Jan. 30, 2024

From Tech Support to Senior GRC Manager: A Professional Transformation


Start your GRC Career with TechPreneurs Club

Hey there, tech enthusiasts! Welcome back to The TechTual Talk. This is episode 115, and today, it's all about "Get In GRc." I'm Henri, your guide through the tech jungle, and boy, do we have a treat for you!

Joining us is the super savvy Jordanne, who's mastered the game of GRC, and she's here to spill all the tea. From her accidental dive into the world of PCI compliance right out of college, we're going deep into how our past gigs and college majors turned out to be the GPS for our careers.

We'll be chatting about those lightbulb moments that made us think differently about making bank, and how we went from fresh-faced college kids to big kids playing in the tech sandbox.

Jordanne's going to drop some truth bombs about a job interview that was more like a bad quiz show and how certs alone aren't the golden ticket in our world. And get this—we'll talk about using the good ol' boob tube to make cyber stuff stick in people's brains easier.

We're not just going to hang out on the surface; we're going to go deep into the serious biz, like the importance of stepping up for yourself, never hitting pause on learning, and why you've got to work those soft skills like a boss.

Plus, we've got the scoop on what's scary in data privacy, the rise of deep fakes, and how to armor up against the cyber baddies that keep changing their stripes. If you're curious about PCI compliance or climbing the GRC ladder, Jordanne's lived to tell the tale.

We're all about sharing that good karma, so we've got a code for a free 14-day trial with Aura to keep your data on lockdown. And yeah, we'll remind you: Don't go wild with that tax return—invest in your tech future instead!

So, come hang with us. It's going to be a laid-back chat with solid gold info, whether you're just breaking into tech or you're a walking IT encyclopedia. Time to Get In GRc with The TechTual Talk. And remember, we're all about keeping it real. Catch you in a sec!

Support the show

If you enjoyed the show don't forget to leave us a 5 star review, to help with the algorithm :)

Email: henridavis@thetechtualtalk.com

➡️ Need coaching help then go here (ask about our financing)⬇️
https://techualconsulting.com/offerings

➡️ Want to land your first IT Job? Then check out the IT course from Course careers use my link and code Techtual50 to get $50 off your course ⬇️
https://account.coursecareers.com/ref/50932/


➡️ Need help getting into Cybersecurity for a low price then check out Josh Madakor's Cybersecurity course at Leveld Careers and use my code TechTual10 to get 10%off your course.
⬇️
https://www.leveldcareers.com/a/2147530874/RuqjrBGj


If you want a high paying role in the cloud then click here⬇️
https://Levelupintech.com/tech


Stop data brokers from exposing your information with Aura!

Click the link below to try out Aura's FREE 14 day trial and see if your personal information has been compromised🔽

https://aura.com/techtualchatter

Chapters

00:00 - GRC and Career Path in Tech

13:30 - Value of Networking in Career Growth

16:31 - PCI Compliance and Security in Finance

25:04 - Transitioning Into Governance, Risk, Compliance

33:25 - Advocacy in the Tech Industry

43:44 - Navigating Careers in GRC

47:06 - Continuous Learning & Certifications in GRC

56:47 - Interview Experience, Encryption, Power, Hot Takes

01:01:09 - Data Privacy and GRC Exploration

01:09:31 - Navigating Cybersecurity Frameworks for Compliance

Transcript

Speaker 1:

Welcome back to The TechTual Talk, the podcast where we talk about tech news, career advice, business advice, life advice and much, much more. I'm your host, Henri, and today is episode 115, and it's all about GRC. Joining us is the super savvy Jordanne, who's mastered the game of GRC and she's here to spill all the tea. From her accidental dive into the world of PCI compliance right out of college, we're going deep into how our past gigs and college majors turned out to be the GPS for our careers. We'll be chatting about those light bulb moments that made us think differently about making bank and how we went from fresh-faced college kids to big kids playing in the tech sandbox. Jordanne's going to drop some truth bombs about a job interview that was more like a bad quiz show and how certs alone aren't the golden ticket in our world. We're not going to just hang out on the surface. We're going to go deep into the serious biz, like the importance of stepping up for yourself, never hitting pause on learning, and why you gotta work those soft skills like a boss. Plus, we've got the scoop on what's scary in data privacy, the rise of deep fakes and how to armor up against the cyber baddies that keep changing their stripes. If you're curious about PCI compliance or climbing the GRC ladder, Jordanne's lived to tell the tale. We're all about sharing that good karma. So we also have a link for a free 14-day trial with Aura to make sure your data is safe from privacy brokers. So come hang with us. It's going to be a laid-back chat with some solid gold info, whether you're just breaking into tech or you're a walking IT encyclopedia. Time to get into GRC with The TechTual Talk. Remember, we're all about keeping it real. This video is being sponsored by TechPreneurs Club. If you're interested in getting into GRC, then watch this.
TechPreneurs Club provides comprehensive training in governance, risk and compliance, empowering individuals to play a pivotal role in fostering trust between organizations and their valued vendors and clients. Here are some of the things that they offer in their program: recorded video content, live sessions, advisor meetings, meetings with coaches, resume and account bidding and job applications. In the last couple of years, one of the hardest things for people to do is take all the information they learned and put it together in order to stand out in the interview process, and that is what TechPreneurs shows people how to do going through their program. Here is some of their alumni work and here are some of their success stories. So if you're interested in starting your career in GRC, then I suggest you check out TechPreneurs Club. The link will be in the description below. Welcome back to The TechTual Talk podcast. Welcome to your host HD. If you're watching us on YouTube or listening on Apple Podcasts or Spotify, you know, do leave us a review. Share out the podcast, it really helps us out in the algorithm. And if you're still on YouTube, please hit the subscribe button, hit all the notification bells so you can be notified when I'm dropping a lot of new content. This is episode 115, and I ain't even tired of it yet. It's a Saturday. It's going to be a double double for me. Y'all know what that means. Later, after I log, we've got a great guest for you guys. I know you guys hear about GRC all the time. I did a couple of episodes on it, but now I found like a real veteran in the game and she's coming to tell us about GRC and why you should get into it. So let's welcome my guest, Jordanne. Jordanne, how are you doing today?

Speaker 2:

Doing great. How are you?

Speaker 1:

I'm doing good. I'm getting ready to go for a double double, and I think this is going to be an excellent episode. We started off pretty well, all right, so can you just tell the audience a little bit about yourself?

Speaker 2:

That is a loaded question.

Speaker 1:

Yeah, a lot of time Right.

Speaker 2:

So, as you said, a GRC veteran, feel like a GRC OG. I've been in GRC for like nine years, this year will make nine years, but I've been in IT for 11, 12 years. I don't even know where to start, but pretty much I got my start with GRC and PCI. I worked for an e-commerce company and at that point I was doing tech support and that was my first job out of college. I sucked at tech support. I hated talking to the customers and like my people skills is just not customer. So I wasn't doing good at the job. And they had a project, they had just developed software that needed to be PCI. So I was just like, yeah, sure, I'll do it, I'm trying to prove to them that you know I'm valuable, to keep me at this job because at the time they had just got interns and the interns are doing the same thing that the tech support people is doing. But they got them cheaper. So I was like, do you really need me if you have these interns? So I pivoted to the project. So that project I helped them with PCI, got them their first ever PCI level one certification and it was up from there. I became their cybersecurity administrator and that was really my first step into cybersecurity.

