The document summarizes a career talk on security risk careers given by four professionals with CISSP and other certifications. They discussed topics like IT risk management roles and responsibilities, common career paths, necessary experience and education, and tips for breaking into the field. The presenters also described their own backgrounds and day-to-day work in areas like risk analysis, vendor assessments, and managing technology and business risks.
This presentation is aimed at a technical security audience seeking to advance into a security leadership role. In this interactive presentation, attendees will learn how they need to apply their technical skills in a CISO or security director role. In addition, they will learn the fundamentals of leading people, managing budgets and projects, presenting to an executive audience, and dealing with other challenging issues security leaders face.
A review of the "lessons learned" in establishing a CISO/CSO role in two different organizations. The things that security folks DON'T tell you...
With more than 50,000 new malware samples created every day, organisations can no longer afford to risk the financial and reputational impact of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to build a roadmap for the best possible protection against cyber attacks. We will provide you with a high-level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Summary: Having clear authority over information security is a goal every organization should achieve. A CISO (Chief Information Security Officer) is the person in the company responsible for protecting the business and its IT infrastructure. The CISO leads a team of security professionals who take care of all the security components within the IT infrastructure.
Presenter: This week’s presenter will be our partner Mr. Daniel Robles, President of Cyborg Consulting, a company involved with Information and Cyber Security consulting, training, auditing and coaching. He is an experienced trainer and consultant with more than 20 professional certificates gained from credible institutions.
With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failure to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.
Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including:
1. State-sponsored espionage and sabotage of computer networks
2. Monster DDoS attacks
3. The loss of visibility and control created by IT consumerization and the cloud
4. The password debacle
5. Insider threats
In the modern-day climate, more and more industries have had to increase IT security spending to protect client and company PII from unauthorized users. The sharp rise in IT security spending was driven in part by the Equifax breach, in which millions of clients' PII was accessed and exfiltrated by an unauthorized party who had infiltrated the system. Many attacks require user interaction to be triggered or to spread, so organizations must be at the forefront of understanding the internal threats their own employees can pose.
How to Build an Insider Threat Program in 30 Minutes (ObserveIT)
People are the core of your business, but they are also responsible for 90% of security incidents. There is no patch for people. To reduce the likelihood of insider threats, you need the right people, process and technology to make it happen.
Join our upcoming webinar and learn how to own the insider threat program at your company.
After this webinar you’ll know:
Terminology – what are the buzzwords (Insider Threat)
People – who needs to be involved to make it happen (exec team, legal, HR, etc.)
Process – how do you operationalize an insider threat program
Technology – how Insider Threat Management solutions work (ObserveIT)
About the speaker:
Jim Henderson is the CEO of TopSecretProtection.com and InsiderThreatDefense.com. Jim is a renowned Insider Threat Defense Program Training (ITDP) Course Instructor and has 15 years of hands-on experience developing successful Counterespionage-Insider Threat Defense Programs.
Emerging Need of a Chief Information Security Officer (CISO) (Maurice Dawson)
This submission examines the emerging need for the Chief Information Security Officer (CISO), including the associated roles and responsibilities. One of the key artifacts associated with the CISO, the security plan, is detailed.
Dr. Shawn P. Murray was invited back to the National Security Institute in April 2013 to speak on a familiar topic, but with a new focus. The accidental insider threat is becoming more of a concern for companies today. Dr. Murray is a Cyber Security Professional and has worked in various Information Assurance and Information Technology Security positions for many years.
Pinpointing the source and scope of data theft is often hard to quantify, especially since your largest internal threat may actually be one of your most loyal employees. This presentation presents the findings of the first-ever global insider threat study that catalogs common practices used by leading organizations across numerous verticals. This presentation will define the insider threat, quantify the prevalence of the problem, and uncover controls that have proven most effective at minimizing the risk of insider threats.
One of the most critical aspects of safeguarding the IT assets of any corporation is dealing with the insider threat. With so many diverse IT components, it is a real challenge to design an effective IT security strategy. It is critical to recognize this particular threat and take countermeasures to protect your assets. This webinar therefore covers insider threats, how to mitigate them, how to design an effective IT security strategy, and how to protect your assets.
