2018 CISSP Mentor Program Session 1

CISSP® MENTOR
PROGRAM SESSION #1
BRAD NIGH, DIRECTOR OF CONSULTING SERVICES, FRSECURE
EVAN FRANCEN, CEO & CO-FOUNDER,FRSECURE
2018 – CLASS #1

CISSP® MENTOR PROGRAM – SESSION #1
Just kidding! This will be awesome!
CISSP® MENTOR PROGRAM

Welcome!
• What is the CISSP Mentor Program?
• History
• 2010 – 1st Class – 6 students
• Today – 9th Class – 300+ students!
• Why do we do it?
• Success stories
• Heck, it’s free! What have you got to lose?
We have a severe talent shortage problem in our industry. Good news for you…

Agenda
• Introduction
• Our severe talent shortage problem…
• Mentor Program Schedule & Class structure
• What is a CISSP?
• The book.
• Chapter 1 – Introduction (the other one).

INTRODUCTION – ABOUT EVAN
• Co-founder of FRSecure.
• Co-inventor of SecurityStudio®, FISA™, FISASCORE® and Vendefense™
• Member of the Forbes Technology Council
• 25+ years of “practical” information security experience (started as a Cisco Engineer in the
early 90s).
• Worked with 100s of companies; big (Wells Fargo, US Bank, UHG, etc.) and small.
• Written more than 750 articles about information security.
• Developed the FRSecure Mentor Program; six students in 2010/ 163 in 2017/ 300+ in 2018.
• Dozens of television and radio appearances; numerous topics.
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.).
A much better picture of me 
Sorry that I can’t be here in person today. I’m traveling.

INTRODUCTION – ABOUT EVAN
BOOK ANNOUNCEMENT
Just finished the draft…
The Information Security Industry is Broken
Publishing in June.

INTRODUCTION – ABOUT BRAD
• Not as much cool stuff as Evan but….
• Director of Consulting Services at FRSecure
• Assessment Team, HITRUST, PCI, SOC2, vCISO
• Started in IT doingY2K updates (and asset inventory) with a floppy disk
• Volunteer for ISC2 Safe and Secure Online program and Wayzata Schools
Compass program for CyberSecurity
• Lots of public speaking
• FRSecure CISSP Mentor Program
• FRSecure Workshop Series
• Information Security Training & Awareness for clients
Available most days for class.

INTRODUCTION – ABOUT FRSECURE
• Information Security Consulting and Management company. It’s all we do.
• Our core services include:
• HIPAA Risk Analysis – using FISA™
• Social Engineering Services
• Penetration Testing Services
• PCI QSA Services
• Incident Management Services
• HITRUST Services
• SOC2 Preparation Services
• Information Security Training & Awareness
• vServices (vCISO, vISO, and vISA)
• Methodology fanatics, mentoring champions,and product agnostic.

INTRODUCTION – ABOUT FRSECURE
• 55+ Unicorns.
Here are some of them 

OUR SEVERE TALENT SHORTAGE PROBLEM…
• Chapter 10 – Too Many Few Experts.
• No shortage of stories about our impending doom.

23%
25%
46%
45%
51%
0%
10%
20%
30%
40%
50%
60%
2014 2015 2016 2017 2018
Survey Respondents Claiming to Have a "Problematic" Shortage of Security Talent
Source: 2017 ESG & ISSA Research Report – “The Life and Times of Cybersecurity Professionals”

• Chapter 10 – Too Many Few Experts.
• No shortage of stories about how to fix things either.

The Truth
Source: CyberSeek – www.cyberseek.org

The Truth
Source: CyberSeek – www.cyberseek.org
Source: United States Census Bureau

The Truth
• Report from Cybersecurity Ventures estimates there will be 3.5 million
unfilled cybersecurity jobs by 2021, up from 1 million openings last year.
• ISACA predicts there will be a global shortage of two million cyber security
professionals by 2019.
• National Association of Software and Services Companies (NASSCOM)
estimates India will need 1 million cybersecurity professionals by 2020.
• Cyber crime is expected to cost the world $6 trillion by 2021.