Speaker 1:

That's cool. Everybody around our age range kind of has to go through those similar paths. It's changed now. That's why I don't normally tell people, hey, you got to go do tech support and so on. I was like because it's a little bit different. I'll say easier is a relative word to use, but it is different now.

Speaker 2:

I feel like easier, like you said, like when you had a department that you can pivot from. It's easier versus now trying to get your footing in. You're just coming in straight into the company, versus like you worked at some other, like sales or something else.

Speaker 1:

Yeah, well, I was just saying like now, like you said, you can just come straight in and possibly do something else, but you got to have network and everything else. Where back then, it wasn't about people talking about cybersecurity and you wasn't about the most time, leave school and get a cybersecurity job. You're going to be doing what you was doing or what I was doing in 2014. But you say it's something interesting. But before I get to that question about the PCI level one, I wanted to ask you briefly before we get into like professional stuff. I see that you went to USF. I'm saying it right, right? Yeah, I think my last guest went to USF too. She's younger than us, her name is Micaiah. I believe she went there as well.

Speaker 2:

Okay.

Speaker 1:

And I think my friend Patricia went there as well.

Speaker 2:

I was like look at all these.

Speaker 1:

Florida people. I'm coming on, they come and say but I want to ask you briefly, like what did you, what did you major in in college, and how the college prepare you to go into the career field that you're in now?

Speaker 2:

My degree is in information studies. I believe Information studies, but pretty much. When I started school I chose a major computer science. So I was a computer science major. After I pivoted from business when I got to college. I really wanted to be a music producer but being Jamaican, that would be frowned upon in our community. So I was like I'm going to just go be a business major, get my business degree and do that. But I failed. I don't remember what the class was, whether it was like macroeconomics or something, and I failed that class like three times and I was like this is not for me. In high school I was in an IT academy so I graduated with like, like IT honors and things like that. So I just went to computer science because it was easier. And during the time I was looking for an intern, my junior year and when I'm looking for internships, all the internships said pretty much IT or computer science or computer science and IT related degrees. So I'm like thinking like why am I busting my butt in engineering and Calc when I can just get IT? And I switched my major to IT. So, being at USF, they took away the IT major from their main campus and I ended up in one of their other branches and they changed the majors to like information studies, so, but it's an IT degree. Cybersecurity was not an option at that time, but I have the most basic IT degree.

Speaker 1:

I think most of us do. I start off in pre-architecture and say, hey, I like computers, so I'm going to do CIS, and that happened. I think I made that change quick. It was one quarter. One quarter is all it took for me to realize I didn't want to be an architect.

Speaker 2:

The commitment like the 10 year commitment they would live in too.

Speaker 1:

So the architecture buildings called Hill Hall. So they were being there working on projects, going to sleep, and I looked at all the work there was going on and what they would start off making. I was like, nah, this ain't it, let me go try to enjoy college and choose a much easier major. And so that's what I did. I picked something that I know I'd be good at anyways and I knew 10 years ago to where we are now will still be in demand. What is CIS, computer information systems. Oh, so it's really all the same thing with IT, whatever Management information, all of them really the same.

Speaker 2:

Everything. That's when I when I seen IT, I said, yeah, let's switch to IT.

Speaker 1:

I found a. I had this video on my channel from four years ago but it's a little chart. I found that they had the college of business and they said, oh, these people make this. I was like, okay, you ain't got to tell me twice For real. I mean, coming from my background, people wasn't making any money. So I guess crazy to back then of how small my mindset was. I was like I just want to make. I think I want to make like $68,000.

Speaker 2:

You know at least you know what kind of money you wanted to make. I never had money, or new money was an option until, like, I got into my career. But I was doing what came easy to me. I always did IT. So I was either going to be a music producer, a videographer, like anything with IT it was just easy.

Speaker 1:

And I was like, yeah, nah, I feel you on that one, cause I was like, had it, had it my way, I've been one of two things a wrestler, or I would have been like a professional drummer. I mean, I played at church but like my cousin in the room, they're like still in the hometown, so they're actually still a part of another band where they like cover band and go play places and stuff like that, which is he probably forgets that I've mentioned this years ago, almost 10 years ago, like yo, we should go play at weddings. I know for a fact that I said that cause I wanted to do that. But being a musician is not as stable and you got to make a lot of sacrifices until you kind of like hit it off and this economy. That's kind of tough to do.

Speaker 2:

What do you got TikTok. Once you get famous on TikTok, once that little snip.

Speaker 1:

Well, you got to think about it. I'm practicing everything back in 20, 20, 2013, 2014. So I'm thinking back then, like now, if you got any type of professional trade or something like that, a person like me likes watching it. I like watching people paint, cut grass, build stuff in the bathroom. These people get paid on TikTok just for doing that. So they put the content out. Like my dad knows how to finish concrete. I mean, I'm not there with him, but if my brother start going with him and they start recording it, I was like, hey, shoot, pops can blow up on TikTok just for showing people stuff. And I want to go back to the money question very quickly, because I think that a lot of us from our community don't know about that. When it comes about the money or what even to think about, and the reason why I say that is as I got older, I realized, hey, the type of money that I want, if I think about it and manifest it, eventually it comes to me in some sort of way, and sometimes you can get that earlier if you're taught it. But then if you learn it, then it's like okay, cool, that's happened with everything like women, cars, careers, opportunities, anything I've thought about. I just really put in the work and then thought about, okay, I want to do this. It eventually happens. It's maybe not always on my time, but it happens. And I have a mentor at the time that really put things in perspective for me when he was like yo so how much money you want to make, and once I started being specific about what I wanted, that's one thing that's gonna happen.

Speaker 2:

That's good. I had a mentor. I wish you would. My mentor did give me some good advice, but before I go to that advice, when it came to the money thing, when I was tech support and then they finally promoted me to the information security administrator, that promotion was about a good like 30k, right. So now I'm making close to 60k in this job and that was a lot of money to me at the time because I was really young, but at that time I'm like 24, making 60k. That was a big deal. So I'm thinking I'm making money. I went to DEF CON for the first time and I think there was a Blacks in Cyber like meetup. There was just a large group of Black people and we were like having drinks, eating and people started talking about how much they were making and someone said, I think someone says they made like 190 and people are just like spitting out other six figures and I'm looking and I'm calculating and I'm like, yeah, you can make that much money in the field. So after I left DEF CON I wanted to find a new job and I had told my mentor and I was getting like interviews but they wanted to pay me like 68, like stuff like that. It wasn't enough for me to like leave the company I was at. But my mentor was just like, scared money don't make any money. And once he said that I was like I'm shooting for the stars and I definitely doubled my income.

