RCR 013: Cybersecurity Hiring (Part 1) - CISSP Study and Training!

Description:  

In this show, Shon will go over the key aspects of hiring cybersecurity professionals.

This is part 1 of 5 in the ongoing series designed to help HR/Hiring managers as well as those looking for cybersecurity jobs. These videos will go over what the hiring professionals should be looking for and what potential candidates should strive to achieve to meet the growing cybersecurity job demand.

This part of the video series will go through the evolution of cybersecurity and the roles that you can expect to be part of over hiring process.

Transcript:

welcome to the reduce cyber risk podcast where we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker Hornet Bay hi my name is Sean Gerber and I'm your host for this action packed in Florida podcast join me each week cuz I provide the information you need to best protect your business and reduce your company's cyber risk okay this episode where we talked about cyber-security hiring and how it's more than just a job description and if your HR person or and hiring the agent or I should say someone that's within a business that needs to hire cybersecurity professional if you probably haven't figured out yet it can be a daunting process and so it take for you to be able to be able to adequately pick out somebody from a cyber-security background that you know you're getting the right person now this could be a situation where it's maybe someone that's just hired for short-term or could be a long-term contract or could be an actual full-time employee lawyer to go through some of the key things you need to consider as you're looking at a cybersecurity person for your organization the purpose of this training is it's it's security if you haven't figured out yet can get really big words and it's confusing terms and if you don't have a background in cybersecurity stuff you're going to get like totally lost and honestly stuff all the time and I get lost I have to sit back and just kind of scratch my head going what are they saying it's only getting worse and worse I'm in and I've seen the need for my years of experience it's just this is important for HR Personnel for hiring managers to know how to hire the right person because I just did recently looked at a security officer as a service product and I went through it and you start seeing the people that are coming out and you're going if you don't know what you're looking for from a security professional this could be overwhelming and daunting so that doesn't count the purpose behind all this individual so if your business this is going to be extremely helpful if you're an individual looking for a job just going to kind of give you a career path on what you need to do to consider on in the cybersecurity space. Granted there's no perfect Panacea and there's no easy button that makes all this work but the cool part about all of this is that is at least this training will give you some level of what you need to do to keep moving forward EHR the hiring manager the first prong is an individual trying to get a break and get into the cybersecurity space okay so the evolution of a cybersecurity person in the past that used to be an additional duty or responsibility of the IT person so it some it person some guys just do our gal doing their thing making some servers keeping them up and running so everybody's happy and they go hey you you do the security stuff thermoregulation to start coming in and became more of going just an additional duty to where we need to carve out a little bit of this person's time to do the security stuff for security poo right and it so that's where it kind of startled evolve watching updating the system was a security function that's kind of the word rolled into the standard Network architecture was set up that you would have your back if you you would have your just your antivirus a little this little that but you wouldn't have a whole lot of structure in place around it and they had a little and put her inside so was just a person go do it they put the McAfee Antivirus stuff on put whatever you want to put on there and then we'll just call it good right that was the evolution of where it used to be what's a day it's it's changed a lot it's turned into a part-time or full-time roll depending upon the size of your organization and its increase knowledge around complex Integrated Systems and I mean this is this is change dramatically from having just one computer or group of computers at all talk to maybe the internet to now there I have systems that are sitting in a data center communicating with the cloud. Communicating with all these mobile devices what is a business risk Focus so you can't protect everything because of all these things that are coming in your network it's got to be a business risk approach and so it's taking a different mindset around how do you look at cybersecurity so just some guy that just does it stuff will look at a whole lot differently then a business person understands of business and the risk associated with them talk about little bit but increased Regulatory Compliance easy rules you got data breach rules you got cyber regulations from countries to states to counties and it's all ranging from all of the globe so it's getting worse and worse and worse now there's good things with this regulations that's important however at the end of the day is just more that's being added on in there so few professionals that really truly understand it and a good cyber security professional is going to be an adviser or a trust of responsible party and you'll see this there's some new regulations out with a New York Department of Financial Services nydfs obviously put out a requirement last year that requires you to have in their initially was a security officer what doesn't have to be a security officer for your organization so you need to be able to pick these people out South Carolina Insurance data Security Act just came out recently if your insurance agent with more than 200 clients you have a or you are a lawyer that deals the insurance pays you have to have someone who's a cybersecurity professional who's responsible party so do you have put on retainer or you actually buy that capability one of the two but at the end of the day you've got to find someone that can do that for you this is about an hour and a half to two million cyber security rules that are gone on Phil that's huge right so if you're cyber security guy like well cybersecurity roles and titles you have your cyber security security analyst your security engineer architect Security administrator security software developer cryptographer cryptologist and crypto analyst okay years ago they didn't exist for the most part so that's where the new technology is changing and what the face of cyber security and the internet is working on all these internet-connected devices another one is a chief information security officer that is a person's in charge of the security for a large organization a security consultant specialist these are very specialized roles that that are below those that's an intrusion detection Specialists computer security incident responder source code auditor virus technician penetration text tester and vulnerability Assessor the you-name-it there is a roll out there in the cybersecurity space are quotes right but the bottom line is that it's very confusing and you don't know what the heck you're even looking for so if you are in this space you're an HR person hiring manager or even individual