CCT 082: CISSP Supplemental - Job Roles That Often Require a CISSP Certification

Oct 23, 2023

Promise to learn and a personal story: "You're about to unlock the complexities of cybersecurity and the CISSP certification, a sought-after credential in our industry. Walking you through this journey is me, your host Sean Gerber, sharing my two-decade-long adventure navigating the ever-evolving landscape of cyber warfare."

Painting a vivid picture of the cybersecurity landscape, we delve into the increasing involvement of hacktivists in geopolitical conflicts. We dissect the industry roles from Information Security Analysts and security consultants to Chief Information Security Officers, outlining their duties and scopes. The pivotal role of the CISSP certification, with its extensive security topics and best practices, is explored in depth to equip you with the knowledge needed to ace it. It's a dynamic, fast-paced episode that leaves no stone unturned: we've got everything from the technical aspects of security systems engineering to the skills required to be a successful security architect. Brace yourself for a deep dive into the world of cybersecurity, a journey that promises to be as enlightening as it is exciting.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey y'all, Sean Gerber with CISSP Cyber Training, and I hope you guys are all having a wonderful day. Today is, what day is today? Today's Monday, right? So today we're going to be talking about job roles. We're going to take just a little bit of a spin off of what has been occurring with Domains 1 through 8, because we actually hit Domain 8. So now we're going to start back over again, but before we do, we have some supplemental training that I'm going to put out there around job roles that do require a CISSP certification. But before we do, I wanted to just kind of throw out there an article I saw, and there's a bunch of them that are hitting the news lately, especially as it relates to what's going on in Israel and the Palestinian conflict that's occurred. Political stuff aside, and the terribleness that's happened with what's going on, it just blows my mind how quickly things have changed. One aspect that's come up that's interesting is around the hacktivists that are joining into this overall cyber attacking. So you've got both sides, you've got Hamas and you've got Israel. They're both attacking various levels of the infrastructure within those locations. And there's just a couple of articles out there in Dark Reading, and a couple of others as well, that the focus has come off the war in Ukraine and has now shifted to what's going on in Israel and that part of the world.
So it's just interesting how, in the past, you had countries that went against each other and you would have this Cold War that would occur between, you'd have hackers from the US that would attack hackers from China, Russia, wherever it might be, and vice versa. They would all go back and forth, a tit-for-tat kind of aspect. But now what's occurring is, when these ideological thought processes occur, if you want to go on the side of the Israelis, you will attack the Palestinians. If you want to be on the side of the Palestinians, you are attacking the Israelis, and it's just amazing how anybody can now get involved in this. The downside, obviously, is like anything in life: those who live by the sword will die by the sword, and you get into this fray. There's a lot of things that can occur from a fracture standpoint, where you can get pulled into aspects where you may not see the intended or unintended consequences for your actions. So it's interesting how they're talking here. The Jerusalem Post was taken out by a cyber attack by a different gang that had also launched one against a Tel Aviv medical center. So it's just interesting to see where the world is moving to and how. In the past it used to be government against government, army against army, and now you've got hacktivists all around the globe that are attempting to use their capabilities to move and sway people's situations. So just kind of very interesting, and I would just keep your eye on how that's going to play out in the future, as none of us have any idea. But let's move off of that. Something else is around the job roles that do require a CISSP certification, and I wanted to bring this up because part of CISSP Cyber Training is the mentorship aspect of it.
I want to help you understand what is out there and available to you in cybersecurity so that you can be successful. One of the roles that often require a CISSP, and we'll start off with the analyst and kind of work our way up through a list of various roles that are out there, is the information security analyst. And you can get all this on video. I've got this on video; it's at CISSP Cyber Training. Eventually it'll hit YouTube, but it's there and available if you want to go through some of the talking points that I'm putting on the screen. Information security analysts: they are responsible for monitoring and protecting sensitive data. When I started working, and I've been doing this for 20-some years, I started off leading a red team, working in a cybersecurity SOC, a security operations center, was an architect, and so on. I've done a lot of the different roles that we're going to talk about, not all of them, but a lot of them, and/or I've hired people that have done these roles throughout different organizations. So I come from a different kind of view of this, starting from someone who did not have any security background, realistically didn't have any understanding of cybersecurity, flew military airplanes, then got into security and built up where I've been in the past 20-some years, and so I'm coming at it with a different perspective than maybe the traditional way that you went through and got your information or your certification or your experience. So, an information security analyst: these typically are the folks that start off, and they're monitoring and protecting sensitive data, and they also help identify various vulnerabilities that are out there. This role will be in a SOC. It could be in health care, it could be in a range of different areas, but that's typically the entry level, between an analyst and an engineer, which we'll talk about in a little while.
