Episodes

Monday Sep 26, 2022

Sunday Sep 25, 2022
Sunday Sep 25, 2022
https://www.youtube.com/watch?v=KW7gaKX_H0Y
RMF ISSO Controls: https://www.amazon.com/dp/B0B6QKT8DR SCA Course (early release) https://securitycompliance.thinkific.... 0:00 start of convocourses 02:23 Security Controls Book and SCA courses (no longer 2 usd) 07:13 Prepare for a SCA Interview (CVE - Common Vulnerabilities and Exposures 23:10) 26:51 Security Controls Book on Amazon & SCA course 34:48 Cyber Security is a great career move 40:19 ITJobs part 1 How Match My Resume with Job I want to Market My self 53:04 ITJobs part 2 Get the Actual Security Experience you did on your resume 59:09 Master Degree in Cybersecurity still no job 1:01:08 GRC and 8140 cybersecurity certifications 1:07:57 The Security Control Assessment Courses has started 1:10:20 Information Security gives Robust Cybersecurity Experience 1:12:06 How to Do CPEs for ISC2 CAP 1:22:51 Cyber security assessor role 1:36:28 Cybersecurity Community on Tiktok & the NIST 800 control book

Friday Sep 23, 2022
Friday Sep 23, 2022
https://www.youtube.com/watch?v=z-OfA-_lU6Q&
We talk about #securityclearance a lot on this one. 0:00 Podcast 0:14 Cybersecurity Public or Private Sector 15:00 How Long Does it Take to Get a Security Clearance 20:47 How do I get a security clearance if I am eligible 29:53 The Value of Security Clearances in IT 33:39 What Security Clearance Can Help in Private Sector 35:51 Does Cybersecurity Job require a Security Clearance 43:44 My experience going through TS clearance 46:33 Finding Out Cybersecurity Salary 52:42 Master Degree in a Cybersecurity Role 1:03:17 Cybersecurity with ZERO experience 1:12:50 convocourses testimonial 1:16:54 Talking about colorado 1:24:58 I recommend Program Management

Thursday Sep 22, 2022
Thursday Sep 22, 2022
This was a 2020 Live on discord and youtube. https://www.youtube.com/watch?v=VzQesvI0T1E

Wednesday Sep 21, 2022
Wednesday Sep 21, 2022
http://convocourses.com
See the video here:
https://www.youtube.com/watch?v=cStSGLLypyI

Tuesday Sep 20, 2022
Tuesday Sep 20, 2022
Full video. May 2020 was crazy.
https://www.youtube.com/watch?v=WnB2rdxQpwI&t=3s
Imagine cyber security and all our career paths being expanded into space as the space industry begins to expand. Imagine us having more opportunities in that. Industry. That's what we talk about a little bit on this podcast. We also go into details about CCIS. STIGs which is security, technical implementation guides and how those.
Interact with risk management framework, 800 and CIS controls. Now, this is an older podcast. Um, that I did in 2020, but a lot of it is still relevant. Hope you enjoy Test test audio, test audio test. All right. This is gonna be a short one. I think, welcome to convo courses. My name is Bruce, and, um, wanna start off by, um, addressing, you know, what's going on right now, as far as the coronavirus and stuff. Uh, but we're gonna dive into, we're gonna keep it, uh, to combo courses and cybersecurity stuff.
I know there's a lot of stuff, negative stuff happening right now. As far as the protests and, um, coronavirus, we're looking at a hundred thousand people, um, reported it as having died from coronavirus. We're looking at around the world, 6 million people infected millions, uh, million, at least in the us and all this stuff's going.
And I want to, first of all, I'll send condolences to, to, uh, the people who have passed away from the coronavirus and people are suffering with it now. And if, and if you happen to be out there protesting or anything like that, I mean, just man, stay safe. Um, and, uh, That's all I'll say about that. You know, it's is a pretty heavy subject and, uh, I don't normally address that kind of stuff on this channel, but I just want to address it and make sure every everybody's being mindful, stay safe out there.
You know, this coronavirus, stuff's still going on, take it serious. Um, at the very least try to protect other people. You know what I mean? Um, the people who are most vulnerable to this, to this. So, and that goes for, uh, our justice system too. Like, let's try to protect those who are vulnerable to, to the injustices and stuff like that.
Listen, let's jump right into it. There is positive stuff happening right now. And I wanna, uh, talk about that stuff. That's that's occurring right now. Namely, I don't know if you've been watching it, but the recent. Astronauts coming from a commercial aircraft, uh, commercial space vehicle flying all the way up to the international space station and then linking up with it.
And then this right here is, is really awesome because it opens up the private industry to start doing things like going to the moon, uh, or without the government. So that that's incredible bull. Uh, the reason why it's incredible for us, for it people, information system security people, especially is because that really expands our industry, the better the techno the technological field, the industries and technology do the, be the more opportunities for people like us, who are it?
People, people who are are nerds, you know, people who are geeks, it people, uh, we get more job opportunities. Um, Um, an increase of salary and, and the whole nine yards. So this is a really positive thing. And just to give you an idea of how positive this is, is that of, of, since I've been outta the military and actually in the military, I did some, some stuff for, uh, operations that are, that had to do with space.
But when I got out of the military, most of my jobs had to do with aerospace. Most of my jobs were with aerospace companies. So. It's a huge industry. And, um, and it needs, especially, it needs, uh, security compliance. Like they have to follow a very strict methodology. Right. And that's exactly what I do. And, and, and that's the stuff that I teach mostly, you know, and I, and I'll branch out to other things like certifications or more technical in the weeds type stuff.
But I just wanted to address, like the reason why this is such a positive. Is that the more commercialized, the more accessible space and aerospace low or, or orbits, or even on the moon or Mars, the, the bigger and larger that industry gets. The more mark my words, don't take my word for it. Just watch history.
Watch what happens as that, that industry expands and we are on the moon or we're on Mars, or we are on the wherever low earth or. They're gonna there more and more of these organizations are gonna crop up and more of them are gonna have to hire people like you and I, it people and security compliance people.
So that's, it's a super positive thing. I know my, my daughter had been up all night watching all the news about the, the protests and the riots and how in some cities it's going pretty bad. Uh, and she says, why are you watching this live feed of NASA? You know, instead of don't, you know, what's going on. I said, Hey, you know, this might give us a way to get off earth and she says, yeah, you know, you have a good point about that.
so, I mean, if you, if you wanna be pessimistic about it, then this is, this is an optimist spin. Is that this is a way eventually, well, just leave. Like you don't like it here. You can just go somewhere else. so, yeah, I just want to bring that up. It's it's um, something positive and, and that's why I see any kind of.
Of stuff about the, the expansion of us in the space humans and the space is a positive thing, cuz the industry is gonna grow and uh, the more the industry grows, the more opportunities there are for, for us, especially because it's, it's private, that's even more opportunities for us. All right. So somebody asking me a question and I wanna address that.
I don't wanna make this one too long, but one of the things I wanted to address. and I'll get to questions after this. I got somebody who just jumped on Alice. How you doing? She says, uh, hi. Um, can I send you my resume and for you to look at, please, may I have your email? So here's my email address. Um, let me see if I can find my contact information.
Let's just, oh, I see what happened. All right. Gimme. There it is right there. There is my email address. That's the best way to contact me. Let, just move this down a little bit, move it, move it down. Boom. Best way to contact me is right here. If you happen to be, have, uh, purchased one of my courses, then, um, I will definitely help you directly.
That's one of the perks of Purchas purchasing it directly from combo courses.com is that I will help. um, I don't have any kind of consulting or side things going on right now. I'm pretty new to this thing. So I, I haven't gotten into paid consulting or anything like that. So you have the benefit of catching me early when I'm doing it a lot, some stuff for free.
So yeah, you can send me your, your resume, particularly if you've bought one of my, uh, courses, uh, on combo courses.com. If you've done that, please send me your resume. I will check it. I sometimes I'll even rearrange it for you. I'll just make suggestions on the resume to say, here's what you should do. You know, here's some key words you should consider and things like that.
But if you're interested here, let me, let me just show you guys something real quick. I think this is a really good course, um, that I'm, that I made a while ago and I was super excited about it, cuz this concept is something that's really helped me out over the years. Here's my here's combo courses right here and I've, I've got many D.
stuff like how to get in from scratch from cybersecurity, um, and how to do risk management framework. I've got free stuff here. Uh, but the one that, that Alice is asking me about is this one right here, resume marketing. This one I'm excited about because this, the techniques that I use here is exactly what has made me, uh, be able to constantly.
Position, uh, positions and constantly get opportunities. And I still, even during the pandemic, even during an economic downturn, such as the one we're in now, and even in 2008, I was still continuously getting opportunities because of this, these techniques that I use here. So if you're considering getting into this and you want me to directly look at your resume, go ahead and check out the resume marketing for cyber security.
And it, I don't just talk about cyber security. And it can also apply to you if you're in, in different industry, really, it can apply to anyone cuz the techniques absolutely work. And if you want an idea of what I'm talking about, it's building a profile it's researching, it's finding key, creating the resume.
I walk you through all this stuff. And then I walk you through how, what tools I use online from career jet monster. And I also have something on interviewing and also. Uh, I will be adding more stuff to there that just like with all my courses, I add continuously add as, uh, as I find new things out or something comes up and I, and this is a, it is a really good thing for the course.
I'll add it to, to that course or, or, or any relevant course that I'm talking about. So go ahead and check that out. And, uh, let's get into control correlation identifier. Somebody's been asking me about. , this is the reason I have not talked about it because this is kind of, uh, this one is a bit of a, this one's very specific to D department of defense and dissa.
So, um, that's why it's kind of it's it's, it's it's out there. So, I mean, it's very specific, but what is it? Let's just talk about what this is real quick. Let me just get rid of this information here. give me a second and now we'll be addressing questions after this, by the way. So just keep the questions coming in the, in the, um, chat and I will I'll get, get to that.
All right. So a CCI or a control correlation identifier provides a standard identifier and description for each of the singular actionable statements. That comprise and information assurance, IA control or IA practice. IA is just another word for security control. That's what the department of defense calls it.
CCI or control. Correlation identifier bridges the gap between high level policy expression and low level technical implementation. All right. I can explain this and there's, there's a lot more here that it talks about here, but I can explain it in clear terms of what it means, what the CCI does is a code that identifies specific tasks that you have to do on Lennox systems on windows systems on servers, on database.
Very specific things you do on each one of these operating systems and it links these specific actions that you have to do to a risk management framework control, uh, to a security control. So I'll give you a specific, I'm gonna show you first off. Let me tell you what it is. And then I'm gonna show you, uh, in greater detail what it is.
And, uh, I don't know how deep we'll go, but it'll, it should be very. What a CCI is when we're done. All right. So first off a specific example would be audit controls, like let's say on you're on a windows 2010 workstation, and you have been tasked to turn, turn on auditing on that system. Meaning event logs.
It's gonna collect event logs for whenever somebody MIS authenticates, they, they type in their password wrong and it pops up as a Nope. This is not your. It will send an event, it'll record an event on the system and that's the control that we have to turn on. Right? Well, CCI would be assigned a specific number, like say CCI 0, 0 6 dash 5 53 or whatever that specific tag.
Uh, we'll be identifying a, a re a specific action, which is turning on audit logs and that specific action ties to AU control one and AU control dash two. So now that might not make any sense if you've never done this before, but I'm going to show you, uh, a more specific example, couple examples. um, let me, let me see if I can bring something up here.
Got a couple of examples that I was just looking at. So bear with me. So this is stuff I downloaded from the site. If you wanna learn more, I just, I am on cyber dot mill slash STIGs slash CCI. That's where I'm at right here. So if you wanna just Google it, you can just Google. CCI STS. And you'll, you'll find this, right?
So this is I'm on the dis is one of diss sites. That's why I'm I am. And I downloaded some of the stuff from here, which is, is not very helpful, to be honest with you. It's not very helpful. Um, uh, right now I'm looking for some examples that I actually had prepped. So just bear with me, give me a second and I will show you what I am talking about.
Okay. Here's one of them. So this is, this is. um, this is
a system that, uh, had a STIG viewer ran on it. And what I wanna show you here, the relevant portion is this right here. This is a CCI. This right here. Can you, can you guys see that? Let me make sure you can see that. Okay. Yeah, you can see it. I made it bigger. CCI 0 0 1 8 1 2. And what is that? Right? What's the re the reference tells us here, it's referring to a specific event that the STIG viewer and okay.
Context, a STIG is a security, technical implementation guide. What it does is it walks you through all the individual things that you have to do to secure a system. The department of defense, along with some other departments within the federal government and even some state organizations, they have this breakdown of everything that you need for best practice to secure a system, whether it's turn on audit logs, making sure you have multifactor authentication, making sure it's in a secure area and physical has certain physical security making sure it has a policy making sure, uh, you have GPOs turned on and you.
You have control over your shared files, networking file protocols, making sure you have certain encryption turned on and or updated though. Each one of those things and there's that mil, thousands and thousands of others, maybe millions of others that are individual tasks on windows, on red hat, on every operating system.
You can think. It has security controls. Right? And so what this department of defense does is they create these STIGs security, technical implementation guides that breaks down all the task and they made it so that it's, they made it easier for you to make like a, you can make a script that automatically goes through and fixes all that stuff for you.
And they actually have some scripts that you can use to actually fix that stuff automatically. But this is a you're looking. Some stuff from an actual STIG. And it's the rule title. The thing that it's trying to fix is on a windows, 10 guy, uh, system, and it's for a windows installer will always install with elevated privileges.
This must be disabled. So by default, a window system will automatically elevate privilege. to, uh, to, they're trying to make it easier, more user friendly whenever you, uh, install something. So it just automatically gives elevated privileges. But the problem is that's an that's something that can be exploited.
So the rule that the stick came up with best practice is to turn this off. So when you turn, when you turn the system on you installing it, it, you gotta go in there and turn it off. Okay. So discussion standard user accounts must not be granted elevated privileges. Because, and the reason for that is you want least privilege that what that means is, um, AC I'm not gonna remember C five.
I think it is it's either AC five or C six. And I don't, I don't remember which one it is, but it's the standard of least privilege. Meaning you, you only give users. Standard users, privileged users, operational users. You only give users what they need to do their job. You don't give them anymore. So windows by default and even Lennox does this will give extra privileges that you don't necessarily need for this specific environment.
Now, there may be instances where you, you can give more privileges. It just depends on the environment, but let's dive back into this. It says the standard user. Must not be granted elevated privileges, enable windows installer to elevate privileges. When installing applications can allow malicious persons or threat actors and applications to gain full control of the system.
So if this thing is turned on, somebody with mal with malicious intent might exploit it by, by granting, elevating their own privilege. Right. So we have to disable this thing. That's what they're telling us. And then they tell us specifically how to do it, where to go in the actual system to disable, always install elevated privileges.
And it's telling us to go to computer configuration, administrative F uh, template, windows, component, windows, installer, and then disable, always install with elevated privileges. And I hope that makes sense this right here, what everything I just read is a CCI. All right now, let's talk about how CCIS this specific task on a specific system links to N um, N uh, 800, uh, security compliance controls.
All right, here it is right here. This reference explains it. So at first of all, it has a, it's a, has a, a unique identifier. Every single CCI has a unique identifier. In this case, a CCI 0 0 1 8 1. And what is it telling like in one sentences explains what it is. The information system, prohibits user installation of software without explicit privileges, uh, privileged status.
That's what it does. And it links to, and the references, it tells you it links to this nest 853 rev four is going to rev five soon, cm, 11. so cm is, is dealing with configuration management. Configuration management is dealing with, does our organization control? Does the security posture of our, of our or environment in layman's terms, in layman's terms?
What I'm saying is a cm control is having a inventory of everything that's on your network. Like for example, in your own. you know, you already know you got three computers, right? Your kid has a computer. Everybody has a cell phone and you have a router down in the basement. That's it? Right. If you suddenly were doing a scan on your network and you saw 15 other systems on your network, that would give you grounds to freak the hell out.
Right. cause that you don't know what's going on. So in the same way, an organization needs to know everything that's going on on their environment. They need to know what networking devices are on their network, all the nodes, what their IPS are, what systems they have, what vulnerabilities they have. They need to know all the software that's in their environment.
Right. They need to know if there's wireless, if there's other connections coming into their. They need to know everything that's going on with their network. And that's where a cm control comes in. So cm is controlling your environment. That's all it is configuration management, managing my configuration of my organization's systems because we have very important stuff going on.
That's that's cm. And so they're saying that this CCI links to this cm 11. So if we go down the. Let me see if there's anything I else I can show. Okay. Here's here's what I'm gonna do. I'm gonna actually bring up a STIG. This is a STIG viewer right here. This is an application you can download for free. Go to DISA a DISA dot mail, uh, or just Google a St.
Viewer. And this is a automated it, it's basically a little app that will grab all of the security, uh, CCI. Everything you're supposed to do on a window system or on a Linnux system or a red hat, whatever system and says, okay, have you done these things? Right? So that's what we're looking at here. So I've already taken Liberty to downloading a windows 10, uh, security St.
And one of these days I'm gonna make a whole course outta how to, how to do this. This is something I've been doing a long time, so I know, I definitely know how to do it. So here we. Um, and I can explain, break all this stuff down. It's it's pretty involved, um, special if you're going through all these. So this right here, what you're looking at is windows.
Um, okay. This is not showing me, us everything. So I'm gonna make this a little smaller so you can see everything going on here. There you go. Hopefully that's clear to you. That's okay. There we go. Right there. So right here, we're looking at window. The last one I showed to you was an, was a screenshot. This is an actual STIG that I pulled down.
Um, not from a client of mine or anything like that. would not show that. So here's, so we're clear. This is just a random STIG that I downloaded from this dot mail. And then that's what we're looking at. This is generic. So, uh, what I wanna show you is. This first CCI, this is CCI 0 0 0. Here's where I'm getting the number from right here.
