2019 CISSP MENTOR
PROGRAM
April 8, 2019
-----------
Class 1 – April 8, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
• Maybe some others later…
CISSP® MENTOR PROGRAM – SESSION ONE
1
INTRODUCTION
Just kidding! This will be awesome!
INTRODUCTION
Welcome!
• What is the CISSP Mentor Program?
• History
  • 2010 – 1st Class – 6 students
  • Today – 10th Class – 400+ students!
• Why do we do it?
• Success stories
• Heck, it’s free! What have you got to lose?
We have a severe talent shortage problem in our industry. Good news for you…
INTRODUCTION
Welcome – Today’s Agenda
• Introduction
• Our severe talent shortage problem…
• Mentor Program Schedule & Class structure
• What is a CISSP?
• The book. **TIPS**
• Chapter 1 – Introduction (the other one).
INTRODUCTION
Let’s get started, but first a joke.
What do you call fake spaghetti?
An impasta.
INTRODUCTION
About Evan
• Co-founder and CEO of FRSecure LLC/Co-founder and CEO of SecurityStudio®
• More than 25 years of “practical” information security experience.
• Ambitious mission: fix the broken industry.
• Co-inventor of SecurityStudio®, the platform for managing information security risk.
• Co-inventor of FISA™, the Fiducial Information Security Assessment. FISA™ is used by more than 800 companies across 28 industries to assess and manage information security risk.
• Co-inventor of FISASCORE®, the definitive measurement of information security and vendor risk.
Photo captions: “Me, on most days” / “When they make me clean up (a bit)”
“Evan’s straightforward analysis of information security risk as fractured, incomplete and disconnected is spot on.” – CISO, University of Miami
@evanfrancen
INTRODUCTION
About Evan
• Advised legal counsel in high-profile breaches including Target and Blue Cross/Blue Shield.
• 2014/2015 – Consultant to the Special Litigation Committee of the Board of Directors of Target Corporation; derivative action related to the “Target Breach”.
• 2015/2016 – Consultant to legal counsel and Blue Cross/Blue Shield related to remediation efforts (post-breach).
• Served as an expert witness in multiple federal criminal cases, mostly involving alleged stolen trade secrets.
• Served 100s of companies; big (Wells Fargo, Target, US Bank, UnitedHealth, etc.) and small.
• Lots of television and radio, lots of information security talks at conferences, and 750+ published articles about a variety of information security topics.
“I don’t think I’ve met a more successful guy in this industry with less bullshit.” – Roger Grimes
@evanfrancen
INTRODUCTION
About Evan
And then…
There’s a book. You should get your copy. I think it’s good for you.
https://www.amazon.com/Unsecurity-Information-security-failing-epidemic/dp/164343974X/
@evanfrancen
INTRODUCTION
About Evan
But…
My FAVORITE THREE THINGS are…
• People… My people! Information security isn’t as much about information or security as it is about people.
• The Unsecurity Podcast with Brad Nigh!
• The CISSP Mentor Program! 2010 – Six (6) students. 2019 – More than four hundred (400+).
@evanfrancen
INTRODUCTION
About Brad
• 20+ years of overall IT experience, started with FRSecure in 2016
• CISSP Mentor Program Lead
• FRSecure Workshop Series Lead
• Co-host of UNSECURITY Podcast with Evan
• CISM, CISSP, CCSFP, CSSA, MCSA: Windows Server 2012, ITIL v.3 Foundations
• ISC2 Safe and Secure Online volunteer
• Wayzata Schools COMPASS program CyberSecurity Mentor
• Passionate about information security and happy to be here!
@BradNigh
INTRODUCTION
About FRSecure
Expert-level, product agnostic information security management and consulting firm.
• Established in 2008, but didn’t really start until 2010.
• Started by a security guy who was tired of taking shortcuts, tired of the money grab, and tired of checking boxes.
• Information security is about people, and it’s a lot of hard work.
• Eight core values, and ten security principles.
• Core services include:
  • Security Risk Analysis – using FISASCORE®
  • Social Engineering Services
  • Penetration Testing Services
  • PCI QSA Services
  • Incident Management Services
  • HITRUST Services
  • Information Security Training & Awareness
  • vServices (vCISO, vISO, and vISA)
INTRODUCTION
About FRSecure
Like 70+ unicorns.
Cool, right?!
OUR SEVERE TALENT SHORTAGE PROBLEM…
• Chapter 10 – Unsecurity
• No shortage of stories about our impending doom.
• Another take (from me) - No Easy Button Solution To Cybersecurity’s Skills Shortage (https://www.cybersecurityintelligence.com/blog/no-easy-button-solution-to-cybersecuritys-skills-shortage-4150.html)
• Some people claim that there is no shortage, or that it’s overhyped.
• The truth is probably somewhere in the middle, but there is plenty of opportunity!
OUR SEVERE TALENT SHORTAGE PROBLEM…
Some truth.
Source: CyberSeek – www.cyberseek.org
Source: United States Census Bureau
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Some truth.
• Report from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million openings last year.
• ISACA predicts there will be a global shortage of two million cyber security professionals by 2019.
• National Association of Software and Services Companies (NASSCOM) estimates India will need 1 million cybersecurity professionals by 2020.
• Cyber crime is expected to cost the world $6 trillion by 2021.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Some truth.
• One of the most in-demand cyber security roles is security analyst.
• In 2012 there were 72,670 security analyst jobs in the U.S., with median earnings of $86,170. Three years later, there were 88,880 such analysts making $90,120.
• Compensation for the most senior roles in cyber security, like chief information security officer, can reach $400,000.