Speaker 1:

The next role that I took on as a contractor- Nice, I'm glad you said that, though it's a recurring thing that I bring in. A lot of my episodes is about a network of people you know. Most of the time if you're a loner and don't know people in the same industry, you probably will be remained underpaid because you don't know. Think about you said 60. I knew this is how I knew when I was getting underpaid. Even back then I was getting like 17 an hour when I was doing the help desk stuff. Everybody was contractors at the time. Another guy on our contract, he was at a different contract. He was already at that role getting like 35 an hour just to do that and he got out of that role and went to another role like across the hall that was paying like 45 an hour to do really less work but get paid more. So then when I started realizing I ain't really getting paid what I need to get paid, because I started realizing at help desk I was doing more work than everybody else but we get paid the least and honestly I think our help desk is just gone like hard help desk, not the help desk you just plug anybody in, but the ones you need skills for gone, strike, get your money so they realize that they need you because they get over a lot just because the and that's the reason I tell when I do my consultations and listeners and viewers hope you're watching. A lot of times when I say, hey, I look at your roles and what you're doing and if I do your resume I change from help desk. I was like they put help desk and stuff on here so they can justify paying you a low wage and if you were system admin or system engineer or whatever other title, they would have to pay you more because we have engineers. And I was like they don't. They know you don't know that they know that most of people that they surround you with on that help desk getting paid relatively around the same, so they are good. It's not until you bump into somebody who is a cloud engineer and they say oh yeah, I'm making 150.
And they tell you what they did is. And you was like I kind of do a lot of this stuff that they doing, but I'm getting 50,000. That's when they should be scared. That's, that's definitely a good story. I'm glad that you were able to bring that up. Now, what did you? So I know you said you helped them with the PCI level one. That's what it's called, right? PCI level one. Okay, can you talk about what, like? First of all, we've probably gave these people the acronyms and maybe we got some first time listeners or some novices in tech. Yeah, can you actually even explain to them what PCI is?

Speaker 2:

Yeah, so PCI stands for Payment Card Industry Data Security Standard. This is brought by the different merchant groups, so that's going to be Visa, Mastercard. They have a set of security regulations for any organization that takes credit card information. So they're taking credit card information. They have to go through a set of requirements, which is 12 requirements from PCI, and those 12 requirements have sub requirements. It ranges from network segmentation, making sure you have information security policy, that you do security awareness training, encryption, things like that. So there's different levels. So level one is really kind of like they're, I want to call it their basic one, but more geared toward like if you're doing like online stores and things like that. So there's different levels but a very rigorous, painful audit. So if anybody has gone through PCI, they have to abide by PCI. It's kind of a really good footing for framework for GRC because you can really get to learn the details around security, because once you really comply with PCI, you kind of can fit into anything, any other framework. So NIST, ISO, things like that. But pretty much it's to make sure that you can take credit card information safely and that you're protecting customized data.

Speaker 1:

Yeah, I appreciate you for that. That, that definition. I just remember, like my first role in Dallas was actually at a company. Well, they, they were absorbed by income. People are familiar with income. They do payment card stuff as well, and the specific company that I worked for was online strategies and they had developed some type of software that all the companies wanted for, like gift cards and everything else. And I didn't know at the time what industry I was actually in. I knew what we were doing, but I didn't have a mentor then to say hey, you could even know I was working at a NOC. I technically could have started pivoting more into PCI stuff just because of all I did in the NOC. We monitor transactions for our different companies. Make sure they weren't down there. A couple of times that incidents happened there where you could listen to the call, figure out what's going on. If you don't take that stuff the right way and you say, hmm, I can learn this stuff, you could go now and you're probably doing PCI DSS. But they, I do know for a fact, like all those companies, they do pay well when it comes to the higher up roles, because it's critical dealing with money, dealing with important information, and that's the whole reason why even when you start, I mean if you go overarching when it comes to cybersecurity, why the salaries are higher just because you're paying for protection. So after you help them get level one certified in that first cybersecurity role there, what did that consist of? Because I saw the role when I was looking through like your LinkedIn and I don't know if you could kind of remember that far back, kind of like you know the gist of your role. But if you could, could you talk about it?

Speaker 2:

Oh yeah. So in that role with helping them become PCI compliant, they didn't have security in the organization so I had to help build that from like the ground up. I had to help, I had to figure out how to write a policy, write a procedure, a standard. I worked for the CIO at the time so I leaned on him heavily to get buy in, to get the engineers, the sys admins, it to kind of pivot and shift to, you know, embrace security so we can meet this compliance. But I did the overall. I was responsible for the overall compliance for the organization. Making sure I scheduled the pentests, making sure that the vulnerability scans are done quarterly. Everything that PCI is asking us to do was what I was responsible for. And also at the time the company I worked for was based out of California, so CCPA and GDPR was starting to become a thing, so I had started doing like privacy stuff for the organization. But everything GRC really, this really was responsible for. So governing, making sure that we're keeping up with our quarterly and periodic reviews that we need to do. When auditors come, I'm the one that they speak to, making sure security awareness when training gets out, and I had to figure that out out within the nine months that it took us to get that certification, so it was really like a fire hose effect. I'm grateful for the experience now, but it was tough.

Speaker 1:

Yeah, because you listen to all the stuff you doing. I'm like, and they, first of all, that was based out of California, but they thought it was okay to pay you 60 K. They knew that was well, I live in.

Speaker 2:

I don't care where you live.

Speaker 1:

They knew for a fact they was getting over. That's the role you was essentially doing a director role and a manager role and whatever endless role under that.

Speaker 2:

I was so young I wanted to like get out of this.

Speaker 1:

I mean, but you did that to your saying you got so much. You can still. You can still go and interviews and talk about that right now and get a job just because of how extensive that is, but they knew for a fact that it was getting over. I bet that CIO went in pay 60 K he was. He was Exactly, and they learned a valuable lesson they lost you because they underpaid you.

Speaker 2:

I don't know. I was like, at the end of the day, you're a number two.

Speaker 1:

Oh, yeah, that's all I've been talking about and I say it all the time, even when the feds be watching. That's cold. For other stuff I can tell you off the line about the feds be watching my page, that's cool. So you said the next contractor role. What title was that role? I mean, I know we think about security, but you can give me just like a title or whatever you want to say to top in the air.

Speaker 2:

No, after I left that organization I ended up getting an opportunity for a contract role and my title said risk analyst. But when I got into the role I was really internal audit for the technology risk group. It was a financial organization, so I was really internal audit before internal audit comes in to make sure that the technology groups could pass their internal audit. So any previous findings they had, any risk, any gaps, we tested them, we gathered the evidence and we helped them close out and mitigate their risk.

Speaker 1:

Check you out. No wonder you got that bag. You went to the finance sector. I do tell people that, though like the pro is like you can get paid a lot, the con is sometimes finance operates just like the government does, in a sense of like that technology and late to adapt and it just so much red tape. And now I got to touch on something that you said earlier and I forgot about it, but you said something that was huge of why either people stay at a company or leave when they want to make change to cybersecurity. And you said you worked with the CIO to get buy in from other departments, and a lot of people understand how hard that is to do, because if they get it from them, then they had no choice but to conform or they out. That's the reason why, like a lot of hold up happens is like everybody want to do something their own way until somebody come down with the hammer saving dog. We got to do this.

