All The GRC Analyst Job Answers YOU Want

Captions
all right what's up everybody welcome to simply cyber live the youtube channel designed to help you make and take a cyber security career further faster we got a renegade broadcast this morning thank you for being with us we're talking grc everything that you want to know grc we're going to try to answer in the next hour or so now i do want to preface this by saying it's a renegade broadcast because i'm using a new platform usually we use stream yard today we're using restream i'm also going to be mixing it up and getting crazy with multiple camera angles uh i know it's not it's a little pixelated we'll get that sorted out but uh i'm just trying to play around a little bit and whoops no that's not what i wanna try to play around a little bit and um you know just have some fun this morning we got the music uh like i said in the chat my plan is to briefly go over what grc is for those people who aren't familiar with it and then really i want to q a uh the heck out of this thing so just so you guys know uh in special thanks to base in uh chat and on discord with me being my mod this morning so okay so who am i guys my name is gerald ozier and i have been in the cyber security game for probably 17 years roughly i came up computer science i was a software engineer i found my passion for cyber security and the rest is history i came up in grc all right so you know there's really grc there's blue there's red i came up in grc i came up in audit and then i got into risk and compliance and then uh because of my computer science background i was able to pivot pretty well into uh architecture and now i run my own information security program which by the way um if you ever want to be a ciso you can come from blue or red or whatever but grc really gives you that ability to engage with the business side of the house which is very very important and it just naturally aligns to that kind of growth path if that's what you're interested in so start dropping your questions in chat 
with a queue if you can please um again it's a new platform so i'm still trying to figure out all the you know benefits of how this one works but let's let's get into it so what is grc and why would you even want to work in the grc space okay so i'm sure all of you are very very familiar with what um you know when you think information security you might think of pen testing mr robot maybe like the blue side i feel like is getting a lot of love lately um you know sock analyst is kind of a hot job i noticed like with simply cyber a lot of my sock analyst videos get a lot of views and attention so you know it's the secrets out on that but what what is actually grc so grc kind of it stands for governance risk and compliance and the reason that it's like less talked about and less it gets less love in the community essentially is because it it's it's less technical right it doesn't have cool tools it doesn't have a github dev community like it's just a little bit less exciting right that doesn't mean it's it's not important and that doesn't mean it can't be fun right like i actually enjoy it but i'm i'm kind of a psycho when it comes to cyber security in general so typically what you'll see for entry level positions is people will come in and they'll be like an auditor or there'll be some compliance kind of um standard person right so you're going through the different um standards that your organization might be uh held accountable to or you know like so for example healthcare there's hipaa federal i.t you've got fisma if you're contracting with the federal government dod you may start to see cmmc uh compliance standards and there's a ton of work in that space right once you've worked in um you know the compliance area for a little bit you start to see kind of what that space looks like you'll start moving into or you can move into what is called risk and risk really is about looking at what the what is the the vulnerabilities of an organization right so like when we 
think of a vulnerability you might think like oh this server isn't patched or it's running telnet on the internet or something like that right like you can attack it but if you think of the organization at a bigger scale like macro level there's vulnerabilities in the organization that could lead to issues like let's just say with poor governance let's say that anybody can um establish a remote access connection for vendors right so like i work in you know whatever let's pick a department guys like i work in the marketing department right and i'm gonna start using uh salesforce uh to help with marketing purposes and i've got some fat client on my machine that or some database in my machine that i'm using to help right now i know salesforce is a sas product so maybe it's not a perfect example but my point is salesforce is like oh hey like we've got engineers that will help onboard you they'll just remote into your machine and you know help you stand it up or you know do training or whatever so the marketing department's like sure no problem like just install this agent now i've got team viewer oh now i'm remoted in right so like you're having people remote into your organization that are on your internal network now that you have no idea you have no no governance around that and that can get really bad really quickly especially if it's socially acceptable at the organization right so so that's a that's a risk but it's more about the culture and and the govern the lack of governance of that organization that it is about a a pinpoint element of this vendors remotely accessing your network it's more like any vendor can remotely access without um awareness of people at the organization knowing that they're remoting in okay so now that i've defined like what a risk is with a risk analyst you can go through and typically you'll do like a risk assessment or an enterprise risk assessment it depends what you're trying to like analyze from a risk perspective and you'll go 
through and you'll say okay listen um sorry i'm getting facetimed over here you'll go through and you'll say like here's all of our uh controls right and or here's all of our potential issues risks and what is the likelihood of that risk being exploited and if it is exploited what is the potential impact to the organization right so you might think um i don't know like to use that remote access example again right if you have like if if you have a flat network which is pretty common meaning that like there's no network segmentation and like if you get on one box in the network you're just one hop away from the data center or you're one hop away from the crown jewels whatever that is right one hop away to the ad one hop away to intellectual property so if you have a flat network you might say okay like the risk is if someone gets on there looks like i lost my second camera angle the risk is if someone gets on there they're going to be able to to pivot around your organization and you're basically screwed so um that's that's a that's a high impact that's a high risk and on top of that it's a high um it's a high likelihood because there's dem there's there is demonstrated um incidents in the past like namely the target breach where that actually happened right so give me one second guys i'm trying to get this camera hooked up so apparently if someone facetimes you while you're on this thing it will shut your phone off okay so let's do that okay so so anyways these these are this is the idea of risk and the import the importance of governance right like you need to be able to to say like listen um remotely accessing without like using an enterprise tool or just you know whoever wants to do it can do it without running it through it um it's no longer acceptable and this is why it's so important for the grc side to be connected with the business side because you're telling business operations cans and cannots right and you need buy-in from the business or they're going 
