Cyber Security Career - Getting an Entry Level GRC Role

so [Music] so [Music] so [Music] so [Music] ladies and gentlemen we are live as this is the main event you've all been waiting for brought to you by exodus the cyber security asset management company [Music] hello and welcome to another episode of virtual coffee with the sheesh on cloud50 podcast and today we are talking about another cyber security career option that you would have coming into cyber security if you're a new beginner person and you're looking at options to get into cyber security this is probably one of the well i don't want to say easiest but i i'll let the expert talk about this who has been working in this space for a while but i definitely feel it's something that what is worth considering if you are someone who's like an entry-level role and trying to find uh what that what that next step would look like all right let me cue the music in uh and not make you guys wait anymore [Music] i love the walk-up music that's a nice touch yeah yeah i i always wanted to recreate i don't know i know we've been kind of in this online world for some time so i wanted to recreate what it would be like if i had you on a like a live stage i would love to do this and i think my my hope is actually my secret desire one day when we can all i mean at least was the australian lockdown and when we can go out and have live events again my hope is uh to have people like yourself come in but this was playing on a live stage and all of us you know you you come in with this like this vibe going on everywhere anyway i can whole concert fire i i like it i like maybe a fog machine going on there some streaks yeah they go already going but uh so i i know we digress but i definitely would love to do this uh but welcome man welcome thanks so much for coming in man i really appreciate this yeah thank you very much i'm a fan of your show and i'm really uh honored to be you know asked to come on and share my thoughts and experience with your audience uh awesome and i could not think 
of a better person to bring on when we're talking about n2l grc as well because you've been creating so much content in this space and uh by the way i i hope you have a drink as well man thanks for coming in for me i do cheers cheers cheers cheers i gotta i gotta i got a cherry limeade flavored water so it's uh keep me hydrated because i like to talk a lot of shisha yeah is that even a thing a cherry lime what did you say it was it's cherry limeade it's just like you know like one of those squirt things into a watermelon all right right right right right okay cool i mean but i i was going to say so now since we since i have you here and maybe i know a lot about you i don't know how many people know about you so uh i'm if you can probably do a brief intro on i guess who's gerald and a bit about yourselves your industry against the professional background and wait what are you doing these days yeah absolutely so uh good afternoon good evening good morning wherever you are my name is gerald ozier i am a cyber security practitioner i've been in the field for 17 plus years i did come up on the grc side of things although i've got a lot of experience in different uh facets in in in the space from an education perspective i came up computer science a very technical i moved in and i'm very very proud that i hold a phd in cyber operations from dakota state university which uh we could get into that why why on earth would you go get a phd and who would want that so professionally i you know for my industries i was in the u.s federal i.t space for a while so i'm very familiar with that which is is which is very heavy in the governance in compliance space which is why there was so much work there i moved into healthcare for about six or seven years worked in the hipaa space i ended that journey as a cyber security architect more on the engineering side of things and today i'm super pumped because i'm actually building my own program so i'm accountable for my own cyber security 
program at a fairly large uh manufacturing uh facility here in the united states so uh definitely different challenges uh but it's good in in my side time uh which is always cracks me up i adjunct faculty at a citadel military college in their cyber science and computer science department and i run simply cyber which if we get some time to talk about that or maybe some viewers are familiar with it's a youtube channel designed to help people make and take a cyber security career further faster and for me it's actually quite delightful because i love it so much that it's basically my hobby but people are getting a lot of value on it so i get to i get to claim it is like a job you know yeah and by the way that's an amazing intro as well i think we have uh one of your uh i was gonna say supporters and fan fan folks here as well hi jax yes thanks jack appreciate that jax is wonderful yeah yeah uh and i i wanted to get into a bit more about the grc space because i mean i i must say if if someone does a youtube search in grc i'm probably on the internet as well it you you just dominate that space man it's like it's almost like every time it's gerald coming in i'm like okay i never need to get this guy to talk about grc so for people who may be listening in and probably have never heard about grc what is it and i mean i guess is that like let's just start with what is it first let's just go with this sure yeah so grc is an acronym it stands for governance risk and compliance and effectively you know any any cyber security program that is you know effective for any organization i don't care if it's small medium or large you just have more bodies to throw at it and bigger challenges to deal with honestly you need governance risk and compliance it may not be called grc it may just be like implicitly there but effectively it's it's the tone the governance piece is kind of the tone and attitude of the organization what is acceptable behavior are people allowed to install any 
app they want on their endpoint or is it a complete you know draconian law like nothing happens you come in and that's it that's governance how how does this work risk is uh well let's do compliance because that's super easy compliance is some organizations are held to some standard right hipaa for health care um you know federal government has fisma and some other things compliance is effectively for whatever regulatory external body is imposing regulation or standards on your organization that you are complying with them now it's important because if you don't comply with them in a very popular one is the payment card industry pci if you don't comply with the pci standard the credit card companies will not allow your business to take credit cards and in 2021 you know a lot of businesses that's the only way they take payment right so you don't want to upset that group so you need people making sure that you're complying with it and when auditors come in so that's the compliance piece now the risk one i would argue is almost uh equally important to governance if not more important is organizations don't have infinite money in fact it's actually quite hard to get money from the organization to invest in cyber security programs because the better we are at our job the less is actually happening it's a very perverse uh incentive to like strive so hard to have nothing happen and then go and ask for money to keep doing nothing right you know that's not what's happening behind the scenes but that's what's the appearance to the business right so risk is about identifying where are the you've only got five bucks a sheesh right you've only got five bucks and your your car is kind of messed up and you're kind of hungry and you don't have any plans tonight so what are you gonna do with the five bucks what's important is it important to eat fix your car be entertained right you're probably gonna go with eat there but it's still a logical decision that you walk through you 