• 70 percent of cybersecurity professionals say the cybersecurity skills shortage has had an impact on their organization.
• More than two-thirds (67 percent) of cybersecurity professionals claim they are too busy with their jobs to keep up with skills development and training.
• 49 percent of cybersecurity professionals are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Bad Advice
Consider the source
• There is no shortage of bad advice, and some of it can be attributed to the “talent” shortage.
  • “Information security training and awareness is a waste of time and resources”
  • “An information security risk assessment is not necessary for a well-run security program”
  • “You must get an information security degree to become a good information security professional”
  • “Information security is an IT issue, not a business issue”
OUR SEVERE TALENT SHORTAGE PROBLEM…
“Good” Security Talent
• What makes a “good” information security professional?
• Recent backlash from the Equifax breach noted that Susan Mauldin (former Chief Security Officer) had a music degree; therefore, she must have been unqualified.
“a problem emerges: according to LinkedIn, Mauldin’s stated educational background has no security or technology credentials, and consists of.... a bachelor’s degree in music composition (magna cum laude) and a Master of Fine Arts degree in music composition (summa cum laude), both from the University of Georgia. Once again, this is the person who was in charge of keeping your personal and financial data safe — and whose failure to do that has put 143 million at risk from identity theft and fraud.”
(Source: https://www.zerohedge.com/news/2017-09-15/another-equifax-coverup-did-company-scrub-its-chief-security-officer-was-music-major)
“When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security. And then they might also ask him if anyone at the company has been involved in efforts to cover up Susan Mauldin’s lack of educational qualifications since the data breach became public. It would be fascinating to hear Smith try to explain both of those extraordinary items.”
(Source: https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15)
• Some people believe that you cannot be “good” without a technical degree; others believe that you cannot be “good” without certifications like a CISSP, CISM, etc.
• There are thousands of awesome security practitioners who have no information security degree whatsoever.
Defining “Good”
• At FRSecure we “grow unicorns”.
• There are three things that make a unicorn:
  • Intangibles – the things you can’t teach.
  • Education – the “book smarts”. Education can come in a variety of forms: degree programs, books, in-person instruction, mentorship, certification preparation, etc.
  • Experience – the “street smarts”. The best way to gain experience is by doing.
• The three ingredients are not mutually exclusive, and there are all sorts of ways.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
• Supply – we don’t have enough information security people.
• Acquisition – we can’t find enough good information security people for ourselves.
• Retention – we can’t keep good information security people for ourselves (and in some cases, in our industry).
• Culture – we have a “bro culture” problem that isn’t helping.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
• Two sources: people willing to change careers, and younger people entering the workforce.
• Career Changers - If you were interested in getting into our field, where would you start?
  • A bachelor’s degree in cyber security will cost somewhere between $20,000 - $60,000, or more. This might get you an entry-level job. A master’s degree will cost much more. (Source: https://www.onlineu.org/most-affordable-colleges/cyber-security-degrees)
  • Certification? Training to pass the CISSP® exam can range from $3,000 - $5,000, or more, and the exam itself will set you back another $699.
  • Cost is a barrier to entry. Most people don’t have this amount of money lying around.
• Younger People – Not enough education options (getting better, but not fast enough).
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
• Early Education – schools are starting programs, and they’re working. Many examples.
• Free Education
  • FRSecure’s Mentor Program (https://frsecure.com/cissp-mentor-program/)
  • SANS Cyber Aces Online (http://www.cyberaces.org/courses/)
  • Cybrary (https://www.cybrary.it/catalog/)
  • Cyber Degrees (https://www.cyberdegrees.org/)
• Mentorship – no single dominant program; this requires more of us giving back.
• Hire Intangibles – and train/educate for the rest. Can be a good acquisition strategy too.
• Internships – becoming more popular, but we need more.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
• Our industry culture is not always conducive to attracting and retaining talent.
• Some of the results of our culture are gender inequity and minority inequity.
  • Women make up 49.56% of the world’s population, but only make up 11% of the information security workforce.
  • 26% of our workforce is non-Caucasian (or “white”) male.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
“In a survey of 580 scheduled attendees of the Black Hat 2017 conference to be held in Las Vegas, Black Hat found that 71% of respondents felt their companies lacked sufficient staff to defend itself against current cyberthreats. And, although less than half of respondents (45%) were "concerned" about the shortage of women and minorities in the information security”
• Since our industry is so male dominated, there’s a “bro culture” that exists.