to tell you to go uh take a hike and they're just going to do it anyways right so you need you need to establish that relationship with the business side of the house okay so this is kind of what grc is in general now where does grc fit in an organization okay like again i'm going to answer all your questions guys but the whole point of what i'm trying to do is is try to frame what grc is so when we're talking about the jobs you understand where it plugs into the organization okay so now you understand like what the function is right so how does it plug into the organization typically what we see is we see um the ciso at the top or whoever's in charge of information security then beneath it is typically uh grc which is handling like um governance and like policy uh procedures audit like internal audit if you're prepping for an internal uh for an upcoming external audit that's what these people do they help develop standards they help um you know promote that uh you know information security awareness training they're responsible for all that and then there's typically some type of secops capability or blue team functionality that they're looking at the wire they're responding to phishing emails they're investigating potential incidents and stuff like that and that is kind of like your basic basic information security program and then once you start like leveling up you might have staff that are doing kind of security engineering like working the mdm or the firewalls and stuff like that typically that's handled by it until you get a little bit bigger and you can start having dedicated staff with that the grc people um will interact in some elements with the blue team but not not too often um you can see uh the the two of them start to like uh collaborate with each other when they're talking about threat intelligence because if you're a risk analyst you need to understand like what the current threat landscape is because how do you assess the likelihood an impact of 
of a vulnerability if you don't understand like what the threat landscape looks like so right so grc people are typically trying or they should be staying informed on threat and then the blue team should be staying informed on threat also because they need to know what they're looking for on the wire right if you're just like waiting for a similar to come up um you know there's opportunity for you to be a better uh sock analyst okay so definitely check out thread intel and by the way if you're gonna interview for a grc position um tell the like use this knowledge that like by using thread intel to stay informed that's how you're going to be a better grc analyst and i guarantee you that'll go over swimmingly with whoever is interviewing you quick uh quick sip of coffee here for for me hold on i hope you're having coffee base i'm glad you're here with my west coast people if you're if you're where are you from right now anyone in chat like if you're not on the east coast where i am um where are you at and uh thank you for being with us this morning okay all right so now now that you guys understand i've done some videos the grc analyst job is an awesome awesome on-ramp into information security so neil bridges over at cyber insecurity if you guys know him sometimes he calls this like trash job but it's it's it's because it isn't sexy right but it is perfect perfect if you don't have an i.t background so if you're an individual that is trying to um pivot into information security uh from like a different career right so like let's say you're like a finance person a marketing person you're trying to do whatever um then it's perfect for you and i'll tell you why because you can not understand i t right and you you're handed like a list of standards right like you know make sure they're doing this make sure they're doing that make sure they're doing this you don't need to fully understand like what you're asking okay i know this sounds crazy you don't need to fully 
understand what you're asking the system admin or the network admin you can just be you can just say like hey are you how are you protecting the the communications between resources on your network and resources outside meaning like are you encrypting the traffic is there is there some type of like choke point that you guys are tapping like again you might not know those terminologies but you're you don't need to know them you're asking the network admin you're asking the subject matter expert to explain how they're addressing this potential control right so you can do your job well as an auditor right and then you can take that data and then you go off and you do research on threat right so now you're you're getting smart on the space by reading thread intel and then then you start thinking about well if you're just an auditor for doing compliance purposes all you need to say is are they doing it or are they not doing it you don't have to explain to what level they're doing it or um you know what is the risk of them doing it right so so another thing that you guys should understand is that like a compliance analyst is like a subset of a risk analyst so you if you're a compliance analyst you just like check and say yes or no if you're a risk analyst you check say yes or no and then for no you say how bad is no right so there's a nice easy smooth career progression for people who want to climb up in grc and again this is why it's such an awesome ciso career path because is it in place yes or no okay now you have context is it in place yes or no and if it's not how bad so we went from compliance to risk if it's in place and it's if it's not in place or is it in place yes or no no how bad is it now like let's prioritize it and let's get budget for it and let's communicate to the business why we need this money and what the road map looks like that's the ciso right that's exactly what the system's job is so uh hopefully i've laid that out clearly i'm going to jump in 
chat right now and i'm totally open this is my stream um it's saturday morning so i'm just i'm hooking it up right now so if you got we can jump into a web browser and look up analyst jobs um you know there's no certifications really um that map to grc the way that red team and stuff goes but uh let's jump in chat oh wait you know what one of the cool things about uh about this uh platform is i can do this how do i where's my chat hold on um chat where are you chat where's my chat hold on i'm supposed to be able to do this chat overlay thing there it is there it is it's owen hey all right all right so let me let me jump into chat here guys good morning good morning i see stephen semelroth in here good morning good morning stefan good to see you all right teresa what's up teresa good to see you all right cracking me up i love that username good to see you nick awesome i'm glad i connected with you on uh on discord and linkedin yesterday okay base is asking what would be entry-level grc rules to look for so definitely definitely compliance analyst right um i will tell you right now this is probably the biggest takeaway for this stream federal i t contractors working with the federal i.t booz allen deloitte pwc these big names they they basically take a body and then they charge uh 2x 3x for that body right so and they are really interested in getting people who are entry level uh that they can train up and then charge the crap out of the government for for their hourly rate right so like look for those jobs in fact you might even be able to pull one up i would i would encourage you to like google search or whatever um grc compliance analyst maybe the word fisma fisma maybe the word cmmc i think you're going to find that there is going to be a plethora of opportunities and i will tell you you might have to move okay so this is another kind of like harsh truth uh for me personally um when i uh got you know broken or whatever into the industry although it was on the 