Those are the most common entry ways into the cybersecurity space. But why is the CISSP required for an information security analyst? Well, you do need to understand a broad range of security topics and best practices, and this would be from monitoring, incident response, vulnerability assessments and policy creation. All of those pieces you will touch as an analyst. Now, you may not be the person that's actually responsible for those, but you will be helping craft all of that for the CISO, the director of security or maybe even the CIO, and so you will have to understand that. If you're in a small organization and, let's say, you have a CIO and you operate as a security analyst, well, you may actually even be like a CISO-lite, because you come with a level of knowledge and expertise that the CIO may not have, and he or she may rely on you to help with crafting your overall security posture and your security plan. So again, that's the security analyst. Is it required for a security analyst? In most cases probably not, but if you have it, it would be one of those great things to help get you in the door. Now the next one we're going to talk about is a security manager or a director. These folks are responsible for overseeing the security programs, managing the security teams, and they deal a lot within the corporate and government structure. A director can be the CISO. It usually depends on the size of the organization. That role may be dual-hatted, they may do both, and that is usually a leadership and strategic type of role and it can be backed with the overall CISSP managerial aspects. So if you get into a director role, the managerial pieces that we talk about in the CISSP will basically parlay very well into that space. Now a director will deal with strategic planning, team management, budget control and various compliance monitoring pieces. You will deal a lot with compliance.
If you're a security manager or a CISO, it's a lot, and you go through that path depending on the size of your organization, and if you're a global company, those will be areas that you will deal with. So the CISSP is pretty important for a director or a manager of security within an organization. The next one is a security consultant. Now, a consultant can wear many different hats. From one point of view, it can be a pen tester, which they're really not doing much with from a CISSP standpoint, other than maybe helping them craft policy, to, all the way up to, a security director or virtual CISO. Those people can do all different types of things. So having a CISSP would really be helpful if you want to be a security consultant, especially if you're dealing with various contracts. You may be dealing with security in one aspect around vulnerability management, and then the next gig that you get, you're focused on policy creation. So having a CISSP and being a security consultant, in my personal opinion, I feel that would be very valuable and it would give you a level of breadth and understanding that you may not normally have within the overall security landscape. So a lot of times what a consultant will deal with is client assessments, solution recommendations, implementation oversight and then training and awareness. So again, you will touch the gamut as a security consultant. I've got some friends that do expert testimony in the courts. So if someone calls up and says, hey, I need a security person to help me with this legal litigation suit, they will then be an expert witness and go in and provide expert witness testimony during a court proceeding. So there's lots of different ways you can be working as a security consultant. The next one is a chief information security officer. This person is responsible for, it's the executive-level management of the overall security program. Corporate, government.
They all have various CISOs and, like I said before, you could be in any one of these roles and be operating as a CISO, depending upon the size of your company and organization. I've got friends that are CISOs at very, very large companies, and they have a whole team of people working for them and they have monster budgets. I think JP Morgan's overall budget was like $200 million or something crazy like that. Or you can have a very small budget and be a very small team, a team of one, within a multi-level, or not multi-level, but a mid-sized, mid-cap size company. I know a company that had about a billion dollars in revenue, and in that billion dollars in revenue their CIO and their CISO were the same person, and they had a team of infrastructure folks, like four or five people, and they operated dual-hatted for that. So it just depends on the role and where you're going to go. Now, again, why we say the CISSP is required for a CISO: executive decision-making, stakeholder communication, obviously talking with senior leaders, policy development and risk management. All of those are pulled into a CISO, and it's important that you have that information, and that's where the CISSP really does come into play a lot, especially being a CISO. Security systems engineer. This is the step up, probably, from an analyst. Again, it depends on the company. Some companies will take the engineer as a starting role and the analyst is more of the secondary role. But just keep in mind that the engineer is more of the technical aspect. They design, they build, they maintain security solutions, and that is a really good place for you to build up people coming into your organization. Especially if they're technical, give them those technical responsibilities and let them run with it. The industries can be obviously any technology piece or the defense department. The engineers are more technical. Again, keep that in mind.