  • “It’s a very male-dominated culture.” “It can be a little more crass, a little bit more rough and maybe some … females don’t like that, and it is off-putting.” – Ellison Anne Williams, Ph.D., founder and chief executive of Enveil, a Fulton, Md., data security company.
• It’s not only the people in our industry that contribute to the problem. Customers, clients, and other normal people also assume that information security is a male sport.
  • “They have clients who won’t speak directly to them. It’s the assumption that the woman is not the lead on the project. They just default to speaking to the men.” - Leah Figueroa, lead data engineer at Gravwell, a data analytics company out of Coeur D’Alene, Idaho (Source: http://www.govtech.com/workforce/Why-Are-So-Few-Women-in-Cybersecurity.html)
• This culture didn’t start in our industry and it’s not exclusive to our industry either.
OUR SEVERE TALENT SHORTAGE PROBLEM…
Supply and Demand - acquisition, retention, and our culture
• Promote and participate in more diversity initiatives and programs.
• Studies prove that more diverse work groups produce more creative and better results.
• A partial list of resources for women:
  • SANS CyberTalent Immersion Academy for Women - https://www.sans.org/cybertalent/immersion-academy
  • Computer Science for Cyber Security (CS4CS) Summer Program for High School Women - http://engineering.nyu.edu/k12stem/cs4cs/
  • Women’s Society of Cyberjutsu (WSC) - http://womenscyberjutsu.org/
  • Women in Cyber Security (WiCyS) - https://www.wicys.net/
INTRODUCTION
Our severe talent shortage problem…
• One more thing.
• Go get this.
• It’s free.
MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE
Syllabus (not really), but close.
Class schedule
• Online, FRSecure homepage → Events → 2019 CISSP Mentor Program
MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE
Class schedule
• There is a boatload of information to memorize for the exam, and you’ll appreciate the breaks; we’ve built in three of them (4/22, 5/8, and 5/27).
• Evan and/or Brad will lead classes, switching things up to keep things fresh.
• We’re easing into things this first week; only this introduction and one domain (Domain 1: Security and Risk Management).
NOTE: We do have some volunteers to teach. We’ll figure out how to use them.
MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE
Class schedule
• Every class is structured similarly, starting with a brief recap of the previous content/session, then:
  • Questions.
  • Quiz.
  • Current Events.
  • Lecture.
  • Homework (you’ll appreciate the breaks…)
• If you’re interested in organizing a study group, send us an email.
MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE
Class schedule
• We are here to help!
• If you have any questions, at any time, please send them to Brandon bmatis@frsecure.com. Is that right?
• Content will be made available to all students, including slides, handouts, and video recordings.
WHAT IS A CISSP?
The Certified Information Systems Security Professional (or “CISSP”)
Get your Ultimate Guide to the CISSP @ https://www.isc2.org/Certifications/Ultimate-Guides/CISSP?
• For the latest (and official) information about the CISSP, refer to the (ISC)2 website: https://www.isc2.org/Certifications/CISSP
• The four steps to the CISSP:
  1. Meet CISSP Eligibility
  2. Schedule the Exam
  3. Pass the Exam
  4. Agree to the Code of Ethics and get endorsed.
THE BOOK
CISSP Study Guide – Third Edition
• Title: CISSP Study Guide, Third Edition (Paperback) by Eric Conrad, Seth Misenar, & Joshua Feldman.
• ISBN-10: 0128024372
• ISBN-13: 978-0128024379
• If you don’t have it, you can get it in a variety of places: Amazon, Elsevier, Borders, etc.
• I prefer the book in Adobe Acrobat format; easy reference and copy/paste capabilities.
READY?! LET’S DIG IN.
CHAPTER 1 - INTRODUCTION
EXAM OBJECTIVES IN THIS CHAPTER
• How to prepare for the Exam
• How to take the Exam
• Sticking with it!
CHAPTER 1 - INTRODUCTION
How to take the Exam
• Used to be six hours and 250 questions.
• Now it’s three hours and 150 questions! (not in the book)
• Computer-based testing (“CBT”) at Pearson Vue; used to be paper and pencil (Evan’s old!)
• Two (sort of four) types of questions:
  • Multiple Choice (four options, two are almost obviously wrong)
  • “Advanced Innovative”
    • Scenario
    • Drag/Drop
    • Hotspot
BONUS – INFORMATION SECURITY FUNDAMENTALS
What is Information Security?
• This is a question for you.
• This is a question that our industry still struggles with.
• Don’t forget this…
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.
What is Risk?
• This is a question for you.
• This is a question that our industry still struggles with.
• Don’t forget this (either)…
Risk is the likelihood of something bad happening and the impact if it did.
Ten Information Security Principles
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. “Compliant” and “secure” are different.
6. There is no common sense in Information Security.
7. “Secure” is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no “easy button”.
THAT’S IT. NEXT?
That’s it for today…
• We’re very excited that we get to be a part of your information security career journey!
• This will be a rewarding experience.
For most of you: This will get hard. This will seem dry. This will seem overwhelming. Don’t give up!
• Homework for Wednesday (4/10):
  • Please get the book if you haven’t already.
  • Please read Chapter 1 (pages 1 – 10).
  • We will be covering Chapter 2 Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity) on Wednesday.
See you Wednesday!
Evan Francen – @evanfrancen
Brad Nigh – @BradNigh

