Comparing GRC Career Resources and Talking Shop with Cyber Salih!

Ideas for Your Career Development Plan + NIST CSF Overview and Course in Simply Cyber Academy

Author

Steve McMichael
August 04, 2024

Search YouTube for GRC and you can’t miss Cyber Salih! I and thousands of others have found his setting certification BHAGs and diligently following through on them very inspiring.

Cyber Salih

I got into Cybersecurity with no experience, no degree, and no certifications, I then went on to pass CISA and CISSP within my first 2 years. It wasn't easy... My goal is to help as many people as I can by sharing what I have learned so far.

www.youtube.com/@cyber_salih

We recently caught up on his channel to talk about:

  • 4:41 - GRC Certification Roadmap

  • 13:17 - Cert study approach and mindset

  • 16:24 - Top GRC career resources

  • 20:44 - Why GRC is awesome and underrated

  • 31:33 - The GRC superpower

  • 33:57 - NIST Cybersecurity Framework 2.0 Primer

  • 38:37 - Where Compliance Can Go Wrong: Password Complexity Requirements

  • 44:40 - AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) - Complete Training

Check it out for some great ideas to add to your career development plan.

Podcast Agenda

Setting and Achieving Certification Goals: Skills, Methods, Mindset

Podcast clip: Is the stigma around GRC true?

Cybersecurity is a team sport that needs diverse skills to advance its mission. If I were a L33t hacker with 10k hours understanding IT systems so well that I could break into them I’d think differently, but from my business background vantage point GRC is awesome and underrated!

Steve - CPA to Cybersecurity

Why Careers in Cybersecurity GRC are Underrated: Rant Part 1

1. Revenue enabling, 2. Breadth, 3. Top management exposure, 4. Immersion, 5. Business is booming, 6. Feeder role to get a foot in the door, 7. Blue ocean environment

www.cpatocybersecurity.com/p/grc-awesome-underrated-part-1

Question for Salih:

🔲 Any to add, or any favourites from this list?

CISA Exam: How I passed and how you can too with this study technique

Your grit and determination to set a Big Hairy Audacious Goal (BHAG) and achieve it are admirable! I can relate to the texbook being dry (LOL!), and given that your advice on how to consume the course content is very smart.

Steve - CPA to Cybersecurity

Question for Salih:

🔲 How has CISA helped you in your job?

How to pass CISSP - 2024

Top 10 CISSP Surprises

1. It got a bit ugly for me around question 76, 2. Database polyinstantiation, 3. Thor Peterson let me know my initial study strategy was weak!, 4. CISSP subreddit, 5. SimplyCyberCon keynote, 6. Hardest topics for me, 7. There was a lot I studied I didn’t see on exam day, 8. Financial questions, 9. OSG Mobile app!, 10. Lockpicking Lawyer

www.cpatocybersecurity.com/p/cissp-surprises

Question for Salih:

🔲 Any top surprises you experienced, on or off my list?

CCSP - How to Pass the Exam

Hey you overcame significant obstacles and doubts even 1 week out and cleared this high bar! How inspiring - congratulations and kudos!

Steve - CPA to Cybersecurity

Question for Salih:

🔲 Has this one been helpful on the job?

Cyber 2nd Brain Resource Library

🆓📚 Free to use library of resources and materials related to cybersecurity

This site is designed to make your life easier when it comes to education in the cyberspace. I have also included resources, frameworks, standards and regulations you may need to reference throughout your career. Feel free to save it, edit it, re-purpose it and tailor it to your unique requirements.

cybersalih.notion.site/Cyber-2nd-Brain-8f4321f2aee24e578815ad31d2647add

🧐 Content Recommendations

Blogs to read

Name

Link

Top 3?

Schneier on Security

https://www.schneier.com/

✅ 

Unsupervised Learning

https://danielmiessler.com/

🔲

CISO Series

https://cisoseries.com/

🔲

Other?

❓️ 

People you should follow

Name

Link

Top 3?

David Bombal

https://www.youtube.com/@davidbombal

✅ 

Gerald Auger

https://www.youtube.com/@SimplyCyber

✅ 

Ira Winkler

https://www.linkedin.com/in/irawinkler/

🔲

Other?

❓️ 

Note: all of these are awesome! Hard to shortlist a “Mount Rushmore.”