this podcast this training is for you understand what your desires are if your Human Resources person and what you're hiring what are your organizational requirements or needs okay what is the technical or non technical requirements of this role it security analyst is as different technical requirements than a security officer again different mindset one's more risk one's more technical but again you got to determine what is your need for your business what are your compliance requirements if you have a high level of compliance requirements for your organization hiring a security analyst or a virus protection tester person may not be the best choice and if you're looking for someone who can give you the better guidance no it doesn't mean that you can't hire somebody like that and groom them into that position and that's something I actually recommend is if you hire somebody into a lower position that has the skills or is even the drive to learn this stuff you can train and groom them up to a position where they can be a severe of serious dieting organization however the one thing around that is if you're looking for someone to come out of the gate that is a security officer type that's going to be interacting with compliance with the CEOs with shareholders with the board those kind of people Western penetration person may not be the right choice okay or it may take them some time to get there just something to consider thinking about that because you really need an influencer and someone who understands program management skills I understand what you need was driving this requirement and understand how you're going to go pay from an individual standpoint give me the knowledge experience and skills you need to understand what you're trying to accomplish as it comes to your job you also need to look at where a different growth opportunities that you can get into that you can grow your cyber-security background have a long-term strategy on how you're going to do this okay you need to understand the big picture the long game and what you're trying to accomplish as it relates to your future and your career can you look at cyber security rules and skills Rent-A-Car focused approach it this and one of the things is a security analyst now that is acceptable for most mid-sized companies to generalist is plenty look policies and doesn't disaster recovery and it's also really good starting point if you're looking to get into security space especially if you are just getting into the security point of you and your an HR person that security analyst is a really good place to begin usually income or they the cost for a security analyst is much less than a traditional security officer and then it's a good place to work them up your security engineer primarily does security monitoring data logs forensics they have a strong data analysis background understanding so they're the kind of people that will if you can't like a security operations center and they have to Look Alot of data for firewall logs they go through all the different aspects around that they can figure switches and routers that from a security point of view security Engineers are really good place to be security components of security used as a security leader so from a standpoint of eyes you my grade up within the quote-unquote chain of command or the they did good career progression most people start off as a security engineer work the way up to an analyst then at that point be an architect and then I move into the next round which should be like a security officer but the security architect usually understands the broader brush the bigger picture of what you're trying to accomplish from a security point of view your security officer your sister at the high-level management role nights at a lead a team of individuals typically and they utilize for larger organization is not a key with them though is it a lot of times they're there a key influencer as it comes down to your business they don't wrestle I have large teams they may they may have a security operations center that work directly for them but in many cases there an influencer of an organization and a of the security practices so usually large organizations or if you have to have a designated security person this is an individual that can be partner Services can be purchased specialized rules such as a pen tester which scans identifies and explains vulnerabilities and teams can range from small to large okay I used to be a penetration tester for red team you would be usually a small team you go and you penetrate the network in a very specific manner looking for very specific vulnerabilities they're usually uses a contractor brought on board to help you find some key areas that may be gaps within your network shots are they scanned identifying assessment abilities on I.T systems of computers and networks they more less kind of like this sit in line with the Auditors but there are any of vulnerability the focus specifically on vulnerabilities not just trying to crack open one spot but what are the boner overall vulnerabilities within an organization so I can take all these terms and into account when you're looking for somebody within your company or with that you're looking to hire for your company unless you have compliance requirements at you have to and train them up cuz most of the stuff is pretty much you learn as you go if you need that high level of person like a JPMorgan or a large Bank financial institution something like that you may want to pay for that level of security obviously but if your deal with a small midsize company you can probably rent the service from a Securities a service option or even just start off with hiring your own person who just an analyst and move their way up did God expect the cost for cyber security are going to increase maybe not right so Technologies me address is an artificial intelligence me address that she hears a lot it's going to keep going up right well that is true but you gotta understand the risks that you have and other Technologies out there to help you mitigate this risk so wait with us with very carefully and that's why having a good security person to help you with this is really good and it isn't her wouldn't hurt if you would go out and rent a security officer to help you do a gap assessment figure out where you're at and you know what then cut him loose and have a internal person do those finish that Gap assessment build that up also learn the network and give them the skills they need now the challenge with that is if you teach him they're going to be marketable and if there that in the back your mind as well whatever you teach him you got to have other incentives to hold them on if you're an HR person if you're a person looking for a job that's a good so understand that there's there's different nuances that roll into this tolerance is key though you need to understand this aspect it's crucial you confuse spend the break the bank and spend a bazillion dollars and try to protect your network but at the end of the day they're still going to get in you just got to determine what is your level of risk that you're going to tolerate as it comes down to putting in cybersecurity practices and Personnel again okay I hope you enjoyed this part in this section of the section 1 the next second what is the next Texans going to be specifically on human resources and talk about the human resources aspect of it and what they need to keep in mind as they're looking to hire individuals within a company alright hope you enjoyed it