Friday Aug 26, 2022
A, this is con course's podcast. And, um, this is unscripted straight off the top of my head. , uh, probably, um, an ill advised way to do this, but this is how I do it. And, um, let's get this started. I'm gonna answer some questions and I'm keeping it live. So if you actually are talking to me now, you'll, you'll be, you'll have appeared on this podcast.
That's gonna survive forever. So let's do this. I got a few questions. First of all, from believe these came from my, um, from my comical YouTube comic courses site, but I'll ask, I'll answer some ones that came from email and everywhere else. And if you happen to be live and ask questions, I'll, I'll do my very best to answer those questions, but let's start with, um, let's start with, what is it like?
To be in IT daily. I think I got this one. I got this one a few times actually, but I wanna say I got this particular one from, um, email, somebody emailed this question to me. What is it like to do it day to day? So, um, cyber security day to day. So it really depends on your job. Cyber security is a very big field.
It it's a huge field. Like you have all these different categories of CRI of, uh, cyber security. You've got people who are in cryptography, you know, mathematicians, people who are professional hackers, people who are, do pen testing, people who do assessments, cyber security assessments. You've got people to do information system security officer work, compliance governance, people who actually are just firewall
administrators. You got IP, uh, IPS administrators, IDS administrators, cyber security, and you get the idea there's many different categories. So when you say cyber security, what's your daily life. Like, it really depends on what job you're doing, but I can tell you about a few of them that I've done in my career.
Um, so I've done, um, I did, uh, network engineering for a while. I can tell you what that's like day to day. And I can tell you, I can tell you information system security officer work, man. I did that for a really long time. I can tell you what that's like, and I can tell you what a cyber security analyst does.
So let's start with the one I know the best, which is information system security officer. What is that like to do every day? What's the daily life of that for, for every single situation. It depends on the organization and, um, you have a large. Medium and small organizations and what I've, I've worked in all of those and the, the amount of work that they get.
The, it really depends on how much work they're getting at that time too, is what's gonna affect your, those are all factors that are gonna affect your daily routine and how much workflow you have. Um, the biggest things that affect your daily routine is gonna be if they have processes that are in place, the best organizations are the ones who have very clearly defined processes.
And they're able to figure out how much work goes to each person. Those are the best because they allow you to actually manage your time. In the day. The worst ones are the ones who don't know what they don't have a clearly defined process. um, policy or procedure, and it's just chaos. They're just kind of throwing things against the wall.
See what sticks, they're the worst. It's the worst because you they'll, they can have you doing work and then you, you deliver something and they're like, this is what we wanted, you know? And that's very frustrating, psychologically frustrating. Anyway, you wanna know what you do on a day to day basis for information security officer work.
So an information system security officer is gonna be a person who is coordinating with a lot of different, uh, stakeholders. Stakeholders are people who have an interest in the information system, security assets and the assets of the information systems. The important information that they, if you think of a bank.
So in a bank, they have servers, uh, and they have their, all of their clients' data. The data is, is very essential to their business and the system that that data sits on is an asset, because if that goes down, You don't have access to your data or the data's corrupt or whatever. Right. So an information system security officer is working with the people who have to, who are directly interacting with that data, interacting with the customers, interacting with the larger organization.
So they're talking to everyone from the C level execs, but mostly they're, they're talking to other technical people. They're talking to other, um, other policy people that's in the organization. So what are they talking about? They're talking about, okay. Windows, uh, had a bunch of patches on Tuesday. We have to wear those implemented.
Um, they're talking about things like that. Uh, they're talking about to, they'll be talking to like say the vulnerability management team. Like you have a whole nother team or a person who does nothing but handles the vulnerability management. So information system security officer, one of their tasks is gonna be to make sure that the security controls are still, uh, in place effectively in place on a regular basis.
Continuous monitoring is their main. It's really the main job you do. That means all the time looking at the security controls and making sure that they're adequately in place that includes making sure documentation is up to date. That includes making sure that if there was a recent scan, you're gonna be looking through that scan and, and, and analyzing, okay.
Are our controls still in place? You may do things like that. And then it, if something's off, like you have a bunch of critical findings, you have a bunch of things that says, okay, when Microsoft's out of date, um, Linux is out of date. Oracle's out of date, uh, Adobe Photoshop's out of date, and you have this huge list.
Now you have to see what is going on. So you'll be coordinating with manager, be like, Hey, we just got this scan in. Could you take a look at the it? And it's looking like, it's really bad. Could you take another look at it? You'll take a look at it, right? That might take. a few hours you're drinking in the morning.
You drinking your coffee in the morning where you're looking at this report and you, you now you have to figure out what's going on. So you can't arbitrarily just assume everything is, is bad. Like there may be some things, some of it might be a false positive. Some of it might have just been cleared. Is this an, is this old data, uh, is this stuff that we need to, that we can fix?
When can we fix it? You won't answer those things by yourself. So you have to coordinate with say the, the vulnerability management team. Maybe they, maybe they gave you an old scan. Maybe the scan is accurate, but a bunch of these systems are about to be decommissioned. They're about to leave. Like you have to figure that out.
So the only way to figure that out is to work with the team. So a lot of your work. Is working directly with the team to figure out what's going on with the, with the security controls. That's, that's the main job you do. And then you're documenting what's going on. Like, let's say you meet up with the vulnerability management team and they, you guys have a 30 minute meeting and they explain to you, um, yeah, those that is the most recent scan, but we, we just moved to this new scanner.
So here's the, here's the other scanner scan data. We just moved to another scanner. Uh, and here's the results. And then maybe you guys go through the results together, right on the call. 30 minutes later, you realize you don't have as many CRI uh, as many critical findings as you thought you did, but you do have a few and now you have to coordinate with another group, the system administrators, because you gotta figure out, okay, why is this, why haven't these, um, configurations been applied?
You meet with them. And you go through the same thing, like, okay, you're walking through. Here's what I found you. Show them what you found. Uh, vulnerability management team says that according to the new scan data, this is not configured correctly. Um, but they say that it is been patched, but it's not configured correctly.
Can you take a look at this and you guys look at it. So it's mostly with information system security officer, it's mostly meeting with stakeholders, documenting findings of, of what's going on and continuous monitoring. That's really your main job. A lot of your time is spent interpreting controls, making sure the controls are still remain effective in the environment.
So. , this is a little different from what you might see for a cyber security analyst. So what does it look like for a cyber security analyst from day to day? Cyber security analyst is somebody who's looking at logs. They're looking at, they might work in a security operations center. They're looking at, this is just one type of security analyst by the way, cyber security analyst.
But the one that I did was I was in a SOC and we just looked at, we looked at data coming in and out. So our whole day, and we did shift work because you have to constantly have eyes on the data coming out. And the data's constant. It's never, it doesn't stop. It doesn't have weekends off. It doesn't have holidays.
So the data's constant and going on all the time. As a matter of fact, when somebody really wants to hack you, they're gonna do it at 3:00 AM on Christmas Eve. You know, they're not playing around. So you, you have to have, you have to always be looking at the data. So your whole day is spent literally looking at.
Data on a screen and then taking some of it, taking the interesting traffic. That means the traffic. Like you already know, like there's, there's a certain amount of data that's gonna go in and out for, for people's work. And it looks, it might look suspicious, but you already know, like this stuff is, we already know what this stuff is, but there's gonna be just a little bit of traffic.
Like 1% of traffic that's called interesting traffic that you're gonna really look at and you're gonna analyze it. You're gonna take that data. Let's say it's like, it looks like somebody has tried to log in 5,000 times in three seconds, uh, into this one particular system. And that system might be an asset, right?
Maybe it's a, it's a, uh, system that you have in the DMZ that, uh, holds public records or something for. Uh, for, for your users, for clients, for the organization. So you might look at the, the logs on what's going on. Like what happened here? Was this an internal system you're gonna be looking at the source, the destination and what occurred, and then you're going to make a determination on whether you should escalate it to a security incident.
If it's a security incident, then you have to alarm someone else in your organization, an incident response team to figure for, for them to either check out that box, to see if it's actually hacked, see what this traffic is, and maybe even implement like a, something with the firewall team to stop. To stop that traffic.
So that's mainly what you do on a day to day basis for cyber security analyst work, where you're just basically looking at data, looking at logs and trying to find what, where the interesting traffic is to stop it, to see if it needs to be escalated or to ignore it, uh, is something that needs to be ignored because we already know what this traffic is.
It's something that our people need to do their work. That's, that's kind of your whole day and it's shift work. So you're gonna rework like either a day shift for 12 hours or a mid shift night shift, uh, a swing shift for 12 hours or a night shift for 12 hours. So, um, the last one, let me see, we talked about information to security officer.
What do they do? We talked about cyber security analysts. What do they do? The other one is technical. I where you're actually fixing things. So this one. Let me see, let me see. Uh, I was an architect doing, uh, a seam, some seam technology. At one point. My job was what I did was I was in, in, in charge of, uh, or one of the people on the team.