🤓 Education

📝 GRC Training

GRC Certification Roadmap

Recommended Training and Certs v1.0

www.cpatocybersecurity.com/p/certs

📋 Control Frameworks and Standards

SOC2 Trust Services Criteria (North America)

2017 Trust Services Criteria (With Revised Points of Focus – 2022)

The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022)

www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

TISAX (Automotive, Europe)

Welcome to TISAX

By nature, industry-independent standards are designed as one-size-fits-all solutions rather than tailored to specific needs of automotive companies. A long time ago, the automotive industry formed associations that aimed — among other goals — to refine and define standards that suit their more specific needs.

portal.enx.com/en-US/TISAX

🏅Certification Resources

CISSP

Resource

Link

In Cyber 2nd Brain?

1. CISSP Subreddit

https://www.reddit.com/r/cissp/

🔲

2. Official Study Guide (OSG)

https://a.co/d/6kVj4Jt

✅ 

3. Cert Mike

https://www.certmike.com/

🔲

4. Thor Pedersen

https://www.udemy.com/user/thorpedersen/

🔲

5. Gwen Bettwy Mock Exams

https://www.udemy.com/course/cissp-mock-exams-master-all-8-domains/

🔲

6. Destination Certification Mind Maps

https://destcert.com/cissp/

✅ 

7. Pete Zerger: CISSP Exam Cram

https://youtu.be/XZr2wLKdoVc

🔲

8. Andrew Ramdayal: 50 Questions

https://youtu.be/qbVY0Cg8Ntw

🔲

9. Kelly Handerhan: Why you will pass the CISSP

https://youtu.be/v2Y6Zog8h2A

✅ 

10. Prabh Nair

https://youtu.be/1krYtSQbMWc

✅ 

11. Boson

https://www.boson.com/practice-exam/cissp-isc2-practice-exam

Simply Cyber Academy

Want to learn real in-demand skills from cyber experts and the theory behind those skills?

Cyber Resilience w/ NIST CSF, GRC Analyst Master Class, Cybersecurity 101

academy.simplycyber.io

🐙 Career Resources

GRC Career Development Plan Template

GRC Career Development Plan Template

So you want to become a GRC Analyst? Awesome! Here’s a free Career Development Plan template full of resources that I think you’ll find helpful. It’s the best-of-the-best I’ve discovered in my mid-career transition to GRC, broken into Harvard’s recommended ratio to grow yourself faster of: 10% Education, 20% Relationships, 70% Experiences

www.cpatocybersecurity.com/p/cdp

Cyberseek.org (US)

Cyberseek

Hack the Gap: Close the cybersecurity talent gap with interactive tools and data

www.cyberseek.org

Cyber Career Pathways Tool

Cyber Career Pathways Tool

Interactively explore the NICE Cybersecurity Workforce Framework according to five distinct skill communities and attributes for 52 work roles.

niccs.cisa.gov/workforce-development/cyber-career-pathways-tool

SANS Templates

Information Security Policy Templates | SANS Institute

SANS has developed a set of information security policy templates. These are free to use and fully customizable to your company's IT security practices. Our list includes policy templates for acceptable use policy, data breach response policy, password protection policy and more.

www.sans.org/information-security-policy

  • Their Acceptable Use Policy is really good at being end user focused

SOX

The Public Responsibility of a CPA

“Accounting gimmickry at companies such as Enron, WorldCom, Tyco, Adelphia and Global Crossing included: cooked books, phony earnings statements, undisclosed transactions with corporate executives and other related parties, and inflated revenues, all of which went undetected by the auditors until it was too late, leading to massive restatements.” -Steven B. Harris, PCAOB Board Member

pcaobus.org/news-events/speeches/speech-detail/the-public-responsibility-of-a-cpa_656?utm_source=www.cpatocybersecurity.com&utm_medium=referral&utm_campaign=sox-vs-soc2

SOX vs SOC 2: A Convergence of Compliance

Customers with third-party risk management programs are raising the bar, demanding trust and assurance from their vendors. This creates external demand. Internally, cyber risk is becoming a boardroom issue, adding more work for compliance teams. These factors are driving the headlines.

www.cpatocybersecurity.com/p/sox-vs-soc2

NIST Cybersecurity Framework 2.0

NIST CSF Origin

February 2013 Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

EXECUTIVE ORDER - - - - - - - IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY  

obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

  • Recognized the growing threats to critical infrastructure and called for the development of a framework to enhance the cybersecurity posture of the United States.