probably don't even think about it when you make decisions but almost all decisions we're making are risk-based decisions you're running into the bank do you lock your car or you forgot to lock your car do you run back and lock it or not well no cause i'm only gonna be in there for a minute in this pretty safe area you just made a risk-based decision amplify that up to an organization and that's what a grc analyst does uh and that's basically it now i will tell you that i am kind of the person in the space talking about it but it's because it's it's less uh i don't want to say less sexy right but like the the red side has notoriously always been known as like the cool side the dark hoodie you're breaking into stuff doing cool stuff the blue side has kind of amped up itself in the last maybe four or five years to be more prominent and having more solutions and more training and more just visibility right and now purple teaming is like joining forces like wonder twins unite right and grc is like over on the side with like you know pushing the glasses up with their little clipboard and it's like hey what about me right so no one's giving the grc people some love and while i do stuff on simply cyber for red and blue i do make sure that that grc group isn't marginalized and they get wrapped up yeah yeah and i think i i can definitely relate to that as well and i do want to get into the youtube video side of things as well because uh for for me i feel like i i'm doing the same for cloud security and it it's it's kind of like it's not sexy as pen testing or going bug bounty but it's definitely something uh which is still i guess gets people jobs make helps people pay bills and i there are people who are passionate about it as also nothing wrong with glc but it's just i'm glad someone's talking about it man and i'm glad you also mentioned the fact that the uh how do i put this uh you you mentioned the importance of it as well like all of us make a risk-based call every day 
like that sharp turn that you might take which might be a bit more uh faster than what you would have thought it would take it as that's a risk all as well but um is is the importance of grc more from a perspective of say protecting against uh i guess bad guys or girls or is it more around the fact that hey this would help me sell more because i'm because there's two sides to that story as well but if you're a startup uh a lot of grc uh focuses more about hey how do i get a compliance so i can get that next next customer and i know you do some spa work in the smb space as well so is there importance different between grc in a smaller organization versus a larger organization uh yeah because i mean you have less cycles less manpower to apply at the smaller organization i i would say that yes for organizations that haven't really experienced any type of pain meaning an incident right they are seeing it as a business enabler right we want to do business with walmart right walmart's a massive player we want to do business with amazon massive player in the space walmart and amazon are not going to negotiate terms with you they're going to give you the terms and you're either going to accept them or you're not and if they say that you are going to do x y and z and this isn't even a compliance standard this is like walmart's compliant like you will comply with these right if you can't tap into that market that's a huge amount of opportunity that you're leaving on the table and obviously you're going to do the cost evaluation right well it costs us what what's the cheapest i hate this question but what's the cheapest we can what's the cheapest we need to get compliant like let like let's make it you know stand it up and make it look compliant which there are ways to pencil whip uh compliance and have minimum compliance right but i always say ashish like maximum compliance equals minimum security you should never be striving for compliance that's that's it's it's a 
dangerous road it's like i always tell people like these small businesses okay yeah yeah you can drive on the highway at 100 miles an hour you can do it you can do it all day long you can do it without seat belts on you don't need a seat belt but if there's an incident you are going to be very happy that you have that seat belt on it's it doesn't prevent you from going 100 on the highway it protects you if there's a problem and the chances of a problem happening are unpredictable right there's some metrics we have some yeah actuarials and stuff like that but i can't tell you with certainty it's going to happen uh so do you invest in seat belts or do you invest in like a ping pong table you know in the break room for like because you're a tech startup in austin right so yeah so anyways yeah i could flip out about that all day long i get you man but i i just want to quickly acknowledge some of the uh supporting some of your supporters as well uh hello jack and so jack's mentioned i'm security expert quinn michael is on youtube right now as well there you go we have no more that's pretty awesome we've got more people joining including my dog with his part in the background i'll have to check out so is jack beanstalk are you saying that quinn michaels is also a cyber security person that's talking about the grc space as well i i mean yeah i'd be curious yeah yeah uh cool and i think i've got george talking about uh he appreciated the non-marginalization as well yeah definitely i think a lot of people expect or are thankful for that uh i hear so jax mentioned i hear people say this tolerance and then they talk about risk level what's the difference or are they interchangeable oh that's a good should i take it yeah sorry but for you i mean yeah no that's a that's a great question jax i i i hear you so um risk level i feel is like a quantifiable thing that you can say like you can assess your program against whatever you want like so i'm a big advocate of this cyber 
security framework so you can uh you can take the framework you can measure yourself against it and qualify as this is your risk level right like where we're you know it's uh medium risk right which you should never distill your overall organization risk to like low medium or high that's like insane but you can you could break it down further obviously and then what is your and then so then you take that as an input into what is your risk tolerance and risk tolerance is where the rubber meets the road listen we are don't have mfa and phishing is getting credentials all the time like it's it's a major risk is your tolerance are you willing to invest in you know 32 bucks per user per month for azure mfa in order to eliminate this risk and and then it becomes a financial question for the business and it's their risk tolerance right we always talk about appetite risk and that's like the most nebulous thing that no one's ever been able to define but like when you say here's our problem here's the likelihood of it happening and the probability right that's how we get our risk what's your tolerance for it are you willing are you willing to get that call in the middle of the night or would you prefer to sleep peacefully it's it's i so not not to pivot too far sheesh but like there's a main thing in our industry about who owns who owns cybersecurity risk the ciso or the board or the ceio or ceo and i always say my job as a ciso is i am there to advise yes i have some ownership of it but at the end of the day i'm an i'm a very specialized consultant who is there to advise i you know i can make a strong case on why we need mfa but at the end of the day um unless i've got my own budget and they're gonna you know allow me to do that it's a business decision right and that and to me that's the difference what are your thoughts yeah i think i agree as well because i think what i'm just trying to think about so as a cso a lot of the budget that i get as well is primarily focused 