Main points covered:
• Insider threats
• How to design an effective IT security strategy
• How to protect your assets
Presenter:
The webinar was hosted by Demetris Kachulis. Mr. Kachulis is an expert in the field of information security. With over 20 years of Wall Street consulting experience, he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering security, training and business solutions.
Link of the recorded session published on YouTube: https://youtu.be/hXe5HHjnBeU
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
This presentation covers:
· Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed;
· How cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities it can offer;
· Why information security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined;
· A simple framework and actionable material.
Deral Heiland - Fail Now So I Don't Fail Later (centralohioissa)
With network data breaches being reported weekly, it appears our implementation of prevention solutions is failing. With the average time to detect a breach being greater than 6 months, our detection solutions also appear to be failing. Maybe these solutions and technologies are working correctly and we are simply not training our teams to manage, maintain, and leverage them effectively. In this presentation I will discuss security testing and validation methodologies that include internal/external pentesting, social engineering, and red team/blue team exercises. In addition I will cover how, using these methodologies, we can better prepare and build a more robust security environment that will keep your organization off the front page.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
Building application security programs from scratch, or dropping into existing organizations with some AppSec functions, can be a war zone. As practitioners are on the front lines of implementing AppSec programs, there is no one-size-fits-all approach and no magic supplier who can come in and solve every problem. It takes dedicated staff to drive an effective program beyond the check-the-box mentality, with a critical focus on security culture.
Through the talk, I'd like to provide insight into the nuances of dealing with different environments large to small and the associated lessons learned to help drive the culture of security to truly provide defensive capabilities and empower the organization.
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
You will gain practical knowledge regarding a range of aspects in the INFOSEC community as part of the CISSO Certification program. It will teach you how to secure assets, monitor them, and comply with data security policies.
How to Boost your Cyber Risk Management Program and Capabilities? (PECB)
The webinar explores how understanding the way your organization behaves in a crisis, when a risk has been exploited, can build the organization's resilience and its team while driving a stronger level of compliance maturity.
Main points covered:
• Information Security maturity
• ROPI
• Risk Management
• Incident Response
• Forensic Readiness
• Table Top Exercises
• Training
• Legislation
Presenter:
Our presenter for this webinar is Peter Jones, an experienced management professional, digital forensic analyst, cybersecurity professional, ISO 27001 and ISO 17025 auditor and University Lecturer. Peter has a wealth of experience and expertise which incorporates knowledge from being an academic and a practitioner in relation to best practice, data management, cyber security, digital system security and digital forensics, where he has conducted thousands of examinations on behalf of law enforcement and the private sector. Peter has extensive information technology and telecommunications experience which ranges from retail to enterprise environments including supporting the BBC with their hit drama series, ‘Silent Witness’.
Link to the YouTube video: https://youtu.be/aREo4l-pDgc
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
Our CISSO Certification course is designed for forward-thinking security professionals that want the advanced skill set necessary to manage and consult businesses on information security.
Information Security Analyst - Infosec Train (InfosecTrain)
Information has exceptional value in today's highly competitive world. It helps organizations in many ways: from making accurate decisions to setting up strategies to achieve their business goals, organizations rely extensively on their information systems.
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
How to Mitigate Risk From Your Expanding Digital Presence (SurfWatch Labs)
The digital presence of organizations continues to expand, and with that expansion comes greater exposure to digital risks. Visibility into those risks is critical in order to effectively manage that risk.
IT Risk Management & Leadership, 30 March - 02 April 2014, Dubai UAE (360 BSI)
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT governance frameworks, new requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken, whether that is to mitigate them, accept them, or ignore them. So, how safe is your IT system? What are the risks your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
IT Risk Management & Leadership, 23 - 26 June 2013, Dubai (360 BSI)
Same workshop description, benefits, target audience and registration contact (kris@360bsi.com) as the 30 March - 02 April 2014 Dubai listing above.
IT Information Security Management Principles, 23 - 26 November 2015, Dubai UAE (360 BSI)
This 4 day training program combines advanced technology and relevant practical experience to develop your IT security policies & create a robust IT infrastructure.
Information security is critical for modern business models today.