More Related Content

PDF
2018 CISSP Mentor Program Session 1
PDF
2019 FRecure CISSP Mentor Program: Session Two
PDF
2020 FRSecure CISSP Mentor Program - Class 2
PDF
2020 FRsecure CISSP Mentor Program - Class 1
PDF
2019 FRSecure CISSP Mentor Program: Class Ten
PDF
2019 FRSecure CISSP Mentor Program: Class Nine
PDF
2018 CISSP Mentor Program Session 2
PDF
2018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 1
2019 FRecure CISSP Mentor Program: Session Two
2020 FRSecure CISSP Mentor Program - Class 2
2020 FRsecure CISSP Mentor Program - Class 1
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Nine
2018 CISSP Mentor Program Session 2
2018 CISSP Mentor Program Session 3

What's hot (20)

PDF
2019 FRSecure CISSP Mentor Program: Class Three
PDF
2019 FRSecure CISSP Mentor Program: Class Eight
PDF
2018 FRSecure CISSP Mentor Program Session 8
PDF
2020 FRSecure CISSP Mentor Program - Class 4
PDF
2020 FRSecure CISSP Mentor Program - Class 9
PDF
2020 FRSecure CISSP Mentor Program - Class 6
PDF
2020 FRSecure CISSP Mentor Program - Class 10
PDF
2019 FRSecure CISSP Mentor Program: Class Eleven
PPTX
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
PPTX
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
PDF
FRSecure 2018 CISSP Mentor Program Session 10
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
PDF
2020 FRSecure CISSP Mentor Program - Class 8
PDF
2020 FRSecure CISSP Mentor Program - Class 3
PDF
2020 FRSecure CISSP Mentor Program - Class 5
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
PDF
2020 FRSecure CISSP Mentor Program - Class 11
PDF
2018 CISSP Mentor Program- Session 6
PDF
2018 FRSecure CISSP Mentor Program Session 9
PDF
2019 FRSecure CISSP Mentor Program: Class Four
2019 FRSecure CISSP Mentor Program: Class Three
2019 FRSecure CISSP Mentor Program: Class Eight
2018 FRSecure CISSP Mentor Program Session 8
2020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 6
2020 FRSecure CISSP Mentor Program - Class 10
2019 FRSecure CISSP Mentor Program: Class Eleven
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
FRSecure 2018 CISSP Mentor Program Session 10
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
2020 FRSecure CISSP Mentor Program - Class 8
2020 FRSecure CISSP Mentor Program - Class 3
2020 FRSecure CISSP Mentor Program - Class 5
Purple Teaming - The Collaborative Future of Penetration Testing
2020 FRSecure CISSP Mentor Program - Class 11
2018 CISSP Mentor Program- Session 6
2018 FRSecure CISSP Mentor Program Session 9
2019 FRSecure CISSP Mentor Program: Class Four
Ad