If you could see my cursor where my curse was pointing, right, right there. is CCI 0 0 0 360 6. Organization implements the security configuration. And what is it linked to? There's a few of them cm, six cm, uh, six do one, uh, and, uh, cm, six B what are we doing? What we're doing is looking at the domain. Joined systems.
Must use windows 10, uh, enterprise edition, 64 version. and it goes in a deeper discussion on what, what they're wanting want, what they're wanting as far as how to meet this particular, uh, STIG control and each one of these, the way they break it down. So, okay. Let's, let's do a little bit of a tour here.
There's a couple of numbers here that, that I think you should know. So let's look at this one right here. This vulnerability, I. Vulnerability ID identifies each individual potential weakness of a system. It's saying that specifically the weakness, uh, on this system is this is X, right? And, and the rule name is attached to a w N windows 10 dash.
right. And each, each one of these vulnerability IDs attached to a specific weakness that has been detect that, um, that needs to be addressed. Right. And so you can manually go through each one of these. So one of the things that you can do as an information system, security officer, one great tool you can use better than nothing is to run this stool, this run, this STIG viewer and have your system.
By your side, right? You have your system right here. You have your system here and you're looking at each individual item manually going through one by one by one to fix everything on your system. Another thing you can do is, is run a, a script that fixes all these things automatically. Right. And, and I believe there's tools.
I, I wanna say that there's, there's something called, um, uh, SCC or. Checker software that, that, uh, you can get from department of defense, that, that has something that will fix it. It'll scan your system. You, you load it on your, the affected system. Uh, and then you scan it'll scan and, and see what STS, what individual CCIS, what vulnerability IDs are not being met on your system.
And then you would go through manually and fix every, all those items. Now. There's a couple of different things here. How does this help you? Um, as an information system, security officer, if you don't happen to be actually installing these things, how it helps you is that if you have the report from this thing, you'll be able to know, okay.
When they did a scan, they found, let me just find that whole different CCI here, that we can talk about something that.
So let's say you're only doing documentation. You can take something like this, this scan, and you could, uh, this would be like an artifact or a bit of evidence stating that this rule has been met. And how's the rule been met, you could say, right, right in here. It says, uh, that first of all, it is a windows ink workspace.
Consider. Uh, uh, sorry. Uh, workstation ink works, windows, ink, workspace configured, but disallowed access, uh, above the lock. And it tells us how to secure it. Securing windows ink with, uh, which contains application and features oriented towards, uh, the pin towards pin comput. I, I have no idea what this is. I have no idea.
I have no idea what this is. This is some oh, pin, like the pin you E enter into the system. Okay. Okay. Okay. I'm just making more sense to me. So this is showing us how the scan, how, where it would be scanned at, like, what value is would you be looking for? So it's saying that you would go into the registry back into the system and then.
If this was turned on, and if you're doing a scan, it would check for this item in the registry keys. That's what it's saying. That's how I'm understanding it. And it's saying the fix action is disable the convenience pin, uh, sign in. So we don't want you to be able to sign in with a pin because that's too easy to exploit.
So here's how we fix that. That's that's what they're saying here. And it breaks it down exactly how you actually fix it. So. If you were doing the documentation for this, there's a couple things you could do. You could use this to explain what the weakness is. Let's say your organization didn't do it. You could use this to break down where we are not meeting specifically how, uh, what's going on.
Or if you wanted to prove that it, that it's been fixed, you could go through and do a screenshot of what, of, of this feature, or if you were doing a. you could run a scan and say, look, here it is right here. The windows 10 CC 0 0 0 3, 8 85 has been met. And that covers, uh, cm seven right there, CCM seven. So, and you could do that on many of these different items here that we have here and.
go from, they run the gamut from going this one, C, C uh, S I 16, you got some AC IA controls, you got different controls. So it's telling you here in the CC, uh, in this reference where these map to each one of the security controls, and that's why super helpful you as an information security officer. If you happen to be one you're looking for, how can I.
These security controls. How can, how does our organization meet this particular security control? So this is just one way. If you happen to have a window system or a Linux or whatever it is, right? Cause they have, they have these for every kind of system. All the main systems are, are, are covered by the STS.
You can use this information to figure out if you guys are meeting this particular control or if you're not meeting control and how to. So I hope that that makes sense. Um, I kind of, I feel like we, we kind of went overboard with it, but at, at some point, what I would like to do is actually take a system and secure the system, using the STIGs using the SCC tools and everything, but that'll be a whole course cuz that, that all that stuff takes a bit of time and set up and all that kind of stuff.
I'm actually setting up some stuff on the back end here, but um, it's gonna take me a while to set all that stuff up. if there's any questions we can address those, but while you guys are coming up with questions, I would like to show you something else real quick. Uh, another very useful thing with ma with having a matrix or having these individual vulnerability IDs and CC eyes and all these things, or how they all come together is beautiful because there's something else where these same control.
Map to, um, a more commercialized version of controls, which is CIS benchmark controls. These controls are used by a lot of private industry stuff, private industries, some banks, and some other industries actually use these controls rather than the nest controls.

Monday Sep 19, 2022
Monday Sep 19, 2022
Hey guys, this is Bruce, and welcome to combo courses, podcast. I'm doing an experiment where I'm doing daily is here. We'll see how this goes. I don't know if I'll keep this or maybe I'll do this twice a week or something like that because it hasn't been that bad. I got so many things. I can talk about so many questions to answer, but right now I wanted to focus my time on the categories of cybersecurity.
So a lot of times. Industry people think that cyber security is all about. And I think it's all about just hacking or something like that, something to that effect. And those are the things that are popular, just Hacking or pin testing or programming another one's for digital forensics.
People think that's all that there is, but in cyber security, not just I've been doing this for a very long time. I've done everything from the technical side where I'm actually configuring systems and installing systems and that kind of thing. But I've also done the, more of the management type side.
And I want to tell you that there's. So many different. Parts to cyber security. And when you see somebody talking about hacking or whatever it's very glamorous, but that's a tiny fraction of the whole spectrum of cyber security. It goes very deep. So if you're actually trying to get into this career path, cuz it pays very well and it does then I, what I wanna do is introduce you to some other categories of cyber security that you may.
Know about. And so one of there's an organization out there and it's from nonprofits and the government and a couple of private sector. They got together and they broke down the different categories of cyber security that need to be addressed. And it's not just. Cyber security by itself. Some of it is you can have a system administrator who does cyber security, that also accounts for this one.
And I'm gonna explain that in a second. If you stick with me, you'll understand this and you'll understand, especially if you, this is particularly for you. If you are trying to get into cyber security, if you're interested enough to want to be a part of cyber security in this field. And if you've been thinking about getting into it, I'm gonna show you the whole spectrum of cyber security.
Let me show you. A framework called it's called the workforce framework for cyber security. And if you didn't know about this is something the federal us federal government has been using for years now to figure out what categories to put people in and what kind of training that they need to do in order to be in these different categories.
And from a bird's eye view. Let me. Switch my screen over here on TikTok. Feel free to ask me any kind of questions. I'll be doing this for about 30 minutes if you're interested in this, but let me show you what I've got going on here. And I'm just so you know, I'm broadcasting on a podcast, but I'm also doing so I, I will explain what we're looking at here, but you can watch this on YouTube and Facebook eventually will put this on Facebook.
But here we have all the categories. Now there's seven different categories at the time of this recording. There's analyze. There's collect and operate. There's investigate. There is operate and maintain, overseeing, govern, protect, and defend and securely provision. And what I wanna do is give you an example of each one of these seven categories, cuz each one of these breaks out into specialty areas.
So for example, analyze breaks out into. What you call exploit analysis, language analysis, target analysis, and you'll see that some of these don't look like cyber security topics, but they, in fact they are now, if you happen to be dual bilingual, if you happen to know another language Very fluently.
You might actually be able to very quickly go into something called language analysis, which we'll briefly touch on in a second. But what I wanna keep this kind of high level right now, just to show you the different specialty areas. Now there's about, I don't know, 30 or 40 different specialty areas.
Each one of these categories of cyber security breaks out into these special specialty areas now in collect and operate, you'll see things like cyber, operational planning, you don't think that would have a lot of hands-on stuff and it actually doesn't. So let's keep going here.
And when I say hands-on, I mean like somebody who's actually configuring a server or setting up a network and stuff like that, cyber security is not all just about that. It's a very broad area. It's a very broad umbrella. So investigation is what you might expect is digital forensics, cyber investigations.
Threat hunting, things like that. And we'll cover that in a second operate and maintain. This is what people normally think about when they think about system administrators, data, administrators, network services, that's their network engineers, things like that. These guys are in.
Cyber security in that they have to do a lot of cyber security-type activities. They're not typically seen as cybersecurity people, but they have to do a lot of things in cybersecurity. As you might expect when they're installing patches or things like that. Overseeing govern. So this is what I do.
I can speak extensively on this, but this is a lot of management type stuff. Cyber security management. This is your C level execs and it even includes legal and program managers. This is something I would very much like to talk to you about because program management requires a certain level of emotional intelligence that a lot of it people do not.
Okay. And I, it's a very important a very critical piece of any kind of system engineering, any kind of major cyber security projects, anything the organization is doing that where they're spending a lot of time, money, and energy, and a lot of resources. They need a program manager. I'll get off my soapbox on that one, but it also pays very.
And that's something I talk about a lot on my site program management is a big one. Okay. Anyway, let's keep going. Let's keep it high level protect and defend. So protect and defend. Is dealing with a cyber defense analysis, just to name a few incident response. That's a huge one, vulnerability assessment and management.
Huge, but that's for protect and defend. So you see, this is not all just firewalls. This is not all hacking have I haven't even mentioned hacking yet. That's how big this field. And there's some things that are not even included on here. Like cryptography, you don't see cryptography on here, but cryptography is considered part of part of cyber security.
And I would argue that the cypherpunks, the guys who created The concept for Bitcoin and all that kind of stuff were also very good cybersecurity people anyway. So securely provision. Now this one has to do with risk management, software development, system architecture, that sort of thing. So you can see, what I wanna do is just show you.
The high level here. There's many different categories of cyber security and it's not all just hacking. It's not all just programming. Yes. Those are part of what we do. But in the major scheme of things, like when you look at the big picture for all of this it's a very big feel. And I wanna just explain to you why if you think about it, it really makes sense when you go to your bank and you are trying to send a wire transfer from one.
Using ACH to another bank, right? Or you wanna wire something overseas or whatever the case may be. The bank has a certain they have certain protocols and procedures and certain policies that they have to do in order to secure your information to make sure that the $1,000 you sent from one bank to another, or from, to your, whoever.
Wherever you're sending it. They have to make sure that information is protected. The rules and protocols and procedures and the legal system. All of the things that come together that is known as secure security compliance. Now the financial industry has a different set of laws, as you would imagine than say the healthcare.
The healthcare industry is protecting your healthcare information, your digital, if it's that information is digitized, they have to protect that information, right? So they have a whole different set of laws that are completely different because it has a different has a different, it has, it requires a bus different business solution than say a bank.
If you think about it like this, the government, the federal government, who's protecting your social security number. They're protecting your, I don't know. They're holding, making sure that things like the DMV, if you're talking about the state they have to protect your personal on for information as well.
and making sure that's, of course there's all kinds of leaks and all kinds of hacks and all that kind of stuff going on, but they have a whole different set of procedures and rule sets and laws that apply to the federal and state government. And that's also called security compliance.
Security compliance is in every industry. It's in every state, it's in every jurisdiction, it's in every county and it's in every country. Each country has their own set of laws that pertain to. And all of us, all of them have different solutions that they need for their particular situation. So one would imagine as you can probably imagine, there's a lot of security that has to be done for that.
And it's not all hacking. Like you can see how hacking is a tiny drip and a gigantic ocean that is cyber. Cybersecurity is a very huge field and that's why you have seven different categories. Now, what I wanna do is kinda give you a practical understanding of these seven categories. Now let's start from the top here.
I'm gonna give you a specific example of where you might have seen this on TV or in a movie, or relate it to something you can understand here on a practical way. So let's start with analyze the first category we see on the top here is analyze. Has these specialty areas right here. Now, if you break these down and if you wanna go to the site, by the way, if you happen to be watching me on YouTube I have a link to where you can actually follow along.
The actual site. Is there in the link now analyze, let me give you a practical understanding what analyze is now. When I was in the military, we had, when I was in a combat zone and we have we had languish analyst. Whenever we and the reason why we had these language analysts was because we can't understand, say if say a another country is attempting to hack our systems, like they'll put some code on our systems and that code has to be in Ukrainian or in Russian or whatever other language you need a language.
To actually figure out what is being said in that in that code. And that's why a lot of times they figure out, oh yeah this hat came from Russia. This hat came from Ukraine. This hat came from whatever country, because you have an language analyst who has they're multidiscipline in language languages, where they can figure out and decipher and figure out like what's going on.
They'll have like different tools. That'll help them to decipher what's going on with that, with whatever hack is going on. So this is actually a part of the analyze category. Let me give you another example, threat analysis. Now this is a big one. So a cyber threat analysis is something where what you're doing is.
You're trying to detect and figure out where a company might get hacked from an organization might get hacked from, and it sounds impossible. Sounds crazy. How can you figure out where threats are coming from? There's some ways to do it. So if you think about like this right now, somebody might be trying to hack, I don't know, I'm just pick something off the top of my head.
They might be trying to hack Walmart or something. Wal, what Walmart can do is they can have somebody scour the internet. Do search conduct searches or create a tool that goes out and. Does a web crawl of the internet to figure out okay, who is mentioning Walmart who is talking about it on social media?
Who's talking where are the communications that are in the public domain to figure out who is talking about us so we can figure out where those threats are coming from. Because a lot of times when these, before the attack even occurs, these criminal hackers are talking amongst each other on the dark web.
About how they're gonna attack or they even already had the attack. They already pulled the information from there and they're selling Walmart's emails. Now this is just an example. I just, so you know, I don't have a client with Walmart or anything like that. I don't have not interacted with Walmart's cyber security.
I was using them as an example and I'm unaware of any current tax or anything like that. Just, this is just an example, but that is what threat warning analysts do. And this is something I did at my last job, as a matter of fact, that was one of our jobs was to do threat analysis on companies to figure out what's going on.
And this also pertains to doing cyber looking at terrorist threats for whole countries, by the way. So that's analyze an analyze goes into analyzing information, analyzing targets, analyzing threats that might be coming to a cyber security through, to an organization. There is, there can be some hacking involved.
There can be times where you have to know a little code, but language analysts don't typically know code, and then all source analysis. This goes straight into just intelligence. This is normally what you'll see in like intelligence organizations where they're gathering actual, actionable intelligence from other.
From multiple sources, putting that information together to figure out, okay, we have a terrorist threat here. We have a terrorist threat there. We know that we have advanced persistent threats here and there. We have some, we have reason to believe we have human intelligence people on the ground where they've gathered this or that information to figure.
Who's gonna attack what, and a good example of this one would be that if you've ever watched a mission, impossible the ghost ghost recon, that one, they have, they talk about this type of job all the throughout that one. The as a matter of fact, they have one of the characters is an analyst, and this is the, what they're talking about.
This is somebody who. Who pulls information from different sources, different intelligence sources puts it together and figures out. Okay. We know that there's a credible, there's a probable attack. That's gonna happen over here, over there, based off of all the Intel that they've gathered in the field.
Okay. So we beat that one to death. Let's keep going here. So that is analyzed and that's in cybersecurity. Then we've. Collect and operate. Let's look at this one. So here's the specialty areas with collect and operate. Now, what are we talking about here? This is also dealing with a lot of intelligence, this, a lot of govern department of defense and some of the other three level organizations will have something like this cyber operations, where they're also looking at real time threats.
They're looking at foreign intelligence entities. So this one's very much related. To what we were talking about here analyze a lot of times we'll see these in security operation centers, a security operation center, especially the ones for that work for different governments.
They're very large, they have a large. Office where you have all these giant screens going on, you see these in movies, like when they were walking in and it's like, what's the threat and there's a, there's supposed to be a bomb here and they're trying to figure out like, what's going on. so a lot of times they're talking about a cyber.
Intel planner. These are the guys who put everything together. And if I could just read through some of this details here, it says, develops detailed intelligence plans to satisfy cyber operations requirements. So these are the guys that are managing all the information that's coming in and how we're gonna, what we're gonna do once we gather that information.
So that is collect and operates, dealing with a lot of Intel type stuff. And You see it in movies and stuff like that. That's, it's not like the movies to be honest with. It's pretty boring. But okay. Investigation. Now, this one, if you ever seen the show CSI, this is. It, the digital forensics, not necessarily the scientists scientific forensics where they're trying to figure out when a person was murdered, based off of the insects that are consuming the corpse or whatever, sorry to be so crude, but that's forensics, digital forensics is a little bit different.
This is the people who will take a computer. A lot of times they'll work with law enforcement and stuff because they're dealing with very heavy issues. I don't wanna get flagged for talking about some of the stuff that they find. But if you're talking about digital forensics, you're only talking about a few crimes major crimes that are gonna have to necessitate a digital forensics guy, major crime murders, and assaults that were caught on fi on, on digital media.
And somebody try to hide some. Illegal contraband on their computer and try to do some illegal transactions using cryptocurrency or something like that, and they have to trace back. Where the cryptocurrency wallet it's went to, or they have to figure out see if somebody was using some illegal pictures or images on their computer, but they try to erase it.
But with digital forensics, you can actually extract that from the ones and zeros on the hard drive. That is what we're talking about when we're talking about investigations. So they work a lot with the law, with law enforcement, they work a lot with with The with law they might have to do things like what you call it.
Chain of custody, where they have to make sure that the hard drive that they're investigating can get to trial and not be tampered with and things like that. So that's investigations then you have maintain and operate. So what is this one maintain and operate is this one's pretty self explanatory.
