attack those questions. Peace.

Sunday Sep 18, 2022

http://convocourses.com
 
All right. I'm testing a new platform called stream yard, and this is convocourse's podcast. I'm gonna do about, I don't know, 20, 30 minutes to test this out and also to inform you guys of  a career move I recently made. I haven't really talked about this.  But about three months ago I was working as a cybersecurity consultant and that's much different from an information system, security officer.
So in the past, Three four months.  I made a big Mo well, not really a big move. I I've, it's not a big move for me.  I've done both jobs before, but all I want to do is  compare the two kind of give you an idea of  what the differences are between  cyber security consultant.
And what I'm going to be doing with information system security officer work, and  what's the daily life of both of those things. How do they compare and give you an idea of  which one you should choose before I start, you should know that  I own a site called combo courses where I teach cyber security compliance and  how to get in this field as a cyber security person.
I've been doing this for 20 years, doing cyber security in  all forms of security, as well as some it information technology stuff  like being a system admin or network. Administrators, stuff like that. I've done a little bit of all that stuff.  But my specialty is really in security compliance.
And so that's what I teach people to do. And. People ask me on YouTube, on, on TikTok questions. And I'll just go ahead and answer them and by the way, if you have any questions during this feel free to ask them and I’ll do my best to answer. them sometimes we have such a great community that they'll actually answer the questions on my behalf.
There’re things I don't know. So, somebody, some other subject matter expert will jump in and then answer those questions and. My favorite times on this, on convo courses, because that's what convo courses in my mind is all about is about the community and us coming together, figuring things out. Okay. So, I wanted to tell you recently I made a huge move.
I was working at a major telecommunications company that does cybersecurity on the side. They have a branch that does cybersecurity and    I did it because it was a great opportunity. One of my former coworkers.  Gave me a they referred me and brought me into the company. It was a great company.
They had great benefits. It was some of the best benefits I've had outside the military.  It was decent pay and the only, probably bad thing was that there was a lot of travel and that eventually was the thing that got me out of there. And it was stressful too. And I was how having too many personal issues that happened at that at the time that I was working there, I worked for there for about two and a half, three years, and I was doing cyber security consulting for them.
So, what we would do is we would. We bring our expertise to smaller companies.  We go to, and it's a lot of companies and banks and hospitals and healthcare industries that you probably use to be honest with you.  that? I Some of I was surprised were like, damn, I use this. We're doing security compliance for them.
And   the security compliance it wasn't just security compliance.  It was basically, we would do a bunch of We would do a bunch of risk assessments and those risk assessments would be things like be we had 15… different risk assessments. So, 12, 12 to 15 different risk assessments, depending on what they chose.
So we would do things like physical security assessments we would do. Of course, network security assessments. There was like three of those. We did cloud-based security assessments. We did…  We did wireless security assessments. We take all of those and we would give them an overall view of what their security looks like.
And then we would prioritize where their major risks were. And then we would talk to the sea level or director or upper-level management to say, hey, this is where you should focus your energy because this is where we see the most risk. And the purpose of that was to reduce their. Their security any kind of vulnerabilities they have, and they can focus all their time, money, and energy and resources to that highest level of risk in their organization.
That's what I was doing. And it wasn't too bad. I actually liked it.      I fit right in over there. The only I, we would do these reports, which were really easy for me, the. Challenging thing I found was sometimes the clients were a bit difficult to work with and it wasn't that they didn't know what they were doing or something like that.
It was just very high strung because cybersecurity.  It could be very stressful because you're dealing with you.   If you have a vulnerability, a major vulnerability and you have to take that to the C CEO and say, Hey, we have. We have a bunch of legacy systems that are   in this area here, there's a lot of stress because you don't want to be the person that to, to barer of bad news, and we'd find those things and we'd say, Hey.
You have this stuff going on. And there was just a lot of stress with that.  That's probably the hardest part of the whole thing.  The travel wouldn't have been a big deal if I hadn't had so many personal issues happening with my family, kids and everything that just all happened at once. So, I had to unfortunately had to leave because I actually really loved the people and everything.
What did my daily life look like?     We were mostly going off east coast time for me, because that's where most of my clients were. They'd give us like two or three clients.  And then you would work directly with them. So, most of your day was coordinating.  The scans and the assessments that you'd have to do, if you had to go to their site, you'd have to coordinate that.