more on operations uplifting the security or i guess maintaining the risks a lot of times maintaining or reducing the risk that's pretty much and two i'm sure you'll agree you can never get at zero risk everyone has a risk register that's filled with yeah i'll just say at least 10 plus items in there on an ongoing basis that they're reviewing and ongoingly working on right so that's that's acceptable but to your point that's the risk tolerance that they're going with oh this i can tolerate having 10 high medium or low and i know we're going into a bit more technicality for people who may for entry level perspective but yeah i definitely find that it's an easier conversation to ask for more money when you when you understand the risk tolerance of the organization and if you see something and you go oh actually you know what that can be solved by mfa but i know that you guys would love to secure this and mfa is the way to go there's nothing else that we have in our arsenal that's going to help us so 100 with you on that one and i love the answer about the difference between the level and the tolerance because probability is something which is really interesting it's different for different people like what's the probability of it's going to rain today like i don't know like like it's kind of like a finger in the air thing as well a lot of times yeah very subjective yeah yeah and i think to your point uh i'm sure you guys do this as well where every risk is attached to a monetary value if it's a high risk it's going to cost me 10 million dollars to solve it am i am i willing to take that or um i know i'm i can take a million dollar risk but not a 10 million dollar risk i think do you find that that's helpful as well yeah i find it it's sometimes difficult to qualify to quantify with financial i mean in some instances you can say this will result in production downtime like ransomware is super easy right because if things go down you can say how much do we make a day 
in revenue and then multiply it by six days which is the typical ransomware downtime all right so i've got a nice easy number but it's hard to say like what's the financial impact if we lose exchange for a day right like you can't email well you know we've got phone like it's very it's very squishy very quickly yeah actually that's an interesting point because um even that's an arbitrary number that you're kind of pulling up suddenly oh i guess it would be a million dollars what is it what do you think gerald oh yeah i guess it would be a million dollars let's put that in so it's just it's more of an agreement of like it feels right yeah and i'll just as a pro tip for for the entry level people who are tuning in like any time you bring a quantifiable number to an executive they're going to ask you where that number came from and you're going to have to be able to defend exactly where it came from yes so finger in the air you better have some like little footnotes to support the the ashrae yeah yes some kind of understanding kind of like what you mentioned with like twenty dollars per user outlook if outlook goes down we have 500 users that's 500 into 220 like we come up with a number after that but i just want to quickly uh i hope that answers your question jax but that was a good question uh and so jax loves it when you go into rant yeah and robert loves it because that means he's extra additional content that he doesn't have to pay for yeah it's just it's too much passion it's just passion it's just oh my god uh i've got a question from tesla what leadership skill do you think is more critical for security practitioners hmm that's interesting uh well it's kind of tricky right like so are you talking about like from leadership when you say the word leadership i think of managing down right i think of leading my team so from that you know kind of qualifier of what you're asking if that's what you're in fact asking i actually think communication and communication is 
important both up and down but communication to actually uh lead and provide for your security team right so technical skills are great but they get rusty if you don't use them uh tech stacks change maybe you switch jobs like yeah the concepts stay the same but you got to learn a new tech stack and stuff but the way that you engage with people and the way that you can unify a team towards a common goal that is incredibly valuable because i don't care how good you are um you're going to be more effective with with a team that's all rowing in the same direction right and you know that that's that's that's for me um what i think a critical uh skill is for leadership and i know it doesn't really it could be any industry right it could be cloud it could be i.t it could be anything but i think it's so important to understand uh what is important to the people and what do they need to do their job like that's that's how i see leadership skills yes i think it's pretty and if i can add something to it because you touched on something really interesting earlier where it was more about understanding the business and the risk tolerance as well a lot i feel like a lot of at least security leadership if you were to kind of put that or hat on a a lot of that comes down to an organization would not spend too much money a if you can't explain the risk properly and b if it's not something that they care about so you having an understanding of the business like you a walmart example they would not care about the latest cloud technology because unless it's actually helping them say deliver uh goods faster to anyone who's ordered online today they do an amazon thing like next within an hour the thing is outside your house like if you tell them that they would oh my god yes sign me up but if you tell them like oh it's a massive cloud technology you would do this amazing thing it would just be like uh roses and petals everywhere and on your website like don't care about that right you 
know what i mean like with the business understanding yeah it doesn't it doesn't like it doesn't translate directly to revenue uh like i mean maybe you could make a case for it but you'd have to really refine that elevator pitch on on why it's gonna uh you know be that way but we're we're a kind of a cost center right now which basically means we don't generate revenue we're just like an expense that the business has to absorb but we're changing that we're changing that we're also seeing it in um insurance cyber insurance space so like every business right now wants cyber insurance because that's how you protect yourself from ransomware and a lot of cyber insurance and companies have gotten burned uh because of those policies coming due so now it's like what what's your security posture and if it's not up to snuff they they won't even write you a policy they won't even talk to you so you're almost motivated and incentivized from the business at that point the business comes to you and says we need these four things please do it and you're like how do you even know where my office is like i've never seen him down here oh i think he agrees with what he was saying as well uh tesla but i i think i just want to quickly add something there because i think uh i've been lucky enough over the last couple of years that i've been running the podcast right i met at least three csos who who changed that whole call center conversation for me and i it was amazing i definitely shared with you so and i love where this is going uh anyway i want to come back to entry level as well yeah i'm sorry for for the audi this is good stuff though but please go yeah yeah because yeah this is still information that you would appreciate as a as an as a uh as someone who's been consuming content in this space uh i met three ceos who made uh their companies deliver security products like one was akamai's cso he made the company realize hey we are more than a website delivery service we could be a 
a service on top a security service on top of it and then i met the snowflake cso who's made a data security as a thing like they actually offered that as a service so that was really interesting examples and i'll definitely encourage people to go check out uh as a as someone who's already working in an organization if there is something that you feel is a security product and if you i guess present a good enough business use case to the organization like hey you can make money like this as well to the by giving more value to your existing customers and i'm like oh my god like so we're no longer a cost center at that point we're actually revenue generating at that point because security product is a is a product suite in the business at that point but i want to stop there but i'll get you a quick quick thoughts on that uh and then you can come up with come to the next question what do you think of that no i think it's completely uh awesome it's tough though because like that can be done in the big tech space pretty easily but other industries i'm just thinking myself manufacturing like i can't i can't add a cyber security widget to a ball bearing like you know like it's like it's it's not that would be interesting though but yeah it doesn't translate as well but but uh to take it back to entry level grc i just for the people in the audience as we migrate back into those uh conversations the questions were talk answers were given and the discussion we're having is starting to paint what i would argue is like a full scope picture of the cyber security program and as you get that entry level role you're going to be asked to do a couple things and i hope you do them well but don't you know you won't have your head down the whole time if you look up you'll see these things that we're talking about and that once you figure out where you sit in the bigger picture you can start actually you know expanding your roles of responsibility figuring out what you actually like and 