I don't remember what did I, I was in charge for a little bit, but I was a part of a team that made sure that this scene was up and running at all times. So if something broke, um, somebody would ring the alarm, call us whatever they have to do, and we have to come in there and fix it. So we had, we were responsible for upgrading it, setting it up and maintaining it.
And, and in some occasions we would create content, uh, for the actual analysts. So we, that means that we would make sure we would look for things like. we would create like a rule we'd like, it was like, it's not programming, but it was, it was very similar to programming. Like you would make a rule set that would, would trigger whenever, say somebody try attempted to log in a specific system, a certain amount of time, um, within a certain period of time or something like that was what you, you could do.
Or if somebody came into this port on the firewall and they went to this system and they, they did this service, you would write a program. So it's not really a program, but you would write content to where it would trigger and then send an email or a message or pop up on a screen to tell the security analyst, Hey, look at this.
This is interesting traffic. This, this might be of interest to you check this thing out. So that's what I would do my daily routine. Was, if there was nothing going on, like if there was nothing to fix or if there, you know, nothing is down, there was no, um, there's no content to create then, you know, sometimes I'd be organizing some of the old content that they had.
Like they'd have all of these old, um, manuals. I would update those. Um, or I would, I'd be researching like the new upgrade or. just studying a lot of times I was studying to be honest with you, cuz I, I was new to the system. So a lot it's probably 70% of my time was studying the system and trying to figure it out and then learning the back end of it.
Cuz at the time it was on Oracle, it was very complicated. So we were, I was trying to constantly study and figured things out. So that was 70% of my time was studying. Uh, and then the other percent of my time was fixing things, oh, this thing went down or Hey, we, we need content for this or creating content for people.
Uh, so that was, that was what my job was like. And I noticed like most of my purely technical jobs were like that where you were just pretty much sitting around until something went wrong until something happened. Like when I worked, when I was doing network engineering, most of my time was like studying, studying Cisco stuff.
And if something was, nothing was broken, we were just waiting. We were just sitting there waiting or we'd be on call or something like that. But um, it wasn't. it wasn't constant meetings. It was in a way less stressful because you only would get stressed when something was broke. And then it was like a, you know, it was like an alarm and things on people's hairs on fire, people panicking and freaking out and stuff like that.
So the technical jobs I would say are actually easier. I know that sounds crazy, but actual, purely technical jobs, you're sitting around waiting for something to happen. And if nothing's happening, you're chilling. , you're chilling, man. Um, you could chill in a, a cyber analyst job. The, the analysts who weren't very good or don't know what they're looking at.
They, they kind of just, they didn't really have a lot to do cuz they don't know. They don't really know. What's interesting traffic and what's not, they don't, they didn't really know like how to. Where to go or what to do. So they were to stand at a screen of a bunch of data they don't understand. And so that we would, what would happen is they would get these other tasks.
Hey, do this task clear out this queue here. We have all of this traffic look through all of this traffic right here and see, you know, see if you see anything, stuff like that. So that's what you do on a daily basis. I hope that that answers that question. Somebody asked me, what do you do if you're an information system security officer.
So I just expanded on all the other ones. Let me see, what other questions do I have here? Uh, what is it like working in IT? It really depends on the job. Um, it, it depends on the job that you're doing, having done purely technical operational, and, um, like a more of a management side of the house. It's, it's different for each one.
Um, over, over, I would say number one, there is. There's way more job security in IT. I will give you that. So let me, let me give you some pros and cons pros. Let's start with the pros. There's way more job security in IT. Even if, even if you're a contractor and you get laid off you, if, if you're in IT and you got like two, three years of experience, you can get another job.
It may not be the job you want. It may not pay as well as your other job. A lot of Americans, they complain about, they can't find a job. They really there's lots of jobs here. A lot of times they don't wanna do this or that job. And it's the same thing in IT. Like a lot of times you ha there's jobs there, but it doesn't pay this.
You don't feel like moving here or there there's always something going on, but. There, I would say it, the biggest pro for me has been a job security. I can always find a job. It may not be where I want to go. It may not be not what I want to do. It may not be a great company. It may not pay well, but it is always a job that I can do.
Um, another pro is, um, I noticed that IT is less and I, I know this is not gonna apply to everyone, but they don't tend to care where you're from or what you look like. As long as you can do the work. I, this is such a huge bonus because I've worked in other jobs before. You know, when I was much younger, I did other jobs.
I was a cop, um, for a, a, a whole like five years. And for being a cop, first of all, is the most stressful job I've ever done in my life. Number one, number two, you had there's.
they're not gonna discriminate necessarily against your size or weight or whatever, but you did have to be in some kind of physical shape and then you, uh, Hmm. How can I there is not Des I mean, I'm not gonna say it's discrimination, but there in IT, they, it just takes your mind. Like you don't have to be a physically fit.
You don't have to be so tall or you don't have to, you know, like it's, it's less based on physical and more focused on what you can bring, who you are, what can you can bring to the table skill wise. And I really appreciate that. That's a huge pro that I have not seen in any other jobs. I was, I was. In my life.
Um, another pro, let me see what are other good things, benefits of IT. It pays, it usually pays better than most jobs. I would say. That's another thing. It usually pays and has more benefits like medical and stock options and 401ks and all. I bonuses, all that kind of stuff you see regularly in IT. You don't always see that in security jobs, like physical security jobs, you don't always see that in, in some of the medical field jobs that I've my, my wife is in a CNA.
She doesn't see a lot of stuff that I see as far as like, IT has so many extra benefits and perks and more money on as, as a whole. It, it pays more, not all jobs, but on average it pays more than. whether you're in retail or you're, you're, uh, a cook, or if you're, if you know, restaurant hotel industry, they, they make way less money.
As a matter of fact, a, a old coworker of mine, um, who worked on that SIEM system with me, he was like a professional services, SIEM, uh, guy, and a SIEM is a security in, uh, information event manager that collects logs. And then people look at the logs or whatever, but he worked at this company. He told me that his dream was to become a cook.
And he did, he actually, he was an older guy. He was like, I don't know when I met him, he was like 45 50, something like that. He's my age now. But back then, you know, he was, I was in my thirties, he was, uh, 15 years older. He, something like that anyway. So he was telling me how he used to be a cook back back in the day, like in his thirties and twenties and stuff.
And he. He, it was his dream job. He's a great cook. Apparently he actually ran his own hotel and he was, he said, it just didn't pay that good. It just wasn't. And he own, he owned his own, uh, restaurant DESA hotel. He owned his own restaurant at some point he was a cook and he did, he went to school to be a cook, all that.
He spent $30,000 to become a cook, all this stuff. And he, he wasn't making a lot of money. And, uh, he said he moved into IT because it makes more money. He didn't necessarily wanna do it, but it just made so much more money. Like he was making like six figures when I was talking to him and had all these crazy bonuses from selling stuff, like from selling IT products and services.
So yeah, IT pay is way better. Some of the cons let me see. So pros, we talked about it doesn't they don't look at you physically. Um, they just wanna know what you can do. That's why they'll hire people from other countries with a huge accent. They'll hire people who are super, who, who are goth and have earrings in their freaking face, you know, have tattoos all over.
Uh, they'll hire people that, you know, black, white, Asian doesn't matter. Like they don't care. Can you do the job? That's what they care about. You know, that's a huge for me, huge bonus. I love that. I love being able to work with other people too, all from all over the world. For me, that's a, a huge bonus. Um, and it pays well, has great benefits.
So we talked about all that. Now let's talk about the negative stuff. The negative stuff with IT is I would say it kind of depends on what, what part of IT you're going to, it can be very stressful. Um, and. in what I do, which is more of, uh, it's more governance and risk management framework. It can get very, it can be very stressful at times.
And then if you are a, um, another one I've done, I currently do is risk assessments. It can get very stressful. There's a lot of money involved and companies, uh, you know, their whole, sometimes their entire livelihood depends on the assessments that they get. cause they, you know, there's a lot of stress involved and, and they're constantly under attack by, by all of these D.
by all of these different, um, you know, hackers and stuff. Like it's a, it's a war going on all the time. So it can be very stressful depending on what job you go to. I've been at some jobs where like the network engineering job wasn't stressed. It was, it was pretty chill. Like we didn't, we just didn't do anything until something happened.
Like we studied, of course, you know, or, or maybe they want us to document the, the, the network or something like that. But if there was nothing going on, so there's nothing broken, you were chilling. It depends on the job. So it can be stressful. Um, it can be volatile too. I know one of the pros I said was that it makes more money and it's more stable, but you can always find a job.
But that said, it's constantly moving. Like it's volatile. Like you constantly have to learn to keep up with the craft and you, you know, in that way, it's not like banking where you learn it one time and then you're good. Right. You, you learn how to flip houses one time and then it doesn't, it's not gonna just suddenly change.