Speaker 2:

Pretty much, and the issue is really like you've already had this culture right. I was their first security person. This is the first time they've had to adhere to like a security framework, so they don't want to do these changes. They don't get the purpose of implementing these rules or different things. Mind you, it's just checking a box Maybe you're you know, running a little script or something like that, but they were not open to change.

Speaker 1:

Yeah, that's that sucks. Now I'm going to. These are some of the. We'll do this right here in the middle real quick, some of the questions that we typically see on the Twitter or the LinkedIn. So, but what part of GRC do you currently work in?

Speaker 2:

I feel like that's a hard question for me to answer because now I'm still. My title is literally cyber security GRC manager. I'm responsible for the overall compliance for GRC in the organization. That means our risk that we have. I do the risk assessment. I make sure that we mitigate those risks. Compliance the organization I work for now also does PCI. I just finished their PCI audit last year in December. So I work in all facets. So, like when I was a risk analyst, that was the risk portion right, but I work in governance, risk and compliance in this role.

Speaker 1:

So, with that being said, then how would you advise? Like, if we got a new person, we'll do a scenario that they have worked, because I work with people that did like all type of stuff for retail baristas, you name it. We're going to say this person, let's say this person, they've been a teacher. So let's say, a person wants to come from like education and then now they want to get into governance, risk and compliance. What would be some of the things that you would tell them to look into, to kind of build their foundation, to get ready to embark on this career path?

Speaker 2:

That's tough. I try to get people to like leverage the skills that they already have. So if you're a teacher, you already know how to keep on top of schedules. You know they're developing coursework all the time, but really just getting the basic knowledge. So Security+ is what I will always say and, out of everything, utilize for resources. YouTube is free, okay, and your network. Try to meet other people. Go to conferences. I went to a security summit because I got a free ticket. You never know what's out there, but I always try to tell them start with the Security+ and leverage the skills that you have. I feel like it's harder to say see if you can switch departments, especially if you're a teacher. Right, you're not going to go into the IT department. Really going to work and actually why not teach cyber security? Once you learn it yourself, you're already a teacher.

Speaker 1:

You know it's funny that I did one of my first episodes I did with her. What's her name? Something I'm out of T training. I cannot think of her real name. We follow each other on LinkedIn. I haven't talked to her in a minute, but I need to get her back on for episode because that's what she would do. She used to go to different companies and teach people like the skills they needed or training for certifications. It's a matter of fact. It's a woman on my TikTok. I think she's a teacher. She got Security+ and she made these flashcards and she got this stuff to help people get it. Initially, I actually reached out to her because it wasn't to try to bash her, but because I've been in this space. I've seen so much fugazi stuff. I just wanted to talk to her behind the scenes. I think I said what do people get with getting this or your qualifications or something. Like I said, we still fight each other. It wasn't like no ill will. I think she saw that I probably was coming from a good place, because I deal with people coming to me and they've gotten the worst advice ever. It's a guy out here with a, here's a bootcamp. It's not a program. Our program actually is showing you skills that it may not just pay off when you finish, but eventually it'll pay off. Here's a bootcamp where I know for a fact all they're doing is getting Security+, Net+, AZ-900, some Splunk stuff and applying to like 1,000 resumes. It's like 8,000 bucks. I got the screenshot. I can send it to you. I've talked about this person before on the pod, but I was just like that type of stuff, right, there is just you can spend way less than that and go take a little cert on your own by yourself.

Speaker 2:

That's why I try to tell people like please be resourceful. I don't know what happened in the last couple of years, maybe because we all been at home, we burned out, but people are not resourceful.

Speaker 1:

They won't. They won't Google, or sometimes to have consults with me, they ain't writing no questions. So it's like, okay, I know how to do this because I've been doing it so long, but if you want to have your best consult with me, please write down your question, because at the end of the day, you paid me to talk to me. So just like when I'm getting ready to interview for a role, so handy dandy book got questions in it. Like, ask your questions.

Speaker 2:

But I'm sure when they're coming to you they want you to just give them the answers. They think like once I talk to HD, he's just going to give me all the tools and I'm going to.

Speaker 1:

Well, you know what? I have a unique set of followers and people that rock with me. They are... A lot of them are familiar with my content, so they know I'm like no nonsense, I'm straight to the point. I'm straight, no chaser. So they don't come to me with those expectations. They just want the one-on-one time to get their certain needs addressed and I like that. Over these four years I've kind of built that out. I've always told people hey, I'd rather have a thousand silent people rock with me over having 200,000 subs. That's only 300 people rock. I told Upset for the longest. I want what I say from this mouth to be highlighted more than anything. I ever show you Like far as, oh, you can be in cyber and do this and that which you can, but, like you said, you decade in. I'm a decade in now. It takes a lot of time to just stay in and maintain and keep on getting better, and that's what a lot of people are bringing on. When we're like experienced professionals, we tell people a lot about our time. But of course you see on Twitter anytime us with that's been in the game and trying to just tell people hey, relax and put in the work, we gatekeepers. But some of these people didn't got laid off in these last couple of years and they realized that there was something to truth, or some people who needed some help, who didn't want to invest in the help still in the same place they was four years ago. It's like it's a lot of different things, and last night I actually made a tweet and I told people. I was like do y'all know how rich I be if I told y'all, hey, come book with me and getting security in two weeks, just because I had one person to do that? I was like, would I be lying if I said that? No, however, I will be setting a lot of false expectations for people who want to do service with me, and I couldn't consciously do that. That's only happened to one person and that's just the luck of the draw.
That same one person was able to double the salary in less than a week, and then a year and some change later, I helped them double the salary again, but that's not the norm for all of my clients, so I never tell somebody hey, come in, I'm happy to be a seller. It just really depends on the luck of the draw, how the company likes you, how you sell yourself, all the things that is really based on you and not necessarily me, is what also goes into you getting that salary you want and everything else. That's the other stuff that clients don't understand. It's a lot of crap that comes with it. But sorry to go off on that tirade, but I wanted to ask you about this. We talked about it earlier and I think that people find this part interesting. So, guys, I was on Jordanne's LinkedIn and I saw that she had an article she wrote and it was titled. Well, I'm not going to butcher the title. The gist of it was she was talking about how I don't need no to do the name, but it was had to do with encryption and watching the show The Wire.

Speaker 2:

How the Wire talks.

Speaker 1:

There we go, there we go.

Speaker 2:

Literally the box. Thank you.

Speaker 1:

Thank you, I did not want to mess it up, I could not think of it, but I just thought that was interesting because we're going to talk about why you said that and you can probably explain the article. But I thought that was so interesting because I think that's eye-catching how many. I want to ask you a quick like over the years or how many interviews ever did. How many people have actually about this and interviews they look at your page about that article, how you been asked about it.

Speaker 2:

Yes, I, literally I want to say at least three interviews based off of that Wire article. Like, I never forgot. I had an interview and the guy was like oh, I read your blog, I was excited to talk to you and I was like, wow, wow, like people are actually reading this.