starting to level up so there is a lot of value in these conversations 100 percent and i think uh you we're kind of uh we can definitely answer tom's question as well just came in as well uh what would an entry-level grc analyst expect to do i would think the company policies would come from a senior manager yeah so thanks tom uh you know tom's member of the simply cyber community so it's good to see him on this welcome tom yeah so an entry-level analyst what you're going to be doing is um i don't want to call it grunt work but like like a lot of the stuff that you you're saying the policy would come from the senior manager yeah so the policy probably would come in like a rough format and then the senior manager might send it to you and say hey listen why don't you run this up against like a couple different industry best practices industry best practice policies see if there's any gaps see if there's anywhere we can collapse it down you know think of it like a perf like a a a professor and like a grad student kind of like that way where you're doing or um you know a mason and a mason tender like there's the crap there's the artisan and then there's the person who's like apprenticing essentially from the artisan i i would argue that's kind of like what entry level grc is also um there's a lot of documentation on the on the grc side so you might get someone who's like all right we need this this and this and then you go off and collect those artifacts because when you're trying to put together a system security plan which is a really important document that outlines how your program is built and actually implementing and when an auditor comes if you can hand them one of those they like give you a high five and buy you a cup of coffee right so that but that's like 200 page document 300 page document depending on how big your program is what it's based on a million other factors so by um you know an entry level person you might i might say to them hey listen we're 
going to be doing an enterprise risk assessment for 2022 we're starting to plan now i'm going to schedule all the meetings i'm going to schedule all the work for you so you don't have to understand the scope of our program what i need you to do is take this you know checklist or audit list or punch list or whatever and i want you to go talk to the people that i set up the interviews with i want you to get their answers how are we doing this i want you to get evidence artifacts and stuff like that i'll meet with you weekly uh because i'm working on other things and we'll meet weekly i'll keep you online keep you on track and and basically that's that's how you should be going through it from a progression perspective because you go through those a couple times and then yeah i'll still meet with you but you really don't need me to tell because when you come meet with me it's already sorted out the way you are and now you've moved into like a mid-tier analyst basically where you can go off and hey we're get we got upcoming like iatf audit here's the standard you know the drill go for it and like it's a complete standard that i'm not even familiar with but i'm i've got confidence that your mid-tier oh by the way congratulations on the promotion tom because now you're going to be running this project by yourself that that to me is what entry-level grc analyst work could look like in most organizations that's pretty that's a great answer and hope that answers your question as well tom a quick comment from josh uh i've seen pretty details our security question is and yes some will deny coverage if answers aren't sufficient yes that's true as well uh i've got another question from tesla have you noticed how stringent these policies are now have to be tired to some regulation of framework or they pass on you yeah i think he's talking about insurance policies yeah they they really are uh there's there's it's a you know insurance companies aren't printing money they're you 
know trying to hedge between the money they take in and the amount that goes out and they get a little margin for themselves right or a lot back in the day and and these these new ones like if you don't have mfa for example like good luck you're either not going to get a policy or your premium is going to be so ridiculous that it literally would be cheaper to just get ransomware and pay and pay the ransom you know what i'm saying oh my god which is a perverse thing to think of but again let's think about it from the business perspective the insurance policy is a hundred thousand dollars and it has a 250 000 uh deductible right so you're in for 350 before you even do anything the average ransomware or let's say business email compromise because i know that number off top my head the average b business email compromise is about seventy thousand dollar hit right so you could absorb four of those hits before you ever get or five before you even get money out of your policy so what do what what would you rather do pay for it and then hope you don't get hit six times or just take your chances and and you know any any any business person is going to say if that's the numbers then we don't need the policy or we don't need mfa good luck you know yeah yeah hundred percent i think at your point it'll come come back to this tolerance as well at that point whether it's worth spending the money on it as well yeah and he just confirmed yep it was definitely the insurance question that he had yeah what another question from jax how could someone gain the appropriate education around glc and move into a risk management position yeah so that's a great question and as we mentioned at the beginning if you weren't here grc the r stands for risk and it's the one that really helps the organization make decisions on where to invest and what controls to make and what projects to fund and what what's our fy 22 projects right um i will i will say uh i don't know how you feel about this 
association. I've angered some people in the past, so let me qualify this: blue teamers and red teamers can become CISOs, okay? So I'm not discounting you people, all right? Most CISOs grow out of the GRC tree, because the CISO's job is GRC. It's just GRC. Most CISOs aren't hands on keyboard, like tuning SIEMs and stuff like that; they're doing GRC stuff. So I just want to tell you, if you decide to go the GRC path, if you're interested in CISO, that's a very accessible path for you. Now, as far as getting exposure and experience, like I said before, there isn't a great, cool, flashing-lights kind of training platform or cyber range for GRC. GRC is much more about... well, the governance one you can't even really train on, because it's more of an attitude of an organization, and the organization is kind of a living organism that takes on the personality of the leadership of the company. That's what governance is, so you're not going to get any training on that; that's actually just called life experience, and unfortunately you've got to walk that walk, and you'll get it. So, real quick, and then I'll get your thoughts: with risk and compliance, what I would suggest you do is, I know this sounds bad, but read the NIST CSF, read HIPAA, understand what these standards are. You're going to start seeing a lot of, not redundancy, but you're going to see that they have a lot in common. And then you can begin to look at yourself, look at your own lab, look at your own home, look at your business at work, whatever, and start thinking through where the risks are, and then you could do like a fake audit. So that's how I would approach it.