It's gonna remain that way for years. In IT, like, you constantly have to learn so that for some people that's definitely a con um, if you, if you, you can lose your skills, you know, it's, it's almost like a musician, like a, a really good guitarist. Like if you don't play for a long time, you can, you can lose your, your skills, but also it's constantly moving.
So, and then, like another thing that's volatile as a company is, are constantly moving. Like you can get into a small company and they, they get this huge opportunity to have a contract with this gigantic organization. And then they make millions of dollars for a while. Then boom, it's gone and they hire someone else.
It's just volatile in that way. So those are the main pros and cons of IT. Uh, it can be stressful, it can be volatile, but on the other end, it makes more. It is pretty stable if you have the skill set and, uh, and it has good, pretty good benefits. So somebody said techno piece says, I have a question during an, an interview.
Uh, what is the question? I have a question during an interview, so says, uh, they ask me, how will I configure a new IT information system as an ISSO? I told them as an ISSO, I don't configure them, but I ask, uh, they ask me to just explain the process if I'm faced, uh, with the job. Here's what I would say.
And I don't know if this is right or wrong, but anytime I I'm asked questions like this, I always tell them, like, I will. I'll re rely on my team. Like, uh, what am I configuring? Number one, like, it depends on what I'm configuring. Let's say I'm configuring. This is what literally what I would say on this interview.
I, I would say, well, it depends on what I'm configuring. I have done it before. Right. Important piece. I have done it before, but normally what I do is I consult with the person who is in charge of that system. Let's say it's a, uh, um, let's say it's a firewall, right? So number one, what kind of firewall is it?
The person who's in charge is gonna know what kind of firewall that is. Um, if it's a, let's say, oh, okay. It's a Cisco ASA. It's a Cisco ASA firewall. All right. I would sit down with him and I would wanna see how they've configured the firewall. I'd sit down and, and, and work with them to figure out, um, how we can best implement security on this system.
So. What I'm so right here, what I'm telling them is that I am willing to do that work. I wouldn't. So if I tell them, well, I don't do that. I'm I'm an ISSO. I don't, I don't do that. I'm right there telling 'em what I'm not gonna do. You don't wanna do that. What you wanna do is tell them, you wanna tell you want to always emphasize how you can help them right now, if you don't want to do anything technical, then yeah.
You said the right thing. Cause you don't want the job basically. But if you want the job, you don't wanna tell 'em no, you don't wanna tell 'em no, you wanna, you wanna find a way to tell'em. Yes. Does that make, I hope that makes sense. So like I said, so number one, I'm telling them immediate. well, the first thing I'm gonna first.
So first of all, I do have experience con um, configuring systems. I do, um, now as your ISSO, I'm gonna work with the people who are in charge there. I'm assuming that you have a team that's already doing the firewalls and by the way, what is it? Is it, is it a firewall? Is it server depends kind of depends on what I'm doing.
They let's say they say server, what's the server 2012. Okay. So the server, uh, windows, Microsoft 2016, whatever server it is. So I'm gonna sit down with the team and I'm gonna learn what it is, what we're doing to the, to the standards of the organization. So yeah, I'm gonna work with the team, figure out what's going on and then do, and make sure that the system is configured within the security standards and policies within the organization.
I'm telling them yes, I'm gonna do it. I'm telling them I'm willing to work with a team I'm telling 'em. Yes, yes, yes. That. has gotten me hired almost every time, almost every time, because nine times outta 10, the place that you're going to is working with a team of people. They wanna know that you're willing to work with a team of people that you're willing to roll with the punches, because some, some especially smaller organizations, smaller organizations are awesome by the way.
They're awesome. Because especially if they're on the rise, you can, you can get stock options early in the company. You can get, um, you can be a part of the building, their, their actual organization to this next level. Um, they're usually way more flexible with you. So anyway, you're in a smaller organization and a lot of times they need you to wear multiple hats.
Like, it sounds like what they were really asking is are you willing to do. right. Not necessarily because it, especially if they didn't tell you the con, if they said, okay, it's a firewall, you're on a firewall, ASA, Cisco, and you need to configure it to, um, to block the, any anys on the firewall. Now they're asking you, okay, are you a firewall administrator?
That's kind of different. They're asking you to step through what you're gonna do. You know what I mean? That's, if you don't have the skill, you don't wanna lie to 'em and try to, to fake it. You want to be like, no, I'm not really a firewall administrator, but I'm willing to learn, you know? So once again, you're telling, you're telling them yes.
Like I don't, I have not done it before with an ASA, but I'm willing to learn. I, I have worked with a. Uh, Juniper, firewall, whatever. I don't know if Juniper even has a firewall. I have worked with a Palo Alto firewall, but I've never worked with an ASA one, so I'd be willing to learn it. You know, I'm not sure directly, immediately how to configure it, but I'm willing to, to work with your team and learn it.
So, so that, that would be how I would answer it. And it's worked every time. As a matter of fact, current job that I had asked me something to that effect. They asked me a question. I didn't know. They asked me, um, well, I think it was PCI compliance. I'd never done it before. I've never done. I'm not a PCI guy.
PCI is a, a risk management framework for credit cards. Uh, for credit card systems, systems that take your credit card information, they have to have a certain level of security, uh, to protect our privacy. Whenever you run your credit card through. And I didn't know it, I, and I flat out said, well, you know, I told here's what I said.
He said, so have you ever done PCI? Because we have a couple clients to have PCI and we need somebody who has that skill set. What do you bring to the table for that? If you were asked to work with PCI, what can you, you know, what can you bring? And I said, well, you know, sir, I, I've not done PCI DSS before I am familiar with it.
I've heard of it. I know it's in line with what I've done before risk management framework. But to be honest with you, I've never done PCI on. On, uh, on a system before, but I'd be willing to learn. It is something I'm actually very excited to learn about, you know, and I'm, and actually I have looked at it before and it looks very similar to what I've already done many, many times with risk management framework.
So I'd be very interested in, in learning that with the boom. All right. Somebody said, I just completed online course risk management framework and, and FISMA. And I watched a lot of your videos and I will like to know your best advice on getting my first job. What kind of job, uh, what kind of job you willing to recommend?
I apply? What kind of job will you recommend? I apply to, um, okay, so for this, I would ask you brown. What kind of background do you have? What's your, what's your background? First of all, is what I would ask you. Because what your background is, is gonna determine what I would recommend to you.
Um, I, I get this question often. I get this question often brown. So it really depends on what your background is
SCA at brown. Are you okay? Michael Fernandez? You're saying SCA, are you brown or , I'm wanting to know what Brown's background is. And I can answer this question to the best of my ability,
um, because what I could tell you is like what I've told some other people I can give you a couple examples. Um, I had a teacher. Who was like a superintendent and, uh, he or she, uh, I have, I've had a couple teachers ask me this and I don't blame 'em because teachers are not paid super. They're not paid.
Like they should be, I'll put to you that way. But a couple of teachers more than one have come and reached out to me and said, Hey, look, I'm trying to do what you're doing. How, how do I get into it? And I told them, listen, I said, in this, they, they don't have technical background. I said, look, you might not even want to do IT stuff you might wanna do.
You know? And I gave 'em some examples of stuff that are in parallel with IT, such as, uh, program management. Program managers make as much or more than your average IT person, but they're not having to do all this technical stuff. They don't have to take a security. Uh, they don't have to take an IT certification.
They they're, they have their own whole path that has its own certifications. And if you've done administrator work before, it's gonna be just, it's gonna make sense to you. It's gonna make if you're a program manager. So that's one thing, but Brown says I do not have a background in risk management. I'm a cable technician and I'm looking to branch into IT.
Okay. So first of all, you're in, you are in a certain, you are adjacent to IT. So what I would do personally, if I was where you're at, you're, you're actually in a good position here. And then let me explain to you why, um, explain to you why, so as a cable person, uh, when you get into networking, networking has some stuff about cable, cable, uh, LAN cables, how it can, how to, how to, um, oh my Lord, I'm having a huge brain.
I can't remember what it's called, but you have your four pair or your eight pair wires and you have to, uh, configure the wires to in a certain way to send data or dis send voice. And I, the names are escaping me. I just haven't done it in a really long time. But what I'm trying to tell you is what I would do if I was you.
If I was a CA if I laid cable, if I, if I was a cable technician, what I would do is start to, uh, get into networking, cuz networking is gonna make a lot of sense to you as an, as a cable G person. Um, let me show you, let me show you if I can, uh, show you my screen here and now, now keeping my I'm doing this.
Straight off my, off the dome here. So, um, if I was in doing cable, if I was running cable, cable technician, and maybe cable for like, uh, people's homes, like actual, um, what is it called? What's the cable called that you run? Is it it, do you mess around with Cat 5 at all? Or is it all, um, what is it called?