Similar to 2019 FRSecure CISSP Mentor Program: Class One (20)

PPTX
2-sec "A Day in the Life of a Cyber Security Professional" Interop London Jun...
PPTX
Opening the Talent Spigot to Securing our Digital Future
PDF
Slide Deck - CISSP Mentor Program Class Session 1
PDF
Cybersecurity Skilling at a Tipping Point.pdf
PPTX
MCG Cybersecurity Webinar Series - Risk Management
PPTX
MCG Cybersecurity Webinar Series - Risk Management
PPTX
Cyber Security for the Employee - AFP Annual Conference 2016
PDF
HDI Capital Area Slides August 17, 2018
PDF
Cybersecurity Skills that Companies Are Desperately Hiring - Copy.pdf
PDF
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
PPT
Creating A Diverse CyberSecurity Program
PPTX
Showreel ICSA Technology Conference
PPTX
CapTech Talks Webinar Jan 2025 Dewayne Hart.pptx
PPTX
Cyberskills shortage: Where is the cyber workforce of tomorrow
PPTX
Is Your Company's Data Secure? Shelley Vinson Helfer
PPTX
2015 KSU So You Want To Be in Cyber Security
PPTX
Overview Marketing and International Business
PDF
Dr. Iretioluwa AKERELE. Top Cyber News MAGAZINE. August 2024
PDF
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
PPTX
Cyber Risk Management in 2017 - Challenges & Recommendations
2-sec "A Day in the Life of a Cyber Security Professional" Interop London Jun...
Opening the Talent Spigot to Securing our Digital Future
Slide Deck - CISSP Mentor Program Class Session 1
Cybersecurity Skilling at a Tipping Point.pdf
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
Cyber Security for the Employee - AFP Annual Conference 2016
HDI Capital Area Slides August 17, 2018
Cybersecurity Skills that Companies Are Desperately Hiring - Copy.pdf
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Creating A Diverse CyberSecurity Program
Showreel ICSA Technology Conference
2019 FRSecure CISSP Mentor Program: Class One

• 8. INTRODUCTION – About Evan
• Advised legal counsel in high-profile breaches including Target and Blue Cross/Blue Shield.
• 2014/2015 – Consultant to the Special Litigation Committee of the Board of Directors of Target Corporation; derivative action related to the “Target Breach”.
• 2015/2016 – Consultant to legal counsel and Blue Cross/Blue Shield related to remediation efforts (post-breach).
• Served as an expert witness in multiple federal criminal cases, mostly involving alleged stolen trade secrets.
• Served 100s of companies; big (Wells Fargo, Target, US Bank, UnitedHealth, etc.) and small.
• Lots of television and radio, lots of information security talks at conferences, and 750+ published articles about a variety of information security topics.
(Photo captions: Me, on most days / When they make me clean up (a bit))
“I don’t think I’ve met a more successful guy in this industry with less bullshit.” – Roger Grimes
@evanfrancen

• 9. INTRODUCTION – About Evan
And then… There’s a book. You should get your copy. I think it’s good for you.
https://www.amazon.com/Unsecurity-Information-security-failing-epidemic/dp/164343974X/

• 10. INTRODUCTION – About Evan
But… My FAVORITE THREE THINGS are…
People… My people! Information security isn’t as much about information or security as it is about people.
(Photo caption: Me, on most days (too))

• 11. INTRODUCTION – About Evan
But… My FAVORITE THREE THINGS are…
The Unsecurity Podcast with Brad Nigh!

• 12. INTRODUCTION – About Evan
But… My FAVORITE THREE THINGS are…
The CISSP Mentor Program! 2010 – Six (6) students. 2019 – More than four hundred (400+).