Organizations must be prepared to take crucial steps to strengthen their IT infrastructure from both internal & external threats.
Organizations must look to develop a security network that enhances business operations while improving its security position. Successful security architecture combines a mix of the latest policies & practices, technology, and a robust awareness program.
This 4 day intensive training workshop addresses the latest concerns on IT infrastructure and security. Participants will develop key skills and core competencies that will allow them to meet the ever-changing security demands of the 21st century.
Course Participants will:
- Master the tools & techniques for effective information & network security.
- Discover how to create a complete & sustainable IT security architecture.
- Gain knowledge on how to develop sound security policy together with your security architecture.
- Learn how to perform an IT governance assessment using COBIT 4.0
- Learn how to perform smart security risk assessment within your organization.
- Gain valuable insights on implementing a proactive & robust security management system.
- Learn how to detect & prevent information security breaches due to inadequate IT security awareness within the organization.
Who should attend:
Vice Presidents, Directors, General Managers
Chief Information Officers
Chief Security Officers
Chief Information Security Officers
Chief Technology Officers
Contact Kris at kris@360bsi.com for further information.
Mayur Rele - How to become a Cyber Security Expert (Mayur Rele)
Mayur Rele says many organizations look for people who are already experienced in the field or a related one. This no doubt aggravates the short supply of talent. An aspiring cybersecurity specialist can consider internships in any organization.
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina... (Emrah Alpa, CISSP CEH CCSK)
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Finance Industry. ArcSight, Fortify, Voltage, NetIQ, Data Discovery and File Analysis suites.
Information Security vs IT - Key Roles & Responsibilities (Kroll)
Marc Brawner is a Principal with Kroll's Cyber Security & Investigations team. In this presentation to the Tennessee Bankers Association, Marc explains the key roles & responsibilities of the information security and information technology teams for increased cyber security
How to Become a Cyber Security Analyst in 2021 (Sprintzeal)
In today's tech era the internet has become almost as essential to daily life as the air we breathe. We are deeply tied to what happens online as we live in this technology-driven era: we continuously use the internet and feed our information into computers and phones, and work that used to take hours or days can now be done with one click. Every advance has a downside, however. The information stored on computers increases the rate of cybercrime, and any company or individual can fall victim to these perpetrators. This is hazardous not only for an organization but also for the nation, which is why cybersecurity analysts are in demand.
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25... (360 BSI)
This 4 day intensive training workshop addresses the latest concerns on IT infrastructure and cybersecurity. This course covers effective strategies, techniques, systems, policies, and procedures to establish stronger cybersecurity and cybercrime controls, reduce operational risk, and improve online working whilst covering international best practices, ISO standards, compliance, audit, and industry regulations.
Course Participants will:
- Develop strategies and ways of working to improve detection of cyber security threats and improve information compliance
- Understand the security-related international information compliance and regulations, including industry specific standards
- Expand the expertise of personnel involved in developing skills and knowledge in the latest techniques, processes, and systems on cyber security, which will enable teams to become more effective
- Align cybersecurity, cybercrime and information compliance within the organization with related initiatives, including HR training and legal departments
- Help managers gain more confidence in cyber security awareness and understand information compliance in their industries
- Improve the overall process for secure working and reducing risk when dealing with different kinds of information such as confidential and sensitive data
Contact kris@360bsi.com to register.
Quick Summary:
What are cyber threats and why are they a big deal
How to figure out what risks your business might face
Cool tricks and tools to keep those cyber baddies away
How to put it all together into a plan that makes sense for you
Title: How To Fix The Most Critical API Security Risks
Description:
Businesses are constantly looking for ways to improve their operations. One way to do this is by using APIs. APIs allow businesses to automate workflows, systems and applications. This can be helpful in many ways, but it can also be a source of security risks. If your business uses APIs, it is important to take precautions to protect them from cyberattacks.
Learning Objectives:
Importance of APIs in the digital ecosystem.
Understand the top API Security risks.
Practical tips to effectively secure APIs and workloads.
Niloufer Tamboly presented "Top Ten Challenges of Securing Smart Infrastructure" at the New York Metro Joint Cyber Security Coalition 2020 Conference & Workshop on October 22, 2020.