10BASE-T? Man, I'm really dating myself. What kind of cable is it? Is it actual? So regardless of what kind of cable it is, I'll put it to you like this. If you get into networking. Now, I'm on indeed.com. I use this a lot. A better site would be dice.com or linkedin.com, monster.com. All those are very good places to go.
But what I would do if I were you, is I would look into entry level networking. It's gonna make sense to you. It's some of the, what stuff that you do in cable in cable lane, cable, cable technician is going to align with networking. I guarantee it cuz you're gonna understand some of the stuff that they talk about with signals.
You're gonna understand some of the stuff they talk about as far as different types of cables, having different kinds of signals. If you ever worked with fiber, if you've ever worked with, um, 10BASE-T, I don't, I don't remember, coax cable, or if you've ever worked with, um, uh, Ethernet, um, Cat 5 or Cat 6.
So those are all things that you probably have touched before or have heard of. So it's in line with what you're already doing. So number one, if you go to indeed.com and you look for entry level networking jobs, entry level networking. You can follow along with me if you want. I'm on indeed.com and I just typed in entry level networking.
So here you have tech, you have a help desk technician. Now, you know, don't, don't laugh at these positions. You want somewhere to start, right? It's very important. You get your foot in the door with the technical entry level position, cuz nobody, you know, and think about your bank. Like you want your banker to be fresh off the street and not know anything about banking.
No, you want 'em to have some level of experience and the more, and so I'm kind of going through these entry level networking so that in net networking itself is not a good, is not good key word. Um, so you said CCNA, so you said, I totally understand your answer. I've looked into networking courses and I'm very familiar with the CCNA exam.
There you go. Now, this guy knows what he is taught. That's this direction you go CCNA. So let's type that in entry levels. In fact, you can actually start with a CCENT, which is, um, entry level, uh, certification for Cisco that I think you have to start with a CCENT these days. I don't know I've been so I'm so out of that, outta touch with networking these days, but look, IT support engineer one.
It doesn't start off with a lot of money, but you're not looking at the dollars per hour just yet. Right now you're focused on the skill set, the skills and the experience that you get equal money. Okay. That's the, that's the key. IT field technician is another one that you will fully understand and, and completely.
because a lot of this is actually implementing people's local networks. Uh, IT help desk, IT, you wanna start off from the beginning. And you go on to say, uh, I want to work remotely because I recent a recently family dynamic. And so I took the course in, um, I took a course in risk management framework and FISMA.
So to start off with that's good. I'm not saying don't, don't study risk management framework. Very, very important. And I'll tell you why. Okay. You're gonna wanna make your money initially and get your foot in the door with networking. Here's what I would do. Here's my strategy. Cuz what I would do from you, from where you're talking about, you're going to wanna get your foot in the door with networking.
Why? Because you're gonna, first of all, you're gonna understand it almost immediately because it's gonna be talking about signals. It's gonna be talking about different. Media that you use to transfer data. You're gonna get that. So you're gonna, it's gonna click to you number one and not, not a lot of people understand networking and it's super important piece of being an IT person that a lot of people don't get.
You're gonna understand it. Okay. Now it does go into, uh, TCP/IP and all that kind of stuff, but that's your bread and butter. You gotta learn it. And, um, you gotta learn it. IPv4, IPv6. You have to learn it all. It, it has a little math in it. It is not impossible. It's not fricking rocket science. Um, so if I put to you like this, if I can do it, you can do it.
All right. So anyway, so I was from cable, uh, technician. I would go into networking as an entry level person. All right. You're not gonna just jump into risk management framework and FISMA. All right. It's just, it's really, it's. Any kind of security stuff. It takes three to four years of IT to get into cyber security.
All right. Cyber security is not an entry level. It's not entry level stuff, but I can tell you how you can start to get on the on ramp for, uh, risk management framework, FISMA and, and cyber security, where, where there's money by the way. But networking has money too. So start with networking. Get your CCENT, get your CCNA.
CCNA is money, it's cash money. See, let me show you something else here. Let me take you back to the screen here. Here's here's why I would take the strategy of starting off with networking. Let me show you something I'm just gonna type in CCNA here. CCNA is a damn good certification. I know because I had it before and my first IT job outside of the military is because I had a CCNA.
CCNA is no joke. Uh, if you get a CC, especially now, it's much harder to get. Now, when I get, when I did it, it was like one test. Now they've broken up into two or three tests. Um, it's, it's much harder now, but look at these jobs, like, look at this, look at this. I don't know if you can see this, but that says net, uh, network operations technician.
Now, all I did was type in CCNA and this is a $60,000 job. Okay. Now there's some for $22 an hour, but these are entry level positions you wanna get into those entry level positions do 'em for about six months to a year, put it on your resume. And then the next step is gonna be something like a network administrator, a junior network administrator.
Okay. You're and with networking, you really gotta know your stuff, by the way, you can't just, you can't fake it with networking. They'll test you right on the spot. It's kind of like software engineering. Like if you don't know, if you cannot fake. Network engineering or software engineering, they will, they're gonna, they're gonna see immediately if you know what you're talking about or not.
That's why it's imperative that you start off get your CC, the CCNA, CCENT is so that you can study and know the common body of knowledge that you need to know in order to, uh, navigate these fields that you're about to get into. All right. And start to, uh, start to create your own virtual environments, cuz you can literally start to study it and have your own network virtually on your PC and start to know how to network, uh, routers and switches and uh, and stuff like that.
IP routing, all that kind of stuff. You can literally start to do it on your own system with something called, um, GNS3. GNS3 is one of the ones that you can use. And they've got tons of other applications that you put on your computer, and it has like a little network diagram, and you can configure this.
You can log into this little, uh, virtual router and then configure the interfaces on the router and all that kind of stuff. So, yeah, like I'm excited for you, man, if you're actually doing this, um, I'm really excited for you to, to start your career, cuz I think you're gonna click on it and it's it's gonna work.
And you say in, in risk management framework, I'm familiar with documenting, uh, FIPS 199, FIPS 200, um, system security plans. I believe I am competent for the task. I want to move out of, out of the networking field. So you're saying that you are already in net, in the networking field. Is that what you're.
because you said that you are a cable technician. If you're cable, I'm assuming that you, you are somebody who installs cable for people, whether that's so you, you, so if you're okay, let me give you a couple of, of things here. Let's say you are a network engineer and you've been in the field, um, for, let's say a year, like you've been a network engineer.
You worked for an organization who has routers and switches. You understand routers and switches. You, you can set up a network and you have about a year of experience and you let's say you have a C uh, you, you didn't say yeah. Any certification. So I'm assuming you don't first, uh, first step, if you are a network engineer and you have a year of experience is go ahead and go for a Security+, go for a Security+. Security+ is a very good certification and it, it will get your foot in the door of a many different jobs.
All right now I know people. There's gonna be some people who watch this video, especially IT guys gonna be like, why is this guy always talking about certifications? I'm trying to make people money. Listen, the industry, you may not like it. But the industry does look at certifications and they, they look very highly on certain certifications.
Security+ is one of those certifications. So get the certification. I mean, if you wanna make, do you like money? If you like money, get the certification, you don't have to like the process, you know, don't, it doesn't make sense to hate the, to hate the, the game. Like, I mean, you can hate the game, but play it.
You gotta still play it. You know what I mean? So get the certification. Okay. So Brown. Like you rightfully said, my job is borderline networking. Exactly. That's why you start off, Brown, with networking because you already understand it. Get your CCNA, get your CCENT. I'm talking about if all you do is if you're a cable technician, your next level is network either, either help desk or network engineer.
And I'm saying network engineer, because if you understand networking, you are already a three steps ahead of most people who are entry level in this, in IT. I mean, if you're an IT guy, tell me I'm wrong. Most people don't understand network. And they get through this whole field without knowing, understanding it without doing any of it.
You already have a little taste of it. And all you gotta do now is take that next step, which is get that CCENT, CCNA, whichever one, I think CC, you gotta get CCENT first then, uh, get your foot in the door with a networking job, like a junior level networking job. After you get about six months to a year in, you could probably go straight for a Security+ and apply for a risk management framework job.
You, you can apply. I mean you can, you not probably you can apply for it. I can't guarantee that you would get it. Um, they're looking for a little bit more experience, like two, three years of experience being doing IT stuff. Um, but you could, if you, with your cable background, you could probably have a little bit more leverage in there.
Another question is, do you have a degree? That's another one. Michael, uh, Fernandez says they will ask you for a Security+ and a CEH. Um, uh, don't hate the game. Yeah. I mean, that's another one, CEH, it's funny because CEH, people hate that, especially hackers, man. They, they talk so much crap about CEH.