• 13. INTRODUCTION – About Brad
• 20+ years of overall IT experience; started with FRSecure in 2016.
• CISSP Mentor Program Lead
• FRSecure Workshop Series Lead
• Co-host of the UNSECURITY Podcast with Evan
• CISM, CISSP, CCSFP, CSSA, MCSA: Windows Server 2012, ITIL v.3 Foundations
• ISC2 Safe and Secure Online volunteer
• Wayzata Schools COMPASS program CyberSecurity Mentor
• Passionate about information security and happy to be here!
@BradNigh

• 14. INTRODUCTION – About FRSecure
Expert-level, product-agnostic information security management and consulting firm.
• Established in 2008, but didn’t really start until 2010.
• Started by a security guy who was tired of taking shortcuts, tired of the money grab, and tired of checking boxes.
• Information security is about people, and it’s a lot of hard work.
• Eight core values, and ten security principles.
• Core services include:
• Security Risk Analysis – using FISASCORE®
• Social Engineering Services
• Penetration Testing Services
• PCI QSA Services
• Incident Management Services
• HITRUST Services
• Information Security Training & Awareness
• vServices (vCISO, vISO, and vISA)

• 15. INTRODUCTION – About FRSecure
Like 70+ unicorns. Cool, right?!
• 16. OUR SEVERE TALENT SHORTAGE PROBLEM…
• Chapter 10 – Unsecurity
• No shortage of stories about our impending doom.
• Another take (from me) – No Easy Button Solution To Cybersecurity’s Skills Shortage (https://www.cybersecurityintelligence.com/blog/no-easy-button-solution-to-cybersecuritys-skills-shortage-4150.html)
• Some people claim that there is no shortage, or that it’s overhyped.
• The truth is probably somewhere in the middle, but there is plenty of opportunity!

• 17–19. OUR SEVERE TALENT SHORTAGE PROBLEM… – Some truth.
(Chart slides.) Source: CyberSeek – www.cyberseek.org; Source: United States Census Bureau
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

• 20. OUR SEVERE TALENT SHORTAGE PROBLEM… – Some truth.
• A report from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million openings last year.
• ISACA predicts there will be a global shortage of two million cyber security professionals by 2019.
• The National Association of Software and Services Companies (NASSCOM) estimates India will need 1 million cybersecurity professionals by 2020.
• Cyber crime is expected to cost the world $6 trillion by 2021.

• 21. OUR SEVERE TALENT SHORTAGE PROBLEM… – Some truth.
• One of the most in-demand cyber security roles is security analyst.
• In 2012 there were 72,670 security analyst jobs in the U.S., with median earnings of $86,170. Three years later, there were 88,880 such analysts making $90,120.
• Compensation for the most senior roles in cyber security, like chief information security officer, can reach $400,000.
• 70 percent of cybersecurity professionals say the cybersecurity skills shortage has had an impact on their organization.
• More than two-thirds (67 percent) of cybersecurity professionals claim they are too busy with their jobs to keep up with skills development and training.
• 49 percent of cybersecurity professionals are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.

• 22. OUR SEVERE TALENT SHORTAGE PROBLEM… – Bad Advice (consider the source)
• There is no shortage of bad advice, and some of it can be attributed to the “talent” shortage.
• “Information security training and awareness is a waste of time and resources”
• “An information security risk assessment is not necessary for a well-run security program”
• “You must get an information security degree to become a good information security professional”
• “Information security is an IT issue, not a business issue”

• 23. OUR SEVERE TALENT SHORTAGE PROBLEM… – “Good” Security Talent
• What makes a “good” information security professional?
• Recent backlash from the Equifax Breach noted that Susan Mauldin (former Chief Security Officer) had a music degree; therefore, she must have been unqualified.
“a problem emerges: according to LinkedIn, Mauldin’s stated educational background has no security or technology credentials, and consists of.... a bachelor’s degree in music composition (magna cum laude) and a Master of Fine Arts degree in music composition (summa cum laude), both from the University of Georgia. Once again, this is the person who was in charge of keeping your personal and financial data safe — and whose failure to do that have put 143 million at risk from identity theft and fraud.” (Source: https://www.zerohedge.com/news/2017-09-15/another-equifax-coverup-did-company-scrub-its-chief-security-officer-was-music-major)

• 24. OUR SEVERE TALENT SHORTAGE PROBLEM… – “Good” Security Talent
• What makes a “good” information security professional?
• Recent backlash from the Equifax Breach noted that Susan Mauldin (former Chief Security Officer) had a music degree; therefore, she must have been unqualified.
“When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security. And then they might also ask him if anyone at the company has been involved in efforts to cover up Susan Mauldin’s lack of educational qualifications since the data breach became public. It would be fascinating to hear Smith try to explain both of those extraordinary items.” (Source: https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15)