That's pretty interesting, man. I love how you mentioned that the blue team and red team can also become CISOs.

That's true, yeah, 100%.

And that's funny, because I came from a technical background into
my CISO role, and what I realized was, if I did not pick up those GRC skills along the way, I would not be a great CISO.

100%.

If you just did, I don't know, for me personally, I did a lot of migration to cloud, helped a lot of my enterprise get into cloud, did security architecture, did some SOC work. That's all very technical, right? You go into that space, but what you realize is, after a certain point, or at least in a... I don't use the word hierarchy, but there's a bit of hierarchy in that space, where once you get to that CISO position no one's really talking about what's the best SIEM out there or what's the most you can do from the SIEM. The questions are more around: I am Walmart, I want to release this product tomorrow, do you see there's a risk in doing this, what do you think is the technical risk? And you go, ah, the SIEM solution said it smells amazing, so I think it's amazing. So I definitely bring it back to that, because I 100% agree with you that yes, you can come from a red team or blue team and become a CISO, but you still need to have that awareness of GRC, and you definitely need to work with either a compliance team member or you need to know compliance yourself, because most organizations out there are required to fulfill some kind of compliance requirement, whether it's PCI or whatever. So a hundred percent with you on that one. But I don't know if there's an official stat on the percentage of how many GRC folks become CISOs versus the technical folks who become CISOs. That would be really interesting as well, if you actually know of one.

Yeah, it would be interesting. Maybe I'll try to... David's video on that. Yeah, David Spark sometimes replies to my text messages or DMs, so maybe I'll message him. He's got like a huge CISO audience, so maybe we can get that poll.

Yeah, for sure, maybe we should ask him as well. Awesome, that was an awesome question as well, Jax, thank you.
Erica: a lot of learning, coordination, information gathering, mapping to frameworks, internal self-assessment. Oh, I think she's referring to the analyst question that we had, for what's the day like. Often the liaison between the external auditor and the internal teams as well. Yep, that's another good one. Actually, she has a question as well: what's your advice for entry-level GRC analysts when it comes to prioritizing learning specific frameworks or tackling certifications?

Oh, that's a really good question. So I always say Security+ is a great place to start, because no matter what you end up doing, it's kind of industry recognized as your entry-level starter certification, right? Not to favor one company or another, but that one is... it depends where you want to go, right? So you say framework: I'm an advocate of the NIST CSF. If you're in the European space, I think ISO 27001 is actually still popular for some reason.

Oh yeah, Australia as well, same, 27001.

Yeah, so it depends where you want to work, right? And then, to take it to Ashish's space right here, even though it's GRC, it's a framework, right, but cloud is so huge right now. I don't know what Microsoft did, but a few years ago Microsoft decided, oh, you know what, we're going to be serious about cloud, and if you look at the adoption rates of Azure right now, it is massive. And as OSes phase out and identity and access management becomes more and more paramount, and the integrations with other third-party vendors, SaaS vendors and stuff like that, and the ability to use your own identity or your organization's identity, everybody's just moving up into Azure. It's easier and it's kind of cheaper, which again, going back to the business, is going
to be the case. So even though it's not really a framework, I would encourage people to check out Azure specifically, and if you go to, I think it's... you can actually drop into an entire space that outlines how Azure is complying with all the different standards. I mean standards I've never even heard of, and they've got them all in there, and you can just read all of it and absorb all of it. And if you go through kind of the Azure training, which is also free, you can actually set yourself up for a pretty easy sell on yourself as an entry-level GRC analyst, because most people do have some level of need for GRC work, right, especially at larger organizations.