And they expect you to go do that on your own.  It was very self-directed where it's you have the client, like you'd run the meetings with them. You'd coordinate when you're going to go there. You'd coordinate how many hours or  how much time it would take to get there and who you're gonna meet and all of that stuff you'd have to do.
And then the scans, we had a, like a separate scan team. We'd work with the scan team. We'd work with the program. Managers we'd work with them and we'd put together this report to deliver. On a quarterly basis and sometimes annually, it depends on what kind of assessment it was. Because obviously you wouldn't do like a physical assessment every quarter.
Because I didn't, that wouldn't really make any sense because it stuff doesn't change. But anyway, so that's what we would do. It is mostly meetings and coordination  and doing scans and reviewing the scans and then writing reports  that's your, that was your whole day as a cybersecurity consultant at this organization.
I was with  where. The main thing we did was deliver these reports and we would do really, most of it was risk assessment type stuff. And I was very familiar with that because in the department of defense, we do a lot of security assessments and stuff.  So that's very different from where my main  core specialties are, which is security compliance.
We would dabble a little bit in security compliance like every now and then. We  I would help them do like a PCI compliant  PCI audit or something like that  or we'd say, okay  here's how you, your system would fit into eight NIST 800 or here's how your system would fit into CIS controls.
You do a little bit of that, but that wasn't really what we're, that would, it was separate from what we were doing was mostly risk assessment type stuff. So seeing where their risks are and determining that.  Now that brings us to the next thing, which is information system security officer. So information system security officer is more in compliance.
It, the compliance space, security compliance and security compliance is making sure an organization is lined up with regulations, laws, industry standards. That doesn't have to be the federal government, which is mostly what I work with. It can be with  hospitals have a certain standard that they're supposed to meet.
One of which is called HIPAA, where they have to make sure that they're protecting their patient's healthcare information and their digital records for the healthcare and stuff like that. Another example of industry standards would be PCI compliance.  That's protection of. Of  credit cards. So whenever  you are at a store and you're using your credit cards, they're supposed to have a separate network for those point of sale devices.
So that doesn't touch,  say the wifi that's in the  that's for the staff or for  guest  to log in. So that has to be a separate protected network so that the credit card data has its has, is protected.  So separate from your. Other networks. That's just one of the things you have to do.
Another things you have to do for PCI compliance is have the adequate  documentation for the security of the system. Like making sure that net, we have network diagrams and making sure you have  asset  and inventory of all the assets, things like that. Those are all    the types of things that you would have to do for PCI.
And that's, those are just two examples, but you've got CIS compliance. You've got. ISO 27,001 compliance. You got many  different countries have their own security compliance and different industries like  have their own compliance. So my, my  specialty is in NIST 800.  Security compliance NIST 800  is what the federal government has created and adopted as the main source of security controls.
Sec security controls is a set of security features that protect the organization's. Primary assets. That means like your main server that has all the social security numbers on it. Your  main server that has all the secret  secret data on it, the main server that's holding all  the maps of different parts of the world.
 Those, that's what you call an asset. So those are just some of the examples of, and those are some of the difference. Now, one of the things that, what the daily, what it looks like from on a day to day basis for an is.  Just to  compare this versus  versus  the consulting I was doing.
So it's also a lot of meetings. Security is a lot  of coordination. Cyber security is a lot of coordination with different organiz because  you're having to meet. Different  subject matter experts like you, you're not necessarily the person who's locking down the, those, that windows server.
That's gonna be a server type person.  That's gonna be a person like a system admin who specializes in Linux, red hat, network, administration and windows  2019. Active directory servers  so  you are gonna coordinate with them. So in ISSO, that's what they do. They're coordinating with these different, the firewall guy, the  the privacy person.
 They're coordinating with all these different people to make sure that the organization has a certain level of. So it is a lot of meetings. It's a lot of meetings with a lot of different people, and that's probably the main difference between  the meetings. Like an ISSO is gonna have a meeting with all kinds of people throughout the organization.