software engineering side like i went to a it was called bearing point at the time but it was kpmg's consulting arm and i moved from massachusetts to dc for one year i was dating my now wife very seriously and i moved away because it was the breakthrough opportunity to get me that experience that i needed so then i could have that years of experience on my resume right so sometimes you might have to move but obviously in this covid world with all the extra remote work opportunities um people you know people are way more attuned to uh being a acceptable of remote work so um worth checking out i see josh is dropping a thing in chat here let's see oh professor black ops very cool yeah i met him over at kevin a lot of paperwork yes it is a lot of paperwork you do have to be cool about documenting stuff how to start in gst especially for a position everyone wants to hire someone who already has some experience yeah i mean it is hard um it is hard i would just recommend uh that you here's another like uh harsh not harsh truth here's another like reality that people may not know about right so like iso 27000 nist csf fisma nist 853 sock ones talk to right like whatever blend or flavor you're you're calling it it's basically like the same set of controls like some of them don't have the same some of them do have a lot of them have the same kind of controls they might call it different things but at the end of the day the way you protect an organization it's the same way i don't care what you call it um it's basically the same way so like once you learn kind of one of the catalogs of controls uh you can map it very quickly you can move quickly across other ones okay um so long to your point arvin i would say uh get familiar personally i like this cyber security framework get familiar with that understand kind of like what the structure is how it fits into an organization identify and protect is left of boom uh detect respond recover is right of boom boom being bad stuff so 
um get familiar with that and put it on your resume that you understand like you're familiar you you have experience with nist cyber security framework and csf uh it doesn't matter if you've actually practiced with it it's just it's it's good to put it on the resume right so you can have that um association okay let's see thanks yeah thank you bass hit the like if you're enjoying this that's what we're doing jax loves some cmmc i know outpost gray is doing some serious cmmc work um there is a certification um i'm still trying to get some understanding around this but the idea of cmmc the c insert in cmmc is certification but it's the organization that's getting certified not the individual but i want to point out that there is a certification for you um that you can get it's called the certified practitioner so if you go to cmmc-ab or whatever and you look for the certified practitioner there is actually a certification you can also be a registered practitioner which is not a certification but it just basically states that you understand cmmc and you can help an organization you do not need this in order to practice uh basically audit prep for an organization that's going to be going cmmc but it can definitely help sell you as an individual who's like freelancing as a cmmc prep person or really key differentiate you as a candidate if you are certified in cmmc by the way cmmc i did a whole video on simply cyber for this cmmc is going to be huge there's no organization that's going to be able to work with the government unless there's well the dod unless they are cmmc certified likely to level three minimum right how do they get there they don't understand i'm telling you right now businesses don't understand cyber security all they know is they need it right the executives ask like are we secure which is like the totally wrong question to ask right so so be aware that um organizations are going to be starting to look for this i'm already like when i interviewed 
recently people were asking me what's my cmmc familiarity how can i help them with cnmc so that's what's going on there so definitely check out that um you know jax if you can drop it in chat uh the the certified practitioner thing that i'm talking about for cmmc 27001 a good start um i'm studying that for startup now so matt 27 0001 iso is big in europe so i don't know if you're in europe right now but like it's big in europe if you're going to work in europe go for it if you're not in europe i would not recommend starting there um but again like i said if you learn iso 27001 and you want to pivot over to nist uh cyber security framework or fisma compliance 853 whatever it's going to be like um you know like a very a lot of overlap right so you'll be familiar with it um and you'll be good to go okay what isakka certifications go with it uh the cisa certified information systems auditor um you know it's basically an audit cert you know how to audit systems uh that's i'd recommend that um key differentiator you'd obviously have to be going for an audit um if you're gonna do for compliance uh you know there's some hipaa related certifications the ahima chips uh is one uh that's i mean like the cert those search you're getting is basically just put on a resume and and and get through like it's not like you're using the knowledge of the certification to do anything um what else we got in here professor black ops i'm more fed ramp yeah so fedramp is basically fisma compliance for cloud systems um so you can definitely get familiar with that um i'm telling like fisma fisma was like you know i think 1996 or 2002 yeah 2002 fisma came out fisma morphed into rmf which is risk management framework which morphed into um i mean it's still fisma compliance but like 800 171 and now cmmc so let's see obviously grc is less technical but what tech skills and certs are actually important having a grc role for doing an audit for an example i mentioned this before you don't have to be 
an expert in technical you'll pick it up as you go um if i was it depends what you're auditing honestly uh but if you're doing like an enterprise audit i would say you know the basic things that you'd want to know from a information security practitioner like how networking works very basically how operating systems work because you want to be careful that like a sysadmin a network admin isn't blowing smoke up your butt uh about what they're doing right all they're going to be doing is hurting the organization if they're lying to you so you definitely don't want that okay let's see what's the best starting point in learning and getting to know the standards without having the on-the-job framework okay so you know this one i'm pretty biased on this one okay so i'll fight anyone who wants to argue with me um is that whoops that's not what i want to do guy um i i i live in the united states i've worked in the united states pretty much exclusively and nist national institute of science and technology they are the they're leading the way on what we're doing for cyber security okay ron ross uh used to lead like kind of that whole uh area he's working on um security engineering architecture now devsecops but um i i prefer personally nist i wouldn't look at koso and kobit um because i've done cobit auditing cobit is more i feel like cobit and coso are really more focused on the only the access piece like is there separation of duty what bad stuff can you do um if with the access you have um nist and iso you know if you live in europe iso is going to have more marketing value are very similar to each other but i i'm nist all day every day um so i think that that would be a great place for you to start learning go through and and just i mean i guess consider this a shameless plug i i was kind of holding off on telling people this but i'm actually working on a course like an online course that i'm i think it's going to be on heath adams platform but i'm doing a course called 
practical enterprise risk assessment that's going to show you exactly like step you through in a like a full uh enterprise risk assessment with a use case and we'll walk through it together but like one of the benefits of doing this course is like basically you can take it and learn to be like a compliance auditor because like i mentioned earlier you can like you don't have a choice but to be a compliance audit or an auditor up to a certain point and it's when you start applying the threat model and how bad things are is when you it turns into a risk assessment versus a compliance audit so you'll get basically this audit kind of experience and and we'll go through the entire nist control catalog basically because that's how i roll when i do enterprise risk assessments so uh stay tuned for that it'll probably be out in the um end of the end of the year um all right so what's the next question um can't go wrong with nist 830 yeah so nist 830 um i believe that is that risk assessment the guide to risk assessments i think it is hold on one second calen please hold on one second i know please don't do that come on son okay sorry i had some off off camera thing i had to address here yeah i think nist 830 is the risk the guide to risk assessments um and that's definitely a great a great path in fact it's it's essentially what my enterprise risk assessment approach is it'll show you the whole life cycle of doing a risk assessment so great great call out august thank you for that question how much oversight does a grc analyst have on over their job um david i'm not entirely sure do you mean like how how much is someone like monitoring a grc analyst or how much is a grc analyst monitoring over people typically grc analysts are measured by um like if they have to develop policy um you know is the policy getting developed is it taking into account like business operations is it feasible to implement at the organization is it working with the organization in order to to 