  • It aimed to foster collaboration between the government and private sector, to improve the protection and resilience of critical infrastructure.

  • Established the requirements for NIST CSF

Applicability of the Cybersecurity Framework 🌎️ 

Bottom line why this framework is needed:

  1. Cybersecurity risk continues to increase, with no signs of slowing down

  2. Costs of cybersecurity risks continue to grow

Why? 🤔 

The greatest threat that faces any of us today is the threat of complexity: Trillions of lines of code in billions of devices, with ubiquitous connectivity across the globe.

Dr. Ron Ross, Distinguished Fellow of NIST

Why Cybersecurity is Hard

#1. Technology is Everywhere, #2. Technology is Inherently Flawed, #3. Technology is Rarely Secure by Default, #4. Technology is Complicated, #5. Cyber is a Dynamic Threat, Not Static, #6. Cyber is a Silent Killer, #7. Economics Drive More Actors and Capability, #8. Early Innings: The Science Isn’t Settled, #9. There is a Skills Shortage, #10. What Did I Miss?

www.cpatocybersecurity.com/p/why-cybersecurity-is-hard

Characteristics of the Framework 📏

Voluntary Framework

The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.

NIST CSF 2.0

Flexible, Adaptive

The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.

NIST CSF 2.0

Focus on Risk Instead of Controls

Organizations will continue to have unique risks — including different threats and vulnerabilities — and risk tolerances, as well as unique mission objectives and requirements. Thus, organizations’ approaches to managing risks and their implementations of the CSF will vary.

NIST CSF 2.0

Focus on Risk Instead of Compliance

  • While compliance with regulations and standards is important, an organization’s goal is first to reduce risk, and to foster a risk-based mindset

  • Next, from that point compliance will naturally follow

Where Compliance Can Go Wrong: Password Complexity Requirements

Is this password secure?

A*QSuda@PxiTvwgDA2tG

Other Options to Improve Authentication Security

  1. Multi-Factor Authentication (MFA): This method requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Common factors include something you know (password or PIN), something you have (a smartphone or hardware token), and something you are (biometrics: fingerprint scans, facial recognition, or iris scans).

  2. Using Known Password Lists: Implementing checks against lists of known compromised passwords can prevent users from choosing passwords that are already exposed and easy to guess. This can be particularly effective in stopping common and repeated password-related vulnerabilities.

  3. Time-based One-time Password (TOTP): This is an algorithm that generates a one-time password which is valid only for a short period of time, providing an additional layer of security by ensuring that the password is not reusable.

  4. Geographic and IP Restrictions: Limiting access based on geographic location or IP addresses can help prevent unauthorized access from high-risk areas or unfamiliar sources.

  5. Anomaly Detection and Login Monitoring: Tools that monitor login attempts and detect anomalies (like logins from new devices or locations) can trigger additional authentication requirements or alerts.

Facilitates Communication and Collaboration

When implementing the CSF, managers will focus on how to achieve risk targets through common services, controls, and collaboration, as expressed in the Target Profile and improved through the actions being tracked in the action plan (e.g., risk register, risk detail report, POA&M)

NIST CSF 2.0

Holistic Cybersecurity Framework 🌐 

  • Confidently navigate the complex landscape of cyber threats

  • Identify vulnerabilities ➡️ protect critical assets ➡️ detect potential breaches ➡️ respond effectively to incidents ➡️ recover swiftly from disruptions

  • Provides a high-level, strategic view of an orgnaization’s management lifecycle of any given cybersecurity risk

6 Functions ➡️ 22 Categories ➡️ 106 Subcategories

Cyber Resilience is Probably a Better Name than “Cybersecurity”

Term

Definition

So What?

Cyber Resilience

An organization’s ability to withstand and adapt to cyber threats by implementing proactive measures, effectively responding to and recovering from cyber attacks or disruptions, and maintaining essential functions while minimizing damage.

This encompasses a range of strategies, including robust security controls, regular vulnerability assessments, employee education on cybersecurity best practices, and the establishment of incident response plans.