Once, once you see some of the job titles and stuff in here network services, that's like the people who install, configure, test operate, maintain the network, the firewalls. The switches, the hubs, they, they say hubs here, but not many people use hubs that much anymore. So that's funny, but system administrators, these are people who install, troubleshoot, maintain the servers and the configuration files and make sure that the config, the confidentiality, the integrity and the availability of the system is protected.
So yeah, that's that is maintain and operate. Then you've got overseeing governor. I could talk. My entire site is about this one specifically about cyber security management. Cause this is what I do. And this is when I, when we were talking about this in the beginning, we were talking about what exactly what I'm doing, which is.
This right here, information system, security manager, actually, I'm a my specialty is information system security operate officer, but management's something I do as well. So it's security. Doing cyber security for the whole organization, making sure that the cyber security of the organization is sound making sure the documentation is good, making sure that you've got all the system security controls are in place, things like that.
And you have to work a lot with the C level execs, high level security people within the organization. Doing a lot of coordination talking with the program managers, talking with the subject matter experts on the firewalls, on the networks, on all that kind of stuff, to make sure that we, as a team in the organization are doing what we're supposed to do, whether that's doing PCI compliance or HIPAA compliance or whatever industry standard we need to meet, that's what cyber security managers are doing.
And. COMSEC manager. These guys manage the cryptography, the crypto keys within an organization. So that is one, that's just one of the specialty areas that we're talking about for overseeing govern. This also goes into C level execs, your CIOs, your CIS OS with chief system security officers, or your chief information security officers, your C level execs, you're legal people.
You don't know often see legal people. Lumped into cyber security, but here it is right before your eyes. I'm telling you, the point I'm trying to make is that cyber security is not just programming. It's not just hacking stuff. It's also, it includes legal advocacy. Because the organization has to protect its reputation.
If somebody's defaming the organization, right? Their reputation is at stake. Who do they go to? You go to your legal team. Your legal team is, has to determine, okay, did these people defam? The, our organization are these, do we need to do a cease and desist order on this website? That's trying to. Do what's called typo squatting.
That's where you let's say google.com, but some somebody creates a site called Google, whether E and the L are transposed so that people, whenever they miss type Google, it goes to their site. And then they take you to a, some malware or something. Some other site. So are, do we have a legal case?
For the protection of our reputation or not, so legal is also where you would talk about, okay, we need to develop a privacy notification. We need to develop a a, something so that some, a non-disclosure agreement for all of our users who come in that's legal department. They, so they're very much involved with things like.
Privacy notifications that pop up on a website whenever you've gone to a website that privacy notification pops up, that's serious because the organization doesn't wanna be liable to, they don't wanna get sued because they released your information without you knowing about it without you, knowing what you were clicking on.
So they have to go to the legal department for that kind of stuff. Cyber security includes that kind of. So let's keep going here. I wanna show you a few more things and I'll keep it a little bit briefer on the next ones, what we do. So that's overseeing, govern. Let's go to the next one, which is protect and defend.
This is one of my favorite ones, cuz this one, excuse me. This one includes cyber defense analysis. In a past life. This is what I did. And this is, this one is really fun. I really love doing this one. This is people looking at logs. It looks like the matrix. Like they'll sit there and they're watching a screen full of logs go by and they're trying to figure out what is, if there's any kind of attacks going on in, on their, in their environment.
If there's some, if. Malware happening in the environment. Like it, it actual infiltrated the environment, or if there's somebody doing something they're not supposed to do, you could pick that stuff up in the logs. If you know what to look for. And they're looking for certain patterns of behavior inside the logs, that's reflected in what's going on.
Cyber defense analysis is where you would do that. It's picking up the IDs, intrusion detection, intrusion prevention, the firewall logs, the network, traffic logs, all that stuff. And it's making a determination. And these days you can do it a little bit with artificial intelligence to help you out, to help out the actual cyber defense analysts.
So that. What we're talking about with that's one of the things that we're talking about with protect and defend another huge one is incident response. That's a big one. And then vulnerability. These are like whole. Industries, by the way. This I'm briefly mentioning the names, but this is an entire industry in and of itself.
This one incident responses is own thing. And so it's vulnerability management. Okay. Let's go to securely provision. And this is the last one last, but not least this one's getting into risk management. This is something I do a lot. This is my whole job right here. Risk management. This is making sure that the organization is within a acceptable level of risk because every system that's out there, every single system, no matter what system it is, has some certain level of risk that they have to operate with.
And so risk management is just simply making sure that the risk is not too great for them to operate and not the risk. If a system has too much risk. It's too much exposure to their critical systems, then they can get, they're gonna get hacked at some point, they're gonna have a breach at some point, if your risk is too high.
So you need risk management as a specialty area, software development, whenever you develop software, you gotta make sure that software is developed securely so that you don't have any major breaches. A lot of the breaches that happen especially with zero. It's because of software issues, that software that wasn't secure and that's all in securely division securely provisioned rather.
So there's other things in here and the whole point I'm trying to make before I close this thing out and I'm almost done here is that cyber security is a huge, it's a huge field. It includes everything from manage. Program managers are very integral part to cybersecurity. It's a whole different discipline.
They do not have to have hands on stuff. They do need to, at some point, understand the organization's process on how software is developed, but not necessarily no Java or no C plus, or how to actually code or how to use the coding libraries and all that kind of stuff. They don't need to. They need to know the organization's process.
They need to know things like agile. They need to know things like what's the other one, scrum. And and things like that, processes that allow an organization to get to securely build the system securely build the software, develop the software, things like that. They need to know. So it, this includes C level executives.
This includes like we said, manage. It includes risk risk management, managing the risk effectively for an organization. It includes an, a lot of analysis. It includes all of these aspects. So whenever you think, whenever somebody says cyber security, just know it's a huge field, and it's not just one thing.
It's many different things. Okay. That's it for this one, guys. Thank you for watching me. I really appreciate it. I'm trying to do these lives. Daily. I'm I've got one on YouTube coming tomorrow. I'll try to put this on TikTok as well. I try to put on as many platforms as I can tomorrow. I do these at least once a week on Saturdays, one o'clock mountain standard time on YouTube.
I've got a podcast it's called pod combo courses dot pod, bean.com. And if you go to combo courses.com, there's tons of downloadables tons of free stuff. It's free to actually sign up there and I'm always giving out stuff like this where I don't expect you to pay me anything. I'm just giving you out information so we can get.
More people where they can take care of their family. To me, that's the name of the game you taking, being able to take care of yourself and being unable to take care of your family. That's the name of the game? That's why I teach people how to get into this field, how to make more money in this field and how to have security in this field.
Financial security. A career security so that they could take care of themselves and their family. All right, guys, that's it for this one. Thank you so much for watching. I really appreciate everybody. Who watched and I'm sorry, I couldn't get to your questions this time. Maybe next time.
We'll attack those questions. Peace.

Sunday Sep 18, 2022
Sunday Sep 18, 2022
http://convocourses.com
All right. I'm testing a new platform called stream yard, and this is convocourse's podcast. I'm gonna do about, I don't know, 20, 30 minutes to test this out and also to inform you guys of a career move I recently made. I haven't really talked about this. But about three months ago I was working as a cybersecurity consultant and that's much different from an information system, security officer.
So in the past, Three four months. I made a big Mo well, not really a big move. I I've, it's not a big move for me. I've done both jobs before, but all I want to do is compare the two kind of give you an idea of what the differences are between cyber security consultant.
And what I'm going to be doing with information system security officer work, and what's the daily life of both of those things. How do they compare and give you an idea of which one you should choose before I start, you should know that I own a site called combo courses where I teach cyber security compliance and how to get in this field as a cyber security person.
I've been doing this for 20 years, doing cyber security in all forms of security, as well as some it information technology stuff like being a system admin or network. Administrators, stuff like that. I've done a little bit of all that stuff. But my specialty is really in security compliance.
And so that's what I teach people to do. And. People ask me on YouTube, on, on TikTok questions. And I'll just go ahead and answer them and by the way, if you have any questions during this feel free to ask them and I’ll do my best to answer. them sometimes we have such a great community that they'll actually answer the questions on my behalf.
There’re things I don't know. So, somebody, some other subject matter expert will jump in and then answer those questions and. My favorite times on this, on convo courses, because that's what convo courses in my mind is all about is about the community and us coming together, figuring things out. Okay. So, I wanted to tell you recently I made a huge move.
I was working at a major telecommunications company that does cybersecurity on the side. They have a branch that does cybersecurity and I did it because it was a great opportunity. One of my former coworkers. Gave me a they referred me and brought me into the company. It was a great company.
They had great benefits. It was some of the best benefits I've had outside the military. It was decent pay and the only, probably bad thing was that there was a lot of travel and that eventually was the thing that got me out of there. And it was stressful too. And I was how having too many personal issues that happened at that at the time that I was working there, I worked for there for about two and a half, three years, and I was doing cyber security consulting for them.
So, what we would do is we would. We bring our expertise to smaller companies. We go to, and it's a lot of companies and banks and hospitals and healthcare industries that you probably use to be honest with you. that? I Some of I was surprised were like, damn, I use this. We're doing security compliance for them.
And the security compliance it wasn't just security compliance. It was basically, we would do a bunch of We would do a bunch of risk assessments and those risk assessments would be things like be we had 15… different risk assessments. So, 12, 12 to 15 different risk assessments, depending on what they chose.
So we would do things like physical security assessments we would do. Of course, network security assessments. There was like three of those. We did cloud-based security assessments. We did… We did wireless security assessments. We take all of those and we would give them an overall view of what their security looks like.
And then we would prioritize where their major risks were. And then we would talk to the sea level or director or upper-level management to say, hey, this is where you should focus your energy because this is where we see the most risk. And the purpose of that was to reduce their. Their security any kind of vulnerabilities they have, and they can focus all their time, money, and energy and resources to that highest level of risk in their organization.
That's what I was doing. And it wasn't too bad. I actually liked it. I fit right in over there. The only I, we would do these reports, which were really easy for me, the. Challenging thing I found was sometimes the clients were a bit difficult to work with and it wasn't that they didn't know what they were doing or something like that.
It was just very high strung because cybersecurity. It could be very stressful because you're dealing with you. If you have a vulnerability, a major vulnerability and you have to take that to the C CEO and say, Hey, we have. We have a bunch of legacy systems that are in this area here, there's a lot of stress because you don't want to be the person that to, to barer of bad news, and we'd find those things and we'd say, Hey.
You have this stuff going on. And there was just a lot of stress with that. That's probably the hardest part of the whole thing. The travel wouldn't have been a big deal if I hadn't had so many personal issues happening with my family, kids and everything that just all happened at once. So, I had to unfortunately had to leave because I actually really loved the people and everything.
What did my daily life look like? We were mostly going off east coast time for me, because that's where most of my clients were. They'd give us like two or three clients. And then you would work directly with them. So, most of your day was coordinating. The scans and the assessments that you'd have to do, if you had to go to their site, you'd have to coordinate that.
And they expect you to go do that on your own. It was very self-directed where it's you have the client, like you'd run the meetings with them. You'd coordinate when you're going to go there. You'd coordinate how many hours or how much time it would take to get there and who you're gonna meet and all of that stuff you'd have to do.
And then the scans, we had a, like a separate scan team. We'd work with the scan team. We'd work with the program. Managers we'd work with them and we'd put together this report to deliver. On a quarterly basis and sometimes annually, it depends on what kind of assessment it was. Because obviously you wouldn't do like a physical assessment every quarter.
Because I didn't, that wouldn't really make any sense because it stuff doesn't change. But anyway, so that's what we would do. It is mostly meetings and coordination and doing scans and reviewing the scans and then writing reports that's your, that was your whole day as a cybersecurity consultant at this organization.
I was with where. The main thing we did was deliver these reports and we would do really, most of it was risk assessment type stuff. And I was very familiar with that because in the department of defense, we do a lot of security assessments and stuff. So that's very different from where my main core specialties are, which is security compliance.
We would dabble a little bit in security compliance like every now and then. We I would help them do like a PCI compliant PCI audit or something like that or we'd say, okay here's how you, your system would fit into eight NIST 800 or here's how your system would fit into CIS controls.
You do a little bit of that, but that wasn't really what we're, that would, it was separate from what we were doing was mostly risk assessment type stuff. So seeing where their risks are and determining that. Now that brings us to the next thing, which is information system security officer. So information system security officer is more in compliance.
It, the compliance space, security compliance and security compliance is making sure an organization is lined up with regulations, laws, industry standards. That doesn't have to be the federal government, which is mostly what I work with. It can be with hospitals have a certain standard that they're supposed to meet.
One of which is called HIPAA, where they have to make sure that they're protecting their patient's healthcare information and their digital records for the healthcare and stuff like that. Another example of industry standards would be PCI compliance. That's protection of. Of credit cards. So whenever you are at a store and you're using your credit cards, they're supposed to have a separate network for those point of sale devices.
So that doesn't touch, say the wifi that's in the that's for the staff or for guest to log in. So that has to be a separate protected network so that the credit card data has its has, is protected. So separate from your. Other networks. That's just one of the things you have to do.
Another things you have to do for PCI compliance is have the adequate documentation for the security of the system. Like making sure that net, we have network diagrams and making sure you have asset and inventory of all the assets, things like that. Those are all the types of things that you would have to do for PCI.
And that's, those are just two examples, but you've got CIS compliance. You've got. ISO 27,001 compliance. You got many different countries have their own security compliance and different industries like have their own compliance. So my, my specialty is in NIST 800. Security compliance NIST 800 is what the federal government has created and adopted as the main source of security controls.
Sec security controls is a set of security features that protect the organization's. Primary assets. That means like your main server that has all the social security numbers on it. Your main server that has all the secret secret data on it, the main server that's holding all the maps of different parts of the world.
Those, that's what you call an asset. So those are just some of the examples of, and those are some of the difference. Now, one of the things that, what the daily, what it looks like from on a day to day basis for an is. Just to compare this versus versus the consulting I was doing.
So it's also a lot of meetings. Security is a lot of coordination. Cyber security is a lot of coordination with different organiz because you're having to meet. Different subject matter experts like you, you're not necessarily the person who's locking down the, those, that windows server.
That's gonna be a server type person. That's gonna be a person like a system admin who specializes in Linux, red hat, network, administration and windows 2019. Active directory servers so you are gonna coordinate with them. So in ISSO, that's what they do. They're coordinating with these different, the firewall guy, the the privacy person.
They're coordinating with all these different people to make sure that the organization has a certain level of. So it is a lot of meetings. It's a lot of meetings with a lot of different people, and that's probably the main difference between the meetings. Like an ISSO is gonna have a meeting with all kinds of people throughout the organization.
One organization, whereas a consultant is gonna have a meeting with just a few people at different organizations like me. I had three or four clients at a, any given time and I would have to coordinate with the there's like a main point of contact. I would talk to big two or three main points of contact and every now and then I'd meet like a C level exec, but I was talking to three or four different organizations.
Whereas an ISSO is talking maybe one organization and there might be other sub organizations, but they're all one you're talking about many people in that organization. So you're going really deep in, in all of the details and stuff and making sure that all the securities is is in place. Now it wasn't, it's not like an enforcement role.
Typically you are more like a news reporter. What I mean by that is a lot of people think that you're the police and you're gonna come and busting down doors and say, Hey, this, we gotta secure this server. That's not really your job. Like you might point things out, but the person who has to be the enforcer is gonna be the management, because they're the ones, things come down from management.
So they have to be the ones to enforce that stuff. Now if you happen to be the voice piece, the mouthpiece to tell them, Hey, the CEO just said. You're just a reporter. You're just reporting to them. Hey, this is what happened. We have to obey what is going on with this organization's policies.
Here's what we have to do. So that's the main differences between a security consultant and information system, security officer. The reason why I quit my job as. A consultant and went over to, and now I'm going to back to information to security officers has more to do with. Not the work per se. It was, it is more like the travel, like the organization I was at was paid really good, had great.
One of the best benefit packages I've ever had, but it was too much travel and I had too much stuff going on. And I had too many clients, it was getting a little stressful plus I had family stuff I had to deal with. So that's the reason why I transitioned over. And now I'm going to somewhere where it's a little bit more It's gonna be a better fit for me and my new family situation.
So that's what's going on. Okay. I've got some questions here. Let me see for Mike. Thanks Mike, for your question. I really appreciate that. And Mike says he says quick question the ISSM role coming from being an ISSO. What is what's your suggestion? Quick question is S. A ism role coming from, are you gonna be doing an ISSM role from being an is O I'm assuming that's what you mean?
So you were an ISSO and now you're about to be an ISS O sorry. You were an is O you're about to be an ISSM that's I'm trying to interpret your questionnaire. Any suggestions. Yeah. So the biggest difference between these two roles is that one is a manager information systems, creating manager.
You're gonna have more of you're gonna have even more meetings. I'm just gonna tell you like the differences. So an ISSO is more like they, they both have a lot of meetings, but an ISSOs has to be more in the weeds because ISSO has to be able to say, give an example of an issue. A vulnerability comes down the vulnerability.
Is let's make something up. A vulnerability is a zero day exploit on windows 2019 or something. And now the ISSO gets wind into this and that comes from the vulnerability team. Now they have to meet directly with the vulnerability team to figure out what's going on with this thing. And they might have to spend some time researching what the zero day exploit is.
What's the criticality of it. Like how quickly do we need to fix this thing? They have to be in the weed. So they have to go probably go to the CVE. CVEs and then figure out what type of what this affects. And they have to probably look at a list of every, all the systems that this is going to touch.
And how quickly can we fix this? So there. And if so is more in the weeds in that they have to know what is going on in a, on a technical level, they have to get more in the weeds and be more technical if you get what I mean. They might not have to touch the system. A lot of times, they're not the ones implementing the security controls, but they're coordinating with the people who have to implement those security controls.
Compared to that, to an information system, security manager, their meetings are more with upper level people. So they're dealing with stuff that's more broad and stuff. That's touching the entire organization and making sure you have enough making sure the security team has all the resources in that they need all the time and resources that they need to do their work.