basically put controls in place that are make sense reduce risk but also enable the business to do what they need to do that's how they're measured also with the risk assessments like you know um is it actually actionable intel is it is it is it stand on its own like is it based on threat intelligence um you know so and the nice thing is people don't really see the value in risk assessments initially because it doesn't seem like it changes anything but in reality um once you have that risk assessment once you develop a plan of action milestone which is basically like what your your game plan is for reducing risks at the organization because you need to get budget and stuff like that um people people the business starts to see value for that and by the way you want to talk about a way for the business to absolutely love love you um the first time they get externally audited or they're trying to get uh cyber insurance one of the questions they're going to say is like when how how often do you do risk assessments and the the fact that the business is going to be able to hand this like really well done report to an external party it's going to make it's going to make you look great and the business is going to love it so just you know a little a little teaser for what happens when you get into the role okay all right let's keep let's keep trucking through these questions what do we got here pmp iso 27000 is a must for most government contracts um okay so yeah i guess in australia thanks jack um i i don't see this in the united states uh it's very much a non-united states standard but it's it is out there um oh cool mike jones is dropping that uh twenty seven thousand one would be phased out i wouldn't be surprised i think it's antiquated i don't think it actually takes into account risk i think it's more of that traditional like model of like here's a bunch of controls put them on you know so that's not not my speed um okay jax is having some tech issues stefan's up in 
here what will replace 27001 i would argue that nist csf uh will replace it then this you know what makes the csf so brilliant is that it's actually a voluntary community developed program so it's not like nist was like oh we're the government we're the smartest people like what's here's what you need to do like we're up in an ivory tower do this no they actually hold workshops they bring in people from um various industries uh to collaborate uh through iterations of the development of the framework so they say what's working what's not working for example um originally the framework didn't account for side uh supply chain uh issues in management but we've all seen with like huawei and like you know the chips right now like intel chips and stuff happening right now like supply chain's a complicated problem but there was no accounting for it so they've they've baked that in uh and that that was because of uh response from the community right like you know so this thing is built out built and matured and grown on a an industry private public sector collaboration which makes it awesome because it's actually you know it's it's it's it's it's being tested it's being put through the paces it's not like an idea that came out of some um nerdery right it's it's practice so look for twenty seven thousand one um yeah twenty seven look for nes csf okay uh mike jones is saying cmmc will replace that okay so let me just point out really quick he makes a good point because cmmc is going to be what people are going to have to comply with so it's probably going to be what they what they reach for um but cmmc is literally just a subset of controls that you would do of nist csf right so think of this csf as let's say um 100 controls right of that hundred controls there's probably like 40 that are cmmc required right so and don't quote me on this but i'm almost positive that the full scope of cmmc controls is a a complete subset of the nes csf control so there isn't like there's no 
venn diagram where there's ones outside it's like fully inside so if you're doing csf you're going to get cmmc as well okay let's see let's see i love the chat you guys are killing it today by the way 44 people uh let me know if you like this format with the just from a production perspective because uh you guys uh are or what makes the show like i don't like talking to myself uh if you like the chat on the screen i kind of think it's cool um you know let let me know what you think about the production like with the videos like the multiple camera angles the videos the chat in here i am kind of curious if you all are liking that or if it doesn't matter to you um what else we got oh jess bishop's up in here what's up jess good to see you uh let's see what's this my company goal of twenty seven thousand one okay yeah i mean you can go 27 01 again luis i would say like look talk to the business like are you guys operating in european markets are you planning to go into the european australian markets like do you have business like you have to align to the business right like stefan semelroff will tell you every every day it's like it's all about like providing value to the business right no like no one's going to just have you do something over here for the sake of doing it it's got to align to the business now personally like i've said i would align the information security program around this cyber security framework but i guarantee you there's a i mean you could google it there's definitely a mapping between csf and iso 27001 so you could do csf and then basically extract what the 27001 control catalog is and then be able to attest to compliance with it but um they i should just get like a shirt that says like trash 27001 because that's basically what i'm doing here um yeah nist 830 good place to start 837 uh by the way when we say the 830 if you're not familiar with this naming convention it's the nist special publication 800 series and it's a list of documents 
that are basically put out by NIST, all around cybersecurity. So 800-30 is, like I said, the risk assessment one; 800-37 is the Risk Management Framework. Can I share a screen in here? How does this functionality work on Restream? All right, good: share screen, Chrome tab. All right guys, let's see what it looks like when I share a screen. Okay, so this is the NIST 800 series. And okay guys, it's a lot of documentation. There's no dark mode, there's no bubble gum, there's no donut charts, there's no terminal screen when it comes to GRC. That's a reality that you've got to kind of accept. How do I get into here? Let's just do this: NIST SP 800-30. Okay, let's do that. Of course I'm running dark mode for my browser here. So check it out: Guide for Conducting Risk Assessments. You can pull these down right here. There's a lot of documentation to it, and this goes through quite a bit of effort to make it comprehensive. I'm trying to find... I don't know why I can't pull up the CSRC here, like the publications; there's a whole page of all the SPs, so you could actually, I guess, enjoy them. Here it is. I love this personally, guys; this is a really great resource if you want to take advantage of it for your own organization. I know it's kind of hard to see, but maybe I could do this... no, that ain't going to do anything. You can see: hardware-rooted security, mobile devices, how to secure them, how to do ABAC, how to do supply chain risk management. There's tons and tons of things: BIOS integrity measurement guidelines, if you're feeling that. So this is a catalog of resources that you literally can just take advantage of and read. And by the way, there's no shortcut, there's no easy button, guys. So here's another harsh truth: there's no easy button. You have to read this documentation, you have to digest it, you have to read multiple things, watch videos. You have to do the work to understand what you're talking about, because if you're going to say you understand it, you have to understand it.