 One organization, whereas a consultant is gonna have a meeting with just a few people at different organizations like me. I had  three or four clients at a, any given time and I would have to coordinate with the there's like a main point of contact. I would talk to big two or three main points of contact and every now and then  I'd meet like a C level exec, but I was talking to three or four different organizations.
Whereas an ISSO is talking maybe one organization and there might be other sub organizations, but they're all one you're talking about many people in that organization. So you're going really deep in, in all of the details  and stuff and making sure that all the securities is  is in place. Now it wasn't, it's not like an enforcement role.
Typically you are more like a news reporter. What I mean by that is a lot of people think that you're the police and you're gonna come and busting down doors and say, Hey, this, we gotta secure this server. That's not really  your job. Like you might point things out, but the person who has to be the enforcer is gonna be the management, because they're the ones, things come down from management.
So they have to be the ones to enforce that stuff. Now  if you happen to be the voice piece, the mouthpiece to tell them, Hey, the CEO just said.  You're just a reporter. You're just reporting to them. Hey, this is what happened. We have to obey what is going on with this organization's policies.
Here's what we have to do. So that's the main differences between a security consultant and information system, security officer. The reason why I quit my job as. A consultant and went over to, and now I'm going to back to information to security officers has more to do with. Not the work per se. It was, it is more like the travel, like the organization I was at was paid really good, had great.
One of the best benefit packages I've ever had, but it was too much travel and I had too much stuff going on.    And I had too many clients, it was getting a little stressful plus I had family stuff I had to deal with. So that's the reason why  I transitioned over.  And now  I'm going to somewhere where it's a little bit more  It's gonna be  a better fit  for me and my new family situation.
So that's  what's going on. Okay. I've got some questions here. Let me see for Mike. Thanks Mike, for your question. I really appreciate that. And Mike says  he says quick question  the ISSM role coming from being an ISSO. What is what's your suggestion? Quick question is S. A ism role coming from, are you gonna be doing an ISSM role from being an is O I'm assuming that's what you mean?
So you were an ISSO and now you're about to be an ISS O  sorry. You were an is O you're about to be an ISSM that's I'm trying to interpret your questionnaire.  Any suggestions.  Yeah. So the biggest difference between these two roles is that  one is a manager information systems, creating manager.
 You're gonna have more of  you're gonna have even more meetings.  I'm just gonna tell you like the differences. So an ISSO is more like they, they both have a lot of meetings, but an ISSOs has to be more in the weeds because ISSO has to be able to say, give an example of an issue.    A vulnerability comes down the vulnerability.
 Is let's make something up.  A vulnerability is a zero day exploit on windows 2019 or something.  And  now the ISSO gets wind into this and that comes from the vulnerability team. Now they have to meet directly with the vulnerability team to figure out what's going on with this thing. And they might have to spend some time researching what the zero day exploit is.
 What's the criticality of it. Like how quickly do we need to fix this thing? They have to be in the weed. So they have to go probably go to the CVE.  CVEs and then figure out what type of what this affects. And they have to probably look at  a list of every, all the systems that this is going to touch.
And how quickly can we fix this? So there. And if so is more in the weeds in that they have to know  what is going on in a, on a technical level, they have to get more in the weeds and be more technical if you get what I mean.  They might not have to touch the system. A lot of times, they're not the ones implementing the security controls, but they're coordinating with the people who have to implement those security controls.
Compared to that, to  an information system, security manager, their meetings are more with upper level people. So they're dealing with stuff that's more broad   and stuff. That's touching the entire organization and making sure you have enough making sure the security team has all the resources in that they need all the time and resources that they need to do their work.
So your. Gonna have the same amount of meetings or more, but they're gonna be with upper level management from. Fields like you're gonna be talking to the it manager, the information technology manager who, whom  the network manager, the network engineering manager. You're gonna be talk, coordinate with them.
And you guys are gonna be talking about like resources. How many resources do we have to do this work? Okay. We just had this zero date on windows, 2019. Do you guys have the resources and time to do this? How much time do you guys need to actually get this? So  you're talking about like on a broader scale, how do we manage the resources that our team needs to get this job done?
And can we get it done and effectively  in a reasonable amount of time? And you're trying to, your main job is managing expectations to upper level management, the C level execs, the directors and all that stuff, managing their expectation. That is your main job, as well as taking care of the people  who are.