Speaker 1:

Yeah, I say that because I've told them and telling you hiring managers, people I've been interviewing with, they all go through and watch my content. So I had an interview open one time and she started off with like the iceberg. I asked in like the previous episode and yeah, so I always tell people like Don't get me wrong, guys like Jordan and no tap away, is an actual like influencer. But when I'm telling you to make your blogs or post your work or, as Dr Umar recently said, cite your source. If I'm telling you to do all that, cite your source, you never know who's going to see it. Like, if I wanted her for a role, I might hire her just off the strength that she made an article about The Wire. I teaching her about encryption because I don't think any other applicant I have is going to have that.

Speaker 2:

That is like if nobody gets anything out of this conversation, be an advocate for yourself. I did those blogs when I was just starting out in security because I wanted to show that I had the knowledge and I was thinking of like creative ways to do that. I love hip hop, I love The Wire. I'm always into like the old school black movies, so I think at the time I was obsessed with The Wire and I was able to like put those things together and those articles are, you know, for-us-by-us articles. So if you're looking to learn security, I'd hope you bump into my article and it will help you understand. But be an advocate for yourself. Right, I did those blog posts. People I've gotten interviews for that. I've gotten like the request to speak at conferences just off of like if I was a guest person. People done articles about me and my experience. So please put yourself out there. I stopped doing it as much because kind of like that whole tech influencer thing, I feel like I started advancing more in my career and the more I tweeted about GRC and security stuff, people felt like you owe them, responding to them about how to get in tech, how to do what you do. You come into my DMs, you and you say hi. You didn't say hi, you didn't come with your own research, so it's the lack of resourcefulness too. You just think I got the answers and now I don't even respond to my DMs anymore. I have no get-into-cyber schemes for you. I feel like I talk less about security now. I even had a podcast at one point to demonstrate my knowledge. They saw the podcast. Anything I did to put myself out there always had good traction and led to opportunities.

Speaker 1:

Yeah, I definitely understand that and that's why I move the way that I do now, even with me being very visible. Unless you know me personally, you don't know where I work. I don't mention their name because of other things, because, hey, you say where you work name and they don't like the episode, hey, we got to take it down. You represent us, so it's all that stuff. And you're right, I've given out people so much free game over four years that sometimes people still feel entitled. I was like did you click the link in the bio? Even the thing I'll talk about just now, about what that thread I made? The guy was like oh, you can offer consults or something like that. I was like I already do. Nobody ever just clicks the link in the bio for that even comment to me. I promise you I probably answered every question you have. You just go do your research through my topics and everything else. I'm just like because it does get, and that's the reason why what was it? Two or three years ago I either did my ebook like 2021 or early 2022. I can't remember. But that's why I put the ebook out. I had got tired of having consults and just talking about the same thing every time. I was right here. Now I'm doing some group coaching to where I can just handle people in a group with that aspect. But it gets tiring because it's like okay, at some point at the artist free information you've got you got to be the person to do something with it, not me. I was like you and I are going to do it. I'm just talking. You just wasted money with me. You got to put in your own work. I can't do it for you. If you're looking around at what everybody do, I got people. There'll be clients and they'll be upset. I'm like I know you're not doing what you want to do. I was talking about I did an IG live with my friend Miranda. What was that? Wednesday, I believe we were talking about incident response. We were talking about just different things.
I was talking about how one of my clients, while I was telling them about how there's a misconception about oh, I'm going to do an entry level SOC analyst role, I'm not telling a lot of people. I said most people who say that have never worked in a SOC. They think it's entry level. I said I'm here to tell you now, in 2024, that it's not so entry level anymore because we have automation, AI, machine learning. It's automating a lot of those level one tasks that you typically do. Five, six, seven years ago you got to know more Now. I had brought that up with how I had just listened to my client's interview that he got asked for at this company. I said there ain't no level one interview, even though he oversold himself on his resume, which I had no idea about. I told him about that. I was like why don't you put this on there if you can talk? I was like that's why they started asking you all those questions. I was like you black? I said we black, we not having no easy interviews, bro, we not? You're going to have to know everything you need to know on there by the skinny, hopefully you got some diverse people on the interview panel that's going to say, no, we like him because it's tough. That's one of the things we all talk about but yeah at that. Then after that I'll tell you you need to go get this certain certification, because the practical certification and this is going to feel like not the steps that you have. He's like yeah, I'm still on the February. I was like, bro, start on it tonight. You ain't got no kids, you ain't got nothing. If you don't have no kids or anything, I don't want to hear no type of excuse from you. You got all the time in the world. I got kids, I asked them work, I put out this content, I do consults, I do this and do that and I get it done. I don't want to hear nothing when the client come to me and say something like that. I'm like figure it out, figure it out, but you feel like. I feel like you want to say something.

Speaker 2:

The overselling yourself. I feel like now that I'm a hiring manager, you've used ChatGPT or someone's done your resume. Boy, when I tell you that's hurting the industry right now, you think you have a good candidate. They can't speak to anything in their resume or they've gotten the job, they can't do anything they said they would do. So I feel like we're losing the integrity because of the drive. They just want to make the money.

Speaker 1:

Yes, I remember years ago I talked about it but I had a chick. She did some class or something like that and they embellished a lot on the resume. They're not even better. They flat out lied. She had some SIEM technology and everything else on there. I was like, oh, do you know what this does? No, I was like why you got it on here? That's what separates me from other resume writers. I actually reacted to some content on TikTok about that. That's on my TikTok and on one of my past podcasts she was talking about how she don't like resume writers because the resume writer most of the time just going to write your resume to fit the role, but in the end it don't really help you if you don't really have them skills to do the role. That's why I come in and I tell people right now hey, you apply the stuff that don't fit your skills, I'm only going to write what you give me. I'm not going to just make you look good just for the sake to make you look good to get interviews, because if my end goal is to get you to a job, I want you to learn the skills. I'll help you add them back or a project, but I'm not just adding stuff just to add it, because it's not going to help you. I was like all the finesse people did in 2021, 2022, that's dead. Companies then got back hard on interviews. They make you be on camera. You used to have people interviewing for other people and then somebody else would start the job and they didn't know how to do the job and people was getting burned like that. That's what I'm saying. People that's taking shortcuts. That actually made it hard on you all to actually want to learn. That's been put into work. They have made it so hard for them to try to give people with no experience a chance. It really sucks, to be honest, but when you have people like you talking about just coming in and they're just trying to finesse their way, it's everything. You don't know anything, don't have the integrity.
You say man, look like how the integrity in an interview to just say I don't know that, but I'm pretty sure I can figure it out If I was given a chance to just Google it or to some notes, like everybody Googles at work. I'm not going to say I mean, I'm actually looking for you to say that instead of just trying to waste my time on the answer Correct.

Speaker 2:

Like please don't ever be afraid to say I don't know that right now, but I'm open to learning, I'm a quick learner, things like that. People just lie.

Speaker 1:

They do, they do. This is a question that I also want to ask you too. I know we have like all the different TikTok stuff like Salary Transparency Street and stuff like that. It's not for your salary, right, since now you're like, you're more of a hiring capacity, what's like. So you say it's your first role. So we can say you made about 121.30 when you doubled for that contractor role.