Yeah, and just to add to that as well, it's amazing how many people still don't know about cloud. I think there was a stat that came out that only 43 percent of the enterprise have migrated to cloud, so there's 67 still remaining, or 57, or whatever the remainder to 100 is, that still need to kind of jump on this and understand the flaw. So if you're a new person who's starting in cyber security, you have the framework understanding from a NIST perspective (I'd love to hear your thoughts on CMMC as well, but NIST, so you have an understanding of NIST), and you come in with, say, some kind of free learning that you've covered with Azure or AWS or Google Cloud, and that company is already looking at migrating into it, that's a great space to be in, because you have the context of the environment before you even walked in. So interview questions would just be like, oh yeah, I can talk about Azure, I can talk about Google Cloud, or I can talk about AWS as well. That'll be amazing. But I do want to talk about CMMC, because I love Erica's question about the framework: would you consider CMMC as something that's important as well? I know we spoke about ISO 27001 and, yeah, SOC 2.
Tom mentioned SOC 2 as well, there it goes, that's pretty interesting as well. Another one: so CMMC, what is it, and is that relevant for an entry-level position?

Yeah, so this is an interesting time for you to ask that question. I literally just posted a video on my YouTube channel, Simply Cyber, for those who weren't here at the beginning, last Monday, and it was called Next Demand Job, and I basically lay out a case on why CMMC is going to be an area of high demand for job opportunity, and it's a complete GRC role, right? I won't go into too much. I actually did a live stream a couple of days later on what you would do, like, okay, so here's the job, but here's what it's all about, 50,000-foot, kind of like a little taster, amuse-bouche if you will. And then I did a live stream where I went into an actual audit plan that I found, and I went through it and I was like, this is what this control... this is the scope of the audit plan, this is what CMMC is, this is what you would do if you were going to audit a company or if you were going to do prep work for a company that needed to get audited. Now, what people need to know very quickly at a high level is that CMMC is a standard set of security controls that the US Department of Defense is going to require of anybody winning new contract work with the Department of Defense. Now you might be like, I don't know anyone that does work with the Department of Defense. The reality is lots of companies do business with the Department of Defense: manufacturing companies, Department of Defense consulting companies, Department of Defense healthcare. Like, they're everywhere, okay? And if your entire business is hinged on doing work with the Department of Defense, which has a multi-multi-billion dollar budget, and that's how you feed yourself every day, this thing is going to stop that unless you can comply with it, right? So now it just got put to the forefront of everybody's list. Like, I just took a new job in April of
this year, and every job I interviewed for, every single one, said, what do you know about CMMC? Some of them had nothing to do with anything.

Yeah.

And, I mean, I've got experience and it helped differentiate me, but they all asked me. It was all on their radar. So I can see it coming, I know it's coming. They haven't started requiring it, but it's going to be required in 2025 ultimately, which is when you bid on the contract. You need to get audited and stuff before that, 2023 probably, because there's not a lot of auditors. And if you've ever been to the DMV, I don't know if they have the DMV in Australia, but if you go to where you get your license and stuff like that, or you go anywhere and there's only one window open, you've got to wait in the same line as everybody else, right? So if there's only a couple of people who can do the independent audit that is a required step, then companies are going to be like, oh crap, we've got to get in line now. So a lot of businesses are ramping this up for '22's budget, '23 if they're behind the curve, and stuff like that. So anyways, long story short, this is a huge golden opportunity. I'm telling you, I'm a strong buy on CMMC GRC work, Ashish.

I would definitely encourage people to go check that out as well. I think Tom mentioned over here about the Azure resources as well: Azure Governance and Azure Blueprints will help guide you in your GRC policies as an administrator as well. Thanks for that, Sean, that's actually pretty interesting information. And Erica sounds like a LinkedIn poll... this is our CISO question, I think. Yeah, who would get it? So I definitely think it's easier for either a LinkedIn question. Thanks for that, Erica. You touched on interviewing, and I think that's an interesting one as well, because you're probably, I guess, someone who creates videos but also does work in the industry, kind of like me, which is really interesting, because a lot of people, when they reach out
and they talk about, hey, how do I differentiate myself in an interview because I don't have any experience, right? And I often talk about the fact that, what are you doing outside of just studying in your college or university? And I'm keen to know from your side what has been your advice, and has YouTube been something that people can actually utilize as well, considering you're in that space as well?