The Truth
• One of the most in-demand cyber security roles is security analyst.
• In 2012 there were 72,670 security analyst jobs in the U.S., with median
earnings of $86,170.Three years later, there were 88,880 such analysts
making $90,120.
• Compensation for the most senior roles in cyber security, like chief
information security officer, can reach $400,000.

The Truth
• 70 percent of cybersecurity professionals say the cybersecurity skills
shortage has had an impact on their organization.
• More than two-thirds (67 percent) of cybersecurity professionals claim they
are too busy with their jobs to keep up with skills development and training.
• 49 percent of cybersecurity professionals are solicited to consider other
cybersecurity jobs by various types of recruiters at least once per week.

The Problems (too many to list them all)
• Bad Advice – most with good intentions, some with bad.
• “Good” Security Talent – we don’t even agree on what “good” security
talent is.
• Supply and Demand - acquisition, retention, and our culture.
• National and Economic Security

Bad Advice
• There is no shortage of bad advice, and some of it can be attributed to the
“talent” shortage.
• “Information security training and awareness is a waste of time and resources”
• “An information security risk assessment is not necessary for a well-run
security program”
• “You must get an information security degree to become a good information
security professional”
• “Information security is an IT issue, not a business issue”

Bad Advice
Consider the source

“Good” Security Talent
• What makes a “good” information
security professional?
• Recent backlash from the Equifax
Breach, noted that Susan Mauldin
(former Chief Security Officer) had a
music degree; therefore, she must have
been unqualified.
“a problem emerges: according to LinkedIn,
Mauldin’s stated educational background has no
security or technology credentials, and consists
of.... a bachelor’s degree in music composition
(magna cum laude) and a Master of Fine Arts
degree in music composition (summa cum laude),
both from the University of Georgia. Once again,
this is the person who was in charge of keeping
your personal and financial data safe — and
whose failure to do that have put 143 million at
risk from identity theft and fraud.”
(Source: https://www.zerohedge.com/news/2017-09-15/another-
equifax-coverup-did-company-scrub-its-chief-security-officer-was-
music-major)

• What makes a “good” information
security professional?
• Recent backlash from the Equifax
Breach, noted that Susan Mauldin
(former Chief Security Officer) had a
music degree; therefore, she must have
been unqualified.
When Congress hauls in Equifax CEO Richard
Smith to grill him, it can start by asking why he put
someone with degrees in music in charge of the
company’s data security.
And then they might also ask him if anyone at the
company has been involved in efforts to cover up
Susan Mauldin’s lack of educational qualifications
since the data breach became public.
It would be fascinating to hear Smith try to explain
both of those extraordinary items.
(Source: https://www.marketwatch.com/story/equifax-ceo-hired-a-
music-major-as-the-companys-chief-security-officer-2017-09-15)

• What makes a “good” information security professional?
• Some people believe that you cannot be “good” without a technical degree,
others believe that you cannot be “good” without certifications like a CISSP,
CISM, etc.
• There are thousands of awesome security practitioners who have no
information security degree whatsoever.

Defining “Good”
• At FRSecure we “grow unicorns”.
• There are three things that make a unicorn:
• Intangibles – the things you can’t teach.
• Education – the “book smarts”. Education can come in a variety of forms; degree
programs, books, in-person instruction, mentorship, certification preparation, etc.
• Experience – the “street smarts”.The best way to gain experience is by doing.
• The three ingredients are not mutually exclusive and there is no one “right” way.