Speaker 2:

Yeah, I wasn't at 100K yet, but I was close to it by the time I got my second role.

Speaker 1:

Well, so in the industry now, whatever you've been seeing from a governance, risk, and compliance, like salaries, I guess we can go from like entry, mid to senior principal, whatever you want to call it.

Speaker 2:

I don't know. That's a tough question, so I guess it depends on industry too.

Speaker 1:

I feel like my freaking.

Speaker 2:

It does depend on the industry and I feel like a lot or trying to be high market, trying to keep you at is 130. I literally I think I posted this a few months ago a job at SACs, senior GRC analyst or something. Either way. They list my manager's job Okay, and the salary is like 130 in New York. That's underpaying that person. That's ridiculous. But it really all depends on the industry. Honestly, I just seen the VP job with the max is like 190. So it all depends. Yeah, that's all go to that.

Speaker 1:

I tell people the same thing too, because most people are. When they talk about I'm just gonna draw on the red team, I was like, well, blue team get paid too. And, like you said, industry. So I've been in finance the last what three, four years now and I've seen all type of different ranges. You've seen the 190s, I've seen the twos, I've seen the threes. It is just depending of the companies. I've seen what it's like if the company's public and not how big the infrastructure is do they want to compete. All those different things that come into play.

Speaker 2:

Yeah, and then don't let you work for a FAANG. Yeah, once you get them stock RSUs, you making over 200K. You can make some good money if you can get into that.

Speaker 1:

Most people stay about two years or three years and dip some time, just because what depends? I got people just need to like a resume. I got people that that's been there or worked at one point in time and you know it was cool being there. But then once they start like trying to make the teams leaner but make them do the same type of work, there's like I'm out, so that's. That's another whole conversation in itself that that happens. So your current title is, I believe you said, sub-security GRC manager, right, so at a high level, I ask you two things. Is this a manager of people or is this actually a manager of, like a GRC, like GRC process and procedures? Okay, I just wanted to ask that because sometimes in my resume, like my title was incident manager when I was working at Goldman Sachs, but it really was just a manager of incidents and not a manager of people, and so I always like have to distinguish that on interviews. Like no, I did incident management, so I managed incidents from beginning to end. I didn't manage people. So that's the reason why I want to ask you that. But okay, let's talk about some of the things. I guess that, like you said you're talking about you've been interviewing people, that you've been seeing that they don't know how to do the job, what type of we already gave advice about, I guess, for people that want to get in. But let's talk about I don't think I do enough talking about people who are maybe past entry level or they're mid and trying to go to senior what type of advice would you give them to navigate their career in GRC?

Speaker 2:

Apply for those schedules, apply for the roles that you don't have the experience in. When it comes to GRC, never stop learning. That's the only other advice that I can honestly say. I've slacked on that in the last couple of years, but I have a whole bunch of certifications. But never stop learning. Always stay ready for your next position, but always go for that stretch role.

Speaker 1:

Okay, now, since you brought up certifications because I want to actually bring that up, that's like let's go with because we're talking about career pivots, right, and I've seen a couple of certifications that are like a lot of GRC roles when I'm doing these consultations with potential clients. What outside of Security+ what baseline minimum certifications would you advise somebody to get just to and not like, because I think sometimes certs do get a bad rap because a lot of them is just memorization. But what are some certifications in that realm that would help somebody show that they have some type of foundation and at least understanding maybe not doing the work, but just understanding what it takes to be in a GRC?

Speaker 2:

That's a good question because Security+, if you can pass the Security+, you are golden to me. You think so. That is a tough exam. I failed the first time I took it.

Speaker 1:

But I see I passed it the first time I ever took it, but I still felt like I didn't know anything. I knew some terms, but in terms of making what I learned practical, I didn't know much.

Speaker 2:

And that's a hard part. And that's why I'm saying if you have the Security+, at least I know you know enough to be dangerous. You know enough to be dangerous versus know nothing at all. Honestly, truly, I don't feel like Security+ is really an entry-level exam anymore when I was instructed for it, even the new exam now. I'm confused myself.

Speaker 1:

You think so I haven't hang on a lot. I tell people all the time a lot of my certifications lapse, unless they just want me to get it. I need to put it in the time to just study for either CISM or CISSP, but outside of anything else I'm not getting a new one.

Speaker 2:

Honestly, I have no interest in getting a new one. So I have my Security+. That lapsed and the Security+ now seems hard as heck when I tell you I'm not sitting for it. So I'm just going to go ahead and get my CISM or my CISSP, because that exam at this point is not entry-level. I also have my SSCP, so I still have that one and I feel like that one is a really good. If you want to take the CISSP, you don't have the years of experience. The SSCP from ISC2 is a really good one because it's, honestly, just a baby from CISSP. I think it's System Security Certified Professional and that one's by ISC2. Don't they have a cloud one too? They have a Cloud+. Now they have the CySA+. Yeah, I got the CySA+ in like 2019.

Speaker 1:

Now I'll tell you, now you tell my Security+, CySA+, that joint was hard. I was in there sweating and I knew it was hard because at the time, Tavion and I were working together and he had just recently passed it and I had went and took it. I was like bro, I started sweating by like and I answered 10, because now, although that's still not a practical certification either, it was directly geared to people on the blue team and I don't advocate people to take that test without experience, because it really is hard and I feel like if you don't have experience, it's kind of like you just took it for nothing. I mostly advocate for people to do Security Blue Team, which is Blue Team number one certification, which teach you like what six domains I forgot how many domains they cover. However, it's also a practical test. So if you do everything, you got like 24 hours to do this practical exam. So that's why I like it, because then you could tell hiring managers I don't have necessarily experience, but I passed the Blue Team number one and this one in what's called, and I would be interested in that versus a lot of times, because now people go get a test bank. You just hey, just keep on taking all the tests that you memorize and then go take it. That's what people are pushing people to do.

Speaker 2:

I don't feel like this, is that? So the test bank and now that you brought up it's hard to pass without the experience. I will say I passed my Security+ when I was in that security administrator job because they told me I had to get a certification. So if I wasn't doing that job already, I don't think I would have been able to pass the Security+. So you are definitely.

Speaker 1:

Yeah, because I mean, now, that's what, and that's the reason why I get people out of just the cert mindset is good, but I want you to be able to explain concepts to me. If I ask you a simple question, like if my client got asked something simple about phishing and he could really answer the concept right one, because he was just so focused on this course he had just did and he just fumbled that all the way because I don't have to answer phishing questions in the past. But that's the thing is like, hey, we want simple answers. Like, hey, what would you do? And you're, I'm going to do a video on this soon. But even on your home you get these junk emails. Like, if you want to investigate it, what are you going to do? That's like the simple stuff.

Speaker 2:

So yeah, I just feel like the cert talk is hard because I've been in interviews. I had the experiences when I'm like mid-term right and they're like, oh, if you have the system, if you have the CIS, you'd be the perfect candidate for the job. And, let's be honest, as someone that's a black person because person of color is not universal anymore they want you to have some sort of certification before they even try to see can you apply this or do you know the information? So, unfortunately, you're going to have to get that cert unless you know somebody that's going to help you get land that job without that certification. Yeah, we we talk about that all the time like the network, part of everything.