Niloufer Tamboly and Mallik Prasad presented 'Securing The Journey To The Cloud' at the first (ISC)2 New Jersey Chapter meeting.
Chapter officers:
Gurdeep Kaur, President
Niloufer Tamboly, Membership Chair
Mallik Prasad, Secretary
Anthony Nelson, Treasurer
QR codes are being leveraged for fraud, and public trust degrades when bad actors weaponize technology, for example by using email for phishing, deploying ransomware, or calling users to intercept one-time passwords.
Once users are scammed, or hear about scams from people they know, distrust of the technology develops, which leads to reluctance to use it.
We rely on technologies such as email, one-time passwords and QR codes to deliver services to our customers efficiently, secure them, and reduce cost. In this presentation we are going to learn how to drive digital trust one code at a time.
The Scholarship For Service program provides funds to colleges and universities for student scholarships to support education in areas relevant to cybersecurity. In return for their scholarships, recipients must agree to work after graduation for the Federal Government.
https://www.sfs.opm.gov/ProspectiveStud.aspx
As IoT devices are deployed in physically exposed environments, there is a need to protect the hardware: Medical IoT, Consumer IoT, Secure Smart Cities, Industrial IoT.
The (ISC)² CISSP (Certified Information Systems Security Professional) IT security certification is the industry's gold standard. These are the 5 ways to improve your CISSP exam score without studying.
Exploring Career Paths in Cybersecurity for Technical Communicators, by Ben Woelk, CISSP, CPTC
Brief overview of career options in cybersecurity for technical communicators. Includes discussion of my career path, certification options, NICE and NIST resources.
How To Become An IT Security Risk Analyst
2. Security Risk Career Talk
Chris Dozier - CISSP, CSSLP, CCSK
Matt Mescher - CISSP, CISA, CRISC
Prabha Jha - CISSP
Niloufer Tamboly - CPA, CISSP
3. Disclaimer
The views expressed in this presentation and during the session are the personal opinions of the participants and do not reflect the official policy or position of their respective employers.
This discussion is a volunteer-led effort to contribute to the profession and pay forward the many kindnesses and instances of support and guidance that the participants have received in the course of their careers.
#payitforward #riskcareers
4. Chris Dozier
Chris Dozier brings years of experience in application development, security and risk management. He has led development teams throughout his career, primarily focusing on traditional and cloud-based applications requiring multiple levels of compliance and security. He currently maintains CISSP, CSSLP, and CCSK certifications in addition to an MSIA.
Throughout his career he has focused on training development teams in secure-by-design methodologies, enabling them to implement DevSecOps pipelines. He has also focused on automating and integrating GRC components into the SDLC to further create efficiencies and increase profitability through security and standardization measures.
5. Matt Mescher
Matt is a cybersecurity professional who is always curious and loves to tinker.
He believes “There is nothing that can’t be broken or improved upon.”
Over the last two decades Matt has solved problems and reduced risk within Retail, Finance, and Telecommunications companies.
His active certifications are CISA, CISSP, CRISC and PMP; his education includes a Bachelor of Science in IT, a Master of Business Administration, and a Master of Science in Cyber Security, Network Defense.
6. Prabha Jha
Prabha is a strong Information Security & Risk Management leader with varied experience who thrives in an ever-changing agile environment. She has deep knowledge of security, cloud-based third-party assessment, eCommerce, digital operations, AI/ML platforms, and vendor management in association with security risks in a business environment.
Prabha Jha (Sr. Manager - Risk Management & Compliance) is responsible for bringing transparency to existing Information Systems risk while helping to build trust in the process. Her team provides IT Risk expertise to Business, Operations, and other Functional Areas for ongoing Information Systems control & compliance.
7. Niloufer Tamboly
Niloufer is a risk management professional who helps companies launch profitable products and services by managing technology and business risks.
She holds multiple certifications in IT Security (CISSP), Audit (CISA, CIA) and Fraud (CFE). She is a Certified Public Accountant licensed to practice in the State of New Jersey.
Niloufer holds two patents: "System For And Method of Generating Visual Passwords" and "Establishing An Alternate Call Path Using Short-Range Wireless Technology".