If you're working for a company where maybe you have infrastructure folks that take care of all of your technical pieces, then you need more of a policy or a monitoring aspect. That would be the analyst role. If you have a bunch of security tools that need a specific engineer to work on those, that would be a security systems engineer. Now, why would the CISSP be important for them? Because it does provide technical depth and understanding on how to integrate security into the various systems that are developed. They help develop security systems, they evaluate the effectiveness of the measures, and they ensure that the software stays up to date against any new and interesting threats that come in. I've dealt with security engineers that are handling your mobile device management plan, that's your MDM. They handle a lot of the upgrades, the patching and all the vulnerability assessments that go along with your various systems. So would it be required for an engineer? No. Would it be a nice to have? Yes. And so that would be a place where, if you start off as an engineer and you want the CISSP, now's a great time for you to start working on that. The next one is security architect. This deals with planning, designing and researching security elements of IT projects. It's usually IT, e-commerce and so forth. There's a broad knowledge base, especially around designing security architectures. This deals with planning, designing various security controls, extensive documentation. They deal with vendor relations. I was an architect for about six years and learned a lot during that time, especially around the overall security elements of the various IT projects. It helped me grow my base knowledge, especially around designing security architecture. I will tell you that it has moved so fast from when I was an architect that I feel like I'm behind.
I was listening to some things around the cloud and cloud security just yesterday, and I'm like, oh my goodness, I need a lot of help because it is way beyond me. Not beyond to the point where I can't figure it out, but I realize I have a deficit in that space, and so it's important that, since you can't be the expert in all of it, you have a good knowledge and understanding of it and how to communicate about it. But realistically, there's no way you can know all of this information, and that's where the architects really come into play. They kind of help with that, bridging the gap between an engineer and, potentially, a director or manager of security or a CISO. I think it's a really good stepping place. Security auditors: these are also folks that would need the CISSP, because they audit and assess the effectiveness of various security policies within an organization. This could be accounting, could be corporate audit, it could be various assets, could be a third party that does that as well, and these auditors need to really have a good understanding of information security standards, and having the CISSP will help them understand that. It'll help guide the questions that they need to ask to ensure that the policies are correct and that there are current security measures in place as mitigating controls for the overall vulnerabilities that might be out there. They'll do data collection, analysis, they'll do reporting and then they also obviously do the follow-up as it relates to security auditing stuff, right, assessor kind of things. Another one is an incident responder. This is a person who will handle security incidents and help minimize the overall damage that could be incurred due to a breach or an event. A good example is MGM right there. I just saw an article that they expect it's going to way surpass $100 million for that incident that they had just a few weeks ago. So you're talking a huge amount of money.
So being an incident responder, they get paid very well. They can get paid very well. Their life is that of a dumpster fire, where they basically have to go and deal with all of these various events that occur, and so their life is kind of upheaval in many ways when they're going to take care of incidents. But there's good pay in that, and having an understanding of the CISSP would be extremely valuable in knowing those skills as it relates to understanding the assessment: how do I contain it, how do I investigate it, and then how do I recover and learn from an incident. So all of those things will really truly come into being as an incident responder, and this is especially why the CISSP is very valuable for those types of roles. Network architect or engineer. Again, this is a little bit of a spin-off of a security architect. This is more focused on the network side of the house. I do feel that that's important just because, if you are going to be architecting networks, having an understanding around security and how to better look at it from a strategic perspective is extremely valuable. Some of my best friends that are security or network architects, they're the ones that truly understand security and they want to implement it when they're developing their network architectures. So if you're thinking, I don't want to be a security architect guy, I don't want to do that, I just want to be doing networks: having the CISSP would be extremely valuable just because you're having to deal with many more aspects of the network side of the house. So the aspects of network design, configuration, monitoring and then network optimization, all of those can fall within the overall network architect and/or engineer. Compliance analyst: these are folks that deal specifically around the compliance world. I have a data privacy person that I work with a lot.