All right, let's keep rolling. Let's see, there we go, that's a good idea: blue team shadowing IR. That's a good one. You should bring the GRC people into the space so they can see... hey Cal, can you close the door please? Yeah. If you're giving the GRC people exposure to what actually is happening on the SecOps side of the house, it can only benefit them. So when they're talking about security awareness training and stuff, it's actually rooted in reality instead of whatever cool thing is in the news that day. Get some coffee, yep, there it is Jax, get some coffee. Got some people in Indy, London UK, what's up, I love it. Let's get some questions answered. SoCal, yep; Scotland, loving it. I love this international group, people. I love the Simply Cyber community, you guys make this so much fun. People are like, "why do you do this, Jerry?" I'm like, just come to one of the live streams, you'll figure it out.

All right, what's your thought on the risk assessment tool CISA put out on October 1st? I don't know about it. What is that? Can someone drop a link to what that is? I don't know what that is. Here, let's just do this really quick. I'm not going to review it right now live with you guys, but I do want to see what's up with it. I guess maybe Cyber Resilience Review, is it this thing, James? Oh, they've got some downloadable resources, a self-assessment package. So I'm sure it's probably good. I really like what Jen Easterly is doing, the director over at CISA, so they just put her in place
like a couple of months ago, and she's bringing a fresh angle to cybersecurity. So I would definitely at least check it out. One of the cool things that you can do with GRC is you can download these things and do an audit on your own network. It's not a cool big thing, but you can walk through the paces and the steps and figure it out, so there's definitely value in doing that.

Okay, let's see. Outpost Gray, Irish whiskey. "Have a camera behind home so we can see the magic." Yeah, if you guys like the multiple cameras, I think it's actually pretty cool. What's the most non-IT skill required in GRC? I got told excellent written communication skills. Yeah, in GRC you're writing a lot and you're speaking a lot, because you're communicating with the business. GRC is basically the interface; again, this is why CISOs make good GRC people. GRC is the interface between the information security department and the organization. So if you can't communicate well, you're doing a disservice to the information security office. And by the way, just because you know a lot of cool terminology and stuff like that, the business doesn't understand our language. They don't know the difference between authentication and authorization. So it doesn't matter how cool you are, how smart you are, you have to break it down and communicate to the right audience at the right level in order to get what you need, because at the end of the day, what are we trying to do? We're trying to change behavior and we're trying to fund our program. So you have to be able to succinctly, quickly and effectively communicate to the organization what's important and what is appropriate. If you tell them that they can't do remote access, like our example earlier, or if they want to they have to do it over a VPN tunnel, or someone on our side needs to initiate the connection every time, well, that's an impediment to business operation. So why, Jerry? Explain to me, communicate to me why. If you can't do that, you're going to find yourself a bit challenged on moving your program forward and reducing risk, because if they just give you the Heisman and stiff-arm you, what are we doing here?

Okay, let's keep moving. We are streaming across four platforms, which is pretty cool. I could do that on StreamYard, but whatever, we're pushing Restream today. Greetings from Transylvania. What about the CCAK cert for cloud GRC-focused roles? I haven't heard of the CCAK; cybersecurity cloud... I'm sure assessment or audit, I don't know what the K would stand for. If there is a cloud-based GRC certification, I would strongly encourage it right now. It's unrelated to GRC, but right now cloud security and identity and access management are the two hottest things within cybersecurity. Data science is also hot, but that's outside of cyber. So if you're doing cloud security, that's a good space to be in right now, so if there is a certification around it, I would recommend it. Again, as mentioned earlier, FedRAMP is like the cloud FISMA kind of standard, so look into that. You can also, if you want to get some more exposure to FISMA, Google Microsoft Azure, which is the cloud solution Microsoft has; Google "Microsoft Azure FedRAMP compliance" or "Microsoft Azure compliance" and they have a ton of documentation that is provided so organizations can just download it and provide it to an auditor to explain how, beneath the platform as a service, all the stuff that Microsoft's responsible for, how they're securing it,
but it's publicly available, so you can pull it down and read through it.