And I'm like, listen, the HR departments who are hiring people and paying people who are, hold the purse strings, those are the guys asking for the CEH, do they know what they're talking about? Of course not. They're not IT people, you know, the real certification to get is the OSCP or the, you know, Kali Linux, those kinds of certifications.
Um, SANS course pen testing certifications are legit. CEH is, is, you know, listen, CEH is a list of different, um, is the processes that, uh, you use for, uh, pen testing and hacking stuff like that. And it's just a list of tools and that's the test. I mean, that's from what I've heard. Oh, okay. But guess what? It pays a lot of money.
Like if you like money, then do it. If you like, if you like money, if you don't like money, okay. You know, go hack some systems or something. Uh, Brown says, uh, and I know people are gonna hate me because I said, just said that, but I'm just saying like, I mean, do you, do you wanna make money in this field or not?
Uh, Brown says what if I was a teacher or a nurse? Um, like I said, you, Brown, if you are a cable technician, you already have a leg up on a teacher or a nurse. I do get teachers and nurses contacting me, asking me to if they to do risk management framework. And what I tell 'em is I'm honest with them, like doing cyber security takes two to three years of solid IT.
Now, if you've been doing cable work for a while, guess what? Some of the stuff you've done qualifies as IT work. So you're, you're almost there. Your next step is to do pure networking stuff or help desk either one would do, but networking would be way, bit more beneficial to you in the long run to, to I'm just telling you.
Um, so I would, if you were a teacher or a nurse, what I'd normally tell them is I tell them that either go into, um, uh, some kind of entry level help desk job, which is gonna be hard for them cuz they they're starting from nothing. So I'll tell them, Hey, use your current job at, as a nurse, let's say you're a nurse.
I say, use your current job to at your hospital. Let's say you work at, um, I don't know, Centura or some local hospital. Right. And you're a nurse there. What I would do if I was a nurse at a hospital, I want to go into IT, I would start talking to, uh, the IT guys there. I, I talk to them, see if you even want to get into that career field then if they're, if it's, if it's legit and you're like, wow, you know, this is something I really want to do.
Talk to the, uh, talk to your HR department. See if they have any programs for nurses to go into IT. You'd be surprised. Talk to the organization you work for. Even if it's, if you're going to a college, talk to the organization that you currently work for, and say, Hey, I'm, I'm really wanting to get into IT.
Um, do you guys have any programs to start IT work. Ask him, just ask him, ask the local help desk guy. Usually some geek will really wanna talk to other people about their job, um, about either how horrible it is or how great it is, you know, and they're cuz they're, you know, um, you, you can really, they wanna talk about their craft, especially if they love the work that they do, they're gonna want to talk about it.
So, so that's what I would say. Um, that's what I normally say to people who are coming in off the street, meaning like they have zero background, not like you that already has. You're already doing cable stuff. You're already doing something kind of technical. You actually have a leg up on most people even I would even argue some IT people you actually have more experience.
You probably you're you'll be surprised. Um, once you get into this field, Um, you'll be surprised. Okay. Let me read a couple more comments here. It says I am a Cy, M J says I am in, I am new to the cyber security field. I received my master's degree in cyber security. Congratulations, but I cannot get my foot in the door.
I received my degree in 2018. Any suggestions of what to do? Um, when you say new to the cybersecurity field, do do you mean that you, do you have a job currently? Oh, I am currently doing help desk work. Okay, good. This is good. Okay. Here's why I say, how many years of, how many years have you been on the help desk?
How many years? And then do you have a certification? Cause now what you wanna start doing is mapping out your path, but it depends on how many years you have, or do you, how many months, how many, how long have you been on the help desk? And do you have any IT certifications? My next question would be what, where do you live?
Because some places, the reason why I'm asking these questions is because you wanna level up certifications is the way to do it. Like I said, a lot of IT guys, don't like to hear this. Like they don't like paper tigers, about 10, 10 years. You have 10 years on the help desk. You have 10 years on the help desk.
Is that what you're saying? Okay. How many certifications do you have? Do you have any,
You have an A+, a Network+ and a cybersecurity plus. Okay. Something's wrong. All right. Where do you live? In Maryland. Okay. Something seriously wrong. It's your resume. Because resume is the Mecca of cyber security. Yeah. There's no, there's no other place. There's no other place on earth that has more jobs for cyber security than Maryland.
You're you're in the, the Mecca, excuse my reference. Religious references here. You're in, you're in the main place where people hire everyone. There's something's wrong. Like it's either your resume or something's going on. Like I, yeah, you should, you should have people in line to give you a job. Yeah.
Maryland has the most jobs. Like it has more jobs than I'm in Colorado. It has more jobs in co Colorado is like five bases and Maryland that area. It's not just Maryland itself. It's Maryland, Washington DC. And uh, that whole area in Virginia, that whole area has more. And why, why is that? Let me explain it.
They have. More federal organizations there, I think, than anywhere else in the United States. If I had to guess they have all the three letter organizations, they have Department of Defense, they have several other federal departments there. And then you have like three states with all, with all kinds of state departments.
Like you have so many jobs there. So whenever somebody says, I can't find a job and I'm an IT guy in Maryland or Virginia or whatever, I'm like, there's something wrong with your resume, man. It's it's gotta be, it's gotta be, I mean, it's people offer me jobs. I'm thousands of miles away and they offer me jobs in Maryland.
Constantly. I have to turn my phone off so, so that they could stop calling me. I don't. Yeah, something's wrong with your resume. All the jobs. I, um, all the jobs I'm out for, they denied me because of the lack of working experience. You have 10 years of experience, it's your resume. So I mean, what I would, what you could do, um, you said you already have a Security+, a CompTIA Security+.
I mean, I, I don't know, like, are you a US citizen? I mean, I something's wrong. Michael Fernandez says he lives in Maryland too close to DC. What? The F yeah, exactly. WTF. That makes no sense, man. That makes no sense. I'm in MD and still waiting behind, uh, to be hired, maybe resume. Yeah. It's, I'm telling you, I'm telling you I get so many offers from that place.
I mean, I it's constant most of the jobs I'm. Okay. You say, uh, 10 years on the help desk? Not in cyber security field. Okay. So here's the thing, my man, and all you guys like, listen, if you're on help desk, you have done cyber security work before you just have to, you have to put it on your resume. What you do is you put it on your resume.
Have you ever updated a, a, um, an operating system before if you've ever updated signatures on, uh anti-virus. If you've updated the anti-virus software, if you've installed anti-virus software, have you ever created an account for a user? Have you ever, uh, all of those things are cyber security, uh, things that you've done.
Have you ever written a document for your organization that have you ever written instructions for your organization? Have you ever participated in helping them out with the policy? Have you ever done continuous monitoring? What is continuous monitoring is scans, have you ever, have you ever helped part of your organization run scans before?
Have you ever had to connect the system to the network and had to put security on that, on that system? All that stuff should gotta be in your resume. It's gotta be upfront cause you've done security before. You're not just some help desk guy. You've done secure, especially if you've done this for 10 years.
If you've done this for 10 years, you've definitely have 10 years of security experience. Active Directory. I mean, come on, you gotta work with policies. You gotta work with, uh, domain. It's all securities. It's so many security stuff wrapped into, uh, endpoint devices, like where you have to lock down the system, lock down users, all that security stuff.
You just have to put it on your resume. It has to be on your resume so that you can say legitimately say I've done cyber security since 2000, the year, 2000 or whatever you said 10 years. So the year 2010. So yeah, you can legitimately put on there. You are a cybersecurity person. If you have done any of the things that I just said for a number of years, you just gotta put it on your resume.
So if, if you, if you are presenting your resume in such a way that it looks like there's certain things you put on your resume, that makes you look like, um, that you've been doing, you are on the help desk for a couple years. Right. But if you've done all this stuff, you need to put it on your resume in may and you need to highlight the cybersecurity stuff you've done.
And you need to put a ton of, of keywords on your resume so that people will see it. And when they do, as a matter of fact, let me, let me just show you a couple things real quick. Before I get off this thing, I gotta go cook some dinner, but, um, I just wanna show you something real quick. I wanna show you something, couple things.
I mean, I wanna enlighten who, because I'm seeing a couple people. Listen, I I've been in I'm. I live in Virginia and I don't have a job. And I'm an IT person. And I'm telling you that that is nonsense. I mean, I'm not saying you're a liar, but I'm saying that's ridiculous. That is ridiculous. It's Virginia, DC, Maryland are the hotspot for this whole thing right now.
It's gonna change it. It's not, it's not gonna last forever. Just like Silicon Valley didn't last forever. You know, it's not gonna last forever guys right now, though. It's a gravy train. It's a gravy train. There's people starting businesses out there. There's people, uh, hiring tons of people out there. I'm not, I'm not even messing around with you half the jobs that I've gotten came from Maryland.