She is the co-founder and President of the (ISC)2 New Jersey Chapter.
8. Agenda
• Overview of IT Risk Management
• Types of Risk Roles
• What is compliance?
• Risk Management Career Paths
• Education & Experience
• Certifications / Training
• Tips for newcomers to the field
9. Overview of Risk Management
• What is risk management?
• Types of reviews
• Risk Categories – Finance / Operational / Vendor / Technical (Cyber)
• Risk in the Information Security and Compliance context
• What does the IT Security Risk job entail?
• How to launch your IT Security Risk career?
10. Risk and Compliance Impacts All Aspects Of The Business
Security
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
Compliance
- Finance
- Healthcare
- Regulatory
- Industry
- Privacy
- Internal Policies
Diagram labels: People, Process, Technology, Operations, Network, Data; Risk; Compliance
11. Day In The Life of An IT Security Risk Analyst
• Vendor Assessment Lifecycle
• How to safely onboard new vendors
• Assess New Technology Risk
• Control Definition, Testing Methodology and Sampling, Walk-throughs, Interviews, Evidence/Artifact Collection, Documentation, Testing Validation, Data Analysis and Enrichment, Test Results & Reasonable Assurance, Gap Analysis, Types of Non-compliance/Gaps, Mitigating Controls, Mitigation Action Plan
• Different roles in an IT Security team
12. How to Launch Your IT Security Risk Career
Education
• Bachelor's Degree in Information Technology or Computer Science
Experience
• Information Technology
• Security
• Domain Specific
Certification
• CISSP
• CISA
• CRISC
13. Education and Experience - FAQ
• What is the minimum education requirement?
• Does it need to be formal or informal?
• What are some things that are nice to have?
• What if I don’t have a technical background?
• Is it necessary for me to have IT experience?
• What if I don’t have any?
• What will help my resume stand out for an IT Security Risk job?
14. Certifications
Security Certifications
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Cloud Security Professional
• Certified Information Privacy Professional
• Certified Information Systems Auditor (CISA)
Other Information Technology Certifications
• AWS Certifications
• CompTIA Certifications – Security+
• EC-Council – Certified Ethical Hacker
Knowledge of regulations and standards such as Sarbanes-Oxley (SOX), PCI DSS, HIPAA, GDPR, CCPA, GLBA, FISMA, FedRAMP, NIST CSF/800-53 and ISO 27001 is very helpful and often required for IT auditors.
15. Typical Career Paths
Aspiring IT Risk Analyst
• Big Four Accounting Firms path: Associate → Sr. Consultant → Sr. Manager → Director
• Industry path: IT Support Engineer/Analyst → IT Risk Analyst → Risk/Compliance Manager → Director of Security
Jobs in Information Security, Technology Risk Management, Cyber Assurance
16. The Human Element
Attributes of a Successful IT Security Risk Analyst
• Good with Technology
• Attention to Detail, Thorough, Focused
• Good at Collaboration, Teamwork and Documentation
• Intellectually Curious – Critical Thinking and Professional Skepticism
• Excellent Verbal and Written Communication Skills
• Lifelong Learner
• Ability to grasp the big picture quickly; Know the right questions to ask
• Emotional Intelligence - comfortable in potentially awkward situations and conflict resolution
• Business Acumen (learn/know the business)
• Understand Legal Ramifications, especially for non-compliance
Know yourself; know what the job entails. There is nothing worse than getting what you want only to find out it is not what you really want and/or you are not a good fit for that kind of job.
17. Tips for newcomers / in transition
• Learn about IT security risk (online or in-person classes, magazines, blogs)
• Become familiar with technology concepts and technology trends
• Network (reach out to people on LinkedIn or through current contacts)
• Get certified (CISSP, CCSP, AWS Certifications to name a few)
• Volunteer (best way to gain experience if your current job doesn’t provide you with that opportunity)
• Join relevant organizations (e.g. (ISC)2, ISACA)
• Attend industry events
• Keep abreast of industry news
• Follow the big consulting firms (EY, PwC, KPMG, Deloitte, McKinsey)
• Look for openings at local audit firms
• Be realistic in your job hunt; focus on what you have to offer; don’t look for a perfect fit