You work for the ISSOs like your job is working for the, ISSOs managing the expectations of upper level management. So you're still in cyber security, but it's more of a management. You're not in the weeds. You're not having you. You'll never, you're not ever touching any technology. Whereas in ISSO they might have to touch something at some point like, and so they might have to touch the  EMA system where they're inputting information there, they might have to mess around with creating.
 They might have to create a security policy, might help create the security policy review, the security policy. They might look at audit logs. They might. Help enable audit logs. They might be the person who's doing threat detection and stuff. The managers, they're not doing that kind of stuff. They're working on resources for the information system, security officers.
So it's a great move because it is    is SMS are ma are legit managers. And so they're paid typically paid a lot more. They're paid more. And if you.  If you're a first time manager, you'll get, you should get a pay bump. But if you have been doing a management for a while, you get a significant  pay bump, like if you've been doing it for  a year or two, then you'll be able to like, if forever you move or.
Those are the guys who eventually become directors. That's the path directly to directors and see C level execs and things like that who gets paid a lot of money. So  that's really good.  That's a really good move.  If that's the case, if that's what you're doing, then  that's awesome, man.
And Mike says  got it. ISSOs  ISSO I worked  with EAs and C  C Sam  and tenable. Yep. Tenable NEIS and all that kind of stuff. That's right. Exactly. You got it. They're more hands on   and touching stuff. Whereas managers, they're not,  they're gonna ask about, Hey, you have access to eMASS.
Okay, cool. Great.  They might look in there since, okay. Let's make sure that the system security plan is there. All right.  And any problems with the system security plan. Okay, good. There's no problems. Let's go  or, Hey  Does the new guy have access to EASs. Does the new guy have access to tenable?
Okay, cool.  Or  let me help out. Make sure that we have, let me coordinate with the person who controls access to tenable to make sure the new guy has it. Okay. The new guy  we just have some people leave. Let's make sure  that person is not, no longer has access to eMASS or tenable stuff like that.
That's the manager. They're not like putting things. Into EASs or running the scans necessarily.  Sometimes  I've been with some managers who did do that kind of stuff, but it was because they wanted to do it. And  they were very sharp, very technical, and they wanted to do it and they, but they te they totally didn't have to.
And they had other things to do by the way. All right. Let me shift gears. If you guys have any questions, go ahead and feel free to, to ask me any questions. I'm testing out this new platform. That's why it all looks a little bit different. So if you want, have any questions whatsoever, feel free to ask me in the meantime, let me show you that I have  a book out called R MF is O where walks you through  it's a bird's eye view of what NIST 800 is all.
And it's very quick, and this is actually the audio version, which is only like one hour long. And then also I've got  a deeper dive into the NIST 800 security controls, but I'm not hitting every single control. What I do is I hit the families and give you a practical understanding of what the families are and how you navigate those.
And interpretation of the families of controls. And I focus from an ISSOs perspective. What parts of that family do you really need to know? That's the kind of stuff that I'm focusing on. And another thing you guys should know, if you didn't know already is I have a podcast here. It is right here. The podcast is, I'm doing the podcast right now.
So this the type of stuff that you hear me talk about here is the kind of stuff that I actually is gonna be on the odd. But this, the difference is  on a podcast, you could just be in your car, on your commute and listen to it, or when you're cleaning or something like that, you can actually just listen to it.
Listen to our conversation as we're, as you're doing your thing. So, that's the good thing about doing a podcast? I actually really like podcasts. I'm listening to one right now, learning a new language. And I really like it. Okay. Let me see. There's another question here from Mike. He says, can I book you for a consultant for my ISSO role  ISSO role  you know what  I'm actually in the middle of a couple of other consultations, you can email me  feel free to email me and I'll see if I can  find some.
For you, I'm not saying no, but let me see what I can do. Here's my I'm gonna send you my contact. My contact is scrolling across the bottom. There is contact@convocourses.com. If you're interested in getting some kind of consulting and stuff like that, I'm  I'm getting back into the work field.
 I'm not gonna be able to do as much consulting as I was doing before.  Because my hours are gonna get tapped, but Hey, who knows? Like maybe we can do it before I actually start my job right now. I'm going through the background.  The  background investigation process. Okay. I got another questions from.