So your. Gonna have the same amount of meetings or more, but they're gonna be with upper level management from. Fields like you're gonna be talking to the it manager, the information technology manager who, whom the network manager, the network engineering manager. You're gonna be talk, coordinate with them.
And you guys are gonna be talking about like resources. How many resources do we have to do this work? Okay. We just had this zero date on windows, 2019. Do you guys have the resources and time to do this? How much time do you guys need to actually get this? So you're talking about like on a broader scale, how do we manage the resources that our team needs to get this job done?
And can we get it done and effectively in a reasonable amount of time? And you're trying to, your main job is managing expectations to upper level management, the C level execs, the directors and all that stuff, managing their expectation. That is your main job, as well as taking care of the people who are.
You work for the ISSOs like your job is working for the, ISSOs managing the expectations of upper level management. So you're still in cyber security, but it's more of a management. You're not in the weeds. You're not having you. You'll never, you're not ever touching any technology. Whereas in ISSO they might have to touch something at some point like, and so they might have to touch the EMA system where they're inputting information there, they might have to mess around with creating.
They might have to create a security policy, might help create the security policy review, the security policy. They might look at audit logs. They might. Help enable audit logs. They might be the person who's doing threat detection and stuff. The managers, they're not doing that kind of stuff. They're working on resources for the information system, security officers.
So it's a great move because it is is SMS are ma are legit managers. And so they're paid typically paid a lot more. They're paid more. And if you. If you're a first time manager, you'll get, you should get a pay bump. But if you have been doing a management for a while, you get a significant pay bump, like if you've been doing it for a year or two, then you'll be able to like, if forever you move or.
Those are the guys who eventually become directors. That's the path directly to directors and see C level execs and things like that who gets paid a lot of money. So that's really good. That's a really good move. If that's the case, if that's what you're doing, then that's awesome, man.
And Mike says got it. ISSOs ISSO I worked with EAs and C C Sam and tenable. Yep. Tenable NEIS and all that kind of stuff. That's right. Exactly. You got it. They're more hands on and touching stuff. Whereas managers, they're not, they're gonna ask about, Hey, you have access to eMASS.
Okay, cool. Great. They might look in there since, okay. Let's make sure that the system security plan is there. All right. And any problems with the system security plan. Okay, good. There's no problems. Let's go or, Hey Does the new guy have access to EASs. Does the new guy have access to tenable?
Okay, cool. Or let me help out. Make sure that we have, let me coordinate with the person who controls access to tenable to make sure the new guy has it. Okay. The new guy we just have some people leave. Let's make sure that person is not, no longer has access to eMASS or tenable stuff like that.
That's the manager. They're not like putting things. Into EASs or running the scans necessarily. Sometimes I've been with some managers who did do that kind of stuff, but it was because they wanted to do it. And they were very sharp, very technical, and they wanted to do it and they, but they te they totally didn't have to.
And they had other things to do by the way. All right. Let me shift gears. If you guys have any questions, go ahead and feel free to, to ask me any questions. I'm testing out this new platform. That's why it all looks a little bit different. So if you want, have any questions whatsoever, feel free to ask me in the meantime, let me show you that I have a book out called R MF is O where walks you through it's a bird's eye view of what NIST 800 is all.
And it's very quick, and this is actually the audio version, which is only like one hour long. And then also I've got a deeper dive into the NIST 800 security controls, but I'm not hitting every single control. What I do is I hit the families and give you a practical understanding of what the families are and how you navigate those.
And interpretation of the families of controls. And I focus from an ISSOs perspective. What parts of that family do you really need to know? That's the kind of stuff that I'm focusing on. And another thing you guys should know, if you didn't know already is I have a podcast here. It is right here. The podcast is, I'm doing the podcast right now.
So this the type of stuff that you hear me talk about here is the kind of stuff that I actually is gonna be on the odd. But this, the difference is on a podcast, you could just be in your car, on your commute and listen to it, or when you're cleaning or something like that, you can actually just listen to it.
Listen to our conversation as we're, as you're doing your thing. So, that's the good thing about doing a podcast? I actually really like podcasts. I'm listening to one right now, learning a new language. And I really like it. Okay. Let me see. There's another question here from Mike. He says, can I book you for a consultant for my ISSO role ISSO role you know what I'm actually in the middle of a couple of other consultations, you can email me feel free to email me and I'll see if I can find some.
For you, I'm not saying no, but let me see what I can do. Here's my I'm gonna send you my contact. My contact is scrolling across the bottom. There is contact@convocourses.com. If you're interested in getting some kind of consulting and stuff like that, I'm I'm getting back into the work field.
I'm not gonna be able to do as much consulting as I was doing before. Because my hours are gonna get tapped, but Hey, who knows? Like maybe we can do it before I actually start my job right now. I'm going through the background. The background investigation process. Okay. I got another questions from.
Mr. Fernandez. He says, so I'm getting my bachelor's degree in, in cyber security in December, I'm currently working on physical in wor working in physical security for government contracting. So I'm dealing with classified documents and D O D things will. Will I be able to, okay, let me see the next rest of this question to get an entry level is ISS O I think you mean ISS O job in your opinion, yes or no.
Okay. So L Ludwig let me give you an example and I hope that my example can give you an idea. First of all, short answer is yes. Okay. I know this because I actually start off in physical security myself. So I was a. Security forces member in the air force. And basically what I was really, I was a weapon expert.
Like I don't even know if they have that, that it was called 3P0X1. That was my AFSC. It's a specialty code that they have had in the military at that time. I don't know if they I've been following it, but basically what I did was I was a weapon specialist and. I guarded planes. I guarded if the president came in to our base or whatever, I'd do that, I'd be on that detail.
Not much personnel security, to be honest, it was mostly garden resources. And then I also did some law enforcement. So I knew a lot about the UCMJ use of force, all that kind of weapons, training, combat training, all that work with the army and the Marines and all branches and different countries.
Security people, but it was mostly physical security and I trans we call it cross train. I cross trained from physical security to cyber security. There's a lot of crossover. I was surprised to, to learn that. Some I'll just tell you a few things that are gonna help you going from physical security over into cyber security into it in general.
Number one you are, you're gonna have a very sound understanding of security overall because it's not really that much. When you get into cyber security, it's just a lot of more layers and there's, it's more complex because you got defense in depth. Physical security still applies in cyber security, which is crazy.
But when you think about it's common sense, if anybody can touch a system, then they own it. You can own a system. You can take the hard drive out, put it in another device you can use password crackers you could use. Oh man, you, you could do forensics tools on it and then extract all the bits on it and figure out what people try to delete is that as a matter of fact, that's what forensics is all about.
And speaking of forensics some of the laws that pertain to, to you, like when you're talking about chain of custody, when you're talking about Making sure that things that, that things aren't tampered with during the investigations, all those things apply. So some of the laws still apply.
What else applies, man? Physical security checks, physical security assessments is it's. The concept is similar and actually is still used in cyber security. You has to still do physical security to make sure that the facility and the room that the information system resides in is protected so that all that stuff still applies.
So it is gonna help you out. And then the main thing is that if you dealt with classified documentation before, and if you have a security clearance, all of that will also help you. To get an entry level job in cyber security. And if specifically, in information to security officer, but any kind of entry level position, because you have a security clearance, if you have one that helps.
A lot of people confuse like security. They think that if you're in cyber security, you have to have a security clearance. No that's not the case. Two different things. The security, they should just call it a clearance. It's very confusing. A clearance just does a background check on you to make sure that you are trustworthy to make sure that you don't have any criminal background that might that might.
Cause a conflict of interest where you're working like a bank doesn't want somebody who robbed the bank. You know what I mean? It's stuff like that. A hospital probably doesn't want somebody who had malpractice it's stuff. Like they don't, there's certain criminal things that not to say that you if you had some kind of.
You had a case on you in the past that you couldn't work in cyber security? It's not what they're saying. It's basically, there's certain things that cause a conflict of interest. So I have to do a background check on you to make sure that there's nothing that might allow you to be exploited.
Or something that deems you as untrustworthy to do that particular job. So if you have a clearance that really helps out a lot if you've handled classified information before that actually helps you quite a bit as well, because some people don't have any experience with that and they don't know how that world works, but you knowing that, how that world works, that helps you quite a bit.
The main thing that you need to focus on now is technical. Because me going from physical security over to cyber security, that was the biggest challenge is learning all the terminology, learning information, technology, learning how computer works learning how Ram CPU and storage all works together.
Learning how to protect those components of information system. Those are the main things, all the layers and the minutia of learning networks, how to networks work how you protect those networks, stuff like that. Porch protocols, and services. Those are the things that you need to be really focusing your mind on the security stuff will come very naturally to you.
So the answer to your question is, yes, it will help you to get an entry level job when you get your, that bachelor's degree. Only thing I would recommend that you do while you're in school. And this is what I tell everybody is try to get experience. If you. Hands on technical experience, if you can. That means if you're whatever college you're going to, or if you happen to be in the military or wherever, whatever, wherever you're at, try to get hands on.
If you see the, we call them work group managers, fixing a computer, ask if you can help them out. If you can, if they will allow you to help them to fix that computer, whether it's update and virus, definitions, updating the security patches, whatever it is like even the simplest thing possible, even if it's putting the router in and plugging it in or whatever, you'll be able to put that on your resume.
And the experience is what they really wanna see a degree is great. Certifications are great, but the experience is what they really wanna see. Another thing is I would highly recommend that you, if you can, if you have the time, if you have the cycles to do it, some people do not is to get a certification while you're working on your degree.
Degree takes a pretty long time. And sometimes the degree helps you to get the degree. If they, if you're college or wherever you're going to has a degree, a certification program, I will go ahead and take it. It's not a waste of your time, especially if you get the comp Tia, any of the comp Tia ones. If you get any kind of cloud certification, if you get any kind of networking certifications, those are all gonna help you out a bit, a lot on your resume.
So I hope that answers your question. Okay. I've got another question here. It says Mr. Fernandez says and I'm a security plus certified I'm security plus certified, but I don't have the most experience with physical hardware. Okay. Yeah. Yeah, that's what I'm saying is go ahead and get as much.
Experiences you can with any aspect of information technology. And at this point, since you're new, anything will help you out. Like whether it's help desk type stuff, whether you're Updating, like I said, virus, signatures, whether I, the reason why I keep bringing those up, because those are the simplest things that kind of come up constantly over time.
Like you've probably done it before you just don't it's something we do often so often that we don't even think about it, but that is something you can literally put on your resume. You just need to know how to articul. Speaking of articulation, just to do a little transition here. I'm working on a book right now, a new book.
That's gonna tell you how to actually break down a resume. How to, I have a course on this already. So if you're interested I'm not trying to cram anything down anybody's throat or anything, but I'm working on a book. That's a lot cheaper that. It'll be about 20 bucks or something like that.
It'll have downloadable templates. It's essentially this right here. This course right here is something I've been using for a long time. And because of this, I haven't been without a job. I, this thing works like this process that I've been doing, basically, all I did was to say, okay, how am I getting all these jobs?
I literally get like 10 offers a day between LinkedIn. Messages on LinkedIn emails calls I'm literally getting anywhere from, it's not as much as it used to be before COVID and now we have some kind of a downturn in the economy. So it's not as many as it used to be, but it's at least six messages a day.
I get for different jobs and I'm just constantly getting undated with these opportunities. And so all I did was I condensed exactly how I'm able to do this into. Into a course. And I'm gonna make this into a book that tells you how to articulate your, any kind of. Security, cyber security experience into a workable template that is marketable to employers.
So that is what I'm doing and it's coming, I'm working on it. I actually finished the first draft. I'm getting it edited right now. As we speak the first, book's gonna be a three, the four books series where I'm gonna break down. Not only how to market your resume and not only how to create the resume, not only a template so that you can use my mys as a sample and other people's resume as a sample.
But I'm also what I'm gonna do is expand it out into other books that tells you how to get remote jobs. Because people ask me about that a lot and I'm gonna do one where it's talking about the different categories of cyber security, because that's something I've found. People, the questions that they ask, I can tell they don't really know that there's different aspects of cybersecurity.
So that is what I'm doing. Mike says, I bought this course from you. You need to update it. Oh, okay. Yes, updates are on the way. I'm working on a whole bunch of stuff right now. So that's when I'm not on these calls that's what I'm. Okay. If there's no more questions, guys, I'm going to, I'm gonna call it quits for the day and I'll see you guys next time.
See you on the next one. Thanks for thanks for jumping on this one. Thanks Mike. For all your questions. Appreciate it. Appreciate all the questions and and thanks, Mike. Thanks for the update, Mike. I will get on that. I appreciate you later.

Saturday Sep 17, 2022
Saturday Sep 17, 2022
http://convocourses.com
Full video on Youtube.com/convocourses
Hey guys, this is Bruce and welcome to convo courses, podcasts. Every week. What I do is I talk to you guys about cyber security, mainly speaking on security compliance. And I'm opening this things up to questions. So if you have any questions during the course of this live session, feel free to ask 'em.
This is the perfect time to interact with me. And if you didn't know, I'm the sole proprietor owner of convo courses.com where I got tons of free stuff. If you're interested in cyber security compliance in particular, lots of downloadables, lots of free stuff for you to check it out.
You might not even be interested in cyber security, but outta, unless you try you, you must been hearing about it. It's a hot career path and let's get right into this. So what I wanted to talk about today, If somebody on TikTok said just another guy selling a book and yes, I am selling a book, but I'm also selling courses.
I'm selling my time. But it, the thing is I've been doing this for years. , it's I've been putting free content out for years. My. Has something like 600 free videos where I'm putting people on how to get into cyber security, how to do cyber security compliance how to secure their system.
All things, cyber security I've been talking about for free and you can still get this stuff's all out there. So if you're interested in this. The best place to follow me. If I can't, if you wanna get stuff for free, you wanna try it out or whatever, or get information is to go to YouTube.
YouTube has hour long. Literally I do these every week. I've been doing hourly long videos for years, teaching people, just ask me questions and I'll just go ahead and speak for an hour straight about a topic. Yeah, I am I selling a book? Yes. On Amazon, I'm selling a risk management framework. I, this Audi, most of the people in this audience will not be interested in that book.
I'm selling to a very niche group of people who are interested in this is people who are in cyber security, trying to make big money. Not everybody is willing to do, take the time to to learn this trade. And to get into this and they want that quick money, but this is not quick money.
This is long term money that's gonna help you and your family for years. If you are interested in that, then you come to the right place, cuz I'm here to teach. And if you're here to learn then let's do this. Somebody said what up family? Somebody said any thoughts on IBM cybersecurity certificate on Corsera is really dope.
Corsera if I'm not mistaken they're also doing the Google support it certification. So Coursera is incredible. Another one I would recommend is you to me. I've taken TMY myself, actually, TMY is incredible because it has a lot of entry level courses and stuff. IBM cyber security certification.
My opinion on it is I really, this is the first time I've heard about it. That being said, one of the things that you wanna look into whenever you try to get a certification is how. How popular is that certification that matters to give you an example of why that matters is because there's a certification called the C and it's a certified ethical hacker cert certification.
And it's got a lot of attraction, like HR departments, companies know what exactly what it is and what it does. It's for people who do pen testing it's for people who are looking at cyber threats. Cyber threat analysis, things like that. Now in the hacker community, if you talk to most hackers, people have been doing this for a while.
People really know what they're doing. They hate that certification. The reason why is because the certification is a, not, I won't say it's a money grab, but it doesn't. It goes into a lot of the tools that you use for the trade, rather than the actual theory. And I having read through the books for C I would disagree with that.
They treat you a lot of the fundamentals that it takes to learn the basics of hacking and goes a little bit deeper. So I would say it was from basic to intermediate. But it's got a, an unfair shake in my opinion, from the hacker and the pen testing community, because it just doesn't go deep enough and they want it to be more hardcore.
If you want something more hardcore, you wanna go to the SC P O S C P or Cali Linux, stuff like that. Those certifications have more hacker respect. What the point I'm trying to get at is C is a very marketable certification. If you have that certifi. You're looking at and a little bit of experience under your belt.
You're looking at six figures, but that's because it's a popular certification. So IBM cyber security certification I'm saying is not super popular. I'm guessing, but let's take the guesswork out of it when I'm gonna do right now is I'm gonna go to, I'm gonna go to a. And I'm gonna show you what I'm talking about.
As far as marketability of certifications, you wanna look at the marketability of a certification. Let's go to indeed.com. One of my favorite sites to go to for job searches. And I'm gonna show you, let me show you my screen real quick while I'm doing this. Somebody ask me what search do I have?
I'll answer that in a second. While I'm doing this C I S P and Cap and a few other ones, but let me show you what I'm talking about. Oh man. You can not see that. Okay. I'll just walk you through it. Okay. So I've got a bunch of people watching, so I'm on indeed right here. And I'm gonna type in IBM what'd you say security certification.
You said cyber security certification cyber. And this is what you wanna do with any kind of certification that you are trying to pursue. You wanna see the marketability of it? Cyber security, certifi. You can just go to any kind of job aggregator such as LinkedIn, indeed monster and just type it in. So it says there's no searches, but that's because it's only searching in my area of Colorado.
Let's look at all the United States and let's see how many certifications how many people are looking for the certification. So I did a search here. And it's saying that there's 11 jobs looking for the IBM certification where that keyword came up and really it's not even it's keying in on certification security.
It's not really finding the IBM certification, but let's take an equivalent certification. Let's say equivalent of cyber security certification. Let's say it's a security plus. Now watch this. I type in security plus comp Tia. In fact let's narrow it down. Comp Tia security plus certification.
There are 9,000 jobs. That's what that says right there. Nine, 9,000 jobs for the comp Tia security plus, and look at the look at what they're paying. Now. This is for a junior ethical hacker, but that's not bad at. And it's getting you into ethical hacking, which is pretty good. It's I've.
So my opinion about the IBM certification is doesn't have traction just yet. A lot of these vendors will try to create their own, and this is coming from somebody who has vendor level certifications. I'll get into what kind of certifications I have in a second, but vendor level certifications, some of 'em don't take off some of 'em don't they lose traction.