Yeah, so I always tell people that when I look to hire candidates, there's a set minimum thing that they all have to have. They all have got to have some experience, maybe a cert, whatever, it's a mixed bag, right, but you kind of weigh it up. But then it's the key differentiators, and if you have demonstrated initiative and proactivity, for me that is a huge differentiator, because in our space of cyber security there's a lot going on, and with all due respect, I will bring up someone who's entry level, I'll mentor them, right, but at the end of the day, I can't handcuff myself to you and do your job with you for 40 hours a week for like three months. There's just too much going on. So what I need people to be able to do is take initiative, take some guidance, reach an obstacle and then come back to me, as opposed to being led, right? I need them to come back to me for additional information and move forward. So if you're doing things like taking initiative, and it can be manufactured in many ways, right, so the home lab is the classic example. But I had a candidate that I hired, the last person I actually hired, I said, oh, what's this right here? He said, oh, I really wanted to work in the cyber security space, I'm a network engineer, I couldn't get in the job, so I created a mentoring program at my company for everybody, and then I put myself through the mentoring program and got aligned to the CISO, and then eventually got mentored by
him, and then I got a job on his team. So this dude wanted a job on the cyber security team so badly, and the only way to get it was to build a program for the entire company and then put himself through the program. I mean, it's ingenious, it's very smart, and he achieved his goal, and he did it on his own, you know what I mean? That level of initiative is cool. But to your point about kind of branding yourself, right, we talk about YouTube. We often say that networking is the most important thing, right? So initiative is very important, but how do you find the job, how do you do all these things? Networking is more important than anything, okay? I've had seven jobs in my life; four of them I did not apply cold to, right? No one gave it to me, it wasn't a spoils system, I earned the job, but I didn't go through the front door, okay? So how do you network, how do you brand, how do you define yourself, right? So you said YouTube. We mentioned at the onset there are not a lot of people doing cyber security on YouTube. There are some really well-known people like NetworkChuck, and Heath, The Cyber Mentor, has got some stuff, and John Hammond. There are some really impressive people out there who are doing a lot of great for the community, but I challenge you to name 20 cyber security YouTubers, right? I think you might have a tough time. So this is like an untapped area that you could totally get into, but I want to preface it by saying that it would be more impactful than a blog post, right? But you could run a blog; it's your level of effort and time and energy, right? So YouTube: there's lighting back here, there's this camera, there's this microphone, I've got all this stuff going on, right, I've got editing the videos, it's a lot of work. So then you take it back, maybe you do a podcast. It's just your voice, it's less work, you can still socialize, you can talk to
guests, which, like, Ashish and I had never met before, I've seen his content, now we're friends, right? So we've networked. And then you could go down to a blog, and then you could do other things. And one thing that we were talking about right before we went on stream here is TikTok is a massive, massive platform, right, and the level of acceptance for audio and video quality, I would argue there's a higher level of tolerance on Instagram and TikTok than there is on YouTube. I regularly get... this is a 1080p camera; I have videos from earlier in the year, before I got this camera, that are 720, and I have people comment to me all the time, they're like, bro, 1080p or nothing, get a clue. I'm like, did the video help you or not? So people give me a hard time on YouTube, but with TikTok I feel like you could do 60 seconds. I'm just coming up with this on the fly: one thing, if you're really pushing yourself, do a video of one thing you learned every single day in cyber security, right, and make that what your TikTok is. 60 seconds, turn the camera on, what'd you learn today, what'd you learn today, do you want to learn with me, get people in the comments, have them chime in on what they learned today, start a following, get involved. There's a lot of opportunity, and at the end of the day you're reinforcing your own learning, which is important, your networking, which is arguably the most important, and you're kind of giving yourself a third dimension, right, other than just grinding on certs and stuff like that.

100%. To your point about the networking piece, especially in an online world where a lot of people are living, where there's not many networking conferences or meetups that you can go to, it's only online events, a lot of people are doing YouTube searches or Google searches for people, so if
your blog or your podcast or your video comes online and you go, oh, I wonder where Gerald is from, oh, I wonder where Erica or Tom and all these other people, who are amazing people just asking us questions, where are these people from, and they're creating content, and oh, they're local to me, or maybe they're in the same state or they're in the same country, I can definitely work with them, get to know them better, maybe even hire them if the opportunity is right. I definitely feel there's a lot more opportunity for, I guess, online networking, quote-unquote. I love the TikTok idea as well, by the way; I feel like I should give that a shot as well. But I am mindful of the time as well, and I'm mindful of the other people's time as well. I did have three questions, though, which are just fun questions towards the end that I normally ask people.

Okay.

And the non-technical questions, just to get to know you a bit. It's more like, so what do you spend most time on when you're not working on GRC and technology?

Like at work, or like in my private life?

You can pick either. It's more your personality, I guess, so you can choose your personal side.

Oh yeah, I mean, Simply Cyber is like a hobby that I take a lot of individual pride in, and I don't want to say I'm a perfectionist, but I like improving. Whatever I'm putting myself into, I like to improve on it, so the YouTube has given me a lot of satisfaction in that. But I will say I'm a happily married man and I have children, so family time is very important to me. I actually made tacos tonight for Taco Tuesday, and that experience, yeah. So doing stuff with my wife and kids is really good, and I will tell you, I'm terrible at it, but Fortnite is the game of choice here at the Auger household, so my kids are always showing me or schooling me on the
platform.

But, you know, Fortnite, yeah, I can definitely get some lessons on that one. People are saying thank you as well; thanks, Robert. So what is something that you're proud of, but it's not on your social media?

Oh man. So something that I'm proud of: I have been to the South Pole. Like, I've sat around, really physically sat around, the South Pole, like Indian style, so I was in every time zone all at the same time. Yeah, and no one really knows that, but it happened.

Wait, so is there literally a pole at the South Pole as well that we just go, this is the point, this is the South Pole point? Is that like, yeah, that's it?