Okay, let's see. David loves... hey Stefan, if you're still in here, the video series that we've been doing is getting some love, I appreciate that. If you're not familiar with what David's talking about, Stefan and I did a six-part video series. I've released four so far; number five is coming out Monday, number six will come out the Monday afterwards. It's basically everything that you need to know in order to go from zero to getting a job in cybersecurity, and it includes how to find a cybersecurity job, how to write a killer resume, how to interview like a boss and what to say and what not to say, how to negotiate your salary, which I'm really appreciative of because I stink at that and I needed that video, also how to crush your first 90 days, and then how to level up: how to get promoted, how to brand yourself, how to kill it. So that whole career arc is pretty awesome and it's on the channel, so check it out.

Yep, thank you Juliet, it is my pleasure, and it is all of our pleasure; I speak on behalf of the entire Simply Cyber community, it is all our pleasure, and welcome to the stream. Josh dropped a job in chat. Can I click on that? Oh, I can't click on that. Josh, will you send that to me in Discord please? I'll pull it up and we can look at it; I can dissect it and stuff like that. That stinks that I can't click on that hyperlink. Yeah, plethora, I do have command of the King's English, so I do nerd out quite a bit. Let's see: "CISSP has this content but not so great; without expecting a fire hose you can pick apart the body of knowledge too from (ISC)²." Yeah, definitely. Hey everyone, good morning. Yes Kimberly, it's good to see you, thank you. Location for compliance is sunny, warm Maryland these days, yes.

What certs would you recommend, again, if we're just talking about GRC? Look at the CMMC Certified Practitioner; that could be a good one. It's not in demand right now, but it could be. That CCAK one, I'm not even familiar with that one, but we should both look at it. The ISACA CISA is a good one, and then any certification that's mapped to a compliance standard in an industry that you want to work in would be a good one. So in healthcare you might want to look at the AHIMA CHPS cert, or something that makes you demonstrate that you're an expert at complying in the healthcare environment. Does anyone need a cert for this position? No, there is no minimum cert. That's the cool thing about GRC: it's very, what is the word, it's very forgiving, it's a good on-ramp, I guess that's the best way to put it.

"You're going to help me get my first cybersecurity job with all this knowledge." I hope so. Jess just sent me a personal note the other day on Discord that I'm going to be wrapping into a bigger show, but Jess, you want to talk about someone who is a use case for how to crush it and how to network properly, and what the fruits of that labor look like? Jess is one. Connect with Jess, she's great.

Okay: "I'm an undergrad right now, planning to do a master's in infosec management, I want to get into GRC as my path, right?" Oh yeah, dude, if you're doing infosec management, that is what GRC is, so you're right on track. "Critical infrastructure clients is hot." Yeah, thanks Mike, and with critical infrastructure, what is critical infrastructure? Critical infrastructure is the 18 domains that the United States identifies as critical for the operation of our society. So it's not just oil and gas, but it's dams, water treatment plants, healthcare, finance, the economic system. If you Google "critical infrastructure" you'll find those 18 domains. So basically if you're working in any of those spaces, transportation, logistics, I don't know, BSec's in the crowd, but that is in critical infrastructure. Those industries are having more money thrown at cyber opportunities.

What's this one say? "I have 10 years of experience in network security, lead auditor, sir, but I'm finding it difficult to break into GRC, can you please advise?" Oh my god, dude, if you have 10 years of experience in network security and you have all of the firewall and SIEM and EDR experience and all that, what I would recommend, what I would do, is start talking to whoever the GRC side of the house is, or whoever at your organization is responsible for information security. So there's either a GRC department, or there's a CISO, or there's an infosec manager; whoever that person is, tell them that you would like to help them with an upcoming audit or compliance, or start documenting what you're doing, like actual processes and procedures, and basically start doing GRC-type work. Not pro bono exactly, but integrate GRC-type activities into your actual role, and then you'll demonstrate that capability to whoever the CISO is, whoever the expert is in that space, and you can naturally start to transition. I say this all the time: switching roles, especially within a company, is fairly easy, but you don't do it as a start-stop. What you should do is start taking on that kind of responsibility, because when they want that job to be filled, you are already doing it, so it becomes obvious. And it's not like, "oh Jerry, you're talking about basically having two jobs, that sucks." No, what I'm saying is you start doing that work, and then either (a) you're getting the skill no matter what, so you can put it on your resume, or (b) once they realize
understand what they're doing, so what you're trying to put in place actually makes sense for the business. Yeah, you'll have to forgive me guys, obviously Nightbot; I typically have guests on here. "What created compliance, PCI compliance?" Oh yeah, Mike just mentioned that. Yeah, PCI is another one I forget about. So PCI is Payment Card Industry, and basically any organization that takes credit cards needs to be PCI compliant, or basically fully outsource how they're doing the transactions. So that is actually a standard that I wish I knew more about, honestly, but unfortunately I don't. Bas is just dropping this, thank you; oh, this is actually perfect, I will check this resource out afterwards, Bas, thank you, because I want to know more about the difference between those two.

Eric's talking about "everything has risk; relate your experience through a risk lens during your interviews." Yeah, this is so true. So I have a video on Simply Cyber about security mindset, and why security may not be for everybody, because it is a mindset. Think about it: when you're driving through an intersection, you have a green light, but you're probably looking around to see if some jerk is trying to bust a U-turn not paying attention, or someone's going to run a red light or something like that. So you're constantly analyzing the risk of your environment all the time; you just may not think about it. So he's 100% right here: you need to think about risk and the way that you're managing risk personally, because it'll translate into how you would manage risk at an organization. Okay, let's see: "important to realize those frameworks are industry driven if you have an industry." Yeah, exactly, 100 percent.