• 25. OUR SEVERE TALENT SHORTAGE PROBLEM… – “Good” Security Talent: Defining “Good”
• What makes a “good” information security professional?
• Some people believe that you cannot be “good” without a technical degree; others believe that you cannot be “good” without certifications like the CISSP, CISM, etc.
• There are thousands of awesome security practitioners who have no information security degree whatsoever.
• At FRSecure we “grow unicorns”.
• There are three things that make a unicorn:
• Intangibles – the things you can’t teach.
• Education – the “book smarts”. Education can come in a variety of forms: degree programs, books, in-person instruction, mentorship, certification preparation, etc.
• Experience – the “street smarts”. The best way to gain experience is by doing.
• The three ingredients are not mutually exclusive, and there are all sorts of ways.

• 26. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Supply – we don’t have enough information security people.
• Acquisition – we can’t find enough good information security people for ourselves.
• Retention – we can’t keep good information security people for ourselves (and in some cases, in our industry).
• Culture – we have a “bro culture” problem that isn’t helping.

• 27. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Two sources: people willing to change careers, and younger people entering the workforce.
• Career Changers – If you were interested in getting into our field, where would you start?
• A bachelor’s degree in cyber security will cost somewhere between $20,000 - $60,000, or more. This might get you an entry-level job. A master’s degree will cost much more. (Source: https://www.onlineu.org/most-affordable-colleges/cyber-security-degrees)
• Certification? Training to pass the CISSP® exam can range from $3,000 - $5,000, or more, and the exam itself will set you back another $699.
• Cost is a barrier to entry. Most people don’t have this amount of money lying around.
• Younger People – Not enough education options (getting better, but not fast enough).

• 28. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Early Education – schools are starting programs, and they’re working. Many examples.
• Free Education
• FRSecure’s Mentor Program (https://frsecure.com/cissp-mentor-program/)
• SANS Cyber Aces Online (http://www.cyberaces.org/courses/)
• Cybrary (https://www.cybrary.it/catalog/)
• Cyber Degrees (https://www.cyberdegrees.org/)
• Mentorship – no single dominant program; this requires more of us giving back.
• Hire Intangibles – and train/educate for the rest. Can be a good acquisition strategy too.
• Internships – becoming more popular, but we need more.

• 29. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Our industry culture is not always conducive to attracting and retaining talent.
• Some of the results of our culture are gender inequity and minority inequity.
• Women make up 49.56% of the world’s population, but only make up 11% of the information security workforce.
• 26% of our workforce is non-Caucasian (or “white”) male.
“In a survey of 580 scheduled attendees of the Black Hat 2017 conference to be held in Las Vegas, Black Hat found that 71% of respondents felt their companies lacked sufficient staff to defend itself against current cyberthreats. And, although less than half of respondents (45%) were "concerned" about the shortage of women and minorities in the information security”

• 30. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Since our industry is so male dominated, there’s a “bro culture” that exists.
• “It’s a very male-dominated culture.” “It can be a little more crass, a little bit more rough and maybe some … females don’t like that, and it is off-putting.” – Ellison Anne Williams, Ph.D., founder and chief executive of Enveil, a Fulton, Md., data security company.
• It’s not only the people in our industry that contribute to the problem. Customers, clients, and other normal people also assume that information security is a male sport.
• “They have clients who won’t speak directly to them. It’s the assumption that the woman is not the lead on the project. They just default to speaking to the men.” – Leah Figueroa, lead data engineer at Gravwell, a data analytics company out of Coeur D’Alene, Idaho (Source: http://www.govtech.com/workforce/Why-Are-So-Few-Women-in-Cybersecurity.html)
• This culture didn’t start in our industry, and it’s not exclusive to our industry either.

• 31. OUR SEVERE TALENT SHORTAGE PROBLEM… – Supply and Demand: acquisition, retention, and our culture
• Promote and participate in more diversity initiatives and programs.
• Studies prove that more diverse work groups produce more creative and better results.
• A partial list of resources for women:
• SANS CyberTalent Immersion Academy for Women – https://www.sans.org/cybertalent/immersion-academy
• Computer Science for Cyber Security (CS4CS) Summer Program for High School Women – http://engineering.nyu.edu/k12stem/cs4cs/
• Women’s Society of Cyberjutsu (WSC) – http://womenscyberjutsu.org/
• Women in Cyber Security (WiCyS) – https://www.wicys.net/

• 32. INTRODUCTION – Our severe talent shortage problem…
• One more thing.
• Go get this.
• It’s free.
• 33. MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE – Syllabus (not really), but close.
(Schedule slide.)