So there's two poles at the South Pole. There's the ceremonial pole, which looks like a barber pole and it's got a gold ball on it, and then all the flags of the countries that are involved. That doesn't move; that's right outside the main building, and that's where people take pictures and stuff. Then there's a pole that they reset every year, because the South Pole is actually a magnetic south pole, so Earth's rotation changes and shifts and stuff like that, and they have to recalibrate it every year. So it's kind of funny, there's this big fancy ceremonial piece, and then way over here there's just a stake in the ground with this special gold thing on top that they change every year. That's the one I went and sat around, because it was truly every time zone at the same time.

Wow, okay, well, I definitely need to put that on my bucket list, for things that I do when Australia comes out of lockdown.

Well, hey, can I just tell you really quick: GRC took me to the South Pole. I went down there to audit the National Science Foundation's research laboratory against FISMA compliance in 2008. Yeah, 13.
Yeah, oh, there you go, so you can travel with GRC as well. Everyone listening and going, oh, I would love to do the South Pole, maybe get a GRC role as your first role as well. That's pretty awesome, man, and it's a pretty amazing story as well. Last question: what's your favorite cuisine or restaurant that you can share?

Oh, so I'm actually a huge curry fan. I don't know if I've ever said this on stream or publicly before, but I could just eat curry for the rest of my life. Typically, if we have... I make a good butter chicken dish I'm very proud of, so if we have butter chicken, I always make extra sauce, so then the next day I'll make a breakfast sandwich slathered with butter chicken sauce, and then that night I'll make butter chicken pizza with the sauce. So yeah, curry is my jam, or korma or vindaloo or whatever you want, but basically kind of an Indian gravy-based cuisine.

That's pretty awesome, man. Yeah, well, and I find people are enjoying your South Pole story, by the way. Tom enjoys it, Jax loves it as well. By the way, Jax mentioned hers is beer, if it was food; that's the favorite cuisine. Thanks for that, Jax.

They used to feed it to kids, right, during the, oh god, the blight or the black plague or whatever.

Yeah, I think in Ireland they even came up with a slogan that Guinness is like a healthy food, so a Guinness a day keeps the doctor away or something.

Yeah, apparently it's quite... I mean, it has a lot of protein and a lot of minerals and whatever.

Oh right, okay. Yeah, apparently they were even giving it to pregnant women, and I'm not going to comment on that, but these are rumor mills, man. But I'm pretty sure Guinness is definitely considered a healthy drink, let's just say that. And this is a practice from
way back in the day, definitely not encouraged right now, so if anyone's listening in, please do not consider...

I was going to say, can you imagine going to work with three Guinnesses in you and you're like, I just had a breakfast, it's healthy?

Yeah, it's my lunch bag with three Guinnesses. I think it'll be really detrimental for your health if you just keep doing that, let's just say that. So I'll leave in that message so people don't hear that first part and just go, oh, he said Guinness is high protein. I'm like, no, no, no, it's just an old wives' tale. For lack of a better word, let's just not, sort of, encourage alcoholism, but moderate and enjoy drinking, that's what I would say. On that note, I think we're towards the tail end, and I want to ask you to share where people can find you, because I really appreciate the conversation that we had, a really interesting conversation going from GRC to CISO, we had so much information in there, so I definitely would encourage people to come back and have a look at this as well. Where can people reach out to you, man, if they have follow-up questions or they want to reach out to you?

Yeah, so the easiest way to find me is on LinkedIn; I'm very overtly communicative on LinkedIn. I do have a Discord server for Simply Cyber that I actively engage with my audience on, or the people who are part of the Simply Cyber community, which I'm just another member of. So check that out. But if you go to Simply Cyber on YouTube, or, you know what, actually simplycyber.io, that website kind of is ground zero for Simply Cyber and for myself, and everything me and Simply Cyber is accessible through that site. So simplycyber.io is definitely an easy one to remember, and it's got everything. I will put the link in the show notes as
well, man. Thanks so much for coming in, man, and thanks to everyone else who joined us as well and asked those amazing questions. I think this weekend we have someone coming in from Atlassian, and next week we have someone coming from a SOC perspective as well, so we'll see you for those ones. But for the moment, thanks so much for this, Gerald, and I am looking forward to having more conversations considering now we have started. "I came here from the LinkedIn posting and now subscribed to Ashish's channel." Thanks for that, I really appreciate that, man. "I appreciate that, I love the bow tie as well, it's very fashionable." But thanks so much for coming, this man... I'll see everyone, hit subscribe.

Yes, thank you, I appreciate that, Tom. I think I will see you soon, my friend, but this has been really amazing. I feel like I can talk to you for hours, man.

Yeah, like we could probably have some of the people from the audience coming on as well to chime in, but thanks so much for coming in, and yeah, let's do it again sometime.

For sure, man, for sure.

I think I definitely feel I need to go more GRC on my channel as well. I've been doing a lot of cloud security; GRC is definitely something, especially for people who want to go down the CISO path, as you mentioned, that's there for you, but you've definitely dominated the space, so I definitely need to bring you back again. All right, thanks, Gerald, and thanks everyone else. I'll talk to you soon, see ya, peace.
Channel: Cloud Security Podcast
Views: 163
Rating: 5 out of 5
Keywords: Cyber Security Career - Getting an Entry Level GRC Role, Getting an Entry Level GRC Role, Cyber Security Career, careers in cybersecurity, cyber security for beginners, get into cyber security, simply cyber, gerald auger, cloud security podcast, cybersecurity, cyber security, information security
Id: KZrbBAGvhxA
Length: 56min 55sec (3415 seconds)
Published: Wed Sep 15 2021