And because it's the company, the organization doesn't market them effectively. And what they lack that some of the certification organizations have. A couple being ISACA, which has C I S a C I S M C risk and some of the others comp Tia, which has a plus certification network plus certification security plus certification and others.
And then you have is I C ISC two squared, which has CS S P and a couple of other big time certifications. What these guys do right? Is they market the certification. They know who to talk to, to get in on these lists, the government lists to say, Hey, these are approved set of certifications. They market it so that other people have to take the cert.
And then it becomes a requirement like they did with the C the marketing on C is incredible. Like they did a great job on the marketing aspect of it. So my opinion of the IBM cyber security certification, it doesn't have traction just. I would probably go for something like the sec security plus if you're trying to get in the field and make money.
So that's my opinion about it. I hope that answers your question. That's a question from TikTok, by the way. Here's another question that I have from Floris floes leak. And it says, what kind of certifications do you have? Certifications that I have. Okay. I've got the C I S P that certification singlehandedly changed my life as a professional level certification from ISD to squared.
I got it when it, not when it first came out, but shortly after it came out. So I have a pretty low number. They have a set of numbers. So I got mine in like 2006 or 2005 or something like that. And then I've got the ISC two cap, which is it's for a security compliance for N 800. I. I've had two different versions of the security plus one of which doesn't expire.
Cuz I got it. Like when it first came out, I used to teach security plus comp Tia. I had the original network plus the original, a plus, which was one certification now is two. I have Microsoft C I've got, I had the CCNA, but that expired. I don't like, I don't, my, that knowledge has left me. If you don't speak a language for a while it's gone.
I understand still the basics of, I, I could probably configure a router or something like that, but it will take me a minute. Then I've got a bunch of vendor level certifications. I've got one for arc site. I've got one for QS. I got one and I got a few other ones, and I'm not people call me a paper tiger or whatever, cuz I, I go out and get these certs and stuff.
I normally, I would get the cert based on the job I'm in. If there's a job I need to do. And they need me to do learn this particular, this a certain thing. Then I'll go out and learn that. So that's why I have so many certifications. I got 'em outta necessity. I didn't get 'em because I was trying to get a bunch of certifications.
It was all for me. It's outta necessity. I got other things to do with my time. , you know what I'm saying? Like the next certification I'm gonna get is probably gonna be a cloud based certification. Like I'll probably get that AWS. Cloud practitioner one coming up real soon because people keep asking me questions about cloud.
I'm like, damn, I don't really, I'm not really deep on cloud, so okay. Let me see. Jimmy says thanks for the breakdown, man. I really appreciate that. Hey man, no problem. No problem at all. Okay. So I wanted to take some have people call in, but I'm having, I don't have a lot of people joining me on YouTube, so I'll wait on.
In the meantime, what I can do is I could take more questions and I can actually teach some stuff on a N 837. Or, you know what I think a better thing to do is to speak a little bit more on certifications since I got a lot of people asking questions about it. Okay. So certifications, I would recommend let's talk about that certifications.
I would recommend I'm gonna talk about the Entry level intermediate to expert. Okay. Let's start with intermediate entry level certifications. So entry level certifications. I would highly recommend in this order. If you let's say you come in off the street, you get, you know anything about it or computers.
I would recommend a plus certification. That was the first one I took. It was, it's a great introduction into the common body of knowledge that you need to know in order to troubleshoot. Systems and how to secure them as well as the networking aspect of computers. A plus certification is one of the best ones from comp Tia.
So comp Tia, let me just show you what that site looks like. CompTIA. Another one I would recommend would be the Google support it certification. This is comp tier right here. It's one of the top certification. Organizations in the world, CompTIA, they got a plus they got network. Plus they've got cloud plus they've got a really good course curriculum that breaks down the basics of what you really need to know for this career field.
So it's a really good starting point. I would say. And then another one I would recommend would be the Google. It support it, which a lot of people are getting jobs off of that for some reason. And then the other one I would highly recommend for entry level. If you've already taken the a plus, if you've already taken security plus stuff like that, ISS.
Certification AWS cloud practitioner. This is this one's hot. Because Amazon, if you didn't know, owns a large percentage of the market share for cloud. So they're competing against Google. They're competing against, Oracles in there now, but the biggest competitors is Microsoft and Google.
Microsoft has Azure, their Azure product. And then Google has their own cloud based products and the go. Of the world are, and other companies are starting to use their cloud services, but the ones that they use the most is Amazon. I believe like Netflix, Netflix uses Amazon cloud services and then other like large organizations multi-billion dollar trillion dollar organizations are using, or either they already have their own cloud service or they're using Amazon Google or Microsoft Azure.
So those are the three entry level certifications that I would recommend. Intermediate let's say you're already an it person. You've got three years under your belt doing it. You, your work on help desk, you work as a customer support. What would I recommend? I would recommend for entry level or intermediate is to go for a professional level certification.
That's what I would recommend. That's a CIS S. Top one, especially if you're doing cyber security, I would recommend if you're networking, then you want to go with either a CCNA security or a CCNP security. I think they have a CCNP cloud and a CCMP video and all kind of other CCMP. These are not easy certifications, but CCMP is from Cisco.
It's one of the highest sought after certifications out there. It. It's gonna pay you a lot of money. That's why I'm saying that you should do it. And on top of that, you're gonna really know what you're doing because and then a, they, Cisco owns a lot of the market share for networking technology.
The only other one that comes close is like Huawei, which is in China and is banned in the us and parts of Europe. Their products are, and Juniper and I think Palo Alto or something like that, that even come close to their market share, but Cisco's the best. And so that's why we recommend that's one of the, one of the few vendor level certs out.
You could get by yourself. You can get that one cert by itself. And then that would be incredible. Like it would. It will butter your bread. It will. It's gonna pay your bills. it's and then expert low level certifica. Oh, another one for intermediate would be there's red hat certifications that if you happen to be a red hat person and then there's Microsoft, if you, so once you get intermediate.
Entry level is gonna be like basic stuff that you need to know. But once you get into intermediate territory or professional level territory, you have, you're going to drill down into one or two products. Like you're gonna be really good on one or two products. You're not gonna be a master of everything.
So once you get to that level you're gonna wanna get a professional level cert in that field that you're in. If you happen to do Microsoft, you're gonna get I don't know what they're calling it now. MCs. MCSE. Is that still valid? I haven't done Microsoft in a while, so I might be wrong.
Let me see CSE and correct me if I'm wrong, guys, if I'm okay. Cuz I know that they changed it recently. Yes. Still MCSE. Okay. They have different. Okay. It's definitely evolved quite a bit. MCSE and MCSA yeah, that's a professional level cert as well. And then Cisco has CCMP so you'd wanna go deeper into whatever product that, once you get to the professional level, then at the expert level.
That's very specialized typically. So an expert level cert would be would be a C, C I E. And a lot of people, most people don't have it. It's like the equivalent of a PhD. Not many people get those because they're super, super hard. And it takes a toll outta your life. It's serious.
So C I E if you're in, if you're in networking, another one would be. I think there's an there's one in hacking called the O S C E, which is super high level. I don't know much about it. I just know it's a high level expert level certification. And then there's GS E which also not many people have, cuz it's just super expensive and super hard to get.
So you've got entry level certifications, which are usually called like core CompTIA calls 'em core. They're. Entry level or associate, then you've got professional level certifications. They're called the usually professional level certifications or intermediate certifications. And then you got expert level certifications.
What do you think about the IBM certification on a program on KRS Coria? So I already answered this one, but your quick answer would be that I don't think it's a very popular certification. I'm not trying to hate on IBM certification. Now, if you, if it happens to be your first certification, it just add a caveat to it.
If it happens to be your first certification, go for it. If it's your first certification, you're trying to learn it and they're giving it out for free. It won't hurt to go ahead and try it. But as far as if you got the certification, would it be marketable? I don't know how marketable it's gonna be like a security plus will be way more marketable.
I'm just telling you guys honestly like a, that IBM certification is not on any, it's not on the D O D approved list. It's not, I just heard about it on TikTok. It must be. They're giving it out for free because more than one person has asked me about it. If you happen to be learning this, go for it.
If you're like learning this from scratch, go for it, do it. But if you wanna level up at some point, take that one and then do the security plus security. Plus once you get that certification under your belt, it's marketable. Like you could put it on your resume. And get a job. So I don't know if you can do the same with IBM cyber security.
I'm not trying to hate on it or anything, but go, I'm saying, go for it. IBM is dope. I just putting IBM actually IBM itself is a key word that you could put on your resume. So IBM itself would be good to put on your resume. IBM security program. I'm sure it, it would make you a little bit more marketable than you are.
If you don't already have it on there. That's my 2 cents on it. Cisco does have some free search too. I'm not sure if they're already covered. Oh, really? I didn't know that. Cisco has a C E N T, which is an entry level certification. I think that one's pretty good. And then.
Above the CC E and T you have a CCNA and then above CCNA, you have specializations of CCNA, and then you have a CC N P, which is a professional level cert, which goes pretty deep on different technologies. Yeah that's the whole thing then CC I E is like expert level, top tier type certification.
I've known a few people who have the C I E, but they're pretty rares. I've known a lot more people who have the CCMP or a CCNA as matter of fact, I've had a CCNA before. Okay. Let me see here. Let me see if I got any more questions or stuff I want to talk about. Okay. Here's one. I wanted to talk about the pros and cons of cybersecurity.
If you guys are interested in joining a call that I have right now on YouTube, feel free to jump on. This broadcast on YouTube on just go to YouTube type in combo courses. You'll see me there. And then I will a give you a link if you're interested in this. And if not, that's cool. Let me see, I'm gonna talk to you guys about the pros and cons of it.
For, I get a lot of people who are contacting me, who are new to this and who want to get in this field. And I feel like one of the questions they should ask is what are the pros and cons of this, especially if they happen to. A nurse or a teacher or some other profession trying to get in this security field in this field as a cyber security person or it person, what are the pros and cons of this and the pros and cons of it really depends on, I think, on where you're coming from.
If you happen to be in the service based industry and you're dealing with a client, a lot of clients and you happen to not to hate to. Love dealing with people. You happen to be an extrovert. You love interacting with people, and it's just boring where you don't have anybody to talk to makes the day go by faster.
If you have somebody to talk to then one of the negative things about can be with it is that you sometimes you're isolated. Sometimes your. Sometimes a job makes it so that you're actually isolated to where, for example when I was a network engineer, we just, sometimes we'd be in the com closet, the computer, the communications closet hooking up wires all day.
And I wouldn't see a person. I wouldn't see a human for six hours a day, like four hours. I'd be in this computer room, this cold computer room. With no windows fixing a router, just trying to, trying to fix the iOS on a router and backing the router up and stuff like that. And it would take all day cuz it be something wrong with it.
For whatever reason, it's not connecting to the next rest of the network. I'm connecting a bunch of systems to it. Or I'm trying to figure out which wire's not working or. Or I'm trying to turn on port security on a bunch of ports or something on a switch. Like I'd just be messing tinkering with this thing for hours.
If you happen to be an extrovert, that can be a negative thing. If you really like interacting with people, that's one of the negative things about it, but. It really depends, cuz not all jobs are like that. It could be a positive thing if you happen to be an introvert, like you don't really want be in the industry, the service industry, for example, you just don't really want to talk to people you don't wanna really deal with this kind of stuff.
Then it's perfect for you cuz you'll be in locked in a closet programming or something all day long so it really depends on what you wanna do? Pros and cons of it. Let me think of some other pros and cons of it. And if you guys happen to be in it, I wanna ask you guys, what are the pros and cons of being in information technology?
What are the good things about in being in information technology and what are some of the bad things about being in information technology, please chime in. Feel free to talk to me about it. I'll read your comment on there, but another one good thing I would say. It is that it, it pays pretty good.
Like even if you start off entry level and you're not getting paid really good after about a year, if you put that stuff on your resume, you work your resume, you can very quickly escalate to another level. And a lot of career paths don't have that kind, that level of they don't have that kind of progression built into the structure.
Like I know that my I've got a few friends and family who were nurses. Who were doing nursing or they were CNAs or something like that. And I noticed their progression's a lot harder. Like it's really hard to go from say a certified nursing assistant to a nurse. There's a huge gap in pay and skillset.
And there's just this huge gap between those two things you would think it's close. It's not close at all. Like a certified nursing assistant. Is a huge gap. Whereas in it, you can quickly progress one like one skill at a time and make a little bit more money, little bit more money, little bit more money.
So that's one of the pros and DG five, one says remote working is a pro. Oh my Lord. That's a great one. That's a great point, man. Thank you for bringing that up. Remote work is one of the. Things about it, the it field in my personal opinion because a lot of people don't have that option.
I think if you're a nurse, you'd be a traveling nurse and you can have remote work and then, but you're still traveling. You're still going to site and stuff like that. But with it, you can truly be remote, and there's networking jobs that remote, there's Infrastructure jobs that are remote there's cyber security jobs that are remote there's computer consulting jobs that are remote.
I, that was my last position. There's cyber security that are remote risk assessments that are remote customer service, technical that are that's remote. There's so many remote positions and that's one of the great things about doing remote. Let me see. So somebody said somebody said, do you need computer science degree to start no.
To do in cyber security or in it? No you don't need you don't need to have a degree to get into. To get into it. So the caveat to that is that I'm gonna prove it to you. I'm gonna show you some I'm gonna actually prove to and show you what exactly what I'm saying is true. So do you need that kind of those kind of computer?
So first of all, let's break this down. A computer science degree. It typically the courses typically focus on software engineering. Okay. Computer science. I don't even have a computer science degree and I've been doing it for 20 years and I'm making six figures working from home. Okay. I have a bachelor's degree in information technology, but I know people who have a bachelor's degree in information systems.
I know people who had math degrees, actually I know people with double's that's a electrical engineer who are working in this field as cyber security. So typically. If there are, if they are looking for a degree, you don't even have to have a computer science degree or a cyber security degree. You just need something in stem, which is science, technology, engineering, and mathematics.
If you have that with a little bit of experience, you can get, you can get in there and make really good money. Now that being said, There are jobs that don't require a degree at all. Now let me qualify that. So they do expect you to either travel a lot or learn very quickly, or have a G E D high school equivalent or.
Be working on a degree or have a certification or have a certain skill set. They usually want you to have something without a degree. And it's probably not gonna pay as much. That being said, two of my mentors who taught me all kinds of stuff did not have a degree. And they were the highest paid guys in the room at any given time, but they were brilliant.
They were brilliant. They were coming outta the military with three, four years of experience. They were the main person everybody was relying on. So I'm just trying to qualify this, but now let me show you where jobs, where you don't need a degree working in it. So what I'm gonna do here is I'm gonna go to a, I'm gonna go to a
Job search engine. And I'm gonna show you how you can find these jobs where it doesn't need a degree. Now it does need you to know you gotta do the work. They're gonna expect you to know exactly what you're doing. So you gotta actually have some knowledge of it. I'm not saying you can just walk in off the street.
This is not sweeping floors. You know what I mean? Like you have to know some stuff to come in to do this. So if you wanna follow along, let me just explain to you what I'm doing. Cause I've got people listening in on this as well. So what I'm doing is I just went to indeed dot. Okay. And I do job search. I remove the state.
You gotta remove the state. Because sometimes it'll come up with your local state. If you happen, you can also do this on LinkedIn and go to the search results. And then what you're gonna type in is entry level entry level it, okay. That's all I'm typing in entry level it
and. It'll come up with a bunch of stuff. Now we've got all kinds. Okay. Here's one help desk technician. What you're gonna do is you're gonna go down this list and look for positions that don't require a degree. So you'll go to the requirements. You'll go to each one of these jobs. I clicked on one called help desk technician.
And it's in it's remote job in Missouri and there's, here's their requirements. They said proven experience with help desk and customer service role customer. Customer oriented in difficult situations. Tech savvy must be able to be a part of a team be able to speak proficiency in English communication skills and it's a 40,000 to 60,000 per year job.
They're not saying anything about a degree. This is the kind of stuff I'm talking about. And what all I did was typed in entry level. It that's, this is the kind of jobs you can get. You don't actually need a degree. And that's another positive thing about it is that you, it's. So in demand that a lot of times you don't actually need a degree, but you're gonna have to look for those jobs.
And in addition You you're gonna have to know what you're doing because you saw that what they wanted you to have was a proficiency in actually fixing the computers. And they're looking for you to already have one to two, two to three years. Actually they're saying here in a position that said, or one year experience.
For entry level positions, and there's all kinds of positions like this that you can find, but you gotta know what you're doing. You gotta do your due diligence. And that's why I always tell people, Hey, go for an a plus certification, cuz it's gonna break down the fundamentals of what you really need to get into this field, to get in an entry level position, just like this.
All right. I've got some people who are joining me on YouTube. Let me just read a couple of these questions here. Somebody said Tony said. Thanks Tony for the comment he says I work in cyber security and I have a criminal justice degree. I have a criminal justice degree. I have a C I S P.
That's awesome. That's incredible. Tony, you should are you actually working in the field right now? Do you have a job in information technology and what's the status of that? Is it doing pretty good? I would be really interested in this. When I was in the military, I worked as a.
As a security forces member, where I had associate's degree in criminal justice. And I was like, man, I don't wanna get out and be a police officer. This is, it was a tough job. Like it was not an easy job, mad respect to police officers, cuz that's a thankless job where your customers. Hate your guts.
and you're dealing with the worst parts of society. A lot of times you're going and you're going in an and. Talking to people on their worst day of their life. And so they're not usually in their best frame of mind. It's a hard, it's a hard job, I know all the stuff going on with police officers today, and I'm not at any, at all, trying to justify some of the bad police officers that are out there cuz there's there's like right now, this is the epidemic and the police department's defend these guys.
I'm not saying that stuff is good. Like with some of the stuff that's happening, it's good at all. When I was in, they, when I was in the military, they, if you slipped up at all, they weren't did not have your back. You were, they threw you right under the bus. Like you better you were held to a higher standard.