If, and I work from I'm in Colorado, I probably took four or five of you. Guys' jobs. I'm not, I'm not lying. I'm not exaggerating. You gotta, you gotta fix your resume. Because that's the only thing I can see. That's gotta be wrong if especially if you're doing the help desk for 10 years and wanting to get out, like, they're not saying there's anything wrong with that, but if you wanna, if you're trying to level up, you're trying to move on then.
Uh, yeah, I mean, and you're in Washington, DC, Maryland, Virginia, something's wrong. And it's gotta be your resume. Okay. So what I'm doing right here on the back end here, just give me a second here. What I'm doing is I am, uh, I'm logging into a couple of, uh, things here so I can show you guys what, how I was.
I've been able to do this for years. There's a method to my madness. I have not. The only time I'm unemployed is when I'm between jobs, put it to you that way. I, I don't go without jobs. Even during COVID-19, I'm still getting job offers. It's crazy. It's crazy. And it's doing the cybersecurity stuff
and there's a reason for it. And I'm gonna show you that reason here in a second. Soon as I can log into my freaking account, give a second here. I'm I'm really trying, I haven't logged into this thing in a long time. Oh, what is going on? I'm trying to get into LinkedIn and I can't something's wrong. I'm about to lock myself out.
Give me your second here guys. Show you a couple things number. The first thing I'm gonna do is pay some bills. So let me, I'm gonna switch over here. Let me show you something. Okay. What you're looking at here is combo courses. Okay. Now combo courses is a condensed version, a condensed, organized version of my YouTube channel, where I take everything I've learned and I put it into a course.
Some of these courses are free. Um, some of these courses that I put out there are, are free on here. Organized I'd spent hours working on this stuff, but let me show you one. It, it doesn't get a lot of sales, but it's, it's the one as in life has been the most beneficial to me. This is resume marketing and cyber security, uh, for cyber security.
And it, this right here is why I'm always employed. This right. This course right here. What I did was I take, took the method that I have been using for years and years, since I got outta the military in 2000, I got military 2003, and I've not been out without a job. I always have a job. I'm always offered jobs.
And, and I was like, why, why am I, so why am I so lucky? It's not luck. There's a process to it. It's not luck guys. Success favors the prepared. And that's what I'm showing you how to do on this, on this, on this. Now, if you, if you don't have the money to do it, you know, I'm not listen. If you don't have the money to do it, don't buy it.
Okay. But if you do, you buy this course, I'll walk with you every step of the way. All right? Like literally you can, you can contact me and I'll, I'll look through your resume, all that stuff. But this right here, this process is how I've done it. And I, I could tell you right now, look, I'll give you a bird's eye view of this thing.
Some of this is free by the way. Some of this parts of this very course is free. Go to combo courses.com link in the description below. Some of it's free. If you sign up, it's some of it's free. So number one, what you want to do is you wanna do, you, you have to do your research. You have to do your research.
Okay. What does that mean? I'm gonna show you in a second. You gotta do your research. Once you do your research, you got to focus on keyword. You gotta put those keyword in your resume. Once you put them in your resume, once you fine tuned and dialed in your resume, you want to advertise market yourself.
That's the name of the game. Link. The description below. If you wanna get to this site, this is the bread and butter success favors the prepared. Now let me show you what I do to re to research this right here is LinkedIn. This is my LinkedIn page. Um, this is the one I use to get jobs. All right. That's what you're looking at right here.
Let me show you something. This is my resume right here. I haven't updated this in a while. Don't need it. I got a great job. I'm getting paid at this job. I'm not bragging. I'm just telling you, this is, this could be you. All I've done is leveled up for the last 10 years. And that's where I'm at, where I'm at.
It wasn't easy and it took time. But the reason why it has worked is because I have a method to my madness. It's not random. It's not look, it's a process. Now, first thing I told you was I did my research. How do you research? You gotta know what words people are using on their resume. So let me show you something.
So if we type in. Let's say you want to be in risk management framework. Okay. Risk management, risk management. So what you do is you'll type in risk management framework, risk management frame. See how it's already auto correcting. Lot of research is just this right here. It's auto correcting. This is telling you right here, piping in to get to this particular, these jobs they're typing in risk management, risk management specialists, risk management analysts.
There you go right there. There's some of it let's find another keyword here. Let's RMF. I mean, as soon as you, if you're following along with me, you're already conducting some research on your own. Now look at this. I typed in risk management framework. Now here's this is important. First guy who pops up is a dude who has a C S S P C H.
And it L L and some other certifications. Right? Why is this important? Because this is telling you how this algorithm on LinkedIn is behaving. And this guy is number one. So let's go see what this guy is saying. You do your research by looking at this person's resume. I'm not telling you to lie. Um, but I am telling you to steal.
So what you're gonna do is you're gonna go to this person's resume, and you're gonna look at the wording that they use. What wording did this person use? You're gonna steal the wording that they use. Don't lie. You're not lying. Okay. What you're doing is you're wording the stuff that you have done with the language that is being used on this particular platform.
Now, each platform's a little bit different. You go to dice.com. It's gonna be slightly different from LinkedIn. You go to monster.com. It's gonna be, it's gonna be different from this one. One of the things I also do on the course is I go through. Many other ones that I use that have worked for me, uh, that I, I have not gone without.
That's what I do. But right now, without you paying anything, I'm telling you right now, this is how you do it. Research number one, step, do your research. There's some other stuff that I go into on the course, but if we wanna get to the guts of this thing, do your research, what is research? You're looking for the language of whatever, whatever field you're getting into cyber security is huge.
Like what if you say I wanna be in cybersecurity? What does that even mean? Think about it. Cyber security is like 20 different fields. All right. It's risk management framework. It's network security. It's cryptography, it's forensics. There's so many different fields. You gotta be specific. Now that said.
Once you choose, let's say you chose forensics, right? You chose forensics. You gotta realize that once you do your research, you'll realize, okay, well it's forensics. The, the average person in forensics is, has a bachelor's degree, has a master's degree. The average person in forensics has a master's degree.
I don't know if that's the case. I'm just get I'm speculating. Okay. I don't, I've not been in forensics, but your research is going to allow you to know what the field is like and what you need for that field. Some fields require no less than a master's degree. Some fields don't require a degree at all.
Alright. They require certification. Some fields are like super heavy on certifications. Listen, you can hate the game all you want, but I'm just telling you how it works. So number one, do your research. What is the field you're trying to go into? What do they need? All right. Um, what kind of key words do they use?
You could, that's easy to find out. You just go to LinkedIn and you see what people are using in their resumes. You, you, you look at employers and look what they're looking for. What are they typing in when they say they want a risk management framework person? How many years on average are they looking for?
You'll find this around two to three years, by the way. Now, if they want two to three years of experience, you don't have that in risk management. Um, you might wanna look into your own organization and see if you can get in. You might even hardly have risk management framework experience. And that's one of the things I tell you how to put on.
How do you put that on your resume? If you, how do you even know if you've done it? I I'll give you one example, like, uh, MJA right here says he's been doing help desk for 10 years. And I ask him like, okay, Have you ever assisted with a policy before? What kind of policy was it? Was it Sarbanes-Oxley? Was it a DSS PCI?
Was it a risk management framework policy? If it's a, if you've helped to create a risk management framework, I know this, I know that I know that sometimes our field like me as a risk management framework person as an ISSO, I have reached out to firewall guys and said, Hey, could you ex I'm not, I'm not firewall person.
Could you put, I'm trying to write this policy or procedure about firewalls. Could you add some stuff in here? And then they will give me what they have. They give it to me. And then I use, I put it in a different language or whatever, you know, I translate it to where managers can read it to easy speak and then it's boom, it's a policy or it's a procedure or whatever.
So, if I have helped this, if this firewall guy has helped me by giving me the data, guess what he has participated in risk management framework, you can put that on your resume and you're not lying. So that's why I ask him, have you ever written a procedure? Have you ever written a policy? That's? Half of our job is, uh, writing policies, reading through policies, correcting updating policies.
A lot of our job in risk management framework is doing that very thing. So if you've ever written a policy, if you've written a wiki, if you've written any of these things, especially if you've done it so that you can, your organization can be compliant with FISMA, can be compliant with state and local regulations.
You have participated in security compliance. You have to put it on your resume, though. If you don't put on your resume, no one's gonna know that you ever did those things. I'm blown away. When people tell me that they have been. In Washington, DC, Virginia, and, and Maryland, and are not leveling up. It blows my freaking mind.
Cuz that means your resume's jacked up. It's gotta be, I mean, I don't know what else could be. I really don't cuz it's not racism. it's I could tell you that much, uh, because they're hiring me and another state, you know, how many comp, how many companies that I've worked for that were from Maryland? Quite a few.
And I'm I live in Colorado. So just telling you the jobs are there. Um, okay. Somebody else said, um, do you think not having a bachelor's degree will really hurt my chances? Um, I would say this I'm just gonna be very frank about this. Um, it will hurt your chances of, of making more money. Cuz a lot of companies, especially contracting companies are looking for a bachelor's degree.