Speaker 1:

And also and that's where, like, the conundrum comes on, that's why I tell people, if you can find a cheap way to go to school like my route right now for some people, and it's all dependent on the attitude if you don't really have any skills, hey, I have an IT course not my IT course, but one that I'm affiliated for course careers I took me. Get this put in the work and get your feeder role and then, while you have that feeder role, go back to school, get the company pay for it, and now you can get experience, you have your degree and it's going to make it easy for you, especially black, to get a better job. Because sometimes when I'm talking to recruiters and I'm like, ok, this is what I want to say to you, right? I said, ok, cool, let me see. Ok, you got your, you know your 10 years of experience, you got your bachelor's, you got your master's. Oh, yeah, ok, let's see what you know. Your peers in this range of company would make it. Ok, yeah, we can do that. Like, they've said it. They've said this to me on the phone. So when I'm telling people a lot of times like I'm not going to say you just got to go to school. But I always say you know, school can only help you, not hurt you. And sometimes it helps you in those salary negotiations, unless your skills are just top tier.

Speaker 2:

You know what? I saw somebody recently on LinkedIn. He got his CISSP but they told him they could not get him the job because he did not have a degree. Mind you, I want to say he's senior level also when it comes to security, and I just feel like that is so, so crushing.

Speaker 1:

I think it's crushing. But these companies will tell you have stunts. Requirements must have a degree If they have it. I have an episode I did with Shanae Ecker, the recruiter cousin, and we talked about as a recruiter. She tells people hey, if you don't meet the minimum qualifications, don't apply, just because of what could possibly happen on the back end. They say you did get the job and somebody who had the more qualified stuff than you found out about it. They can come back and sue us because y'all hired somebody that didn't have the stuff. So she always tells people that If you're looking at something that's saying, hey, you need this, this and this, then you get a tax of a coup d'etat. Y'all flex money, so do I have to have this? And that way nobody wastes each other's time. But, like I said, a lot of people going to WGU. I like WGU, I think it's affordable. I just do not like that. I think it should be optional on those courses. Do you have to get those certs in that class or not? I think that's the only thing I don't like, because you'll have people getting like all these certifications that they don't really need at WGU. That's why it's better for people who are already in a job to go WGU versus, sometimes, people with no experience, because it pulls them a lot of different ways with all those different certs. And let me ask you this as a hiring manager, do you view people with a lot of certifications as if they should know more than the person that does not have a lot of certifications?

Speaker 2:

I'm ashamed to say this. I'm not looking at your certification or your education. I just looked at what you did in your previous roles and can you talk to that and can you do a job that I'm hiring you to do?

Speaker 1:

I mean that makes you perfect. I know people and I probably spend it to like basically either skills I had or whatever I have. People have certain certs on there Like they've gotten grilled.

Speaker 2:

I've had that. When I first got my Security+, like I promise you, I went into an interview and I feel like every question the guy asked me was from the exam and he was grilling me hard and I was, so he was the hiring manager. He would have been a peer that I was working with, but I didn't like that experience at all. Yeah.

Speaker 1:

That's not inclined on something. Earlier he ran through something like that with an interviewer at this company to actually work for it at one point in time and he just was asking them all a lot of stuff off Google. I was like that doesn't prove your aptitude to do the job. If you're not going to ask some actual scenario type of questions, you're going to ask me all this, the top 100 substituted questions. I can just go memorize that. That under me much, and he had horrible people skills at that too. So I was just like. I was like bro, this is this dude's trash.

Speaker 2:

I just it just felt I don't even know how to describe it, but I feel like if I didn't just pass my Security+ at the time, because there were very much certification questions, they had nothing to do with either. So I was just like. I felt like that was their way to vet to decide if they were going to keep me or not. They ended up, did make me an offer, but not enough for me to leave.

Speaker 1:

Yeah yeah, definitely, sometimes I'm up. So I want to ask you this Because I don't even know if we I know we briefly kind of talked about your article and I got to come back to it because I want to know. I didn't get a chance to finish reading it, but what made distinction? The Wire and encryption just hit for you.

Speaker 2:

I was binge-watching The Wire and then there's just a little stuff they're doing. I was like, oh, I can relate this back to security. I think I was studying for my cert at the time. So, like I said, I took the approach. If anybody else is studying for a cert or they're trying to understand encryption, I hope they come across this article to make sense and I like real world concepts. Right. How does this make sense in a real part, even when I'm studying for certifications? Unless you can apply it back to the real world, it will not make any sense to me.

Speaker 1:

Yeah, I definitely agree on that one, I definitely agree. I'm like we talked about earlier something oh, yeah, you know, in Power they try to see like who is either snitching the mold so they keep on rotating all their burners out so now, hey, you got to figure out what you know or giving they, were they really much exercise, a lot of concepts. I might. I might do some episodes like hey, how watching Power can help you understand some. Security is like least privilege.

Speaker 2:

Now you got me thinking I should do a whole series. I mean, hey, who knows that?

Speaker 1:

might be some we could do. I got some other type of content in the works where maybe you could probably come on one day and talk about them doing like the live stream, where Because, like, for example, the runners, the people who are like lower, they're not on like Ghost and Tommy Love or Julio or even a Dre. Right, they don't know what's going on. So, least privilege, the less you know, the less likely we already get in trouble.

Speaker 2:

And that's why that is a good thing about it.

Speaker 1:

That's why, you know, even in terms of Ghost and Tommy of them, they're just not saying too much stuff because of who can say what, which I think sometimes narratively messed up stuff. They just been honest with each other. You know, brothers for life.

Speaker 2:

So that's a good concept. Now I got to school.

Speaker 1:

It's cool, that's what.

Speaker 2:

I'm saying Like I'm happy to, at least I'll let you know now.

Speaker 1:

It's totally fine. I mean, like I said, I've used the concept of showing kids, well, the audience about the dark web. I say, hey, y'all remember when Mufasa was talking to Simba, and he said, dad, what's that over there? And I said, hey, that's the dark web, that's where you ain't supposed to go. Everything the light touches is good for you over there. So, no, no, so it's just simple, so like that people can kind of visualize it. You know, people are the visual learners and that's that. That's the thing. I think that's a knack that I have that I try to showcase on like our interviews. But I want to ask you this, I guess Before, before we wrap up you got any type of hot takes, kind of like Katt Williams. You got any hot takes you want to say?

Speaker 2:

I got lots of hot takes. What's the?

Speaker 1:

what's the one you really want to get after the test before me.

Speaker 2:

Before we end the show I don't know which one, I don't know I want to get canceled. So one thing I will say, you did talk about getting that education. There's multiple ways to skin a cat, to eat elephant, whatever. There's Udacity, there's Udemy, OK. Even top universities, I want to say, like Columbia, Harvard, they have like free computer science classes. Sometimes there are resources out there. Um, to make is really big on promoing free programs, scholarships. Even when she did one of the programs they just sent me the thing to do the assessment because I'm trying to learn cybersecurity and AI. There's multiple opportunities out there, I think.