And that's how I think police officers, the whole industry should be, but it's not, that's not what's happening. That being said, mad respect to that profession because it's very difficult and not everybody can do that. And I wish they would stop putting people in those positions that don't, that shouldn't be police officers cuz that's what's happening.
Okay. Tony says I'm actually a cyber security manager at oh KPMG. That's one of the top big four. That's one of the big four, one of the top. If I'm not mistaken, that's one of the top accounting firms in the us. There's four there's de. There's ston young there's P KPMG. And then there's one more.
I can't remember what the other one is. If you guys can remember what it is, please chime in. He says he acts as a cyber security manager at the okay. That's awesome, man. I do. I work in GRC work. So what kind of things do you guys do? Do you guys. So that means you're in the financial sector.
Do you guys have a system security plan where is that a, it's a package where you put all the security controls into one package and then you get the system authorized. I'm sure you guys have risk assessments. You guys have things like continuous monitoring. You guys have things like, but do you guys have like a system security plan where it's.
All of the documentation for all the controls are put in one place in a database. And that's shared out to the organization for some sort of approval with your C level execs and for the agency to approve that system. I'm very curious that you got, if you guys have something like that, do you guys also use Sarbanes Oxley?
That's a, if you didn't know, that's a security compliance set of rules. That banks, financial institutions, investing institutions use to make sure that the organization's doing what they're supposed to do. I'm very curious about that, Tony. And while you're answering that one, let me see somebody else.
Ask me another question. They said anyone trying to get into cyber and it. Should get in the help desk. That's yeah. That's definitely a big step up. It's a great way to learn the foundation that you need to get ahead. Oh man. SS that's some great advice. Great advice. Okay. So while I'm waiting on Tony to respond, I think I'm gonna go to assess this comment.
So you work in KPMG. And then you said you work in GRC. Okay. I don't know if Tony's gonna respond. So let me just go to SS. So SS says anyone trying to get into cyber and it should get into help desk. It's a great way to learn foundations. It needed to get ahead. Absolutely. Another thing I would add to that is that if you do help desk for some time to help desk, okay.
So there's a lot of different names for help desk. You've got customer support, technical customer support. You've got field tech, one field tech two, you've got a lot of different names for a help desk person, but essentially it's the first line of defense. Outside the user themselves, the first line to defense in the organization, the first person somebody calls.
When their computer is not working properly or it needs to be updated and something went wrong or they need a backup, a quick backup of a desktop or a laptop or something like that. Or they need to reconfigure their laptop or re-image the laptop or something. That's the, when they call the number, it goes to help desk.
That's the first person that they're contacting. It really is great for your resume because it's gonna give you. Like one, two years of experience where you actually get exposure to networking, you get experience with a little bit of a little bit of cloud technology. If they have that in environ environment, you get a little bit of, you might even get to touch on servers, some net routers and cyber security, of course.
So you just gotta put all that stuff on your resume. So that after about a year of work with that, Being on the help desk being on the front lines of that organization, that you can go ahead and level up after about a year. So yeah, a help desk was my actual first position on the job training. It was.
That was incredible. Like that experience I don't take it for granted. Like when I was there, I was just wanting to jump into routers or do firewalls or something like that, something specialized, but that foundational knowledge and skillset that I got of troubleshooting. And trying to figure out basic problems on those computers in a production environment, that experience, and that exposure allowed me to get into things like do deeper dives into things like networking.
Cuz I did network engineering for a while. It allowed me to do deeper dives into. Learning to build a software in a real environment, like how to, how not to develop software in different environments, like webpages and stuff and web applications and things like that. We didn't have that many back then, but from time to time we had to touch those.
So those are some of the stuff that I learned on the help desk. I would SS I would definitely agree with you on. All right. I've been talking for a little bit. I really wanted to test out I'm on this new thing where I can actually have people call in. I'm gonna keep using this until I can get people to call in and add their 2 cents on.
On things like cyber security and security compliance, maybe next week, we'll do this again and then have people call in. But if you're interested in calling in at some point give me your email and then I'll let you call in and I'll let you speak. On all this stuff. And but for today, I think that's about it.
Thank you guys so much for your questions. Thank you for your comments. Thanks, SS. Thanks Tony. And all the people on TikTok. Wow. There's a lot of interaction on TikTok with just a very few people who've been follow me. So thank you guys for that, but I'm gonna close this thing out.
Thank you so much. Let's close out TikTok first in the live show. And then I was also live on the podcast that's over and thanks so much once again, as always. Thank you so much for joining me on YouTube. Thanks for your questions. I'm outta here.

Friday Sep 16, 2022
Friday Sep 16, 2022
New podcast link: https://convocourses.podbean.com/
check out the new books on amazon and audible RMF ISSO Controls: https://www.amazon.com/dp/B0B6QKT8DR
SCA Course (early release) https://securitycompliance.thinkific.com/courses/rmf-isso-security-control-assessment
Audible book: https://www.audible.com/pd/B0B4PYJ9JV/?source_code=AUDFPWS0223189MWT-BK-ACX0-312685&ref=acx_bty_BK_ACX0_312685_rh_us
check out our courses at: discord: https://discord.gg/esJAz2enBW facebook: https://www.facebook.com/groups/719892952526379
Hey guys, this is Bruce and welcome to combo courses, podcast. This is gonna be a short one. I just wanted to talk to you guys about cyber security, it jobs, resume marketing. Now we talked about this the last time we did a live podcast, but I wanna talk about it again and go a little bit greater detail.
And my purpose here is to help people to know what to put on the resume to actually get a job in cyber security. Cuz a lot of people are asking me questions about like, Hey Bruce, you know, I'm, I'm in it. Like what, what do I, I'm trying to get a level up in my job. I'm trying to make more money. Like what do I do?
So I'm about to tell you exactly what I do on my resume. As matter of fact, I'm gonna go into pretty good detail about. And I'm gonna show you where you can get your own resources on how you can figure this stuff out. Now, this is what you're seeing here on the screen. If you happen to be watching me, if you happen to be listening, I'll explain everything.
I'm writing a book called cyber security jobs, resume marketing, and it's gonna be a series of books. That's gonna break down exactly how to target, what category of cyber security you want, cuz it's a pretty big field and it breaks down into all these different parts. And then it's gonna talk about how to actually market yourself, how to get the keywords, how to find those keywords in that targeted market, and then put those in your resume and then how to actually write an impact, an action statement bullet in your resume.
That's very powerful and it's been working for me for years. This is stuff I learned from the military when I was getting out and also just from experience, just like doing this stuff myself. So let me just get down to what I'm talking about. now what, what you should do if you have any it experience is you've gotta put what you've done on there.
As far as your cyber security, like what, and if you've done it more than likely you've done cyber security, you just didn't know it. And so I, I have evidence of that. Let me show you evidence of that. So what I do is security compliance and in security compliance, we have to know a lot of security controls are going into not only the information system, but the, the organization as a.
Meaning it's not just the actual system that you're locking down and putting, you know, very complex passwords or making sure it has audit logs or making sure there's a, a whole space firewall on it and stuff like that. And anti-virus, and all those are all security controls that you're probably familiar with.
If you've ever done any of those things, guess what you you've done cybersecurity, and you need to put it in your resume. So in this book, what I'm gonna do is tell you not only what keyword to put in there and where to find those keyword, but also how to word it, how to word it and explain how you, how you participated, how you conducted and enabled configurations for security controls.
In secure, in in security compliance, I'm very familiar with all of the rules and all the security controls and one of the actual compliance. frameworks that I use is N 800, but there's many others. There's HIPAA. There's PCI compliance. There's some of 'em are just laws that kind of briefly explain what you can and can't do.
Some of 'em are in very great detail, like N 801 of 'em is called a CIS security control. So I use that one as an example in my book, cuz it's just a perfect it's it's perfect for what I'm trying to show you because N 800 is just, has it has over a thousand controls so that one wouldn't be, it wouldn't be right for this particular book.
Like if I I'm writing a spec, a book about that one or I'm breaking it down differently. And I actually have written, written a book on that one already, but I'm, I'm writing another, a whole series of books just on this 800 and how you can use it practically. But for the purposes of getting your work experience in what I do is I tell you, okay, here's how you put it in.
Here's the format you use. That's going to help you. To get your resume in front of more people, it's called an ATS style resume. Here's how, here's how the date should look. Here's how it should look when you put your position in here's how all of that stuff's in here. But more importantly, what I do is, and there's some misspellings in here because I have, I've gotta edit it and I'm actually working on that now, but just kind of took a breather and, and took a break so I can show you guys what I'm doing here.
So what I wanna show you that's important is let me see, I'm getting down. Oh, here it is right here. So here, if you could see my screen, these are all the controls that, that are in the CIS security, critical security controls. This is also known as the sand. Sand's top best practice best security practices.
But these controls explain all the things that an organization needs to have in order to secure their system. If you've done any of these things as an it professional in your profession, any whatever profession you're in profession, you're in, you've done these things. You have done security and you need to put it on your resume.
You need to put it up front in your resume. So let me just go through a couple here to give you an example. So I'll pick a couple here. One is here's what's a good one. Let me see if you've done. Okay. Here's here's a good one. Here's a couple good ones. One is email. Well, we'll start with audit logs.
I like that one audit log management. If you've ever turn enabled audit logs, for example, if you've ever monitored audit logs, if you've ever. For EV any reason had to analyze the O audit logs. That's a security, that's a cybersecurity thing you gotta put on your resume. And audit logs. If you didn't know another name for it is event, event, viewer event logs, you know, different systems call it like slightly different names, but it's all, it means the same things.
It's the logs that are in the back end of the system. That's telling you if the system is shut down or if somebody is if somebody is attempted to log into the system, but it was logged in, in unsuccessfully or, or successfully or whatever those are logs, audit logs. Another thing we'll talk about is EV email and browser protections, email and browsers is probably one of the biggest threat vectors or biggest ways that, that attackers adversaries can actually infiltrate an organization.
Cuz email, think about it, fishing. Like when somebody sends a fake email with a clickable link and then, then somebody who doesn't know any better, they click on that link. And it takes into a malicious site that malicious site downloads something to their system. Yeah, that's, that's one of the main ways right now that's happening that that sites and organizations are getting infiltrated and web browser protection.
That's another one, everybody interfaces with the internet. Most of the 99% of their interactions with the internet is through a browser. So it's important that that browser is up to date. It's important that it has any extensions. Those are approved in extensions, things like that. Malware defense. That's another one.
This is like making sure you have anti-virus. So let me show you, how do you word these on your resume? How would you go about wording? So what I did was I broke each one of these sections down to explain how you word these on your resume. So let's go to the ones we just talked about. We'll go audit, audit, log, manage.
So what, first of all, explain what it is. Audit log management audit logs are gathered on servers, end user systems routers, and other systems to prevent to detect, prevent and understand possible security incidents on the enterprise. That's what they're for. It's not just for security. It's actually for maintenance as well.
So how could we word this? So one of the things we could say is that you ensured that audit logs were enabled in a mixed mode environment. Mixed mode means like you didn't have just windows, you had Mac and you had Linux or whatever. And you allowed detection of threats against assets against assets in cybersecurity.
Okay. This one, I, I have to reword this one. I did reword that one. So in my, my next draft, but let me, let me just give you another example. Conducted security, audit, log, an analysis to detect anomalies or. Abnormal events that might match adversarial tactics, techniques, and procedures that are in the Mir attack framework.
And the reason why I put these together, this, this sentence is, is very tactical because I put a whole bunch of keywords in here. They wanna see that, you know, the Mir attack framework. If you don't know what it is, go look it up. It's, it's really important to cyber threat intelligence. Whenever you do cyber threat intelligence, it's like a breakdown of different types of attacks.
And I'm sure most of these you'll be familiar with like, how do people infiltrate a, a network via a Trojan, a Trojan horse? How do they, how do they actually infiltrate? Mir talks about things like that. Mir talks about cross side scripting, Mir talks about escalation of privileges. It breaks all these things down and kind of gives, gives you an idea of the path that an attacker and adversary takes to get into a, a network.
And you use the terminology to, to. basically establish a pattern when, and this is really good for writing reports. It's really good for your resume. It's really good for articulating what kinds of threats and what kind of vulnerabilities you have to avoid within your organization? So this is a really good key word, and I see it all over things like if you're going for a cyber security analyst, Mighter you, you need to have that on your resume.
And then audit log analysis. This is another key word. So you can see that what I'm doing is I'm talking about, I'm given the action of what you did pertaining to cyber security. So if you've done it more than likely you you've done something with audit locks, you have to articulate that. So I give you several different examples here of how you can articulate and how you, how you can word your the, the bullets on your resume.
And I apologize for this. This is like a rough draft. I'm actually, I have another updated one that I I'm working on. On my other computer. So let me show you another one. And here's another one right here. This one doesn't even have bullets on it. This is showing you how I'm literally working on this as we speak.
So bear with me here. Let me just put some bullets on it. So it's clear to, to read. Okay. So this one is CI CIS control nine email and web browser protections. What is it? So it's protection of email and web browsers. And, and this has everything to do. What we talked about earlier, which is making sure that users are educated on things like social engineering.
What is it? How do you avoid suspicious emails and clicking and opening up things that you shouldn't open? Well, how do you put this on your resume? Cause more than likely you, if you've done it for some time, you have done something with this. Now keep in mind if you haven't done this before and you're trying to get into it.
If you're trying to get into cyber security, this is a great opportunity for you to. What you need to what experiences that you need to have, what things you need to study, because this is the kind of thing that employers are actually looking for. So let's just go through a couple of these. So one is updated signatures on enterprise antivirus software for proactive protection of 1500 endpoint devices and servers on the land.
So we've got a couple of really good keyword here. We're talking about anti-virus software, we're talking, we gave an, an impact. Now this is another thing you use numbers to establish the impact to your actions. Cuz it's one thing to have an action, but it's a whole another to actually show the impact of what you did so that the employer, when they're reading your resume, they're like, okay, this guy does know how to do antivirus, but wow.
They did 1500 InPoint devices. Okay, this person really knows what they're talking about. And another step you can do is actually name the actual software that you used. That's also a great tactic. Because a lot of times, like what I've noticed in right now, I'm, I'm actually interviewing for jobs and stuff and they keep asking me specifically, do you know semantic endpoint protection, because that was on my resume to keep asking about it and have I implemented it?
Have I maintained it? Have I configured it, all those kinds of questions. So you can name the actual anti-virus enterprise antivirus that you actually use, whether it's Soho or if it's semantic or, or, or AFF or whatever it is, you can name it. So that they'll know which one you're using. And that becomes a key word as well.
Let's see here set up DLP technologies like Proofpoint email. See this one. I'm I'm mentioning it. DLP and C a S B Microsoft information protection MI Microsoft security, suite defender. So I'm naming a whole bunch of, of, of, of tools here. Tools are also a are also a key word. So that's something that you should also mention on there.
Okay. Let's keep going. There's a couple of other ones here, but let's go to the last one here. Malware defense. Now this is most people who are in it have done this before. So if you've done this, you've gotta mention it on your resume. You've gotta put these security features. Anytime you've interacted with a security control, you have to put it on your resume.
Otherwise, the employer is not gonna know if what you've done. So, this is one of the main ones, and this is, most people have done this. If you've done it, you've put in, you've updated the antivirus software. You've, you've updated the signatures of the antivirus software. You've removed antivirus on there.
So you've gotta put it on your resume. And this one actually on my, I didn't actually put the, the breakdown of the, of bullets here, but it's on my, this will be in the book. So just stay tuned for this. I just, the reason why I decided to do this book, I took a, a kind of a respite from the risk management framework series because people kept asking me the same questions, the same questions over and over and over again about like, Hey Bruce, what do I put on my resume?
Like what, what do I, how can I get in? I've been doing this for 15 years. I'm working in a job. That's not, I'm not getting paid a lot, but I've been, I have 15 years of experience. And why am I not able to get six figures? Why am I not able to get a better. And then I look at their resume and they're not really talking about cyber security and I'm like, you wanna get a cyber security job, but you didn't mention cyber security on your resume.
And I'm like, you gotta put it on your resume. So they'll send me their resume. I'll take a look at it. And there's nothing on there that talks about cyber. So what I'll do is I'll just put it in some keyword and I'll say, look, this is the kind of stuff you have to do. And now I'm trying to put a book form where I can just give it, basically give it it away, cuz it's gonna be a pretty cheap book.
It's not gonna be expensive, but it's gonna help a lot of people out. So that's kind of what I'm going with this. And I'll I'll let me see if I can answer a couple questions here. I see a couple people join me. Thanks for watching. I appreciate you guys. I know this is not the normal time that I do this smooth virus says 1500 more like 150,000 yeah.
True. True. True. Okay. So let me, let me go to, I had some stuff open here. If it didn't crash on me. We have some questions. Let me see if I'll just answer like one or two. I won't to keep you guys too long here. And this'll, this'll actually be an audio file. If, if you didn't know, I have a, if you go to pod bean, right?
If you go to pod bean combo courses dot pod bean, that's where my actual podcast is, and I've been putting 'em out daily. So go ahead and check that out. There's a whole bunch of 'em that I, that I I hadn't released. So I've been releasing those ones in podcast. Let's see. Let me see if I can answer some relevant questions here.
Okay. Somebody saw, talked about the, the key challenge. I don't know if you guys knew this, but there's something's going on where people are stealing Kias using a USB cable Kia's in Hyundais, Hondas. I believe of a certain type it's called the Kia challenge. Look that up. It's pretty, especially if you have a Kia high Hyundai is what it is.
Kia or hi Hyundai. Let me see, see if I can answer some more questions here. It's mostly about the Kia challenge. Somebody asked me about my book. I probably need to respond to that one. Whoa. Okay. That should have been blocked. Okay. I'm gonna go to TikTok. Let's see if there's some questions here lately.