Supply and Demand - acquisition, retention, and our culture
• Supply – we don’t have enough information security people.
• Acquisition – we can’t find enough good information security people for
ourselves.
• Retention – we can’t keep good information security people for ourselves
(and in some cases, in our industry).
• Culture – we have a “bro culture” problem that isn’t helping.
Now it gets hard…

• Two sources; people willing to change careers, and younger people entering the
workforce.
• Career Changers - If you were interested in getting into our field, where would you start?
• A bachelor’s degree in cyber security will cost somewhere between $20,000 - $60,000, or more.
This might get you an entry-level job. A master’s degree will cost much more. (Source:
https://www.onlineu.org/most-affordable-colleges/cyber-security-degrees)
• Certification? Training to pass the CISSP® exam can range from $3,000 - $5,000, or more, and the
exam itself will set you back another $699.
• Cost is a barrier to entry. Most people don’t have this amount of money lying around.
• Younger People – Not enough education options (getting better, but not fast enough).
Now it gets hard…
This is all education related too, remember that
education is only one of the three ingredients.

• Early Education – schools are starting programs, and they’re working. Many examples.
• Free Education
• FRSecure’s Mentor Program (https://frsecure.com/cissp-mentor-program/)
• SANS Cyber Aces Online (http://www.cyberaces.org/courses/)
• Cybrary (https://www.cybrary.it/catalog/)
• Cyber Degrees (https://www.cyberdegrees.org/)
• Mentorship – no single dominant program; this requires more of us giving back.
• Hire Intangibles – and train/educate for the rest. Can be a good acquisition strategy too.
• Internships – becoming more popular, but we need more.
Now it gets hard…

Supply and Demand - acquisition, retention,
and our culture
• Our industry culture is not always conducive to
attracting and retaining talent.
• Some of the results of our culture are gender
inequity and minority inequity.
• Women make up 49.56% of the world’s
population, but only make up 11% of the
information security workforce.
• 26% of our workforce is non-Caucasian (or
“white”) male.
Now it gets hard…
“In a survey of 580 scheduled attendees of the
Black Hat 2017 conference to be held in Las Vegas,
Black Hat found that 71% of respondents felt their
companies lacked sufficient staff to defend itself
against current cyberthreats. And, although less
than half of respondents (45%) were "concerned"
about the shortage of women and minorities in
the information security”

• Since our industry is so male dominated, there’s a “bro culture” that exists.
• “It’s a very male-dominated culture.”“It can be a little more crass,a little bit more rough and maybe some
… females don’t like that,and it is off-putting.”– Ellison Anne Williams, Ph.D., founder and chief
executive of Enveil, a Fulton, Md., data security company.
• It’s not only the people in our industry that contribute to the problem. Customers, clients, and
other normal people also assume that information security is a male sport.
• “They have clients who won’t speak directly to them,It’s the assumption that the woman is not the lead on
the project.They just default to speaking to the men.”- Leah Figueroa, lead data engineer at Gravwell, a
data analytics company out of Coeur D’Alene, Idaho (Source: http://www.govtech.com/workforce/Why-Are-So-Few-
Women-in-Cybersecurity.html)
• This culture didn’t start in our industry and it’s not exclusive to our industry either.
Now it gets hard…

• Promote and participate in more diversity initiatives and programs.
• Studies prove the more diverse work groups produce more creative a better results.
• A partial list of resources for women:
• SANS CyberTalent Immersion Academy for Women -
https://www.sans.org/cybertalent/immersion-academy
• Computer Science for Cyber Security (CS4CS) Summer Program for High School Women -
http://engineering.nyu.edu/k12stem/cs4cs/
• Women’s Society of Cyberjutsu (WSC) - http://womenscyberjutsu.org/
• Women in Cyber Security (WiCyS) - https://www.wicys.net/
Now it gets hard…

• Promote and participate in more diversity initiatives and programs.
• Studies prove the more diverse work groups produce more creative a better
results.
• Arguably the leading resource for information security professionals is the
International Consortium of Minority Cybersecurity Professionals (ICMCP)
(Source: https://icmcp.org/).
• Our industry will benefit greatly through a more inclusive and diverse
workforce.
Now it gets hard…

MENTOR PROGRAM SCHEDULE & CLASS
STRUCTURE
Syllabus (not really), but close.