• 34. MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE – Class schedule
• Online: FRSecure homepage → Events → 2019 CISSP Mentor Program

• 35. MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE – Class schedule
• There is a boatload of information to memorize for the exam, and you’ll appreciate the breaks; we’ve built in three of them (4/22, 5/8, and 5/27).
• Evan and/or Brad will lead classes, switching things up to keep things fresh.
• We’re easing into things this first week; only this introduction and one domain (Domain 1: Security and Risk Management).
NOTE: We do have some volunteers to teach. We’ll figure out how to use them.

• 36. MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE – Class schedule
• Every class is structured similarly, starting with a brief recap of the previous content/session, then:
• Questions.
• Quiz.
• Current Events.
• Lecture.
• Homework (you’ll appreciate the breaks…)
• If you’re interested in organizing a study group, send us an email.

• 37. MENTOR PROGRAM SCHEDULE & CLASS STRUCTURE – Class schedule
• We are here to help!
• If you have any questions, at any time, please send them to Brandon, bmatis@frsecure.com. Is that right?
• Content will be made available to all students, including slides, handouts, and video recordings.
• 38–48. WHAT IS A CISSP? – The Certified Information Systems Security Professional (or “CISSP”)
(Eleven image slides with the same caption.) Get your Ultimate Guide to the CISSP @ https://www.isc2.org/Certifications/Ultimate-Guides/CISSP?

• 49. WHAT IS A CISSP? – The Certified Information Systems Security Professional (or “CISSP”)
• For the latest (and official) information about the CISSP, refer to the (ISC)² website: https://www.isc2.org/Certifications/CISSP
• The four steps to the CISSP:
1. Meet CISSP Eligibility
2. Schedule the Exam
3. Pass the Exam
4. Agree to the Code of Ethics and get endorsed.

• 50. THE BOOK – CISSP Study Guide, Third Edition
• Title: CISSP Study Guide, Third Edition (Paperback) by Eric Conrad, Seth Misenar, & Joshua Feldman.
• ISBN-10: 0128024372
• ISBN-13: 978-0128024379

• 51. THE BOOK – CISSP Study Guide, Third Edition
• If you don’t have it, you can get it in a variety of places: Amazon, Elsevier, Borders, etc.
• I prefer the book in Adobe Acrobat format; easy reference and copy/paste capabilities.

• 52. READY?! LET’S DIG IN.
• 53. CHAPTER 1 – INTRODUCTION – Exam objectives in this chapter
• How to prepare for the Exam
• How to take the Exam
• Sticking with it!

• 54. CHAPTER 1 – INTRODUCTION – How to take the Exam
• Used to be six hours and 250 questions.
• Now it’s three hours and 150 questions! (not in the book)
• Computer-based testing (“CBT”) at Pearson VUE; it used to be paper and pencil (Evan’s old!)
• Two (sort of four) types of questions:
• Multiple Choice (four options, two are almost obviously wrong)
• “Advanced Innovative”
• Scenario
• Drag/Drop
• Hotspot

• 55–58. BONUS – INFORMATION SECURITY FUNDAMENTALS – What is Information Security?
• This is a question for you.
• This is a question that our industry still struggles with.
• Don’t forget this…
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.

• 59–60. BONUS – INFORMATION SECURITY FUNDAMENTALS – What is Risk?
• This is a question for you.
• This is a question that our industry still struggles with.
• Don’t forget this (either)…
Risk is the likelihood of something bad happening and the impact if it did.

• 61–62. BONUS – INFORMATION SECURITY FUNDAMENTALS – Ten Information Security Principles
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. “Compliant” and “secure” are different.
6. There is no common sense in Information Security.
7. “Secure” is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no “easy button”.

• 63. THAT’S IT. NEXT? – That’s it for today…
• We’re very excited that we get to be a part of your information security career journey!
• This will be a rewarding experience. For most of you: This will get hard. This will seem dry. This will seem overwhelming. Don’t give up!

• 64. THAT’S IT. NEXT? – That’s it for today…
• Homework for Wednesday (4/10):
• Please get the book if you haven’t already.
• Please read Chapter 1 (pages 1 – 10).
• We will be covering Chapter 2, Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity) on Wednesday.
See you Wednesday!
Evan Francen (@evanfrancen) and Brad Nigh (@BradNigh)