I've been getting a lot of questions on TikTok. And so I answer these one at a time directly usually, but let me see if I can answer at least one. Could I get into cyber security with just one year of help desk and one of these certs? Absolutely. You can. This is exactly what I'm talking about. So if you, if you have, if you've been on the help desk for a year, more than likely you have done cyber security.
So that's that's, this is exactly what I'm talking about. You have done cyber security before you just have to put it on your resume. If you put it on your resume you, you will. You will get hits. You will get people contacting you about this. And that's what this book is all about. Let me see if I can bring that up again.
Nine, which one? Which version? Okay. I've got so many. That's one. I write, I have a whole bunch of versions. I have a whole bunch of versions of my book where I'm, I'm constantly updating, updating the book and stuff. So let's see set up marketing. I tell you how to market. Once you create an awesome resume with loaded, with keywords and, and lots of action and impact statements, I show you how to market it.
And this is something that's been working for me for many, many years. I've been using the same thing. And what I didn't know that I was doing right is I was using the correct format for my resume. I didn't know until recently it's called ATS style resume, and it looks a little bit like this it's very plain.
It doesn't have any kind of, and that's the thing. My, I had a ugly resume. It's ugly and there's misspellings in my resume. somebody point I was in an interview and somebody pointed that out to me and said, Hey, you know that you have some misspellings here. And they were like, I don't care about that. But you, you know, you might want to fix that.
I was like, wow. And I still got that job by the way. It's crazy. Right. And it's because my resume's dope. My resume's really good. It's it's loader we keyword. It's it's highlighting all the security stuff I've done. This is what an ATS style resume looks like. It's just plain. It's just like, so this is what you'll do.
If you are help desk, you've been doing it for one year. You, you have to put ATS style, resume on your cyber security resume. And then you've gotta mention all the times you've done cyber security. You can't just talk about in uploading or installing windows. It's gotta be what security patches did you put on that windows device?
How did you help the organization reduce the risk? Stuff like that. And this is stuff that when you're in the weeds, when you're on the help desk, when you're, you're a system admin, when you are firewall, even firewall guys, sometimes they're not seeing the big picture of what's going on, which, which is making sure the security posture of the organization remains at a certain level, right?
They're not seeing the big picture, but you gotta put that big picture on your resume. And the way that you can pinpoint that is look at the actual security. Look at the actual security controls, the best practices, the CIS controls is one that's only one you could do PC. You could look at PCI, they have a breakdown of all the security controls, and they look very much, very, very similar to CIS N 800 is really exhaustive and it goes into super great detail and stuff.
You, you can also use those too. This one I found is like one of the best breakdowns, because it just gets right to the point there's only eight 18 controls, security controls in the CIS version eight. I think, I think version seven, the previous version has like 22 controls E either way. It's covering the same ground, all the best security practices.
And that's the stuff you gotta put in your resume. I'm gonna do another actual TikTok of this, where I break this down. And so, so we'll, we'll cover that in greater detail. Bark says I've got lots of work to do on my fed resume. Yeah, man, like this kind of stuff right here is what you wanna make sure you put on there, this kind of stuff right here, these things, if you've done any of these things, you gotta put it on your resume.
and my, my new book is gonna break down, like how you word it for each one of these controls. If you've done this before, give you an idea, like, okay, have I configured data recovery systems? Have I done that before? How do I word that in an, in an impactful way that shows that not only have I done it, but I impacted this organization, I helped them with their security bar says, by the way got your, your RMF book.
Was there a part one? There's a part one and a part two to the RMF books. So let me see if I can bring that up. The RMF book has a part one and a part two, and I'm actually working on a part three, but that's gonna, that, one's gonna take me a little longer, cuz it's, it's talking about SCA or security control assessments.
Let me show you. Okay. I'm gonna show you on two different platforms. I'm gonna show you on audible and then I'll also show you, cuz I've got an audible version of it. If you happen to be driving on your commute, you can actually just listen to it. Or if you happen to be jogging or something, listen to it.
If you wanna know more about risk management framework and the controls and how it's broken down and stuff like that. The other one is Amazon. Let me show you. So if you go to Amazon or you go to audible and you type in just R M F I I S S O and you will find my book, both books. R M F I S S O. Okay.
Let me just show you here. What I'm talking about here. It is an audible. You can listen to it right now. If you like. The one, the first one is very short. It's only like an hour long. It's a guide. It's an overview. Like if you were like wondering, like what is missed 800. If you are crazy enough to like, say, what is N 800?
Like this breaks it down in one hour, I break down like what, not only what is, is it is, but how do you actually implement it? How do you as an information system, security officer, I'm hidden it from that perspective, how you actually, how you actually implement it as a, a cyber security person. And then the next book goes into greater detail about the controls.
And what I do is I talk about like, here's, here's the controls and here's what you do in with each one of the control families. I don't, there's a thousand controls, so I don't go in all thousand controls. That'd be a super boring book. I also use practical. Things that have actually happened to me in each one of those families, not just happened to me, but happen to people.
I know things that are going, like I mentioned, the, the I don't know if you guys remember the, the colonial pipeline, where does that fit in with the risk management framework? Where does that fit in with security controls? I use real world example. So you can get an exam, a, an idea of what that control family really means.
So that that's the two books right there. One's four hours long. The second book is four hours long. So I, I think it's a really good, a really good book. I, I haven't seen anybody write it like that before. So where you are using practical stuff, and I'm kind of doing the same thing with the SCA book, the SSEA book, the SA book is going a lot deeper than I wanted.
I, it's kind of like when you write, sometimes the book goes in its own direction and that's kind of what's happening with SCA. It's just getting way longer than I thought I was gonna get. I'm trying to, I gotta chop it down a little bit. Let's see. Bruce helped me. Land a federal contract job in cyber security management, man, smooth, smooth virus.
I is, is the man. this person I know. I know personally. So the advice he gives you does work, man. It really, really does work. And I only, I only mention it because I've been doing it for years. It's, it's the same tactic I've been using for years. And I, I constantly get work. I'm never, I, I don't have to worry about not having a job because I use this technique and I'm con sometimes I gotta turn the tap off.
Right. I turn it on. And it's like a flood of all of these different opportunities. And I gotta turn it off. I gotta turn the taps off. So it stops. And right now I'm, I'm going through that process right now. And it's something else I'm not actually doing background checks and stuff with a job that I, that I got chosen for bar says, awesome.
I have a good state level. Experience, but but new to fed. Oh, okay. That's great, man. That fits right. That fits right into the state federal stuff. It it's kind of goes hand in hand with, I, I believe state uses N right. Well, some states use the, the N 800 framework. So you'll, if, if that's the case you'll fit, right, right.
In there, federal stuff does, does things a little bit different is a lot more details. I, and then smooth virus says I can't get them to stop emailing me. exactly. Exactly. It's crazy. It's crazy. You gotta make sure all of your like monsters, you gotta be turned off, like make the, make your resume invisible.
You've gotta turn off. But what happens is, so what happens? Smooth virus is that the, it works so effectively. He's talking about the, this, this method that I have, it works so effectively because, because when you, when you put the resume into their database, it stays there. it stays in their database for years.
I got people calling me from a resume that went into their database five years, literally five years ago. And they contact me and say, Hey, are you on the market? Like your resume fits this job that just opened up with Boeing or with, with whoever, right. All of these different companies. And they're calling me from five, my resume's five years old in their database.
And sometimes they're like, nah, that's my old resume. Like, here's my new one. Like, here's, here's an updated resume. It really works. Like this technique really, really works. So if you, if you're like really looking for a job you're really trying to level up, then then you should be looking out for this book cuz it's coming soon.
It's coming within the next 30 days for sure. And then I'll have a follow up book where I break down something called a nice cyber security workforce where I break down each category. If you're trying to level up from one. Category to another, or if you're from it and you want to target a specific genre of cyber security, cuz there's many different kinds, then, then that's gonna be the second book.
And that one, I should be able to knock out pretty fast. I hope. And then I'm thinking about a third book in that series where I'm talking about either remote work, cuz I've been able to remote work remotely for, for over six years now. And then I'm thinking about doing one for entry level, cuz I get a lot of questions on that one as well.
So those books are incoming. First book in the series is gonna be called cyber security jobs resume marketing, and that one's coming real soon and, and it really, really works. It's all about finding patterns, finding patterns and exploiting those patterns and putting that on your resume. It it's like you're hacking, it's like you're hacking the entire system to make sure that your stuff rises to the top every time.
And it's really, really been working for me. Okay. There's a conversation happening here. Let me see. He says, bar says he's, he's got he's in Virginia and he's got a CI S P with 18 years of experience. Holy crap, man. You're about to make some money. If you got the, the CI S P or golden. Absolutely.
That's true. Let me see. And he says yeah, I would, if I would, yeah, you'd get around 200,000 or more in, in in Virginia area. Virginia pays really good, especially if you've got a, if you've got Virginia, Maryland, DC, that area, the DMV area, DC, Virginia, Maryland, D D DC, Maryland, Virginia D DMV. Yeah. so much anyway, so that area pays really good.
There's so many jobs in that area pays, pays really, really well. and because there's just so much competition. They they're, they're the ones getting most of the government contracts and it's because there's three level, all the three letter agencies have their headquarters there. NSA, FBI, CIA, all of those.
And some, some other ones DIA and all, all these other ones have it's like the hub of everything. Then you've got the senates there. You know, the Congress is there. You've got the white house. Is there everything is there. So there's all these contractors and subcontractors and there's just this, so many cyber security jobs there.
So, so man, it's crazy. Okay. I got a lot of people. Wow. I got a lot of people watching me right now. Mike VI, how you doing bark? I've got a smooth virus. I've got. Lu Ludwig. Hey, thanks guys. Thanks for watching. I appreciate everybody. And if you guys didn't know if you're caught catching this late, what I'm doing is I'm talking about another book that I'm, that I'm putting out real soon, you're looking at like the rough draft, this isn't E doesn't even have the, the actual right name here, but it's gonna be cyber security jobs, resume marketing.
And this one is gonna break down how you can level up using these proven techniques I've been using for many, many years. And as a matter of fact, people there's people watching me right now who use this technique that I've directly told them how to do it, or they took my course and they did it. And now they're working remotely working where they wanna work, making the kind of money they wanna make.
And that's what I'm trying to help people to do to. Make a whole bunch of mini Bruces out there. So you can, you guys can reap the rewards and the benefits of cyber security that I have over all of these years and not have to worry about the recession or people saying the economy's gonna collapse or whatever, cuz no matter what happens, cyber security is necessary because all of us are relying more and more on information technology.
And the more we rely on it, the more heavily rely we rely on it. The more protection is needed for your, your personally identifiable information, your private information, more more protection on your social security numbers, your banking information, your healthcare information, you name it. Every industry needs cyber security.
So the, the right now, as a matter of fact, there's something like 700,000 jobs that are positions that are need be, need to be filled. That are in the government space alone. So yeah, I'm telling you like it, this is a hot, this is a perfect opportunity to strike while they really need more people.
There's been a huge vacuum of people that have retired gotten outta this career field. A lot of boomers are getting out because they're, you know, they're 60 plus they're kind of getting, getting out, going retiring and stuff. So now there's this huge vacuum of people who are come, who need to come in fresh blood is needed to, to make this system work.
Mike bill says I'm in school doing cyber security and cloud. That's awesome. Mike, I would, I would highly suggest getting a cloud certification. The AWS cloud practitioner is a really good one. I would come outta school with that. And then. As much as you can, Mike, if you can get some kind of experience under your belt while you're in school, that would be awesome.
Get some sort of experience so that when you, you are already starting to fix your resume up, right. And the things that you need to do, the kind of stuff they wanna see on your resume. I mentioned in this book I break it down like how they wanna, how they wanna see it and all that kind of stuff. It's these controls because the name of the game was cyber security.
It's all about it's all about implementation of cyber, of cyber security controls, and actually physical controls and management controls. It's actually quite a bit of different types of controls that you can, if you've ever done an example, like to, just to give you an umbrella of like what kind of controls that they wanna see, not just technical controls, not just firewalls, not just audit logs, but it's also physical.
If you've ever done a physical security control assessment, that's one. If you've ever done a wireless scan, that's one, if you've ever done inventory on a network and, and made sure that the organization has a baseline of, of all of their software and hardware, that's the first two right here. The first two are inventory.
You wouldn't think this is a security control, right? But if you've ever taken accountability of all the assets, assets, meaning their computers, their servers, their workstations, their laptops, their phones, and made an inventory, a list, and you've maintained it in a database or whatever, whatever have you.
If you've done that before, that's actually a cyber security controls. So you gotta put that on your resume. And before you get outta school outta school, Mike, if you can try to get work, I'm working in the college as a as a front desk. That's awesome. If you can get some cyber security under your belt, some kind of, if you help them to.
For example, update their viruses, definitions, like say you, you have a desktop right in front of you. You help 'em to upload their virus definitions, put that on your resume because you can literally name the school and say I updated, you know, X amount of systems with the, or I've I up updated a critical system with the most current signature for McAfee, antivirus, whatever.
Like you could put that on your resume, start building your resume before you even get outta school. Because the most important thing when you get out is gonna be your experience. Yeah. Your degree is great. Like you have a bachelor's degree, especially if you have cloud experience, another thing, build a cloud server before you get out and that's something you don't even need the school for.
You can build a cloud server and get ans practitioner cloud practitioner certification, and you put that on your resume. If you can help the school do any kind of cloud stuff, put that on your resume. I'm in the CCDC team. Yeah, man. That's awesome. What, what does that stand for? CCD C's team is that computer department?
What, what does that stand for? Okay. Somebody says, how can I work as an ISSO without a clearance? So O Omo. So there are jobs and back me up. If you guys know what I'm talking about here, there are some is so jobs without security clearances, but they're, they're rare. And I personally have worked a couple a job, actually, right now I'm interviewing for a job where I already interviewed for it.
I got the job. I'm just doing background check, but there's clearances that are not security clearances. I mean, not secret clearances or not Ts S E I clearances. There's one called the public trust. Public trust is like a lower level a lower level security clearance. So. You, you, you know, you, there are jobs where the is, so doesn't have to have a security clearance, but there's also jobs where the is.
So can have a public trust, which is not as high level as a, a secret clearance or a Ts S sci, and it's way cheaper for them to do that particular type of clearance where they'll bring you in and, and they'll give you that public trust clearance. That's another thing. Another thing is that when you get into those jobs, what they'll do is sometimes they'll pay for your, your SS B I, your background check.
And then you can take that background, check to the next job, your clearance to your next job, and then you get paid a little bit more. It's national collegiate cyber defense competition. That's awesome. Put that on your resume. Put that on your resume. Is do as much as you can, before you get out, you probably give a, get a job before you even get out.
If you start right now, Mike, if you, if you, let me tell you something right now, you can put, you can list the credits that you already have from your degree on your resume. Right? Then you can put that you're on the national collegiate cyber defense competition, and then the accomplished event that you guys have done any kind of any time, you've helped them with their help desk issues, troubleshooting, adding updating patches that kind of thing.
Put that on your resume. It's just a matter of wording it properly, put that on your resume and then put that resume up on LinkedIn. Now it's not gonna have a lot on it because you're just now getting into this field, but I guarantee you, if you put that on monster on dice on LinkedIn and at least 10 other sites, As you're building your resume, you will get contacted.
You could have a job before you even leave the college. You hell it might even be so good that you say, Hey, you know what? I'll come back to college. I'll finish this later. I'm and I'm being completely serious. You'll get offers if you actually do what I just told you. Let me see. Okay. Focusing on the third risk management jobs, I'm focusing on the third party risk management jobs since I have no clearance.
Okay. Is that pretty good? Sounds like that's pretty good money. Like risk management job, third party, risk management job. You could still get security security control assessment jobs, and those pay really good if you're doing like third party risk, risk assessments and stuff like that. That, that, that could do too really good.
Now, om old, if you don't mind me asking, why don't you have a clearance? Is it, are you not eligible to get a clearance? Are you not a citizen? Because I know that. In order to be eligible, to get certain clearances, you have to be a you have to be a us citizen for certain clearances. And I don't, I think public trust, you don't need a clearance, but I could be wrong.
I mean, you don't what I'm saying. So I think for public trust, you don't need to be eligible. You don't have to be a a, a us citizen, I believe, but I could be wrong about that. Let me see. Okay. And then smooth job, smooth virus, just, he confirmed what I said. I'm completing my bachelor's degree now.
I got the job, even though I'm not done yet. Exact. That's exactly what I'm saying. Like one time I give you another example, Mike, when I I got outta the military, I had experience doing the work, but I didn't have all the requirements. I had a degree, but I didn't have, I didn't have a I didn't have the CISs P yet, but because I had the experience.
they said, Hey, you know, I sat with, through the interview, they love me. And they're like, listen, we want to take you. But only thing is this job requires a CI SS. P can you get a CI S S P within a year? I said, I said, yeah. And they said, we'll, we'll, we're gonna send you to a bootcamp. So you can get this, this certification and we'll pay for the certification, but you gotta get it within a year.
I said, yes, I'll do it. So there's flexibility. Like, even while you're in school, if you start to build your resume and market yourself, like I just told you, you can start getting a job. You could actually get a part-time job, making really good money in it and cyber security while you're finishing your degree.
And actually the company, a lot of times, they want you to finish that degree cuz soon as you, you you're done with it. They'll be like, okay, you're a supervisor. Okay. We gotta pay you more. We're gonna put you over here. They'll do that from time to time because they really need people who, who know what they're doing.
They really need people who, who are willing to work and do this and level up. Let me see. Almost says I'm a citizen, man. Then what is happening? Why don't you Somo? Like if you're looking for security clearance then what you could do, one of the things you can do is especially if you live in the east, on the east coast, they have a lot of jobs that require security clearance.
If you have a skill set, you said you, you work as a risk management framework person, third party, but you don't have a clearance. You could get a job, even if it pays a little bit less, right? And, but they're willing to pay for your clearance. Listen, it will be worth your time to work there for about six months, work there for about six months, have them get your clearance take as long as it needs for them to get you a clearance and then bounce, roll out and go to another place and be like, Hey, I got my clearance.