Mr.  Fernandez. He says, so I'm getting my bachelor's degree  in, in cyber security in December, I'm currently working on physical in wor working in physical security for government contracting. So I'm dealing with classified documents and D O D things  will. Will I be able to, okay, let me see the next rest of this question  to get an entry level is ISS O I think you mean ISS O job  in your opinion, yes or no.
Okay. So L Ludwig  let me give you an example and I hope that my example  can give you an idea. First of all, short answer is yes. Okay. I know this because I actually start off in physical security myself. So  I was a. Security forces member in the air force. And basically what  I was really, I was a weapon expert.
Like I don't even know if they have that, that it was called 3P0X1. That was my AFSC.  It's a specialty code that they have had in the military at that time.  I don't know if they I've been following it, but basically what I did was I was a weapon specialist  and. I guarded planes. I guarded    if the president came in to our base or whatever, I'd do that, I'd be on that detail.
 Not much personnel security, to be honest, it was mostly garden resources. And then I also did some law enforcement. So I knew a lot about the UCMJ  use of force, all that kind of  weapons, training, combat training, all that work with the army and the Marines  and all branches and  different  countries.
 Security people, but it was mostly physical security and I trans we call it cross train. I cross trained from physical security to cyber security. There's a lot of crossover. I was surprised to, to learn that.  Some I'll just tell you a few things that are gonna help you going from physical security over into cyber security into it in general.
Number one  you are, you're gonna have a very sound understanding of security overall because it's not really that much. When you get into cyber security, it's just a lot of more layers and there's, it's more complex because you got defense in depth. Physical security still applies in cyber security, which is crazy.
But when you think about it's common sense, if anybody can touch a system, then they own it. You can own a system. You can take the hard drive out, put it in another device you can use  password crackers you could use.  Oh man, you, you could  do forensics tools on it and then extract all the bits on it and figure out what people try to delete is that as a matter of fact, that's what forensics is all about.
 And speaking of forensics  some of the laws that pertain to, to you, like  when you're talking about chain of custody, when you're talking about  Making sure that things that, that  things aren't tampered with during the investigations, all those things apply.  So some of the laws still apply.
 What else applies, man?  Physical security checks, physical security assessments is it's. The concept is similar and actually is still used in cyber security. You has to still do physical security to make sure that the facility and the room that the information system resides in is protected so that all that stuff still applies.
So it is gonna help you out. And then the main thing is that if you dealt with classified documentation before, and if you have a security clearance, all of that will also help you.   To get an entry level job in cyber security. And if specifically, in information to security officer, but any kind of entry level position, because you have a security clearance, if you have one  that helps.
A lot of people confuse like security. They think that if you're in cyber security, you have to have a security clearance. No  that's not the case. Two different things. The security, they should just call it a clearance. It's very confusing. A clearance just does a background check on you to make sure that you are trustworthy to make sure that you don't have any criminal background that might that might.
Cause a conflict of interest where you're working like a bank doesn't want somebody who robbed the bank. You know what I mean?    It's stuff like that.  A hospital probably doesn't want somebody who had malpractice it's stuff. Like they don't, there's certain criminal things that not to say that you  if you had some kind of.
You had a case on you in the past that you couldn't work in cyber security? It's not what they're saying. It's basically, there's certain things that cause a conflict of interest. So I have to do a background check on you to make sure that there's nothing that might allow you to be exploited.
 Or something that deems you as untrustworthy to do that particular job. So if you have a clearance  that really helps out a lot  if you've handled classified information before that actually helps you quite a bit as well, because some people don't have any experience with that and they don't know how that world works, but you knowing that, how that world works,  that helps you quite a bit.
The main thing that you need to focus on now is technical. Because me going from physical security over to cyber security, that was the biggest challenge is learning all the terminology, learning information, technology, learning how computer works learning how Ram CPU and storage all works together.
Learning how to protect those components of  information system. Those are the main things, all the layers  and the minutia  of learning networks, how to networks work  how you protect those networks, stuff like that. Porch protocols, and services. Those are the things that you need to be really focusing your mind on the security stuff will come very naturally to you.