Okay, let's see, oh wait, Professor Black Ops, I'm sorry: "I'm mapping FedRAMP to CMMC to find gaps and for my learning; is that a good idea?" Yeah, I mean, that's definitely not going to hurt, especially because CMMC is coming up. This isn't a bad idea; this mapping is probably already done. What I would encourage you to do, personally, is just look through all the CMMC controls and get familiar with those. If you're already familiar with FedRAMP, you're going to notice that there's a lot of overlap. I mentioned that earlier: all these different frameworks, all these different things we're talking about, there's a lot of overlap there.

All right: "would a SOC cybersecurity analyst entry position help you get started in a GRC role that requires like two years of experience?" Yeah, yeah. So the GRC role is the easier on-ramp because it doesn't require an IT background. If you're already working in the industry as a SOC analyst, and by the way you want to get out because of burnout or mental health, or you don't like the hours, or you don't want to work on Christmas Day, that's totally cool, because, as a side note, GRC people typically work 9 to 5. When boom happens, when bad stuff happens, they don't call the GRC person. So that is a benefit to that job. Having said that, if you understand how a cybersecurity program works, and especially understand the threats that you're seeing from the blue side, from the SOC analyst side, you will be a more effective GRC analyst. And by the way, when you have concrete examples to explain to the business why they can't have anyone and everyone just remote in, it sticks a lot more. If you just come up with a made-up example, or you use something that was pulled from the headlines that's so salacious that it's not even going to remotely happen here, it won't have the sticking power. But if you say something like, "listen, I've seen it before where an individual is
googling for some type of checklist, and they found a site that had a malicious PDF. So when they click on it, it actually routes them to another site, and then they download an executable thinking it's a PDF, because end users don't know the difference, or this one doesn't look at the extension, and then they tried to run it, and then they infected their machine. So what we need is endpoint detection and response or anti-malware tools on our endpoints to address that particular thing, because it's going to happen again and we can't have that." A concrete example definitely goes a lot further.

What's the salary for GRC? That's a tough question, Udix. It depends on industry, it depends on where you're doing it, it depends on the level. I know you're looking for a number. I would say United States, entry level, maybe CMMC-related GRC work or just at a regular organization, I would probably say 60 to 75 might be a reasonable guess. If there are any cyber recruiters in the audience, Joe Hudson or whomever, correct me if I'm wrong, but I would say 60 to 75 is probably a solid estimate. "I'm old, I was DoD in the early 2000s, I ate FISMA." Yeah, exactly, Professor Black Ops, I'm 41 so I'm right there with you, brother. "CMMC has just rebranded FISMA, right?" It's less controls. It's a rebranded 800-171, which was a rebranded RMF, which was a rebranded FISMA.

All right: "what are the first three steps you should do before conducting any assessment: meet with key leaders, conduct a pen test, identify CUI?" All right, the first three steps you should do before conducting an assessment. So Jax, what I think you're saying is before you're actually executing the assessment. Thanks Fauna, I appreciate that. The first three steps that I would suggest: hey, figure out what your control catalog is, what you're going against. You've got to start with something. You're not going to just sit down and be like, "tell me everything." You have to lead the assessment; you have to be the expert in the room who's guiding the questions and collecting the data. So what I do, for example on the risk assessment I'm running right now, is I collect the controls that I want. I know that I'm going to need to do CMMC, but I want a bigger picture, so I take the NIST CSF catalog and I dump all the controls into a spreadsheet. These are my controls I'm going to map out: are they compliant with this control, are they not compliant with this control? By the way, it's important to note that CMMC, excuse me, NIST CSF, is not controls; it's basically outcomes and objectives, and for each objective or outcome there are multiple controls that make up that outcome. So you might have one control in place and two controls not in place that make up that particular outcome, and this is where the risk assessment piece comes out: what does it actually mean if those things aren't in place? So get your audit plan ready, essentially your assessment plan. By the way, pro tip: call it an assessment, don't call it an audit. People freak out when you call it an audit; they think that they're being tested. If you say assessment, for some reason, mentally, people are more open to doing assessments. So you get your control catalog. Then identify who you need to talk to. Typically you need to talk to IT quite a bit, you need to talk to HR for the personnel-related stuff, you need to talk to legal on contract and supply chain stuff, all that, and you need to talk to some of the business people. That's typically the main audience, and the information security office, depending on whether you're an external auditor, an external assessor, or you're an internal one that has a big information security office, because
you may need to talk to the SecOps people about how they're doing SecOps work, you need to talk to the GRC people for how they're doing training, et cetera. So that's two things: you've got your audit plan, you identify key stakeholders. Then what I would suggest is you schedule all the interviews that you're going to want to have. Keep them to like 30 to 45 minutes; don't try to do an eight-hour session, people's brains melt. So you need to keep it to like an hour, keep it focused on a specific topic. Like: "all right, in this meeting we're only going to be talking about access control, so let's talk about how accounts are created, how are they modified, how are they disabled, do you guys use RBAC, role-based or attribute-based access control?" Let's just talk about access control and get all that information, okay, mentally move on. So now you've got your audit plan, you've got your stakeholders, and you've got your interviews. And make the interviews a couple of weeks out, because between now and your interviews you have to get your assessment plan ready and potentially request advance documentation: policies and procedures, plans, the things that you know you're going to ask for. Because when you're doing an assessment, if you're asking them how access control works and you've already read the procedure on how they do access control, you can ask them more specific questions, like, "oh, it says here, I know your process is to email new hires, at their private email, the username and password, right? So is that how you're actually doing it? Explain it to me." And you'll find that maybe the way the process is done doesn't match the way it's documented, and that's another finding all unto itself. So yeah, this is why I'm doing a whole course on this, Jax, because it can get complicated pretty quickly.