Now there's things that you can. instead of a bachelor's degree that will help you to continue to level up. And one of those is, um, a certifications. Here we go again, right. Certifications, but certain certifications make as much or more than bachelor's degrees. I'm just, just being honest with you. Uh, a lot of contracts, the reason why a lot of contractors are looking for the bachelor's degree is because, um, because it's federally, it's federally mandated by, um, they even it's.
So the federal policy and directive is called 8140. 8140 is very interesting. It's one of the things I talk about in my, um, course, by the way. 8140, let me, let me see if I could show you real quick. I really gotta get off this thing after this though. 8140. Let me show you why so many people ask for this.
Oh, by the way. So while I'm typing here, one of the things that you can do, um, one of the things that you can do instead of a bachelor's degree is CISSP or a CASP, uh, certification. And I'm gonna show you why in a second here, if I can find a good place for the, okay. You know what, let me just show you my screen real quick should be safe.
Okay. So what I did was I just went into Google and typed 8140 certification. Uh, 8140, like I said, is a DoD directive. It's actually used across federal, many federal organizations use this. And because of this, because, uh, so many federal organizations and state organizations are jumping on the bandwagon for this 8140, a lot of cor, a lot of organizations, such as comptia.org, GIAC, and many, many, SANS.
All these different organizations are jumping on the bandwagon and CRE marketing to the 8140 cuz they realize how important it is. Another thing you can do by the way is put it on your resume that you're working towards a bachelor's degree. Some will actually help you to get that degree. Especially if you have skills, if you have skills, skills is the most important thing.
It's more important than a certification. It's more important than a degree. The most important thing you can bring to the table is your skills and your experience. I mean by far, bar none, experience trumps everything. No pun intended. Experience over everything. Okay. So, um, if you have a skill set, let's say they hire you because you're a Splunk master, right.
You know, Splunk inside and out, you know, it's so good. And you've been doing for five years all, and, but you don't have a degree and they're like, look, we require a degree. However, we can see you have five years of Splunk experience. And you're really good. So listen, we'll hire you, but you have to get this degree within two, three years or whatever, right.
Within a year or whatever. Can you get a, can you do that? Sometimes. How do I know that? Cuz they did that. Not for a degree. They did this for CISSP. I went into a job when I first got outta the military. One of my first jobs, my second job, actually outta the military, they said the requirement was I had to have a CISSP and I, at the time I did not have one.
This was 2004. And um, they, and I had a Security+ though. No, no, I didn't. I didn't have a Security+. So then they go, they go, listen. Um, this job require, we see that you have skills though. We see you've been doing this in the military for X amount of years. You've been doing, at the time it's called DITSCAP, DIACAP.
Same thing as risk management framework. They say, you, we, we see you've been doing this. We need your skill set. Can you get a CISSP in a year? And I said, yeah, right. Always say, yes. Remember, always say yes. I said, yes, I can do it. Right. And I was confident at the time I was confident I could do it. So I get in, they hired me.
I get like a 20% raise. Right. Cause I'd been doing like straight up Linux. I, I was like a Unix administrator. Yeah, and doing like Satcom stuff that I always wanted to do, I was doing, I was networking, crazy freaking networking stuff, but I, number one, I wasn't super skilled at it. and number two, uh, I was an entry level guy, so I, they weren't paying me very much, but, um, I was able to learn it and all that kind of stuff, but I wasn't like freaking the Michael Jordan of fucking, I mean, excuse my language of Unix.
But anyway, uh, so anyway, I got this other job and uh, they said, listen, if you can, if you can, if you can get this CISSP in a year, we're gonna hire you. I said, yes, I can do it. They hired me. And not only, so they paid for my CISSP by the way, they paid for me to go to a couple boot camps. And, uh, they, uh, paid for me to study all that kind of stuff.
Anything I didn't think I did. I didn't do a boot camp for a CISSP. I did a boot camp for C or something, some kind of black hat thing that they had me do, but, um, I ended up getting the Security+. And, uh, they, they, uh, said, okay, look, you're supposed to get the CISSP in a year. And I was so nervous to take it cuz I knew how hard it was.
I said, look, I'll take the Security+ right now. But after my year I took the Security+ and they said, okay, you got the, I got the Security+. And they said, okay, look now you got to get that, that CISSP. I said, okay, I'll do it. So then the next year I studied for like two years straight to get the CISSP and I got it.
Um, but, but yeah, so bachelor's degree. That is a really good question. Do you, does it hurt you? I would say it hurt your money. I mean, I'm just being honest. Uh, and the, and the higher degree you have, I'd say up to a master's I'd say probably a PhD is not master's degree is good. Um, PhD is like a lot, a lot for a, for a little, um, unless you're trying to run a company or.
I mean, I'm not saying you shouldn't get a doctorate, but, um, it's not necessary to make six figures. I should, I'll put it that way. Okay. Let me see. Um, so what was I showing you? Okay. Yeah. I was showing you this 8140 and, and showing you why it's important to get the cert, the, uh, a certification or, or a degree. This, uh, 8140 not only goes into different certifications that you should get, but it goes into the timeframe of how long you experience you should have.
And it goes into degrees and this is not, this is not it. Okay. Let me see if I could find the actual 8140 policy.
Um, there's so many people advertising for it these days that, uh, it's hard to find the actual 8140. Here's, um, here's the 8140 right here. Um, I don't know if this is the full blown poly. Let me see degree. Let me see if I could find the actual, Nope, that's not it. Nope. Certification certificate. It goes into certification.
It doesn't this part. I don't think mentions the certifications by name, but they have another portion of this that does goes into how many years of experience you should have it. It details essentially. This is, this is not the, this is not the document. This is the directive, but there's another one that goes into greater detail about it.
And I'll keep looking for it. As we talk here. So there's a directive and a policy that goes into how many years of experience they want an organization to have for their workers or cyber security workforce. How many, if you have a degree, how many years, what kind of degree you should have at certain levels and all that kind of stuff is what it breaks down.
And that's what I was looking for because that right there is the reason why so many organizations are looking for looking for degrees and stuff. Yeah. And somebody said, um, the higher you education, you get, uh, go, go get the, that higher education if you can. Yeah, absolutely. I agree with that. Yeah. So I'm not, I'm not trying to bash, um, master's degrees or, or, or, uh, or doctorates or anything like that.
Yeah. You should definitely get the higher one. You get at the most prestigious co college, whatever, you don't have to get it at a prestigious college. You don't, it doesn't have to be a master's or a doctorate. I'm just saying. Uh, if you want six figures bachelor's degree, uh, you gotta have to get a bachelor's degree.
I mean, nine times outta 10, most of the time, I mean, I have met people who are making six figures with, with none of that is very rare and they were, they were geniuses , uh, but it, it does happen. So, um, let me see. I'm trying to find, okay, well, this is the best I can find right here. So let me just show you this.
I wanna leave you empty handed here. So this is a breakdown of the 8140, uh, workforce, DoD approved 8140, uh, formerly named, uh, 8570 baseline certifications. And so what they're saying is at this level at IAT level one, which it means information assurance, technician, level one, they're wanting you to get one of these certifications.
and then, uh, level two level one is like, uh, a help desk person. Like they're, they're usually working on this one system right here and they're fixing they're troubleshooting. This system level two is I believe that's like it's level everything in level one, but also includes networking. Like you gotta know a little bit more about how it attaches to the rest of the network.
And then level three is when you're getting into like weapon systems, the specialized systems, and like maybe multiple, uh, sites that have networking, stuff like that. So that's, that's kind of how it was explained to me. And, uh, and since I've been in the field, that's kind of how they put you into these different boxes and then information assurance management that is dealing with the people who actually manage the help desk or manage the, the LAN or the environments.
Uh, the enterprise level stuff, and then they have other ones like architect, which I've never, I've never been a, uh, I've worked with them. I, I've not done the, that position, uh, cyber security, uh, service providers. I've done some of these. I was an analyst at one point, uh, incident responder done that done auditing and some of this stuff and yeah, they they're looking for these particular certifications and these do, uh, change from time to time.
So I hope to answer S kind of a long winded explanation of a, of something that was a little bit more simple. um, okay. I'll answer. Let me read one more question. I get the heck outta here. Um, would you recommend moving from a GS federal? If so, to a contractor position, the benefits and stability are. Are really good with feds, but the pay is low.
Um, Thomas Johns, I actually did a whole video. Please search out my video on this YouTube channel for this one. Cuz I've been asked this a couple times and I did a pretty thorough explanation of what I think somebody specifically asked me they were a GS person and they were trying to move into contract work and they asked me what, whether they should do it.
And what I did was I broke down the pros and cons of each, but I can very quickly do this. What do I think about this? Let me just pros and cons. Okay. GS position for is so they're not paid super high, but you gotta take into account that they have the best benefits probably of anyone in the, in the United States.