STRUCTURE
Class Schedule
Date Class Lead Onsite Remote Notes
4/10/2018 Course Introduction/Q&A Brad Brad Evan
4/12/2018 Domain 1: Security and Risk Management Brad Brad Evan
4/17/2018 Domain 2: Asset Security Evan Evan, Brad
4/17/2018 Domain 3: Security Engineering Evan Evan, Brad
4/19/2018
4/24/2018 Domain 3: Security Engineering (cont.) Evan Evan, Brad (tentative)
4/26/2018 Domain 3: Security Engineering (cont.) Evan Evan, Brad
5/1/2018 Domain 4: Communication and Network Security Evan Evan, Brad
5/3/2018
5/8/2018 Domain 4: Communication and Network Security (cont.) Evan Evan
5/10/2018 Domain 5: Identity and Access Management Brad Evan, Brad
5/15/2018 Domain 6: Security Assessment and Testing Evan Evan, Brad
5/17/2018 Domain 7: Security Operations Evan Brad Evan
5/22/2018 Domain 7: Security Operations (cont.) Evan Evan, Brad (tentative)
5/24/2018
5/29/2018 Domain 8: Software Development Security Brad Evan, Brad
5/31/2018 CISSP Exam Final Preparation & Practice Testing Evan Evan, Brad
BREAK
BREAK
BREAK
2018 CISSP Mentor Program Schedule

STRUCTURE
Class Schedule
• There is a boatload of information to memorize for the exam, and you’ll
appreciate the breaks; we’ve built in three of them.
• Evan and/or Brad will lead all classes, switching things up to keep things
fresh.
• We’re easing into things this first week; only this introduction and one
domain (Domain 1: Security and Risk Management).

STRUCTURE
Class Structure
• Every class is structured similarly, starting with a brief recap of the previous
content/session, then:
• Questions.
• Quiz.
• Current Events.
• Lecture.
• Homework (you’ll appreciate the breaks…)

STRUCTURE
Class Structure
• We are here to help!
• If you have any questions, at any time, please send them to
CISSPMentor@frsecure.com
• We are willing to help facilitate a study group too.Whatever it takes to give
you the confidence to take (and pass) the exam and build a career!
• Content will be made available to all students, including slides, handouts,
and video recordings.

WHAT IS A CISSP?
The Certified Information Systems Security Professional (or “CISSP”)
• Maintained by the International Information Systems Security Certification
Consortium (or (ISC)2®
)
• Tests your knowledge (or memorization) of the Common Body of
Knowledge (or “CBK”).
• “a mile wide and two inches deep” (or maybe just an inch deep).
• 2015 CBK, updated in April, 2015
• CBK consists of eight domains… next page

WHAT IS A CISSP?
Domain Changes
Previous CISSP Domain Name New CISSP Domain Name
Domain 1: Security and Risk Management Domain 1: Security and Risk Management
Domain 2: Asset Security Domain 2: Asset Security
Domain 3: Security Engineering Domain 3: Security Architecture and Engineering
Domain 4: Communications and Network Security Domain 4: Communication and Network Security
Domain 5: Identity and Access Management Domain 5: Identity and Access Management (IAM)
Domain 6: Security and Assessment Testing Domain 6: Security Assessment and Testing
Domain 7: Security Operations Domain 7: Security Operations
Domain 8: Software Development Security Domain 8: Software Development Security

WHAT IS A CISSP?
DomainWeights
Major Domains Weightings (Percentage)
Domain 1: Security and Risk Management 15%
Domain 2: Asset Security 10%
Domain 3: Security Architecture and Engineering 13%
Domain 4: Communication and Network Security 14%
Domain 5: Identity and Access Management (IAM) 13%
Domain 6: Security Assessment and Testing 12%
Domain 7: Security Operations 13%
Domain 8: Software Development Security 10%
Total 100%
CISSP Domain Refresh FAQ
https://www.isc2.org/Certifications/CISSP/Domain-Refresh-FAQ