Okay, hey BSec, good to see you. "Monitoring and testing as a pathway to GRC." Hold on, let me do this guy here real quick. I love this camera angle, guys, I'm addicted to multiple camera angles. Okay: "do you recommend a specific..." and I'm going to have to be going soon, guys, so if you've enjoyed this, drop it in chat; I'll do another one of these. I love Simply Cyber Live where we bring guests on and stuff, but personally I love just flipping out to you guys on stream. All right: "do you recommend a specific GRC training program for those wanting to learn more?" I don't know if anyone's specializing in GRC. You know what I would check out, Kimberly: MITRE ATT&CK. So the MITRE ATT&CK framework is awesome, but AttackIQ, yeah, AttackIQ has some training, and it's free. Here, can I pull this up on the stream? How do I do this... right, this is AttackIQ, they have some training here, right here: "Using Threat-Informed Risk Management with NIST 800-53 and MITRE ATT&CK." I know it's tough to see, guys. I would start here. I've heard really great things about AttackIQ, really good things, and this right here, this is that SP 800-53, which is just a control catalog, but you could start to see how it can map into actual practice, and it says risk management right there in the title. So giddy up on that is what I would recommend. I see what you did there, Cal, that's good. Calm down, son.

All right: "a big problem I see in companies I do risk assessments for: they do totally mean..." Yeah, so this is another kind of harsh truth Nimrod brings out: don't be married to your risk assessment. You see this all the time in pen testing: they have a requirement to do risk assessments, so they'll do them, but maybe you hand over the risk assessment and they take it, "thank you very much," and they throw it in the trash can. That
can happen, because some businesses don't care. They're doing it because they have to for compliance purposes; they're not interested in investing in cybersecurity. And I guarantee you, when they get popped, they will be heavily interested in investing in cybersecurity, but that's just a reality that you have to deal with sometimes.

All right, I know I didn't get to all these questions, guys. Let me take a couple more and then I'm going to boogie out of here; we've got some stuff going on on the personal side. Hey, how would you compare, well, I should put it up on screen: "how would you compare IT audit versus financial audit, are the working hours as long as in financial auditing?" No, I wouldn't say that, because I feel like with financial auditing, based on what limited I know about financial auditing, you're looking to make sure that the i's are dotted and the t's are crossed, that there isn't financial fraud going on, who has access to what. With IT audit, I feel like it's much more predictable and laid out, and you can message the IT admins and the various stakeholders and say, "this is what we need to talk about, send me the stuff." And you have to give yourself a practical timeline for doing a risk assessment. So on a mid-size org, let's say a thousand employees, 1,500 endpoints, I would say seven weeks. You could probably do it in like five weeks, but I think seven weeks is a reasonable timeline to give an organization for how you're going to conduct, analyze and deliver the reporting on that. Okay, so that's a good one. One second, people. All right, so let's just do a couple more. Let's see: "800-30 is risk assessments." I know I'm way back on chat, guys, too; I'm trying to touch everybody. That sounds so inappropriate. Let's see: "I do risk assessments with the IRS." Yeah, "Booz is the external auditor for the IRS." He's saying Booz Allen Hamilton, and that's true. So this is one of those ones where I don't know what IRS Publication 1075 is, but I do know if I wanted to work in that space I would want to learn that. But since I don't, I'm not going to learn that, and I guarantee you that it has something very similar to SP 800-30 or any other kind of risk assessment methodology; they're all very similar. Okay, let's see, Nightbot's up in here.

Oh god, there's so much. I'm sorry I can't get to all the questions, guys; I've got some other personal things to get moving on today, but let me wrap it up. I have all these soundboard things I didn't really have a chance to use, but I'm looking forward to rewinding things and going back and answering your Q&A. So hopefully you guys enjoyed it. We got to learn GRC stuff today, guys, and I hope you got value out of this session, out of the stream. I certainly enjoyed it. Again, if you dropped any comments about the actual production of it: this is a new platform for me, using multiple camera angles is new for me, so I've enjoyed it. I've enjoyed talking with you guys this morning. Thank you very much. Continue on; it's a journey, guys. There's no easy button, like I said, whether you're going into SOC analyst, blue team, red team, GRC, it's a lot of work. There's a lot of people out there, it's a huge market, there's a lot of jobs. Just keep grinding, definitely network, jump on Discord. There's a million people, and by a million, there's 45 people in the stream right now; I know a lot of them, they're all wonderful people. If you're new to the stream, connect with some of these people, reach out. It's a very inclusive community and I want you to be part of it. Okay, so guys, thank you very much, have a great day and we'll talk to you sometime soon. Bye.
Info
Channel: Gerald Auger - Simply Cyber
Views: 1,764
Keywords: cybersecurity, information security, career, cyber, security, infosec, cyber security, career growth, get a job, cyber for beginners, blue team, red team, career development, college graduate, transitioning veteran, cyber job, cybersecurity jobs, entry level cybersecurity, entry level, no degree, cyber careers, simplycyber, simply cyber, cyber security for beginners, get into cyber security, GRC, governance, risk, compliance, careers in cybersecurity, risk management
Id: 3KCTCqaPzQQ
Length: 64min 37sec (3877 seconds)
Published: Sat Oct 09 2021