As far as the United States is concerned, right? Probably can't compare to, uh, uh, Sweden or something like that. But in the, in the United States, the, the GS positions probably have the best, the best, um, benefits. They have the most time off, they have really good medical benefits, which is super important in the US.
They have good dental benefits. They have it's solid. Right. It's so, so, and then it takes an act of Congress to get you fired. Like they do not fire people in GS positions. Um, that said, um, it can be stagnant and you're kind of in one place for a really long time. They don't make a lot of cash, but it makes up the benefits make that up.
Um, it can be a little bit boring. And that's another thing that I didn't like in particular, you're at the whims of the government and how slow the government moves on a lot of things. If you move for contracting work, the pros of contracting is, uh, you get to touch a lot more technology. It's, it's more fun, especially if you're in it.
If you're into cyber security, you get to learn more things. There's more stuff going on. Everything's moving really fast and everything. So it's, it's more fun to constantly keep up with the, with the trends and everything. The, the con it pays more, it pays significantly higher, like 30 to 40% higher in, in, uh, in, in contracting work.
The cons the bad things is that their benefits are normally not that good. Like you get, you know, 14, if you're lucky, 10 days off a year, um, unless you find a really good company that's comparable to, you know, it's giving you way more time off and stuff. It's more OUS than other things that's really bad.
If you have a family. I would recommend GS. Uh, it's more, it's boring, but you're not gonna get fired contracting work. I've been doing it for years. Um, is super volatile, man. It's it's crazy volatile. Yeah. You get paid more, but at any moment they can just let you go for any reason. It's just ridiculous. And especially now companies are not loyal to workers.
They really don't care. And they're just, they're being given a, like a carte blanche, do whatever they want to employees. I know I'm not trying to complain or anything. I mean, I've been living off the, the teat of contract work for many, many years. I now am an employee at a gigantic company, even then though they can let me go at any time.
You know, they let some guys go cuz some time card stuff to happen about a month ago. So so, um, yeah, I, I would say if you have a family, you know, if you're older, , you know, if you're, I would stick, stick with GS, I would not move in this volatile, crazy space now for you younger dude, you know, if your twenties, you don't leave, you have maybe very young family, you guys are living off of very, you know, not as much money you don't have.
You don't have a like gigantic house payment or anything like that. You have less bills, less debt, or maybe you're single. Yeah. Go for it, man. Go for the GS PO I mean the contracting positions go for it. Try to start your own damn business. Like yeah, go to take the risks. Um, if you got little less to lose, I would say that that would be my, so the thing is Thomas.
I was actually offered something. I was a, I was a contractor about man. What year was that? 2000 and, and eight in 2007. That timeframe I was a contractor and I'd been a contractor for. Like five up five years up to that point. And the GS, the government took me aside and they were about to let, they were about to let all our positions go.
And they were letting us know like two years in, in advance. And they said, look, all the positions that we have, it was like risk management framework type work, developing system security plans, um, that kind of stuff. And, uh, compliance, things like that. They said, look, sat me down, said, we're about to let this whole thing go.
We're gonna transfer over all your positions to GS positions. Are you interested in taking a position with us? And I said, Hmm, maybe. I mean, I would be able to retain my total active duty service so that wouldn't be bad. I like working here. I like working with the people. It's pretty stable, but then. I said, well, how much it, how much does it pay though?
Like, I, I'm not familiar with the GS, uh, positions, like how, what, what GS level would I be at? And he said like a GS nine or GS 10. And at the time it was, um, it was gonna pay me about $15,000, less than I was making. I was making about at the time, about 75. And it was the most money I'd ever seen in my life.
In my li I was, it was the most money I'd ever seen in my life. And I was, I was happy with it. I was making about 75, 80, something like that. And they, they offered me about 60 something and I was like, I gotta make, I gotta take a $15,000 pay cut. I'm like, I don't know, like, meanwhile, I was like, I'll think about it, you know, but meanwhile, I had a business on the side, the business was going good.
And at the time I was like, this business is about to blow up. I'll make more money than all of this. And that's not what happened by the way the business didn't go well, like it went well for a while and it folded. So anyway. So on the other side of it, you know, I, I wasn't taking super high risk. I was still looking for another job.
I was like, well, let me look for another job and see what happens with that. And this other job offered me like 90. And I was like, what? So I had the choice of taking a job for 90. Now at the time I had a kid, one kid at the time I was married, had a house payment, had all this debt. And so I got a chance to either make 95.
65 or 65,000. Right. And I'm like, mm I'm gonna take the 95.
and, uh, yeah, I mean, if I, if I'd done it though, here's the thing, here's the drawback for me. I would've, I would've been able to retire from, from, uh, I would've been able to retire by now. So give and take, you know, and the retirement would've been oh, 2000 a month or something like that. I don't know something like that.
The 1500 by now I'd be retiring. So, so yeah, that's, that's my story and I'm sticking to it. Um, that's it guys. I gotta go make some food. Um, some rice. Um, thank you guys for watching. I appreciate everybody's questions. I'm sorry. I wasn't able to get to everyone's questions, but I always, I always appreciate all of these, uh, these sessions we have, um, Aja MJA.
If you have my email, please send me your resume. I'll take a look at it. Anybody else send me your resume? I'll take a look at it if I have time, if, um, but if you sign up for my, um, let me pay some bills real quick. If you sign up for this, anyone else you or anyone else signs up for this? Um, I will, you know, very guaranteed look at your resume, guaranteed.
Um, because I, you know, like if you've paid for it and I'm gonna, I'm gonna walk you through what I did. If you have any questions about this thing, I will help you out. And, uh, that's it guys. Thank you guys for watching.
Friday Aug 26, 2022
0:00 Convocourses page
0:59 Start of Convocourses podcast
2:47 Every ISSO Needs to Know this
37:06 Entry Level Cybersecurity What You Should Know
47:00 Types of IT Jobs for Remote Work
51:35 Military ISSO to Civilian ISSO
01:04:05 Videos about SCA work
01:08:40 PCI DSS work my opinion
01:15:34 States to find ISSO RMF jobs
Saturday Jan 29, 2022
RMF ISSO Assignment https://securitycompliance.thinkific.com/courses/rmf-isso-assignments-101 https://securitycompliance.thinkific.com/courses/cybersecurity check out our courses at: http://convocourses.com
0:00 Convocourses screen
4:29 Convocoures Big Thank you
6:11 Free Training on NIST 800-37 on Convocourses
8:11 New to the ISSO no technical background Where do I get training
19:11 CISSO vs ISSO RMF convoCourses
31:49 Have I Ever Resubmitted a Resume I have […]
Sunday Apr 11, 2021
check out: http://convocourses.com
0:00 ISSO Therapy Session
14:38 Things to read for Risk Management Framework
23:37 How to Get a Security Clearance?
33:01 Do I Need a Prestigious University for Cybersecurity?
43:24 Why I don’t take calls as a mentor?
44:57 Advice for a new SCA (Security Control Assessor)
49:31 Cybersecurity Resume Tips for Security […]
Sunday Apr 11, 2021
check out: http://convocourses.com
There are privacy controls within the NIST RMF 800: NIST Privacy Controls
Saturday Feb 06, 2021
Sign up for free courses! http://convocourses.com 0:00 Start Page Convocourses 0:55 Earn CEUs CPEs on ConvoCourses 9:43 Failed the ISC2 CAP 22:25 Continous Monitoring in the Course 29:57 College Lab work on Resume 34:44 Separation of Duties with one person (ISSO) 40:08 Implementation of security controls resources (part 1) 49:33 Implementation of security controls resources […]
Thursday Feb 04, 2021
There are some updates to the RMF Courses and many more to come.
0:00 blank intro
0:40 Start of convocourses podcast
1:43 Helping with Master Degree on Nist RMF
2:38 Complete Course of NIST RMF
5:45 RMF NIST Course as an Audio file
7:40 RMF NIST Security Control Interpretation
11:40 ISSO lean to Support
Wednesday Feb 03, 2021
I often get questions from other professionals on how they can get into Cybersecurity. There are a few things that you can do to start. For one thing, start where you are. If you work in a company ask the resident IT guy what the career is like. Another thing to consider is IT adjacent […]
Tuesday Dec 08, 2020
On this podcast we discuss the following: 0:00 blank intro 0:40 Start of convocourse podcast 1:43 Helping with Master Degree on Nist RMF 2:38 Complete Course of NIST RMF 5:45 RMF NIST Course as an Audio file 7:40 RMF NIST Security Control Interpretation 11:40 ISSO lean to Support the team 15:52 Cannot get an ISSO […]
Sunday Nov 22, 2020
In this podcast we address what needs to go into a resume if you are trying to transition from your current career field to IT and/or cybersecurity. https://youtu.be/Fjc18455ygI