WHAT IS A CISSP?
The Certified Information Systems Security Professional (or “CISSP”)
• For the latest (and official) information about the CISSP, refer to the (ISC)2
website; https://www.isc2.org/Certifications/CISSP
• The four steps to the CISSP:
1. Meet CISSP Eligibility
2. Schedule the Exam
3. Pass the Exam
4. Agree to the Code of Ethics and get endorsed.

WHAT IS A CISSP?
Meet CISSP Eligibility

WHAT IS A CISSP?
Schedule the Exam

WHAT IS A CISSP?
Pass the Exam

WHAT IS A CISSP?
Code of Ethics and endorsement

THE BOOK.
CISSP Study Guide – Third Edition

THE BOOK.
CISSP Study Guide – Third Edition
• ISBN: 978-0-12-802437-9
• Syngress publications
• Eric Conrad, Seth Misenar, Joshua Feldman are the authors
• If you don’t have it, you can get it in a variety of place; Amazon, Elsevier,
Borders, etc.
• I prefer the book in Adobe Acrobat format; easy reference and copy/paste
capabilities.

READY?! LET’S DIG IN.

CHAPTER 1 - INTRODUCTION
EXAM OBJECTIVES IN THIS CHAPTER
• How to prepare for the Exam
• How to take the Exam
• Sticking with it!

How to prepare for the Exam
• The Mentor Program is here to facilitate and get you through this…
• Preparation (bunches of ways)
• Note Cards
• 3x Book Read (Evan’s method)
• Read the book once fast, confusion is expected, but fight through it.
• Read the book again, focus on structure and concepts.
• Read the book the third time, focus on mastery and memorization.

How to take the Exam
• Used to be six hours and 250 questions.
• Now it’s three hours and 150 questions! (not in the book)
• Computer-based testing (“CBT”) at Pearson Vue, used to be paper and pencil (Evan’s
old!)
• Two (sort of four) types of questions:
• Multiple Choice (four options, two are almost obviously wrong)
• “Advanced Innovative”
• Scenario
• Drag/Drop
• Hotspot

BONUS – INFORMATION SECURITY
FUNDAMENTALS
What is Information Security?
• This is a question for you.
• This is a question that our industry still struggles with.
• Don’t forget this…
Information security is managing risks to the confidentiality,
integrity, and availability of information using administrative,
physical and technical controls.

FUNDAMENTALS
What is Risk?

FUNDAMENTALS
What is Risk?
Risk is the likelihood of something bad happening and the
impact if it did.

FUNDAMENTALS
Ten Information Security Principles
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. “Compliant” and “secure” are different.

FUNDAMENTALS
Ten Information Security Principles
6. There is no common sense in Information Security.
7. “Secure” is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no “easy button”.

THAT’S IT. NEXT?
That’s it for today…
• We’re very excited that we get to be a part of your information security
career journey!
• This will be a rewarding experience.
• It will be hard at times, but don’t give up!

THAT’S IT. NEXT?
That’s it for today…
• Homework for Thursday (4/12):
• Please get the book if you haven’t already.
• Please read Chapter 1 (pages 1 – 10).
• We will be covering Chapter 2 Domain 1: Security and Risk Management (e.g.,
Security, Risk, Compliance, Law, Regulations, Business Continuity) on Thursday.
See you Thursday!

2018 CISSP Mentor Program Session 1

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2018 CISSP Mentor Program Session 1

Similar to 2018 CISSP Mentor Program Session 1 (20)

More from FRSecure

More from FRSecure (10)

Recently uploaded

Recently uploaded (20)

2018 CISSP Mentor Program Session 1