Convocourses Podcast: Insights and Inspirations From the GRC Field (cybersecurity)

Jan 30, 2024 | 2 hr 44 min | Ep. 112

Episode description

Free cybersecurity GRC information security stuff:

http://convocourses.net

the video: https://youtube.com/live/v3zU7sartu0


In this power-packed episode of the Courses Podcast, dive headfirst into the multifaceted world of Governance, Risk & Compliance (GRC) with host Bruce. He unravels the ins and outs of Information Technology and Cybersecurity, addressing fantastic listener questions and adding valuable insights from his vast experience. Perfect for IT professionals or cybersecurity enthusiasts, it’s a treasure trove of knowledge and a chance to interact with the experts.

Listen to Bruce as he details the challenges of vendor risk management, spotlighting industry giants like Microsoft, Cisco, and Palo Alto. Understand how vendor relationships influence risk and learn enticing strategies for risk mitigation. Plus, explore vulnerability management, software patching, and how to tackle software weaknesses with practical insights from Bruce.

Aspiring for a career in IT or Cybersecurity? Get guidance on various career paths, the importance of security frameworks like NIST 800, NIST CSF, ISO 27001, and SOC 2, plus valuable tips on certifications that can boost your career like the H.C.I.S.P.P. This episode is your comprehensive guide to the exciting and evolving world of IT and Cybersecurity.

Listen to the first-hand experiences of dealing with large-scale enterprise IT systems, particularly within the Department of Defense (DoD). The discussion covers everything from insecure default configurations to skilled personnel, highlighting the complexity and challenges faced in large IT operations.

Take a deep dive into the basics of Information Technology (IT) and cybersecurity, from ports and protocols to the advent of AI and quantum computing. Regardless of your experience level, this conversation offers valuable insights and will inspire continuous learning.

Master the art of assessing controls and security measures in IT, learning from the best in the industry. From creating a security assessment plan to the importance of self-assessments, understand the complete picture of IT security in this informative episode.

As an added bonus, gain expert book recommendations on IT and Cyber Security, learn resume-building tactics for a tough job market, and pick up hacks for maximizing your online visibility. Whether you’re a seasoned IT professional or on the road to entering the IT industry, this episode of the Courses Podcast will fuel your learning journey.

Transcript

Hey guys, it's Bruce. Welcome to Courses Podcast. Every week we talk about cybersecurity, information technology. We talk about GRC stuff. That's the main topic of discussion. And today I'm going to try to do something a little bit different. I've never done this before, but I'm going to open it up to people jumping in. And if you actually want to get your voice heard, jump on this. I will send you a link to go live with me on YouTube, on Facebook, and then also on TikTok.

The only thing is, I'm hoping that you just keep it to the topic of conversation: getting into IT. Or, even better, if you happen to be an IT professional and you want to give your two cents and help people get into this field, or you want to help people get into cybersecurity, or you have comments on cybersecurity, or you want to teach, this is your opportunity to jump on, on TikTok, on Facebook, on YouTube.

I'm trying this for the first time, so I don't know how this is going to go. About a couple of weeks ago, I had Ryan jump on here and that was really cool. I really loved having him on here. So that's kind of what I'm trying to do again, but just with somebody random. So I don't know how this is going to work, but we'll see. Let me see here. I got some questions already on TikTok. TikTok's pretty active already. Do you know anything about vendor risk management?

Vendor risk management, are you talking about an organization that is working with some vendor, Microsoft, Cisco, Palo Alto, and then they have to make sure that they manage the risk with that vendor? Because that's something that we do a lot. Every organization I've gone to, we have to do some level of that. Now, how much hands-on we have with the vendor really depends on our relationship with the vendor.

And then it depends on our service level agreement with the vendor, how much we paid to have the vendor. So that said, no matter what vendor you're with, you have to have some level of risk management with them. I'll give you an example, Microsoft. A lot of people have Microsoft products, whether it's Office 365 or if it's using Windows, some operating system. So in order for us to manage the risk, a lot of organizations, especially if they rely heavily on Microsoft, they have to pay some ungodly amount to have maintenance of professional services with Microsoft. And that's probably the highest level of risk management you can have because it's helping manage the risk.

Because if something goes really bad, you can contact them and say, listen, this is what's going on with this operating system, or we have this application that's not working with Windows 11. We need help with this. Or there's this vulnerability that just came out. Most top tier vendors have some level of risk management built in. And that's why a lot of organizations won't go with unsupported software.

That's why it's a really big risk to have unsupported software. Unsupported software is like, I'm trying to think of one. WinZip used to be unsupported. I think it's supported nowadays, but when it first came out it was like freeware and it wasn't supported. Somebody just created it, they put it on the internet, and people would just download it. But if it went down or if it had a virus on it, there was no support. You have to go to some site. Now it's different. Like, now it's a huge deal. But there's some software that's still out there that's not supported. Somebody's created it. It's very useful. People are using it, but it doesn't have active support. So there's a lot of risk to that. But most organizations, whether it's Microsoft or Red Hat or whatever, Gigant or Oracle, they already have some level of risk management built in.

But if you're talking about some specific framework, then I'm not familiar with it. I'm not sure what you mean. Can we talk about vulnerability management as well? Man, that's a big topic. So lately, most of the work I've been doing is vulnerability management. So we can definitely talk about vulnerability management. And for those of you who don't know, vulnerability management, what is it? So your operating systems, your applications, even hardware, firmware, have vulnerabilities.

You might be asking, where do these vulnerabilities come from? They come from a lot of different places. Sometimes it's built in, like they accidentally, whenever they made the software... Windows is a great example. I'm sticking with that vendor. So Microsoft comes out with a product. They put it out there, and it has flaws in it. They don't purposely put the flaws in there, right? Why would they do that to themselves? They don't purposely put the flaws in there. They make it as tight as it can be, to suit their customer, right? But there's millions of people, probably billions of people, using Microsoft products, and they find things that are wrong with it. And it makes sense. I mean, Windows is millions of lines of code.

So it makes sense that there's humans making this. So it's going to have problems with it. So people are finding these problems. They're finding errors. They're finding things that just don't work. They're finding vulnerabilities, weaknesses in the software, all kinds of stuff on Windows. And so what happens is the vendor, Microsoft, will fix those patches. They'll patch it. They'll do hot fixes. They'll do huge security patches. They'll do updates to it. And it'll fix that particular problem.

Now, here's where it becomes a full-time job. Imagine an organization has a thousand computers and those thousand computers have about 50 different applications and like three different operating systems.

Each one of those, let's say 150 applications, has vulnerabilities on them, right? And each one has different vendors. And so now you can see how it becomes a full-time job, because they're updating software. So now your team, your IT department, has to come and patch. Okay, what's going on? All right, do we got to patch Windows? Okay, what else is going on? Macintosh. We've got to update the Mac systems. Oh, we've got Android. Android has more vulnerabilities.

We've got to fix that. So it's like a constant... A constant flow of fixing applications and software, patching them and all that. That's a full time job. Typically, the organization will have one department that goes out and fixes stuff, right? You might have a server team that's pushing out patches. You might have people like help desk people going out, touching the systems and having to install directly on specialized laptops or whatever.

You might have different teams. So you might have a database team like, oh, that's all they do is maintain the database and they have to update the Oracle database or whatever. Right. So there's all these people who actually touch the system, push patches on the system, test it before it goes out and all that kind. They have their own schedule of things they have to do, like they have their own cycle of patching. And then you have a department that's watching for these changes.

And that's somebody like myself, which is like a vulnerability management, cybersecurity, GRC type position. There's different names for it. I've heard it called the vulnerability management department, VM guys. You know, you've got patching guys, you've got cybersecurity specialists, cybersecurity analysts. There's all kinds of names. Like, the name is irrelevant, right?

We're talking about what they do. What they do is they're looking for new threats, new vulnerabilities on applications. And the tools that they use are like scans. They might be looking at the scan results. They might have Qualys that goes out, scans and finds all these vulnerabilities. They might have something like Tenable that goes out, scans, sees the vulnerabilities and sees if the system's compliant with whatever standard is out there.

And so you have different tools that this team uses to find vulnerabilities.

So you have a team that actually fixes these things. You have a team that's looking for the patches, and they work together to patch the systems on a periodic schedule that is determined by the organization, I'll put it to you that way, because it varies from organization to organization. Some organizations say, look, we patch every Tuesday when Microsoft gives us our patch. Or some organizations say, look, if it's a critical, we patch immediately.

If it's a moderate, we will patch it within seven days. And if it's a low impact vulnerability, we can patch it within 30 days. Different organizations have different schedules on how they do it, but normally this is the landscape of vulnerability management. So let me see if anybody else is chiming in on the vulnerability management discussion. All right. I got some people jumping in on YouTube. OK. Live and learn. How are you doing, Live and Learn? My man Larry's on.
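As an added illustration, not part of the episode, here is a small Python tracker that applies the severity-based schedule just described (critical immediately, moderate within 7 days, low within 30 days) to constructed scan findings and builds a per-host overdue worklist. The hostnames, finding titles and dates are made up, and a finding whose severity has no entry in the policy is reported separately as a policy gap rather than silently skipped.

```python
"""Patch-SLA tracker for vulnerability scan findings.

Added example, not from the episode: it applies the per-severity remediation
windows described in the transcript (critical immediately, moderate within
7 days, low within 30 days) to constructed scan findings and builds a
per-host worklist for the patching team.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation window in days per severity, as stated in the episode.
# A window of 0 means "patch the day it is found" (critical = immediately).
DEFAULT_POLICY = {"critical": 0, "moderate": 7, "low": 30}

# Reference date used by the sample run (the episode's air date).
AS_OF = date(2024, 1, 30)


@dataclass(frozen=True)
class Finding:
    """One row from a scanner export (Qualys/Tenable style), simplified."""
    host: str
    title: str
    severity: str
    first_seen: date   # date the scanner first reported it


def patch_deadline(finding, policy=DEFAULT_POLICY):
    """Date by which the finding must be fixed, or None when the severity
    has no entry in the policy (a gap the VM team should triage)."""
    window = policy.get(finding.severity.strip().lower())
    if window is None:
        return None
    return finding.first_seen + timedelta(days=window)


def sla_status(finding, as_of, policy=DEFAULT_POLICY):
    """'overdue', 'within_sla' or 'unclassified' for the finding on as_of."""
    deadline = patch_deadline(finding, policy)
    if deadline is None:
        return "unclassified"
    return "overdue" if as_of > deadline else "within_sla"


def days_overdue(finding, as_of, policy=DEFAULT_POLICY):
    """How many days past its deadline the finding is (0 if not overdue)."""
    deadline = patch_deadline(finding, policy)
    if deadline is None or as_of <= deadline:
        return 0
    return (as_of - deadline).days


def sla_report(findings, as_of, policy=DEFAULT_POLICY):
    """Group findings by SLA status and then by host, so the patching team
    gets a worklist and the VM team sees which hosts are out of policy."""
    report = {"overdue": {}, "within_sla": {}, "unclassified": {}}
    for f in findings:
        status = sla_status(f, as_of, policy)
        report[status].setdefault(f.host, []).append(f.title)
    return report


# Constructed sample findings; hostnames, titles and dates are made up.
SAMPLE_FINDINGS = [
    Finding("web01", "OpenSSL security update", "Critical", date(2024, 1, 28)),
    Finding("web01", "Apache version disclosure", "Low", date(2024, 1, 5)),
    Finding("db02", "Oracle Database patch", "Moderate", date(2024, 1, 20)),
    Finding("hr-laptop-17", "Browser update", "Moderate", date(2024, 1, 27)),
    Finding("cam-03", "Vendor firmware fix", "Informational", date(2024, 1, 10)),
]


def report_for_sample(as_of=AS_OF):
    """Run the tracker over the constructed findings as of the given date."""
    return sla_report(SAMPLE_FINDINGS, as_of)


if __name__ == "__main__":
    for status, hosts in report_for_sample().items():
        print(f"{status}:")
        for host, titles in hosts.items():
            print(f"  {host}: {', '.join(titles)}")
```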

Larry says vulnerability management becomes even more critical with the work from home explosion and employees using company devices on home networks, similar to when companies used to bring their own devices. It depends on the organization, Larry. From what I've seen, so I've worked for three, I'll give you three different examples. Like, the organization I'm working for now is government. I'm using their laptop. I cannot use any of my own stuff.

It's not bring your own device for them. So when I'm on their network, it's on the government network. When I'm working with their computer, it's a government computer. They control everything. I can't do anything out of pocket on that system. I can't download any new software on it. I can't do anything. And whenever I connect to the Internet, I'm connecting through their VPN. It's on there and everything is theirs. The last place I worked was purely corporate.

It had nothing to do with the government. Right. It was B2B. I worked for Verizon and we did vulnerability risk assessments, is what we did. And so we used our trusted laptops controlled by the company. It was still locked down. Like, I can't just download random stuff on there. But they had their own baseline of how it was locked down. And so they don't trust users to download their own stuff.

If they have a good cybersecurity program, then they're not allowing people to randomly just download shit on there, because that's when it gets crazy. When it gets crazy is when you, like you said, allow people to bring their own device, and then they can just download whatever they want on that computer because the company or the organization doesn't control that computer, so they can download whatever.

They got their kids surfing the internet and downloading viruses, all kinds of shit, right? So that's where it gets bad, where the organization – and I've worked for organizations like that, that don't have good control over the devices. It's so much more work when that happens. But there's a way to do it with work from home, where you lock down that box and you're not allowing the users to just download random stuff.

So there is a way to do it. Somebody said, oh, Mike. Mike says, when can we call in, and how? Oh, so if you want to call in, I'm going to take calls here real shortly. Let me know if you want to, and I will send you a link. Send me an email. How are we going to do this? Let me see. How are we going to do this, Mike? Here's what we're going to do. I want you to send me your email to contact at convocourses dot com, and I will get your email.

I will send you a link to join me on YouTube. On TikTok, you can just, there's a button you can hit to request that I allow you to jump in here. And then just talk to me about your job where maybe I'll ask you some couple of questions about how you got in, something to help the audience. Because I've got a lot of people who want to get into IT, who want to get into cybersecurity, or people who want to learn about GRC type stuff.

And that's kind of who we're serving right now. So if you have something to say about this, or you have a question you want to ask and then, like, dip out, then that's what we're going to do here. That's what we're going to try. I don't know how it's going to work, but we'll see. Let me see here. So yeah, contact. Let me put up how to contact me, how to send me an email, if you want to jump in, talk for a couple minutes, or

answer some questions. I'll ask you some questions. It's casual, guys. Like, you know me, you hear me cussing on here and stuff. Like, this is not formal, right? So it's relaxed. It's a relaxed atmosphere. There's nothing to be nervous about or anything like that. And, you know, sometimes I say stuff that's not right on here. This is about us learning together. That's why it's Convocourses, right? So let me show you: contact at convocourses dot com.

Email me here. I'll get your email if you're interested. I will send you a link to jump on the YouTube and Facebook live, or if you are on TikTok you can just jump on here and ask any questions you want, geek out with me, whatever. Let me see. Got some folks chit-chatting back and forth on TikTok. Let me get back to my... I will go back to... whoops, okay.

Bear with me, this is the first time I've done this, so this is interesting. Oh man, I've not done this before. Oh, comments, okay. Shit, I will learn it on the fly here, guys. Okay, let me see. Kat says, if all work is done on controlled networks, security can be enforced off our VPN, VM, I can do whatever. Oh, so Kat is in this industry and saying if all work is done and security is done for the week, they could do whatever. Is that what you're saying, Kat? Let me see.

Who else? SB says, I'm looking to transition into IT. Do you know any programs or services for GRC? And somebody answered him and says, you can get free GRC training at Simply Cyber, simplycyber.io. I think I just promoted somebody's stuff here. And that's cool. I work as a T2 SOC analyst. How do you recommend I advance my career? OK, let's do one question at a time. So I'm going to start with SB the Geek, who said, I'm looking to transition into IT. So SB, let me ask you some questions, man.

Where do you work right now? What's your industry? What industry do you work in? Are you in retail? Are you in health care? What industry are you in? Because that will help me to answer your question. Now, you can go to whatever site that they said or whatever, but I'm just going to give you my two cents. I'm in healthcare. I'm a recruiter. Okay. Awesome. Do you know anything about HIPAA?

A silly question, because most people in healthcare know something about HIPAA, because that's the first thing they... yes, you do. Okay. Now let me enlighten you. Okay. So a few industries lend themselves to getting into IT. Now I say IT and not GRC because you're going to have to learn some IT stuff. Okay. You're going to have to learn some IT stuff. But health care is special because, how can I break this down?

So health care is looking for GRC people who know HIPAA, know how to implement HIPAA for IT systems. Now, you might be thinking, Bruce, what do you mean, IT system, on servers and stuff? Well, think about it like this. Whenever you go to a hospital, whenever you go to a clinic, whenever you go to an emergency room, whatever, you see all kind of medical equipment in there, right? That medical equipment is all connected to a network. That's all IT equipment.

Number one, all that equipment is taking your data, our data, you know, your health care information, and is sending it to a server that allows the doctor, the nurses, to all interact with that information. Now, obviously, not all hospitals are like that, but some of them are a little bit more antiquated and they're just doing stuff on paper or whatever. And that's fine. But you still have to follow HIPAA laws, which is protection of our health care information.

So that said, if you're in the health care industry, you know some things I don't about that industry. You know a certain jargon, you know the hierarchy of the hospital. I don't know nothing about that, man. I've done a little bit of work like risk assessments on health care places, but not much. I've not been on the inside like you are. So let me show you exactly what I mean.

Right. And this right here should color your perspective on this whole thing, how this could work for you. Now, as I'm looking for this thing, let me just let you know about a couple of things you can do right now. Number one, check out your IT department and ask them, tell them, you know, they're going to be your best resource.

Go talk to some fellow geeks there and ask them, the guys who are hooking up your Wi-Fi, the guys who are hooking up the servers. You'll see them around, man. Talk to them and say, listen, I'm trying to get into IT, like, what do you guys recommend? And they'll break it down to you, because those guys are already in what you're trying to do. Those guys are going to be your best resource. But let me

enlighten you on some other resources you can use. There's a couple of certifications, and I'm not saying that you're going to get the certification, magically wave a wand, and suddenly have a job. What I'm saying is this certification will give you an idea of what kinds of things employers are looking for. There's a certification from ISC2 called the HCISPP. And it's a healthcare security certification.

So somebody said, is there a technical HIPAA audit? I'll do you one better. I'm about to show you right now. So this is in the healthcare industry. They're looking for people in your profession. They're looking for people who know this stuff. So that's you. Now they're going to expect you to know some things, but let me show you my screen here real quick. I'm on TikTok. So bear with me, guys. I don't really have a good way to show the screen here.

So you can find this site. Right. All I did was, if you want to find this right here, if you're on TikTok or wherever you happen to be, just go to Google or Bing or wherever and then type in ISC2. Or actually, you could just type in this, H.C.I.S.P.P. Type that in. Here's the certification right here. All right. And here's the domains they cover. This is kind of what I want to show you, to show you why being in the health care industry is actually fire.

So, look, they're looking for somebody. The first domain is the health care industry. Like, you already know that one. Right. You already know that. You know more than me about this because you're on the inside already. Then they talk about information governance in health care. You probably know more about this than I do. So this is not just auditing. Auditing is just one part of the HIPAA process, one part of health care IT.

And they're going to talk to you about the next domain, which is information technology in health care. What kinds of things? This is where they're going to talk to you about, like, medical devices that are connected to the Internet, stuff like that, how that stuff works. And then they talk about regulations and standards. This is straight up HIPAA right here.

HITRUST, all that. Then privacy and security in health care, risk management and risk assessment. Somebody just asked me about audits. So look, this right here is a high level certification. It's already being recognized by the Department of Defense, the 8570, and pretty soon to be 8140. I don't know when the hell they're gonna do that, but yeah, it's already recognized globally, this certification right here. This

gives you an idea that you don't have to just focus on just IT stuff or just audits or whatever. This is opening that up for people who are already in the field, in healthcare, already know some HIPAA, already know what the hospital or clinic is supposed to do. So you already have a foot in the door if you happen... That's why I ask you, like, what industry? And the thing is, they have the same thing if you are in retail. They have a way for you to transition over.

And if you're in the financial sector, they don't have HIPAA, but they have something else that you could focus on if you're trying to do GRC stuff. This stuff is not heavy into hands-on. You're going to have to know some hands-on stuff. You're going to have to know IT, basic IT stuff. You're going to have to know this, but, you know, it's more compliance, GRC-type work.

It pays really good, right? Out the box, you're not going to get paid a lot immediately, but over time, you build up your experience, and then you can easily make six figures doing this stuff.

Depending on... there's a couple factors, you know. It depends on what state you're in and your role in the company, your work, obviously. All that stuff are factors to getting six figures, right? I'm not promising you you're gonna do this stuff and suddenly make six figures, but I'm telling you this, I'm showing you a path forward if you are in the healthcare industry, and it's going to open up your mind. I'm hoping it opens up your mind on what steps to do next, right?

Now, if you know nothing about IT, I would highly, highly advise, if you don't know anything at all about IT, I would highly, highly recommend that you polish up on your basic IT knowledge. How do you do that? If you can, go take a course in community college or some kind of college course or something, get a degree. You don't have to, but it's probably one of the best things you can do because it's going to give you the time to do it. And when you walk away, you have a degree.

It's still worth something. But if you can't do that, if you don't have time as a factor, you got kids, you're a single mother, single father, whatever, you don't have time for this shit. I understand. That's me right there. What you can do is take the CompTIA A+. This is for people who don't know anything. It's for people who are not IT professionals. They don't know nothing about IT. You've got to start small. You've got to start in the weeds.

You've got to know how to speak the language of information technology before you do GRC, before you do cybersecurity, before you do information security. Everything I just mentioned is based on information technology. So you've got to know the base. You've got to know that foundational information. Right. So that would be the first step. Now, if you are already, it says you're a geek. So if you're already hooking up your own systems, you're already building your

own server racks. You're already, like, in the know. Maybe you're not an IT guy, but you know more than some IT guys. You don't need the A+ certification. Like, it's going to waste your time. You can go to Security+ or you can go straight to this certification I'm telling you about, which is what I would recommend, the H.C.I.S.P.P., if you're in health care. So I hope that helps you. He says thanks for the content and advice, I'm checking out the website. Yeah, okay.

Let me see here. Any other questions, comments? If you guys happen to want to jump on here, there's my email, contact at convocourses, and I'll invite you in. Now, keep in mind that if you do jump on here, this is going to go everywhere. I don't have a lot of people watching right now, but what happens is I chop these videos up and I post it. So some of those go viral. You know, some of those shorts are repurposed content.

They go, like... a lot of people see them. I got people from old jobs I was at, people from when I grew up, talking to me. It goes everywhere. So somebody, you know, will see this, is what I'm trying to tell you. So if you do jump on here, many people will see it. If you have a problem with that, don't jump in here. All right. Let me see here. Larry says, same. My laptop and phone are issued by the government. No downloads are allowed without a dot gov approval.

Yes, exactly. They also push updates, routine and also not routine, and give time to comply for employees. Yeah, Larry knows what's up. So Larry's working directly for the government, just like myself. Well, maybe I'm a contractor for the government, and I have to use their equipment and I'm not allowed to... It's locked down pretty tight.

You can't. Number one, I can't even travel with it. I can't take their stuff outside of the country, whereas I can go anywhere in the continental United States I want. But I cannot take their equipment out of the country. I can't download anything on it. Like, I don't have rights to do anything on that computer. I mean, I'm sure if I tried, I could probably figure something out. But since I don't want to go to jail, I'm not going to do any of that.

So, yeah, that's if you work... if you have a contract job, if they work for the government, if they issue a laptop and you're remote working, that shit's locked down. So you're not going to be able to change it. So that's how they do it for vulnerability, man. And by the way, it's important because...

We were talking about vulnerability management before. That's a really important part of configuration management is baseline, having a secure baseline that can't be changed without doing like a security impact assessment and then having a group of people saying, yep, it's good. It's not going to impact the rest of our infrastructure. Go ahead and put that new software on there. You can't use this form of Telnet, use this SSH secure version of remotely getting into that Linux system or whatever.

So it has to be on their approved list. They have it locked down that way, because if everybody could just put whatever they want on there, that's a really big problem for you as a security team, especially vulnerability management people. Because if they're using software that we can't control, then how do we know when it needs to be updated?

How do we know if it's supported or not? How do we know if it's... like, we don't. It's going to make it harder for us to do our job to protect that system. So that's a part. Configuration management and baseline security is a part of vulnerability management. It's all wrapped together, you know, and you can't have one without the other. Let me see. DMARC email spoofing best practice comes down to this. Let me see.

Armani, how you doing, man? He says, that's why I ain't coming on here. I don't know what I could say, what I can't say. I'll text you. You can say whatever you want, but whatever you say is gonna be everywhere. So, you know, I mean, I find myself, like, some old stuff I have, me and my girl are going through some of my old videos, I'm like, what the hell? Like, oh shit, I said that? Like, okay, delete that. Got some old shit

that... it's kind of crazy to see stuff I did like five years ago going viral, and then I'm like, oh shit, I gotta delete that shit, you know. Okay, Jeff Hawkins says, I work as a tier two SOC analyst. I think that's what T2 means. And he says, how do you recommend I advance my career as a tier 2 SOC? And it depends on what you were trying to do, I think. Jeff, it depends on what you're trying to do, because there's a couple different directions you can go with it.

I mean, if you wanted to go GRC, if you felt that that was an upgrade for you, you could do that very easily from a SOC analyst position. It will be how you word your resume, because they're looking for people who have a technical background, right? And you probably, as a SOC analyst, you have exposure to probably several different frameworks. You just don't think about them. You probably know NIST 800.

You probably... even if you don't know it, you've done it. So in some ways you have a more visceral understanding of things like security controls, because you've actually implemented them. You just don't know. I want to say you don't know what you're doing, but you do know. Yeah. You don't know how much you know of the frameworks, is what I'm trying to say. You know a lot of it because you're actually doing it.

So you probably know NIST 800, risk management framework. You probably know NIST CSF, cybersecurity framework. You probably know ISO 27001. You probably know SOC 2. You probably know several frameworks that you're actually implementing in your environment, because you know incident... you're very familiar with any kind of incident response stuff, incident handling. So you can go several different ways, right? You can go the GRC route. You can go the management route.

You might even be able to cut and run and go, like, forensics. SOC analyst, I used to do SOC analyst work. I was a tier two SOC analyst in the Department of Defense. And it was really fun. I liked it. It was really, really fun. You really, really had to know your shit. I've been thinking about having one of my old partners, my old peers from that job, come on here, because he went a whole different route. Like, that guy is working for Google doing threat analysis type shit.

Right. Which is really cool. Really fun. He was really good at that. So I might have him on here, if he will do it. I'll see if he can. Anyway. So you can go any different route. Just to give you an example: at that tier 2, and I did this like six, seven years ago or something, I was a cybersecurity analyst for the Department of Defense. I was tier 2, doing shift work, the whole nine yards. We had a SIEM. We had IDPS.

We had intrusion protection systems. We had all kinds of equipment, all kinds of stuff going on. We worked directly with the incident handling department. We had a forensics team. We had everything. And myself, I went back to GRC, and I'm doing pretty good. I work from home. I'm making six figures.

I'm doing pretty good, right? Another guy, he went deeper into the threat intelligence type world, and that dude's working at Google doing threat intelligence stuff. I'm sure he's making way more than I do. And then another guy who was running our team, that guy's a director at some company. I don't know if I could ever get him on here. And then a few other people are still doing the same. They just remain. They're doing it. Their managers are doing

tier 2 SOC analyst. You can go any different direction. Management, you can go GRC, you can go the direct route, whatever you want to do. It depends on what you want to do. Let me see. Insecure default configurations, patch management. It's so much work in an enterprise. Man, especially the bigger it gets, it gets exponentially harder the more systems you have. The more software you allow, the more systems you have, the more people you

have, the more software you allow. That's a big one. It just gets exponentially harder as you grow. So these large environments like DoD or, I don't know, Department of State, like those, this is so challenging. You have to have people who know what they're doing. You have to have really good, solid processes in place. They run a pretty tight ship there, because they've been attacked so many times. And it's very clear when I go to other agencies how good the DoD is.

When I go outside of the Department of Defense or whatever, I'm always having to go back to them to see how it's supposed to be done. I had no idea when I was in there. I was like, man, what are they doing? This is bullshit. You know what? They should be doing this and they should be doing that. No. I mean, there are some units that suck. Don't get me wrong. There are some units, especially the Army, some Army units, that suck really bad.

Some Army units suck really bad, man. I mean, some of the ones I've seen are really bad. Not just Army, though. I'm messing around. But some Air Force units are not good. But overall, when I compare the Department of Defense and some of the branches and stuff with some other organizations, they do pretty good, to be honest with you. Especially if you happen to be in the Department of Defense, you should know it's ugly out in these streets.

Like, whenever I work with banks, or when I worked, in my previous position, with different B2B, some of it, I'm just surprised. I'm like, damn, these guys really suck. You know? Yeah, I really can't say much more about it. I want to keep my job for some time, so I'm not going to say shit else. But it gets pretty bad out there.

I mean, the Department of Defense, they got their shit together. If you think about all the stuff they have to do and all the systems they have and how complex the environments are, it's a difficult task, but they've done a pretty good job. Somebody said, a farmer transitioning to IT. That's a new one. That's a new one. He says A+, Security+, CySA+ certified. I live in a small town in Hawaii. Any advice?

Yes. So what I would do, what you could do, just off the top of my head, what you could do with all of these certs is get as much hands-on as possible. You've probably already done that, so I'm probably preaching to the choir.

Get as much hands-on as you can. In a small place, one of the great advantages is they don't have a lot of people who know what you know. So what you could probably do is a freelance business. What I would do if I were you, especially if it's as small as you're saying in Hawaii, what are you at, Maui or something like that? The more isolated the better is why I'm asking. Because if you're in a place that's isolated and a lot of people don't know how to, say,

set up Wi-Fi the right way, right? With security in mind, all that kind of stuff. They might not know how to do it, but you do, right? You can set up your own company, sole proprietorship, LLC, whatever, and then just do it for people around the surrounding area. And then you can put that shit on your resume. So if your business doesn't go well, you still have experience. And you take that experience. So check this out. If you start your own,

there's two things you can do with it. Here's what I would do for you. You could be a freelance IT support specialist, right? Look locally and hook up people's Wi-Fi securely, a secure Wi-Fi. Do it for cheap or do it for free, whatever, right? Just do it. You got to get your hands dirty and do it under your company. Fix people's Wi-Fi, fix people's computers, remove viruses, that kind of stuff.

Right. And then there's two different ways you can go. If your company goes well, that's great. That's great. Then you can just keep building up your company, hire people, whatever. If it doesn't, right, it's fine. Now you can use that stuff that you did, hooking up people's Wi-Fi securely, fixing people's tractors, hooking it to the network or whatever, I don't know, but whatever you do, doing all that local IT work, put that on your resume, right?

And then go work for a larger company. You know, you could work for Caterpillar. These are gigantic companies, man. Caterpillar and all these other big agricultural companies are looking for IT professionals, too. And now you happen to know what that equipment is. I can't even think of three different pieces of equipment that might have to connect to the Internet. I can't even think.

You probably have four or five dozen of them in your head that you can think of that have software attached to them that you could fix. So that's what I would do. I mean, that's just one thing you could do. Another thing you might want to consider is hooking up with... Now, one thing my man Ryan said on here, words of wisdom, is connect with the local ISSA. That's the Information Systems Security Association.

I'm freaking going senile. It's ISSA. So just go to Google, type in ISSA and then your city, whatever city you're in. ISSA is an organization that every major city, every major state has. And what they do is, it's a combination of all the local IT professionals, cybersecurity professionals specifically, and they have job markets, they have recruiters, they'll have people promoting their products, their security products or their IT server products or software,

whatever, and they get together like monthly or something, right? So that's another thing you can do. Just a couple of ideas for you. But good luck to you. Dame, how you doing, man? Long time no hear from. We got to catch up after this. I'll catch up for sure, man. I see you, by the way. He's like, greetings, Bruce. I see you, man. We'll talk real soon. Let me see. Larry says, I highly advise not being afraid to start small, start at small pay.

In my opinion, getting your foot in the door in IT is the hardest part. Once you're in, growing from there is part of the hard work and a lot of networking. Man, yeah. Larry knows what's up. Getting your foot in the door is hard. The way I got my foot in the door was in the military. The military was an incredible step up for me. I mean, I realize it's not for everybody, but for me, it was a huge, huge step up.

And it wasn't easy. I had to go to two different wars. It sucked. It sucked. It sucked. But when I walked away from it, the hands-on experience that I got from it is something that's still benefiting me and my family. So that's one way you can get in, but getting your foot in the door is hard. That was hard. That was a hard decision. I didn't know what the hell I was doing.

I'm hoping and praying it's easier for you. I think it should be, because nowadays IT's kind of everywhere and they're really looking for people to get in there. Okay, let me see if anybody wants to jump in here. Nope. Okay, that's cool. Let me see what other comments I have here. Live and Learn 4 says cybersecurity needs to get together, collaborate with some of us survivors. Ha ha ha ha.

Now, if you want to do that, Live and Learn 4, if you want to collaborate with other cybersecurity professionals, you can go to the ISSA. They have a local chapter if you're near a city, local towns, things like that. It's a great place to network with other people, like-minded people. ISSA, huge, huge. When I first started, that was one of the places I went a lot when I got out of the military. The DoD doesn't play, though.

Yeah, they're not messing around, man. They're not. You know, they're getting attacked all the time. They really can't. They can't afford to play. Like, one slip and it's lights out. And they've got systems that are literally protecting people's lives. Not just like money, not just the bottom line, like a bank or something like that. It's not just embarrassing, like with HIPAA or something like that with a hospital.

It's like some of the systems that they have, some of the weapon systems, are like people's lives on the line. So if they don't have their shit together, it can go real bad, real fast. It's lives. Yeah, I'm sorry, man. I can't freaking read that. I can't. I'm sorry. I apologize for that. Would you say that mastering the network field is the core technology to learn? It's one of them, Jeff. Sorry, not Jeff. That's Zoo. Okay. Yeah, it's one of them, Zoo.

I would say, what do you guys think? I got a couple of IT people on here, and I want to get you guys' opinion on it. So Zoo asked me on TikTok, he says, or she says, would you say that mastering network, the network field, I'm assuming you mean like network engineering, is the core technology to learn? What do you guys think? I got a few IT professionals. I got Big Gay Al on here. I got Armani on here. I've got Dame on here. I got some other IT professionals. Larry,

what do you guys think? What would you say? Why don't you list for me your top two, top three core things to learn? I'm going to give you mine while you guys think about that. So I would say core things to learn in IT would be, definitely networking is a core thing. There's a couple key things that, once you learn them, it's going to make everything much easier. And networking is one of them. That's for sure.

Another one is how computers actually work, like the components and how they work together. Because some of the vulnerabilities, some exploits, take advantage of the architecture of computers. Like, you might have some malware that specifically attacks

CPU processing. You might have some vulnerabilities that attack storage by filling up the storage or whatever. But if you don't know the difference between the memory, the storage and the CPU, you wouldn't really understand what I just said, and it's a basic thing to understand. When you first look at it, it just seems like a hard egg to crack. But once you get it, it just makes sense and opens up a lot of other things.

It just makes it all fit together much easier. So I would say learning computer architecture, like how does a computer work? Because here's the thing. Once you know that, you realize that this is a computer. A server is a computer. A laptop's a computer. Hell, a lot of things we use are computers, just in different forms. It just opens up a lot of things for you. So how computers work is a big one. Another one will be networking.

When I say networking, learning like what is a public IP versus a private IP, and then how the client-server model works, how clients work with a server over a network.

And then things like the top ports, protocols and services. Those are all basic networking concepts that you have to learn, and you'd have to learn more than that, but those are just a few things. If you know those things, it opens up all these other doors. Stuff starts making sense. These days, probably another one would be cloud computing. And that's kind of hypocritical coming from me, because I'm not a big cloud guy.

But I mean, I know the basics about it. That would be one. I wouldn't say it's in my top three, but that would be in my top five. Top two would be how computers work and then how networking works. Those would be my top two. And so let me see what other IT professionals have come to say. Okay, here's a couple here. My man Dame says A+ and Security+ have been very valuable. Cybertrav says understanding IPv4 addressing has been valuable for me.

Public IP versus private IP, subnetting versus VLANs, and then the purpose and general functions of network appliances: routers, switches, firewalls, et cetera. Yeah, that's huge. Like, once you get into the basics, you start cracking into IPv4 versus IPv6 and all that kind of stuff. And then public IP versus private IP addresses and things like that. Your gateway IP addresses, why that's important on a network, things like that.

And then my man Security Expert says, my three are network concepts, cloud concepts, and how computers work. Yeah, I'd have to agree with that one. That's a really good one. Let me see if anybody else has anything. What's your top? My question was, somebody asked, what are the top things somebody needs to learn in IT?

And I would argue that it's similar for cybersecurity, because if you know those three things, if you know the basics of networking, like Security Expert and Cybertrav just said, the basics of networking, the basics of cloud technology and the basics of how a computer works, it cracks the code on knowing how to protect the confidentiality, the integrity, and the availability of a computer, of an asset on the network.

So if you understand those basic things, it opens up all the security stuff too. So let me see. Oh, Armani says, when the information is requested, where does it go to reply, such as the server, IP addresses, ports? Yeah, he's talking about networking stuff. How does that work? The three-way handshake, TCP/IP, UDP, all that kind of stuff. Once you start, you can go deeper. You don't even have to get super deep into it.

But once you understand how it actually works and you can connect your own network and stuff like that, it just opens up a lot of doors for understanding all of it. Armani says, I don't master it all. I learned a bit in college, such as how computers communicate, packets, the OSI model. You already know more than 99% of the population. The stuff you just said is a foreign language to most people. But that basic stuff, once you know that, it just cracks the code.

It just opens up so many other things, and then you can kind of start leveling up from there. It's exhausting to learn everything backwards since 1985 coding. I would argue, Live and Learn, that you don't have to know everything. You don't really have to know the history. I mean, that's just fun stuff to learn, right? You have to know how it works, just how it works now.

Networking is a good example. If you're not going to be a network engineer, you don't necessarily have to know how old Ethernet worked. You don't necessarily have to know how a ring network used to work, unless you're going to be like a network engineer with a CCNA or something like that. Then you probably have to know all that shit.

But if you're just going to be a help desk person, if you're starting off as a help desk person, you don't have to know that. You only have to know an IP address, a private IP address, a public IP address, subnet masking. You would have to know a bit of that. You would have to know a little bit about some ports, protocols, and services, what they are, maybe a little bit of TCP/IP stuff. You wouldn't have to know topologies necessarily.

If you're trying to get in, that's the beauty of IT. You have to know the basics at first. And it is a lot. It's a lot. Even if you don't know the history since 1985, like you said, coding on a Macintosh, even if you don't know everything, you have to start with those basic concepts, and that is already too much to get into.

And once you know that and you want to go into specific areas, that's when you start to get deep. Networking is a good example. It would help you to know the history behind it, because then you would know what the issues are with collision detection. If you had a, forgive me, I'm ignorant on networking.

I haven't done it in a long time, but there was an issue where if you had too many nodes on a network, you'd have something where it would slow the network down. And if you knew the history of it, then you would understand why that network might have congestion. And that would make sense. You'd have to go deep. See, I don't even know. Don't listen to me. I'm talking. I don't even know how to speak on networking

stuff anymore. I'm just not smart on it anymore. I used to be, but I've lost it. I have to pick my lane and then stick with it and go super deep into that. My stuff is frameworks. I could talk to you all day about that. So you have to know the basics. There is a lot. You don't have to know the history of everything. Once you start deep diving into certain aspects, then you have to know super deep into cloud computing, super deep into frameworks and standards,

super deep into networking stuff. You don't have to know everything. So just my two cents. Yeah, we have to move pretty fast. It depends on what field you're in. I mean, one of the great things about GRC stuff is that I don't have to get super deep on networking. If there's a vulnerability on a switch, on a Cisco switch or Juniper switch or something, I just go to Google like, okay, what's going on? Oh, okay. Since I have a basic

understanding of networking, then I'm like, okay, got it. I see what's going on here. And then when I get on the call with my subject matter expert, then we figure out how to fix it together. That's what I do, because I can't know everything. I can't know everything. The biggest issue, trying to know it all. Know enough to where you can communicate with the team. That's exactly right. My man Armani knows exactly what he's talking about. That's it.

But I have to be able to articulate what's going on to managers and sometimes the C-level execs. And that's tricky. That's not an easy thing to do, because a lot of times I'm talking to my subject matter expert on Palo Alto firewalls and they're telling me why this rule is already done, and we don't need to worry about the any-any that's at the end of this firewall rule set or whatever. Right. I'm not a firewall guy.

I need to talk to my firewall guy to explain it, and then understand it enough to articulate it to my managers and to get everybody on the same team so we can march forward. I'm a subject matter expert in my own area. And then he or she is an expert in their own area. So that's kind of how this works. It gets overwhelming when you're on the outside looking in and you're wondering how you're going to learn all this stuff. You don't have to learn it all.

The common body of knowledge for basic IT, if you're coming in, is a lot. There's a lot to consume there. So that first start, like Larry was saying, when you first try to get your foot in the door, it is difficult, because you don't know anything. You're coming in and it's all happening at once. All right, let me see. I got some other folks talking to me here.

Security Expert says, as you move on to more intermediate, senior roles, definitely non-technical knowledge like project management, architecture skills are necessary. Yeah, it really depends on what you're doing, if you're going into management or architecture. I noticed some of my architects, some engineers, they do know quite a bit. Right. But even them, they'll be really, really good at like network engineering.

But they won't be super deep on, I don't know, software engineering or something, right? There'll be some aspect of IT they don't know. Even the most brilliant people that I've met in this field, who are very, very talented or have a photographic, eidetic memory, even they don't know everything, because like Live and Learn 4 said, it's all moving so fast.

There's new stuff all the time. You got AI, you got quantum computing. And if you're thinking, well, this isn't going to affect us in a couple years, man, quantum computing is already affecting us. We're already getting prepared, and we're already making sure that some cryptographic modules are not able to be cracked by quantum computers, because it's coming. It's just around the corner.

So we have to get off of certain crypto. Certain crypto has to go, because you'll be able to crack it with a certain kind of computer called a quantum computer. So that's one thing. AI. AI is another one. Like, AI, you might be thinking, oh, AI is not going to affect us. It's going to affect us. It's creeping into every aspect of computers. Like, Microsoft is already putting it on Windows.

I'm sure it's going to find its way onto Red Hat. I'm sure it's going to be on Mac and iPhones. Is it going to replace every human being on Earth? I don't personally think

so, but it is going to be something we're going to have to learn. So, let me see. I remember seeing a vulnerability in our code and I was lost, but the developers explained it. Now I know exactly. Like, let me think of one that got me recently. There's so many to choose from. So many to choose from, man. One that got me: the Cisco IOS ones get me. Cisco has its own operating system, and

every now and then we'll have a vulnerability where we have to update that particular operating system. I'm not super deep on that stuff anymore, so I have to go and research what that is, and then I'll get with a subject matter network engineer and be like, okay, here's my understanding of it. Here's what Cisco says we have to do to remediate or fix this vulnerability.

And then they'll say, well, yes, however, and then they'll put their two cents on it. Or sometimes it's like, yep, we're already working on it. We already have the patch for it. It's going to go out on X, Y, and Z day. That's just one of many different examples. Another one is databases. Right. That's a very specialized field, updating particular parts of the database.

So you can't know everything. Right. And one of the mistakes that I made early on was that I thought you did. And I would study everything. You don't have to know everything. You do need to know the basics, and be able to articulate it. Let me see. What can I actually speak on? Larry says, don't sleep on PM roles. If you have a tech background, people are needed to bridge the gaps between the hands-on technical folks and executives.

Absolutely. And a lot of times, lately, most of my job is doing that, because in larger environments, nobody can know everything, and you have subject matter experts in different fields. The place I'm working at now, we have people who work on the servers who are the subject matter experts on that. And it's not about just what you know, right? Like, it's not just, oh, I know Windows 2019 or whatever. It's people who know that environment, who've been in that, who know everything,

the ins and outs of that particular configuration of that environment. Because you might know Windows 2019 or whatever operating system you're on, but you might not know the configuration, the baseline configuration of that organization, and everyone's different. So the subject matter expert for the servers, they know not only whatever servers we're using, but the configuration, how it works. Some of them are in the cloud. Some of them are on-premises.

Some of them, you know, they are touching the boxes all the time. They know that, hey, before we put out a patch, we've got to move it to this testing environment. The testing environment is on this range of IP addresses. And then I have another team that we work with, which is the help desk guys. And those guys, they're specifically at those sites. They have to be hands-on and touch the laptops in that area.

So it's really, no one person can do all this stuff, especially in larger and medium-sized environments. You're not counting on one person. You've got one team doing servers, one team that's on site doing hands-on, because some laptop is not working properly and they got to figure out why. You've got people like myself, the GRC, Information Systems Security Officer people, people who are saying, okay, what do we need to do?

What are the vulnerabilities out there? Working with the vulnerability management team, working with the scanning team, bringing everything together. So you have different people doing different roles with different skill sets. All right. Let me see. Susie says, do you find that job responsibilities are different depending on the organization? When you say ISO, I'm assuming you mean information systems security officer or information security officer.

And if that's your question, yes. So let me just break down the question here. What they're saying is, everywhere you go as a cybersecurity professional in GRC, right, and in my case we call it information systems security officer, and I work for a federal organization. The last place I worked for that was a federal organization, I worked at NASA. And that ISO position was very, very different than where I work at now. Very, very different. How is it different?

So for one thing, the place I'm working at now is way more in the weeds on the vulnerability management piece. I'm way involved with that part. When I was working at NASA as an ISO, we had a whole other team that did vulnerability management. A whole other team that did it. And I thought that was a way smarter way to do it. There's so many vulnerabilities coming out that that whole team, that's all they did, was patching.

They worked out which ones we were going to hit first. They prioritized them. All that kind of stuff, right? And they worked directly with the system admins to send out those patches. Those guys were part of the vulnerability management group that we had. And that's how we did it. So on this job, I'm doing a lot of that stuff, which means I've got like three hats on. I'm doing meetings to figure out what documentation to do for this system security plan.

But then I'm also doing vulnerability management stuff. And then I'm also helping with the security implementation impact assessment or something. So I'm doing multiple things. Every position I've done is different. When I was doing DoD, it was different. It was also different.

So yes, they're all different. And if you want to figure out what you're going to be doing in a position, you've got to read the job description, because every organization has different needs and different requirements for that particular mission. So, there was one while I was working with the Department of Defense, and I was hands-on. I was literally working directly with the system administrator, and we had a

security technical implementation guide. And we're just going one by one, all the controls on the workstation. We're just going one by one, one by one. And we are installing it. And then we test it. I was part of the guys implementing it. And at this place, I don't do any of the implementation work. So it depends. It depends on what the organization's mission needs and what the job description is for you. So to answer your question, it's different. It depends on the job. Let me see.

Let me see. Got some more stuff over here. Live and Learn 4 says being compromised a few times is the best lesson learned, unfortunately, from experience. Yeah, I have to agree with that. When you get hacked a couple of times or scammed or fraud or some shit like that, then you realize how important IT is. I mean, security in particular. Then you're like, oh, damn. And you start to see the big picture. I've been in organizations that had compromises.

I've personally had some stuff happen. You know, when it happens, you get paranoid. I'm paranoid. I'm personally paranoid. I'm so paranoid, I don't even use my real information on the Internet. And there's a reason why. There is a reason why I don't. And that's from exactly what you just said, Live and Learn 4. Exactly what you just said is why, on social media, I would just give you a cautionary tale.

Like, as much as possible, don't use your real information on the Internet. I had to learn that the hard way. And I'll just give you a little piece of it. I had a local business. I'll tell you guys, I was personally hacked. It's not what you think. I was using my real name and had a local business, and it was going pretty good. It was so good, people recognized me. The business was going so well, people recognized me locally.

And it was me and a partner, and we did it for like, I don't know, three years or something like that. It was doing all right financially. It was doing okay. The reason why I still don't have it is some business issues with my partner. Anyway, I used my real name at that time, my real name, all that.

And one of the employees that we had there looked up my real name on the Internet, and at the time I was on a dating site, and so they were able to pull that up and just publicly put that shit everywhere for all eyes to see. Because the thing is, if you... For example, take your real name. Do this on your own personal time, do it on something that's not public, do it in the privacy of your own home.

Take your real name, put it into Google, and then put the state or city after your name. The city will be better. And then see what you find. And for me, when I do that, I find all kinds of stuff. Like, I'm like, damn, I had no idea. It'll have your phone number. It'll have your previous phone numbers. It'll have everybody you've been associated with, spouses, ex-spouses, anybody you lived with, kids, your parents. It'll have where you lived.

It will have everything. Listen, just be careful what you put on any website at all. There's ways to remove your stuff from the Internet, but just be careful, because that's a great way for people to hack you. It's so easy. People are soft targets. If you have their first name, last name and the city that they live in, you can find out a lot about them publicly. You don't have to pay an investigator. You know, it's on Google right now. So just be

careful All right, let me see. I got some stuff here. My man, Dame, says, what does assessing controls involved? OK, it's a great question. What does assessing controls involved involve? So. It depends on the framework you're using and the organization, but typically. A security control assessment is going to require. It's going to require you to first have what's called a security assessment plan.

The security assessment plan is going to consist of the who, what, when, where, and why of the assessment. Who's going to conduct the assessment? Is it a third-party assessor who has an objective perspective, an independent assessor coming in from another place? Or is it a self-assessment? What are we going to assess? What's the boundary? Very, very important. Specifically, what systems on that boundary are we going to assess?

And where? What area are we going to assess? Who, what, when, where, and why. That's what's going to be in our system security plan. And typically you have a document that breaks all that down: the who, why we're doing it, like the purpose of why we're going to do it, and then what we're going to hit. Like, it might be that on this particular assessment we're not going to do a physical part of the assessment, meaning we're not going to walk around the campus.

We're just going to scan and then figure out what the vulnerabilities are. Right. Or it could be a full-blown assessment where we're looking at the hardware, where it's located, the physical. We're going to walk through the area, look at the damn fire extinguishers, make sure you have the guards out, and look at your documentation.

We're going to look at your system security plan documents and your policy, make sure that's up to date and signed by the appropriate people. So that's a full-blown one that we're going to do. We're going to do a pen test, everything, right? So the first step of a security control assessment is going to be a security assessment plan.

Who, what, when, where, and why, right? Once we have the plan, everybody needs to agree on it. The person doing the assessment has to agree on it, and the organization who's going to be assessed, very, very important, is going to agree on when it's going to be done, who's going to do it, and what they're going to hit. Once everybody's signed off on it, the next step is to conduct the actual assessment. And that depends on what you put in the security assessment plan.

So, let's say for the sake of this example that all you are going to do is a network scan of 15 different systems on a small network. Let's say it's one server and the other 14 systems are workstations. We're going to scan those, and our team is going to come in at six o'clock in the morning on Thursday, whatever. And we need to have our point of contact there. Our ISO is going to be there. And then maybe the system administrator is going to be there to watch and witness us scanning it. We do the scan.

We get all the results from the systems. And in advance, when we were collecting all the information for the SAP, the security assessment plan, we already have all the usernames, all the admin passwords, everything we need to conduct the scan. Because if you have a credentialed scan, it's going to be very thorough. It's going to log into the system, it's going to gather all the information, and it's going to give you a very in-depth idea of what's going on with that system, because it's going to be able to look all the way down to the damn HKEY local keys. It's going to scan everything and then it's going to give you this report. Right. So the last part of an assessment is the report. Well, actually, you could say there's a report and there's a post-assessment. So let's start with the report. This report is a security assessment report.

And that's going to be a breakdown of everything that they found when they did the scan. So that is going to include things like critical, medium, and low impact vulnerabilities. Criticals, highs, and mediums is what they normally look at. Critical, high, and medium. It depends on how they rate the vulnerabilities, how they measure the vulnerabilities. So it could be critical, medium, and low. It could be critical, high, and medium, or whatever.

It just depends on how they do it. But usually, from the assessments that I've been a part of, they look at the critical, high, and medium vulnerabilities. And the scanner that we use is going to have its own way to measure this, and how we interpret the information is sometimes different from what the actual scanner says. I'll give you an example. If the scanner finds out that the browsers are on an old version of Internet Explorer, that's problematic, right? And that's a critical finding, because this is a vulnerability that could allow an adversary to get right into the computer, right? But if the computer is not on the internet, then how vulnerable is it, right? So there is some room for context and interpretation on how we measure those things. So anyway, you have a security assessment report, and that report is delivered to the organization.

And then the last part of your assessment is usually a post-assessment, where the assessment team sits there in front of the information security officers, cybersecurity professionals, the whole team, and says, listen, here's what we found. And sometimes they'll give you time to dispute some of the findings. Like I said, if you have an Internet Explorer issue but there's no Internet connection, how vulnerable is it if there's no Internet connection? So they might dispute that and say, listen, you're saying this is a critical, but we think it's a moderate, a medium vulnerability at best. So then they'll say, okay, we'll mark that one down. Yeah. So that's an assessment in a nutshell. I've been a part of the actual assessment team, and I've been the person who's actually receiving the assessment.

And I can tell you this. If you're going to be the person receiving the assessment, one of the best things you can do is a self-assessment. A self-assessment is where you figure out what they're going to assess, and then you do the assessment yourself first. If you can do a scan, do that. If they're going to look at your documentation, look at all your documentation.

Whatever they're going to do, you do it first so you can be familiar with all the vulnerabilities that they're going to find. Another thing is POA&Ms. Before an assessment, POA&Ms are a friend of yours. POA&Ms suck. POA&Ms are like herpes: you can't get rid of them. They suck, I hate them, they don't go away. There's no cure for POA&Ms. Some of them just stay around.

But during an assessment, they're your best friend, because if you can't fix something, you can just POA&M it and say, listen, we know that this exists, right? But we've documented it. We know that it's here and we're going to fix it in this timeframe, and blah, blah, blah. So that's an assessment in a nutshell. Man, that was really long-winded. I apologize for that. Larry, thank you, man. Thanks for that 20 bucks. I appreciate that.

He says, appreciate the content and the conversation. Have you ever thought of a how-to series for people who are looking into IT? Zero to a little experience, a resume, certs, jobs. So I did do something like this, but I don't think I wrote something like this, Larry, to answer your question. Thank you so much for your 20 bucks. This is courtesy of Larry. Larry just purchased this for me. Larry is a patron. He's been supporting my Liquid Death habit.

But to answer your question, I did write a little something about this. I did a series, actually, of books. And I don't know what I'm doing wrong with it, but I can't sell those books.

And it looks a little something like... do I have it here? Yeah, okay, here it is right here. It looks like this. You can get this on Amazon if you're interested. It's cybersecurity jobs, it's resume marketing. Maybe what I can do is focus on somebody with little or no experience. I was going to write one for somebody with little or no experience, but I don't know if anybody would be interested in that. After I wrote three books like this, people weren't really interested or buying them or something. And I don't know why, but my fourth book in the series was going to be exactly what you just said. And I just couldn't get enough people to even get interested in this one. So I'm like, why am I going to write it? But yeah, Larry, to answer your question, I've been thinking about doing one that breaks down somebody with little to no experience getting into IT or cyber.

Because I know exactly what you need to put on your resume, how you could kind of position yourself to do it, some little tricks you can use, some things I would do, some people I know who've done it, who got in this field. I could put that into a book, but I just don't know how many people will be interested in that. So I spend my time writing stuff that I know people are asking me for on a regular basis, and those books sell.

So that's what I've been doing. Maybe if I get more interest. I mean, I do have a series for entry-level people. I have the first book, and it's just starting to sell, so maybe I can do that. But you asking about it is telling me that maybe there is some interest in it. Nessus. Yeah, Nessus is really good to know. Put that on your resume for sure. Let me see if there are any other questions out here. Thank you guys so much.

I appreciate everybody who's joining me on TikTok, people joining me on YouTube week after week. Cheers. Let me see here. Here, eMASS. I get a lot of people, Dan, asking me about eMASS. And the thing is, I would love to teach eMASS, but I don't have access to it. So if I did teach it, what I would do is walk people through how to use it for the risk management framework. And unfortunately, only the Department of Defense has access to it.

And I think there's actually a site that allows you, if you have access to a DoD system, to learn eMASS for free. Let me see, eMASS training. I get this question at least once a month. I'm looking for the DISA version of eMASS training. Let me see if I can find it. And I think if you have a CAC card, if you have access to the .mil sites, you might be able to get access to this thing.

Just bear with me real quick. I think there's training. I found it before. There's some kind of training on the .mil sites. Let me see if I can find it.

I should just make a link to this thing so I don't have to look for it like this. Yeah, if you have access to their portal. If you guys didn't know, DISA has a portal you can get to, and they have a lot of really great training that's only for people who have access to their portal. Like if you're in the Army, if you're in the Air Force, and actually, if you have any kind of federal access with a CAC card, any kind of PIV card, you might be able to get to it. Let me see if I can... here's one of the links. Try that one. This is a PDF. I don't know if this is still valid; this is from 2019, man, but try that. They used to have some kind of training for it. To answer your question, I just don't know where it is. I don't have access. I would like to train on it. I get that question a lot. I've even reached out to people and said, look, if you guys know eMASS training, join me, I want to make some. And people have reached out to me, but they don't have access to eMASS either. So it's like only the government can teach it. So that sucks.

Says: is there a solid, complete course or study guide for CGRC? I feel like it's in bits and pieces to read in the NIST, but the study pointers I've researched aren't as direct as I'd like. Yes, there is. Ryan, the guy who was on... I don't know if you watch me week after week, but I had another cybersecurity professional named Ryan who co-wrote a book about CGRC, and he put it out for free. Let me see if I can find it. It's on my previous live, and I put it in my links. I put the link in the description. Let me see if I can find that real quick. It was about two podcasts ago. So if I can find it, I will give you that. Let me look at my lives here. Give me a second. There's the one with my man. Here it is. And let me see if I can give you the resource. Here it is right here. Free ebook. If it was me, I would have charged you for it. I'm still thinking about making one, because I get this question from time to time. Why not? But my man is giving it away for free. And this is from Ryan. Here it is right here.

So if you're just now joining me, if you happen to be looking for a way to get into CGRC: CGRC is Certified in Governance, Risk, and Compliance. I have this certification. I got it back when it was called CAP, Certified Authorization Professional, is what they called it. And what it does is it breaks down everything you need to know about being a... for the federal government. And its focus is entirely on the NIST 837 risk management framework. And for the federal government, DoD has their own flavor. DoD took the risk management framework and they have the DoD IT risk management framework, which is basically just a ripoff of the NIST 800, to be honest with you. It's just the NIST 800. That's what it is. So the CGRC is highly regarded in the federal government.

So let me see. Somebody said, wow, thanks for skipping my question. Thanks for nothing. I don't know what your question is, man. Let me see. Question: what can I do? 2018, got my master's in cyber, no job, can't get my foot in the door. Well, with that attitude, Ja, it's going to be really hard to get your foot in the door. You can't quit, man. You can't quit. You only fail if you quit. So, the thing is, if you have a master's degree, you should be able to get an apprenticeship or something.

Now, I don't know if you're still in school, but one of the things I encourage a lot of students to do is to get into an internship or an apprenticeship to get an IT or cybersecurity job to start. Now, if that's not you, if you can't do that (that would be your best bet, to be honest with you), you need to tighten up your resume. You got to tighten up your resume. If you want an example of how to do a resume, you could download my resume for free. Just go to convocourses.net.

Convocourses.net. I got a ton of free stuff there. Look for my free resume. Download it. Check it out. See how I wrote my stuff to get an idea of what format you should use. ATS-style resume. If you don't want to use mine, that's fine. Go to Google. Type in ATS style resume. You can find some there. Another thing you can do is go to LinkedIn and look at how other people word stuff for their profile.

You've got to be very persistent, and you can't just give up. Like you said here, you said, oh wow, you skipped my question, thanks for nothing. Like, listen, that's the wrong attitude, my man. I have a lot of stuff going on here. I've got questions here, I got questions here. So what you got to do is attack the job market. That's what I've done. That's all I do, too. This book right here is about how I did it.

You don't have to buy this book. I'll tell you how to do it right now. I'll tell you how to do everything in this book right now in a couple minutes. If this is you... this is the last thing I'll talk about. I get a lot of people contacting me saying, I can't find a job, and I, you know, have a degree, I have a Security+. Number one, listen, here's how the job market works in IT. They want people with experience.

Experience is the most valuable thing that you can have. I'm not saying your degree is not worth it. A degree is great, man, especially if you're playing the long game here. A degree is great because it's going to make you more competitive. So get a degree; it's still worth something in IT. Can you get a job without a degree? Yes, you can. What do you have to do? You got to tighten up your resume.

The first step is to tighten up your resume. And the more experience you have on that resume, the better. What do I mean by experience? IT experience, hands-on IT experience. And you might be thinking, well, how do I get experience? There's many different ways to do that. If you went through college, some of your projects can be part of your experience.

If you had hands-on projects where you were doing cryptographic modules, if you were in a project where you're setting up firewalls, setting up networks, whatever hands-on stuff, those projects can go on your experience. Another thing is if you're on campus helping out the campus. That's another thing you can do. If you did an internship, you definitely want to put that stuff on there.

Any kind of... if you're a freelancer, if you had a business, anything. You've got to get that hands-on. You got to let the employer know: I know what I'm doing, I've done this before. Right now, if that's not you, if you don't have a lot of experience, get the experience, as much as you can, as soon as you can. Even before you get the experience, you got to have the knowledge base to do the work. All right, now I'm speaking to everybody. I don't even know if MJ is still on, because my man's attitude is... this is not how you get a job. Just so you guys know, this right here, this comment, see this right here? Wow, you just skipped me. Thanks for nothing. That's the wrong attitude, because this right here is going to take some time and some effort for you to do. You got to be strategic and be aggressive with it. Once you tighten up your resume... you can download my resume to get an example of how to word it.

You can go to LinkedIn to get an idea of what kind of keywords to use for whatever job you're trying to get, where there are cybersecurity professionals. If you have a Security+, whatever, put that in there. Figure out how they're wording these things and get those keywords on your resume, ATS-style resume. The next thing you want to do is advertise the ever-living shit out of yourself. Market yourself. You're going to market your resume as much as possible.

Resume marketing. That's what you're going to do. You're going to take your resume, that dope-ass resume, ATS-style resume that you've got, and you're going to put it on every single job aggregator that you can. And if you're just going to give up about it, then you might as well just quit now. Don't waste your time. Do something else.

Don't waste your time if you're just going to give up. But if you really want this job, if you're not going to take no for an answer, then put your resume every fucking where. Monster.com is one of the best places you could put it. Dice.com is awesome. LinkedIn, of course. You're going to upload your resume on all these places. You're going to fill out 100 percent of the profile on those three job aggregators, and you're not going to stop there.

You're going to put it in as many places as possible. Now, I warn you, this does work. I'm telling you, every day, I'm not exaggerating, I get job opportunities. They're not all job offers; I got to go through the whole process to get a job offer. But opportunities: people are emailing me every day with local jobs, remote jobs, jobs overseas. Sometimes they're not even jobs. Sometimes it's like they want me to do contractor work.

I could literally have two different jobs at once, two different 100K jobs at once, if I wanted to. And it's because I marketed myself. I got a dope-ass resume, and I posted my resume everywhere, and I'm getting contacts constantly. I have to put it on a separate phone. I put a different phone number on the sites because I get too many calls throughout the day.

I got a life to live. I can't just answer the phone all day. You know what I mean? So I'm getting people emailing me. I'm getting people messaging me on LinkedIn. I'm getting people calling my phone directly. And somehow some even get my actual phone number. They call me in the middle of the day or when I'm working my actual job. If you do what I'm telling you to do, it works, and you will have opportunities. The main thing is figuring out what keywords to use, what job you want to do.

It's going to be successful based on how well you present your resume in the very beginning. It really depends on how you put your resume together, how you put those words together. On top of actually putting it on all these job aggregators, what you want to do is aggressively and strategically start applying for as many jobs as possible. If you don't have a job, then your job should be to apply for as many jobs as possible.

I'm simply telling you what I did, and it's worked. And I don't know why people don't listen to me. I have no clue. I don't know why. They ask me the question.

I tell them how to do it, and then they don't do it. I got a couple of people who did it, you know, and what they all say is like, man, you're right, I'm getting so many calls. It's like, yeah, it works, man. But you can't quit. You gotta keep going. Even if you do everything I tell you and you're getting all these interviews and stuff, you gotta keep going. Even me, with over 20 years of experience, for the kind of job I want with the kind of money I want, I'm not going to take the first job. The first job that I interview for is not going to be the one I'm going to take. I usually have to interview like three times with three different companies to finally find the one that fits my current life situation. Because I'm interviewing them as much as they're interviewing me.

That's the concept that I've taken with it, and it's been working for me. I don't know how long it's gonna work, I don't know, but right now it works. Everything I just told you works. You can't quit. You only fail if you quit. You just got to keep going. The great thing about this method is that anytime I want, I could just be like, okay, I don't like my current job, I'm gonna go work over here for these other people, you know. So that's how I've been able to do it.

If it worked for me, it could work for you too, but you can't quit. And it's not an overnight thing. You're not going to immediately make a hundred thousand dollars. And sometimes you got to take... I've had to take some losses. One time I moved to another country. Was that easy? That shit wasn't easy. I had to move to another country to make six figures. You know what I mean? I had to do what I had to do. It wasn't easy. And I'm still paying for that shit.

I had to make sacrifices. I had to move to other states to get the kind of money I wanted, to get my family to live how I wanted us to live. It's not always... there's some give and take. There were a couple of organizations I worked for where I was traveling 70%. You know how hard that is? 70% might as well be 100%, because you're never home. So I've had to suffer to get where I'm at.

So I'm not saying it's easy, but everything I'm doing, I guess, if it worked for me, I'm sure it'll work for you.

Susie says, should the risk assessment results be put in risk management? It depends on the organization, how they do it. Every organization, Susie, I'll say this, every organization does it a little bit different. Should the risk assessment be put in the risk management document to align with the controls? I'm currently considering doing an ISO job. Every organization does it a bit differently. They do their system security plan a little bit different.

They do their risk response documentation differently. As an ISO, as an information system security officer, I'm assuming that's what you mean. At three different organizations I've worked at, they've done it three different ways. So one organization I worked at, another federal organization, they used something called Archer GRC. And that's how we managed all of our documentation. And so it was kind of like eMASS or Xacta or something like that.

It's like a content management database system, and you upload all your documents in there. And the thing that was really cool about it is it could generate documents that we wanted. If we want a security assessment plan, it could generate it. If we want a system security plan, it can generate it. Whatever kind of document we want. But sometimes we had to generate our own.

Like if it was certain risk documents, we had to make them on our own.

Like we had risk response documents, we had a risk acceptance document, and we generated that one ourselves in a Word document. It had the letterhead of the organization and all that kind of stuff. How they did it really depended on that organization. And usually you had to put the control that was affected in the document, pretty consistently. If you were doing an exception, a risk acceptance, you name it, it had to address whatever the risk was. You had to address the actual individual controls that were impacted by whatever was going on. So I would say yes, usually, but it depends on the organization, how they do it. And that's it, guys. I've been talking for about two hours, and I appreciate everybody. If I skipped your question, I apologize.

I have so many questions going on here, and I would like to do this regularly, so I can't burn myself out by answering every single question. I'd be on here for like four hours. I got a full-time job, and I got a family. I wish I didn't have a full-time job. Then I could answer these. I could do like four-hour sessions or something. I could do mentorships and all kinds of stuff, but I don't have time for that.

Let me see if I can answer a couple of speed rounds. How would you attack the jobs on USA Jobs? Would you set that up as well? Yeah, I would, if you were interested in doing U.S. government jobs. USA Jobs, if I'm not mistaken, is all government GS-type positions, right? If you were interested in doing government jobs, I would definitely set it up. I would definitely go out of my way to do exactly what USA Jobs is asking me to do.

I think they have like a KSA section on there. I would set all that shit up. I would set aside some time of the day to just do nothing but USA Jobs if I wanted those kinds of jobs. Now, obviously, if you didn't want to do USA Jobs, if you didn't want, you know, GS positions or whatever, then no, I would not do it. But there are so many other opportunities. Don't limit yourself. CareerBuilder is a good site. Dice.com is a great site.

CareerJet, Indeed.com. There are so many. Depending on the country, they might have a whole other set of top 100 job aggregator sites that you want to do. If you're in India, they might not even use Indeed.com like we use it here in the US. So you want to go to that country's sites. If you're in the UK, go to Bing in the UK and type in top UK job sites, job aggregators.

You'll find them. They'll have their own set of job aggregators that you need to put your profile on if you're trying to look for a UK job. Spain, Nigeria, wherever you happen to be, they all have their own top job aggregators that all the employers in that local area are looking at. And sometimes USA Jobs has jobs in Kenya, has jobs in Spain, has jobs all over the world. So you could actually get jobs in any part of the world.

Now, they're not going to be easy to get. I was trying to get a job in the Philippines once, and everybody had those jobs. I was trying to get one in Thailand at one time. Couldn't get one. It was really, really competitive. But can you get it? Yeah, you can get it. It's going to take you some time, because I know people who work those jobs. Clinton, thank you, man. Thanks for that twenty bucks. I appreciate you.

Says, just thanking you for the knowledge that you always drop. It's great assistance for me, filling in the gaps with my experience. And I have a feeling more firm scale. Yeah. Thank you, man. I appreciate you. The reason I did that is because I remember when I first started this. I was an IT guy, and they kind of just threw me in a GRC position, and I didn't have a clue what to do. And the people around me who put me there did not know what to do.

And so I asked them questions, and nothing. So I had to learn on my own. I was reading FISMA. I was reading federal documents and stuff. And I just don't... it's just not necessary. Right. All the information is there. And all I'm doing is gathering everything I know and saying, listen, here it is right here. Here is the knowledge. Here it is. And so that's why I do it, so that people aren't in my... you don't have to be in that position. It's just a hard position to be in. It's just not necessary. And it's because we don't have enough people doing this work. We don't have enough people doing GRC, we don't have enough people doing ISO 27001, we don't have enough people doing NIST 800. We don't have enough people doing this work, and so I find myself in a position where, job after job after job, I'm doing way too much work. More people need to come into this career field.

And that's it, guys. Thank you so much for watching. I will do this next week. Appreciate everybody who's watching. Talk to you guys real soon.

Transcript source: Provided by creator in RSS feed.