Probably a better name than “Cybersecurity,” where secure seems narrowly PROTECT focused

Think both left and right of boom

“It’s not if, but when”

“There’s two types of organizations”

Be proactive to prevent or minimize impact of cyber incidents

Also be able to quickly detect, isolate, restore and recover systems if when a cyber incident occurs

Intended Audience & Purpose of CSF 👥

Critical Infrastructure ⚙️ 

Term

Definition

So What

Critical Infrastructure

“Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these” - DHS

The Department of Homeland Security (DHS) lists 16 Critical Infrastructure sectors

  1. Chemical - Organizations and companies that manufacture, store, use, and transport potentially dangerous chemicals used by other critical infrastructure sectors

  2. Commercial Facilities - Buildings, facilities, and spaces used for commercial purposes, including retail, entertainment, and hospitality

  3. Communications - Networks, systems, and assets involved in providing communication services, including broadcasting, telecommunications, and internet service providers

  4. Critical Manufacturing - Facilities and processes involved in the production of essential goods, such as metals, machinery, transportation equipment, and pharmaceuticals

  5. Dams - Structures, systems, and resources related to dam operations and water control, including hydroelectric power generation .

  6. Defense Industrial Base - Companies and assets involved in the research, development, production, and maintenance of defense-related equipment, systems, and services

  7. Emergency Services - Agencies, organizations, and personnel responsible for emergency management, firefighting, medical services, and public safety

  8. Energy - Resources, systems, and infrastructure involved in the production, transmission, and distribution of energy, including electricity, oil, and natural gas

  9. Financial Services - Institutions and systems providing financial services, including banking, insurance, investment, and payment systems

  10. Food and Agriculture Sector - Facilities, systems, and resources related to the production, processing, and distribution of food, beverages, and agricultural products

  11. Government Facilities - Buildings, offices, and structures used by federal, state, local, tribal, and territorial governments for administrative and public services

  12. Healthcare and Public Health - Facilities, personnel, and networks involved in providing healthcare services, medical research, and public health support

  13. Information Technology - Systems, networks, and infrastructure used for information processing, storage, and communication, including software development and cybersecurity

  14. Nuclear Reactors, Materials, and Waste - Facilities, processes, and materials associated with nuclear power generation, research, and waste management

  15. Transportation Systems - Infrastructure, networks, and assets involved in the movement of people and goods, including aviation, maritime, rail, and road transportation

  16. Water and Wastewater Systems - Facilities, systems, and resources responsible for providing drinking water and managing wastewater treatment and disposal

Valuable beyond Critical Infrastructure

Non-Critical Verticals

CSF Benefits

Retail

Protect their customer’s data, secure the company’s online transactions, and manage their supply chain vulnerabilities

Manufacturing

Address industrial control system security and intellectual property protection and to help secure product development

  • CSF is a series of best practices and guidelines and not a compliance standard that must be strictly adhered to

    • It can be scaled up or down

  • Only 32 pages long in version 2.0!

    • Concise and relatively quick to implement

  • BUT – official NIST documents tell you what to do, without telling you how to do it

    • That is why A/CCRF and A/CCRP are important to your career growth and progression!

Purpose

CSF helps organizations:

  • Describe current cybersecurity posture

  • Describe target state for cybersecurity

  • Identify and prioritize opportunities for improvement

  • Assess progress toward the target state

  • Communicate among internal and external stakeholders

Cyber Resilience w/ NIST CSF Course

AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) [CRF-002]

SHOW HIRING MANAGERS YOU KNOW ENOUGH TO BE PART OF THE TEAM Certify your knowledge in cyber resilience and NIST Cybersecurity Framework 2.0 MASTER CYBER RESILIENCE Mastering Cyber Resilience with AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) is designed to enhance your understanding and application of the NIST Cybersecurity Framework (CSF), within various organizational contexts and across multiple sectors.    
This comprehensive course with everything you need to know to CRUSH the exam includes:  * The exam voucher ($125 retail value) * A licensed e-book copy of "Mastering Cyber Resilience" by AKYLADE ($20 retail value) * 93 video lectures that include presentation material, quizzes and text transcripts * 7 practice exams * 100% pass guarantee policy * Access to support on the Simply Cyber Discord server * 12.5 CPEs with a Simply Cyber Academy course completion certificate

academy.simplycyber.io/p/accrf