This data privacy person is extremely smart, she's brilliant, and she has actually learned a lot around security just through osmosis, just through working with us. But if you had a CISSP and you were a compliance analyst and/or compliance manager, it could be extremely valuable to you, because now you understand where security is coming from from a technical perspective and it will help you be much better from the compliance standpoint, because all of the world is changing. As an example, I've got a phone call not too long from now where I'll be talking around security as it relates to various global locations, and the compliance folks will be on the call. So it's just, it's important to really truly understand that compliance and security are interwoven together. They're a very important part in each other's world. So if you're a compliance analyst, understanding regulatory research, gap analysis, documentation and training, all of those are valuable as it relates to the CISSP and in your potential role. Two more to go. The next one is a forensics analyst. This is someone who deals with investigating breaches, incidents, cybercrimes. It's the CSI of cyber, and people like that. They think it's Gucci and fun, and it is. Except I will tell you, I'm going to give you a little bit of a downside with this. A friend of mine does cyber and he gets into some aspects that are not pleasant at all. It's actually devastating, and he deals with, obviously, children and pornography and all of those pieces, and it messes him up pretty good. So I'm not saying that isn't for some people; some just thrive on that and they feel like they're accomplishing and they're helping, and I think that's extremely important, but know, as you get into the forensics side of it, and you want to do that, keep in mind where you work and what your personality can and cannot handle.
It's very hard on him and it's hard on his family, and so I'd say, though, that you can do much more than that, right? You don't have to be into the overall law enforcement piece of this. You can be in corporate and now you're just dealing with emails. You're dealing with seeing how people are trying to circumvent the controls you have in place, and so it's important for you just to understand which area you want to go into if this is something that interests you. Well, having the CISSP is important because you deal with evidence collection, data analysis, testimony and reporting. All of those pieces are covered in the CISSP in various forms, and so it really would be valuable if you are going to be a forensic analysis type person. And then the last one is a risk manager. This is someone who identifies and mitigates risk to an organization's information assets. You deal with risk all the time. When you're in a security role, you have to determine what level of risk you want to incur. Do you want to accept the risk? Do you want to transfer the risk? How do you want to handle that risk within your company? And this could be corporate, finance; there's risk in many different areas, but those are just a couple that you might anticipate. Now, why would it be required? Well, as we all know, the CISSP has a strong understanding around risk, and it deals with risk identification, quantitative analysis, mitigation planning, monitoring and reporting. Each of those would be extremely valuable. You know, having that background would be extremely valuable within the risk manager roles. So just kind of keep that in mind, that there are many different opportunities for getting the CISSP. It isn't just being the CISO, it isn't just being the director of security. There's many different roles where having a CISSP certification can be extremely valuable. And I like to equate it to basically getting your master's in security.
It really truly is. The amount of work that you have to put into it, both from having the experience and then also studying for it, can be like a master's-level program. I would say, when I taught folks at our local college, a four-year school, I taught at the same level, and one semester there is one aspect of the CISSP. So again, you can get a lot of information. You're getting your master's degree just by getting your CISSP, you truly are. This is from a person who doesn't have his master's but has been teaching security for 20-some years. All right, that's all I've got for you today. Tomorrow, I should say next week, we will be starting again at Domain 1.4. That's what we'll be going after. You'll be having some CISSP questions on Thursday that will be covering basically all the domains, so I highly recommend you listen to that as well, and outside of that, if you have any questions, go to CISSP Cyber Training. Check out what I've got out there. It's amazing. It will help you be successful in taking the CISSP exam. All right, thank you so much. Have a great day and we'll catch you on the flip side. See you.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