So the answer to your question is, yes, it will help you to get an entry level job when you get your, that bachelor's degree. Only thing I would recommend that you do while you're in school. And this is what I tell everybody is try to get experience. If you. Hands on technical experience, if you can. That means if you're whatever college you're going to, or if you happen to be in the military or wherever, whatever, wherever you're at, try to get hands on.
 If you see the, we call them work group managers, fixing a computer, ask if you can help them out. If you can, if they will allow you to help them to fix that computer, whether it's update and virus, definitions, updating the security patches, whatever it is like even the simplest thing possible, even if it's putting the router in and plugging it in or whatever, you'll be able to put that on your resume.
And the experience is what they really wanna see a degree is great. Certifications are great, but the experience is what they really wanna see.  Another thing is I would highly recommend that you, if you can, if you have the time, if you have the cycles to do it, some people do not is to get    a certification while you're working on your degree.
Degree takes a pretty long time. And sometimes the degree helps you to get the degree. If they, if you're college or wherever you're going to has a degree, a certification program, I will go ahead and take it. It's not a waste of your time, especially if you get the comp Tia, any of the comp Tia ones. If you get any kind of cloud certification, if you get  any kind of networking certifications, those are all gonna help you out a bit, a lot on your resume.
So I hope that answers your question. Okay. I've got another question here. It says  Mr. Fernandez says  and I'm a security plus certified I'm security plus certified, but I don't have  the most experience  with physical hardware. Okay. Yeah.  Yeah, that's what I'm saying is  go ahead and get as much.
Experiences you can  with any aspect of information technology. And at this point, since you're new, anything will help you out. Like whether it's help desk type stuff, whether you're  Updating, like I said, virus, signatures, whether I, the reason why I keep bringing those up, because those are  the simplest things that kind of come up constantly over time.
Like you've probably done it before you just don't it's something we do often so often that we don't even think about it, but that is something you can literally put on your resume. You just need to know  how to articul. Speaking of articulation, just to do a little transition here.  I'm working on a book right now, a new book.
That's gonna tell you how to actually break down a resume.  How to, I have a course on this already. So  if you're interested  I'm not trying to cram anything down anybody's throat or anything, but I'm working on a book. That's a lot cheaper that. It'll be about 20 bucks or something like that.
It'll have downloadable templates.  It's essentially this right here. This course right here is something  I've been using for a long time. And because of this, I haven't been without a job. I, this thing works like this process  that I've been doing, basically, all I did was to say, okay, how am I getting all these jobs?
I literally get like 10 offers a day between LinkedIn. Messages on LinkedIn emails calls I'm literally getting anywhere from, it's not as much as it used to be before COVID and now we have some kind of  a downturn in the economy. So it's not as many as it used to be, but it's at least six messages a day.
I get for different jobs and I'm just constantly getting undated with these opportunities. And so all I did was I condensed exactly how I'm able to do this into. Into a course. And I'm gonna make this into a book that tells you how to articulate your, any kind of.  Security, cyber security experience into  a workable template that is marketable to employers.
So that is what I'm doing and it's coming, I'm working on it. I actually finished the first draft. I'm getting it edited right now. As we speak the first, book's gonna be a three, the four books series where I'm gonna break down. Not only how to market your resume and not only how to create the resume, not only a template so that you can use my mys as a sample and other people's resume as a sample.
But I'm also what I'm gonna do is expand it out into other books that tells you how to get remote jobs. Because people ask me about that a lot and I'm gonna do one where it's talking about  the different categories of cyber security, because that's something I've found. People, the questions that they ask, I can tell they don't really know that there's different aspects of cybersecurity.
So that is what I'm doing.  Mike says, I bought this course from you.  You need to update it. Oh, okay.   Yes, updates are on the way.  I'm working on  a whole bunch of stuff right now. So that's  when I'm not on these calls  that's what I'm.  Okay. If there's no more questions, guys, I'm going to, I'm gonna call it quits for the day and I'll see you guys next time.
See you on the next one. Thanks for  thanks for jumping on this one. Thanks Mike. For all your questions. Appreciate it.  Appreciate all the questions and  and thanks, Mike. Thanks for the update, Mike.  I will get on that. I appreciate you later.
 
 

Copyright 2022 All rights reserved.

Podcast Powered By Podbean

Version: 20241125