And by the way, I'm a risk management framework person. They'll pay you more money. Like you'll. They'll pay you more my hell after you get the clearance, they might even, they might even update you. They might even pay you more. It says I'm doing things backwards too. I'm in the healthcare and got a security plus and plan on going to get my master's in cyber security.
That's awesome, man. Like healthcare has so many great so many great opportunities because there's just such a huge need for healthcare professionals. People who are well versed in the healthcare industry to be cyber security or it people right now. And I can just give you one example of what I'm talking about.
Like it's, it's so crazy right now. Let me just show you what I'm talking about. Here's my book right now. If you guys, my book's right there. If you guys are trying to learn risk management framework, it's those stuff it's blowing up. Let me see. So let me, let me just take you to this site. This is a DISA site.
I'm gonna take you into a DISA dot mill site. Now you might be wondering, like, what does that have to do with healthcare? I'm about to show you, this is how crazy healthcare is. So I just typed in DISA a dot mill at 81 40. So let me just show you to this site. So 81, 40 and 85 85 70 is like it's like a breakdown of all the approved certifications that the department of defense and by proxy, some of the federal government actually uses to say, okay, these are approved certifications.
So what I wanted to show you is this right here. See this right here. What's that say? You see that this is on the approved list. This is an IAM level two. I am level two means information assurance manager level two, which means it's it's, it's a fancy word for information security or Infor or cyber security for information security.
Manage management and it has H, C I S S C H C I S P P. And I don't know if you've ever heard of this certification, but let me, let me show you something here. So if you type in this particular certification, I happen to know that this one specifically for healthcare and it's coming from the ISC two squared ISC, two squared is the top organization, arguably the top organization for security certifications because they, these are the guys who do the C I S S P.
Now they have one called the H C I S P P, which is for healthcare security certifications. I mean, professionals. And it break. Let me show you the breakdown of this. Like, if you didn't know about this one, this is this, one's hot, this one's hot, especially if you're in the healthcare industry. So this is the kind of stuff that's on that they expect you to know as a H H C I S P P.
and it's H H C I S P P is ideal for information security professionals charged with guarding protecting healthcare information. P H I protected healthcare. He protected health information, including those in the following positions. So if you happen to be in a compliance officer, information, security, privacy, officer, risk analysis analysis analyst hi health information manager.
If you do any of these things, they're saying, Hey, this is good for you. And see, it's listed right up here with the, with all the big boys, all these CI S S P and the cap and all these other ones. I didn't know about that. Thanks for sharing. Yeah, this is a, this is a really, really good one. Now, recently, if you happen to be entry level, this might be for Mike right here.
Entry level, the CI the ISE two square recently created this one right here. This is exciting. I think this one's gonna be listed on that approved list. It's the entry level certification for cyber security people, which is, which is crazy. They're trying to compete with security plus I think, but yeah, anyway, back to our subject.
So we're talking about this one though. So this is CRA, this is crazy. So you just recently added this to that department of defenses, the list of certifications. That means this certification is about the blow up. A lot of that means a lot of contractors, a lot of recruiters, a lot of HR departments are gonna start listing this as a requirement at major healthcare facilities, so that you have this certification, you get this, something like this under your belt.
And the thing is if you've been doing this and the healthcare field for some time, You might, you might just blow this test out of the water and then they have a breakdown of topics. So you gotta, I think you have to give them your, your information. They'll send this to you and, and you'll have their newsletter or whatever, but they have a breakdown of the domains, which I'd be interested in to see this right here.
Oh, here it is right here. Okay. Sneak peek at the domains. Here's the chapters. Third party, risk management, introduction of healthcare industry governance, legal risk compliance. Yeah, really cool stuff. Really cool stuff. It's they're saying it's already ranking in 39th among security clearances. I don't know about that, but that came from certification magazine.
Okay.
Yeah. So that's, that's really good stuff. Exciting times if you happen to be in this field. It hasn't always been like this. It's it's really hot right now. There's so many, there's so many job opportunities. And I just want to show you guys this this little before I let you go. There's so many jobs that they're looking for recently.
This is from July 1st, 2021 of last year, all the way till now this is from July 29th. The white house is pushing to fill 700 700. This is real. They're pushing to fill 700,000 jobs in cyber security in the United States. And what they're doing to do this is they're getting with all kinds of all kinds of private and public and nonprofit organizations to, to teach this.
That's how they have a whole bunch of free courses out there. They've got a bunch of, of, of organizations that are trying to get entry level people in cyber security. Like I believe Booz Allen Hamilton did it. And they go really fast. Like as soon as they list that job, it just, they jobs just start going really fast.
So the 700,000 job thing is real. Yeah, this is real, man. This is, this is coming directly from the, the, the white house, like the white house at a summit lack last month where they said there's 700,000 cyber security jobs we wanna fill across. I think what they mean not is not just the federal government.
I was, I think I misspoke with that. I think they mean throughout the United States, there's 700,000 jobs. And the reason why is cuz there's heightened, there's a lot of stuff going on behind the scenes. Like governments are starting to attack each other. There's a huge cyber war going on right now. And so that's why you're hearing about all these leaks and all of these.
All of these hacks and stuff, because a lot of companies and a lot of banks and a lot of healthcare industry facilities and stuff, they don't really have appropriate. They don't have appropriate security measures and what's happening is they're, they're soft targets. And and they're going to these hackers.
There's there's criminal gangs. There's some that are backed by, by government state state governments. There's some that are backed by you name it, criminal organizations, just that you're just trying to get money, whatever it's a free for all right now. And there's, and we are, the us is the biggest target because they're the ones holding all the money right now.
So, you know, they'll go off to a bank cuz they know a they know what the healthcare industry will pay. Like if they get you, did you hear about the one in LA? Like the LA school district? Somebody tried good on LA school district. They, they were able to they were able to protect themselves, but yeah, some, some hacker group went after LA school district.
Let me see if I can find that one.
Let me see if I could find that one. This is crazy. So yeah, the, they, somebody went after hackers target Los Angeles school district with a ransomware attack. They tried to get 'em on a ransomware attack. This was recent. This was like yesterday or something. Yeah. Look at this. September 10th. Yeah. Okay. So four days ago, hackers target Los Angeles school district with ransomware attack.
And luckily the, the school district was prepared for it. This is kind, this is what's happening. This is what's happening across the board because we're, so we've got so many soft targets and It's just, it's, it's sad to see, but that's why there's so many job openings for cyber security. And the white house is pushing this huge initiative to you know, to get more people, cyber security analysts, information system, security officers even, even things like program managers.
They probably lump those, those people in there program managers are super critical to, to doing things like security and engineering. So they are part of our team. Let me see, basle says, I'm looking to get into this field. Can you let me know what I could study or brush up brush up with? Okay.
So here's, here's what I, here's one of the things that I show how to that I would suggest. Okay. And this is just my 2 cents. Like some, there's some gurus out there who are, will tell you something totally different. , this is the first certification that I got from CompTIA. CompTIA has one of the best curriculums out there.
Some people really hate this certification, but you know, the market doesn't, if you have the certification, you can get hired somewhere so people can hate on it all. They want just like ch people hate on ch, but you know what? That will pay you. And this one, if you're an entry level, this is where you can start.
And so one thing you should know is that certifications, you can't just get a certification and magically get a job. Okay? It's not, that's not how it works. Like you can't, if you've never done any it work before you gotta put the work in to learn the material. But what I'm saying to you is that even though these these, these certifications are made to validate the skillset and knowledge that you already know, or the experience you already have, you can use it as a curriculum to learn.
And, and that will get your foot in the door. Now don't focus on the prize so much as the process itself, the process of learning this material in such a way that you can level up and start to actually do this work and, and get yourself an entry level position that doesn't require all of these different high level requirements.
So you go through this and you go through the curriculum of this, and it's gonna show you things like hardware, operating systems, how they work, software troubleshooting, network, networking, troubleshooting, security, virtualization, a little bit about cloud stuff, mobile devices. Those are kinds of the things that you're gonna see on this test.
But bef like before you take the test, you want to actually go read the book, break it down. Learn about it, put it on your computer. You can use VMware to learn it on your own. Like you could have a virtual environment right here, right on your computer. You can set up networks in your house. What, what I did when I first started doing this, I would build computers.
I would, I would buy the components, build the computer, cuz it gets you exposure to the hardware and let you know how the software works with the hardware with hands on experience, nothing beats hands on hand on hands on experience. So if you can get virtual virtual networks from things like GNS three, that's another thing you can use once you get this certification.
Like what you wanna do is study there's. This is two tests. This is not an easy test by the way. Now, if you're not very proficient, if you're not very savvy on on computer stuff, what you can do is go comp tia.org and go to ITF ITF. Plus, if you wanna, this will tell you whether or not you should even take.
Any of this, like you, whether you not, you wanna do this, a lot of people chase that money, chase the stability of it. So you, you might not even wanna do this. You know what I mean? Like this right here kind of dips your toe in the waters of it. So when I keep you probably I think it, Bruce, I don't care about it.
I wanna do cyber security. I know, I know. I know. I understand. But I, cyber security is stands on the . You have to know it before you get into cybersecurity. I, it, cyber security. Is it information technology? All we're doing is it's. It's like one it's cybersecurity is multidisciplinary. All right. So for cybersecurity, You're you're expected to already know information technology that's basic computer stuff, hardware, software troubleshooting, things like that.
So this something like this is an entry level. That's gonna tell you the terminology, the basics of information technology, how it works before you get into the hardware hardcore stuff, which is a plus certification. A plus certification is, is actually no joke. It's it it's, especially if it's your first certification, it's not easy.
So it was my first one and it wasn't easy for me. So it was not easy cuz you have to learn all the terminology and they're just throwing all the stuff at you and stuff. So like now if I went back to it, I'd be like, okay, I know this. Yeah, I know this, I know this, but if you're coming on there cold, a plus is not an easy certification to take cold.
It's not easy to take cold. It's so much terminology that you have to learn. So. After you take, let's say you, you got, you went through all this curriculum. You listened to Bruce's live and you like, man, this guy knows what you're talking about. I'm gonna go ahead and study for a plus. You got a book, you broke down the book, you took notes on it.
You took the test, you passed it. Another thing you could do, I'm just gonna tell you three different search. You should do that. I recommend there's another one called Google. This is, if you don't know, if you don't have a degree, if you Mike is already getting his degree, he's already like he should, he could probably do go straight to professional level search if he wants, because he is about to get a degree he's in UND himself in this world and everything.
But if you happen to have no degree, you're doing us all from scratch. Here's another one you can do. And you can do this one. If you're in college too, it's no big deal, but here's one called the Google support. It certification. The reason why I would recommend this one is because a lot of people are taking this certification with no degree going in.
And, and making and making this kind of salary right here. This is what people are telling me. This is what my users. Now this is anecdotal information. I do not personally have experience with this. This is all new to me. In my experience. You, you can't get into these fields without experience, but I stand corrected cuz several people have contacted me and said, yes, I got this it support certificate and I'm making X amount of dollars.
So this is another one you can do. If you're trying to bypass the degree programs and stuff. I, this is no guarantee that you're gonna get anything. Okay. But I'm just telling you anecdotal information of people contacting me saying I took certification. I'm now making X amount of dollars, not a hundred thousand, but it's pretty good money.
And it's entry level. They're doing entry level work by the way, another certification. Here's the hottest. One of all this one, whether you're in, whether you are in a degree program, whether you are have five years of experience. Whether you have a CIS S P, whether you're coming in off the street, you used to be a sanitation engineer, and now you're doing this.
I recommend every person take this one. Every person, every man, woman, and child dogs, cats living together, all of everybody should take this one. Okay. It's called the eight. If I could type cloud certification practitioner. So there, and let me, I'll just explain why this is, this one's so important. Okay.
And I went to the wrong site here, went to the wrong site. I'm trying to go to actual TMY is a good, good place to actually learn this stuff. I don't teach cloud yet. So TMY is a good place to prac. But anyway, here it is right here. AWS cloud practitioner. This is why this one's so important. Everything is going to cloud.
If you use Google, any Google services you use in cloud, Gmail's using cloud YouTube's using cloud services. All streaming uses cloud Netflix uses cloud everything's on the cloud right now. Everything is on the cloud. And AWS, Amazon is the leader in this. So Amazon's the leader in this. Amazon is killing it.
Like Amazon owns something like 30% of the total market share for a cloud. They, they own most of the government stuff in cloud. They, they they're their only competition really that's that's close is Azure from, went from Microsoft and, and Google Google itself. So this, this certification is not hard and, and everybody should know at least this level of knowledge and here.
And here's the reason why I say this. I just had I'm in the process of getting a new job. Okay. And I, I. L literally hundreds of screeners contacted me and it's just annoying. And I need to turn that crap off. But out of those hundreds of screeners people calling me, you know, really quickly, like it's like a quick interview, not even in interview.
It's like let's see if you qualify for this. Anyway. So out of those hundreds of screeners, I had five interviews. I had five interviews. Two out of those five, I have two that are potential one and one I'm act. I actually, they gave me an offer. They gave me a job offer. I said, yes. And now I'm going through the background process.
I say all this to say, going back to the cloud thing is that out of those five interviews, four of them ask me about cloud. And some of them went pretty deep on. and you gotta know cloud. So if, if you happen to be in an environment where you can learn more cloud stuff, learn it. Because I, I regretful my last job.
They were trying to force cloud down my throat and I didn't wanna do it. And I just kept dragging my feet about, and I wish back looking back. I wish I would've just done it. I wish I just would've at least taken this AWS cloud because they were asking me a lot of cloud questions. And I really didn't know.
I'm really, I really didn't know 'em you gotta learn cloud. So I would. And another thing about this AWS practitioner is that look at this it's a hundred dollars is 90 minutes. How hard does this? This can't be hard is 65 questions, multiple choice. I mean, Pearson peer view. It's this has gotta be easy. And I I'm gonna take this test, period.
I, they, they ask me way too many questions about it. It's getting way too ridiculous. I need to know more about cloud stuff. I need to be able to speak on it. And I was not able to do that. And so four interviewers asked me about freaking cloud stuff and I, and I'm like, damn, like I really should have, got more information on this.
I don't even do cloud. I'm doing information system, security officer type stuff. That's the jobs I was going for. And they keep asking me about cloud. I'm like, damn, like, can you ask me risk man, refr more questions? Like why what's cloud? Like, I mean, I have some exposure to it, you know, like Fedra and stuff like that.
But they were asking me like, like, how do you set it up and stuff? I'm like, what? what, what's the difference between a P a, a S and a and a S a, a S I'm like, oh my what? That kind of stuff. Basic really basic stuff, you know, cloud, but I didn't know it. So so yeah, check this one out. Somebody asked me, do you have a resume template?
I do. So if you go to my site I'm, I'm working on breaking down. if you I'm working on having like a complete breakdown of several different resumes and resume samples and stuff and ATS format, but it's gonna take me a while to do I gotta get off this call so I can go do it. But if you go to my site combo courses.com and you go to all courses, here's some of my stuff, books, new stuff that I put out free stuff.
What you're gonna do is you're gonna go to resume marketing. I have a course on resume marketing, the stuff that I'm writing in a book. I already have a course for it. And it works really, really good, but if you want the template, I'm making it free for now. Okay. So if you happen to be watching this, you are, you are in luck because I'm, I'm telling you free stuff.
That's out there right now that I'm probably gonna make. Not free. So if you go to this right here, just sign up is free. Okay. So number one, you can sign up right now and it's free to sign up. When you sign up for free, there's a ton of free stuff. You can download, you gotta go search for it. There's like, see this free preview stuff like that.
You gotta go through there and it'll have free stuff. This, this one has a downloadable for, for my resume has an actual down here it is right here. See this right here. I don't know if you, I don't know if you can see this. So all you have to do is, is if you sign up, you'll get that one for free. You'll get that one for free.
That's the template. Not always gonna be free. Some of the stuff I'm gonna I'm I'm gonna make it. I'm gonna make it paid, but for now it's free. So yes, the answer is yes, I do have a resume template. I'm gonna make a lot more. They're gonna be linked from the book a pipe. I don't know if I'll make 'em free or not.
I'm not sure. Probably, maybe initially, I, I don't know, but stay tuned for that, but in the meantime, there's an ATS style resume that's out there. And thanks a lot smooth virus for your testimonial. I appreciate that. Okay. That's it guys for this one. Thanks for watching a lot. I got 15 people watching me here.
I'm knowing how many people watching me on Facebook, but thanks for watching. Anyway, I'm gonna make this into a podcast. So stay tuned for that one. If you wanna listen to this again or whatever, it'll be out there. If you didn't know, I've got a podcast site it's on convo courses, dot pod bean been, I gotta get used to saying this combo courses.podbean.com.
Here it is right here. Here's everything. Here's all my podcasts. If you're interested in just listening, I got more coming out. I've been trying to crank these out every day. Not easy to do but here. Somebody said I'm sorry, can you show me where to navigate? Okay. Go to con courses.com. Convo courses.com.
courses.com. I'm go. I'm working on making this its own separate link, but for now I'm I gotta focus on writing this book. Okay. So go to all courses and then go to the course where I talk about marketing, cyber security marketing that breaks down what you do on a resume. And on here, I have a free resume.
If you sign, you can sign up for free. You can sign up for free. Okay. This says $145, but you can sign up for free, totally free. And then what you're gonna do is go, if you sign up for free tons of downloadable, see this one. See, this is free. You'll see this free stuff happen. I mean popping up if you go to resume here, that's where it is right there.
ATS resume sample. I've got a whole bunch of other stuff coming, but I'm just I'm right now, currently working on it. Like, obviously I'm, I'm in this live right now, so I can't do that while I'm in this live. So I really gotta let you guys go. Thanks a lot for watching. I appreciate everybody. Tony long time.
No, see I'm outta here guys. Thanks everybody for your questions. Thanks for.