Speaker 1:

The application thing close, yeah, it was for the CWT, it was a cybersecurity AI option for free, ok so I got some friends that's like kind of like in that space and I think that's definitely the way to move into it, because that's the next. Like you said how we make, it even like now Go ahead, keep looking for jobs.

Speaker 2:

That asking for a.

Speaker 1:

Yeah, I understand. I understand all the concepts of it, right, I just want to help build something that's going to be groundbreaking. Like, hey, how do we, how do we build something and whoever watches your business they might be about how do we build something that knows when somebody's voice is cloned? Because, with a memory like last year, the influx of the fake Drake verse or the fake J. Cole verses, or The Weeknd and all that kind of stuff, I was like I know this is funny because we're thinking about this from terms of our music, but what happens when they go use Joe Biden's voice and they go find a missile that's voice activated or something, and they say and they make it sound like him? Those are the things that now I got to tell people. While I like being a sub skewer to attack vectors are always changing, but, like years ago, we wouldn't worry about people using QR codes to put malware on people phones. Now we are. Everything is always changing and that's why you got to stay hip with it, but that's what, that's what you look for. What if we're taking on people personally? Like, shoot, what if somebody get the software and the chick wants your man? So now they didn't hurt them talking. They made him act like he talking to her and sent you a voice note and the man telling you hey, that's not me, you started doing this. This sound like you, that is you. Like all the AI deepfakes, like people are going to be getting real nasty with this stuff and it's going to make some jobs. But I think that's the part that now we got to figure out. How do we curtail that and how do we build systems that detect AI outside of us? Knowing that is when it comes to resumes, we can tell, like you said, you see the resumes. You can tell them somebody like well, you don't use the word meticulously. You don't say meticulous. I want you to stop. We don't. They did that. Like because they ain't gonna lie. I told some people I have a theory. It's not me, but I would think like maybe white people, some interviewing people. I do feel like if you don't have a certain type of Black "I work with white people" voice you get judged in the interview.

Speaker 2:

Oh yes.

Speaker 1:

One of my clients is very country and I know for a fact. I feel like they be judging Because I he thought I know for a fact they do.

Speaker 2:

Definitely, most definitely. That is big facts, but I do want to get back to the core of what you said of really trying to determine those deepfakes and things like that. So I also have data privacy experience and the key thing to that is not, privacy is not regulated. So for those that don't know, data privacy has to do with your personally identifiable information, pretty much who you are, and I've done a talk about you are the most valuable person, like you are. You yourself are so valuable and cost so much money. That's why that's a purpose of breaches, right. That is why ransomware happens once I get your information. I am HD in China, India. I got a whole different life in those places, but specifically here in the US, we have no regulation, no, no obvious regulation for privacy. There's state privacy laws, but they don't care what companies or it can do with your information. And then, as consumers, especially with Gen Z's and the young kids, when you sign up for an app, you're giving them permission to use your likeness, to give them access to your microphone, and all of those things play into us losing more and more of our rights around, you know, our voice, simply things like that. So it's like a bigger. This is me on my doctor in my hotel box.

Speaker 1:

Once they care about privacy.

Speaker 2:

Come on, man like, especially when people did the AI generated like Pictures of themselves. You're doing all these questions on.

Speaker 1:

Instagram like the feds.

Speaker 2:

The FBI agents are just eating this up. Definitely they know what you look like 10 years ago. They know what you look like now. They can tell what you're gonna look like in another 10 years. Yes, so poor regulations and the free will of companies being able to do whatever they want with your information. It's gonna make it really hard because you know what's gonna happen if Something does, something negative happens from someone using that fake recording. Right? Yeah is that fake recording gonna hold up in court if it ever gets to that point?

Speaker 1:

Yeah, I think it's gonna in my now think that's just gonna build a whole like I'm probably gonna type it in right now Forensics for AI. You know all the different things that's about to start coming in. That's what the money could be, so you can be an early adopter, get in and make your money now. But you were talking and I wanted to bring up something. Oh, I know what to bring up, since she was talking about your dad and everything like that. If you want to make sure you want to stop data brokers from stealing your identity, use aura. I got a code for it in the description Free 14-day trial within seconds and let me know if my information is on the dark web or these spam calls calling me. Yeah, it has a VPN password manager. It's pretty cool, very affordable. So I would say, like again, check out our and, yeah, stop data brokers from selling your information.

Speaker 2:

Please use that. Yeah, your information is the most valuable information. Yeah, and once you lose your identity, it's not feel like we can.

Speaker 1:

It's hard to prove that it's you, are you? I really feel like we could make a whole mini series because so like you talking about that, data privacy. I don't know if you're familiar with her. I did an episode with Aaron real for last year. She does the data privacy for Google, she black woman, by the way, so you probably check the episode out. She loved this stuff. She'd been doing it. They see what 20 years in, I think 15, 20 years, and we were talking about like a lot of that stuff. So I definitely need to have her back on. Maybe maybe have both y'all. I don't know, I just always like to get good ideas and let the experts talk and I just, you know, do the narrowing of driving the conversation or giving my tidbit of what I think I have data privacy experience.

Speaker 2:

I'm definitely passionate about it. It just is not as as mentally stimulated for me as I've received. Yeah.

Speaker 1:

Okay, cool. So before we go, I want to give the listeners something, some actual advice real quick. So we kind of talk about certification. Now, what skills, you know, which could be including like frameworks or or software, is other things that people need to know how to do to get in the GRC that probably are accessible to them without having to spend a lot of money? What would be like those skills that they would need to work on to start a career in GRC? And or, you know, because I think some of it a lot of times, like it says, like knowledge, like you said, ISO or SOX, or SOC 1, SOC 2, or GDPR, like a lot of, so they could just read up on, right?

Speaker 2:

It's reading and knowing how to apply those things, like what are those means, being able to interpret those regulations, or you know what this framework is asking and I don't know what. The easiest way to do it, because I've worked with this.

Speaker 1:

So you're not easiest way. Like and in a sense like so some no ways I teach the people is will look through probably three, four job descriptions and they'll have at least three or four type of those like frameworks. Over and over again, I said those are the ones you need to focus on, because now I started out of TN You're gonna see those like on every like job description. But see, the thing where I stop at is I don't necessarily know how to take you to point A to point B with that, because that's not what I do. I mean some of the things I do at my job, continuous monitoring and all other stuff, may apply, like to NIST and other things, but that's because, like it comes from that and that's what we need to do to make sure organization is compliant for regulation in order to make sure we can keep on doing business and if you're a publicly traded company and all the other good stuff that you, you have to. Like you said, we talked about the controls of logging on passwords, federated log-ons with multi-factor authentication, like all those different things are probably in those different frameworks that you that you were talking. So I guess, like, should they just start like with NIST first, maybe?

Speaker 2:

NIST, always do NIST because everything is going to be able to map back to NIST, honestly. And I feel like it's hard to say, hey, learn ISO. You got to pay for ISO. ISO is behind a paywall, so that is not that easy. Even like PCI stuff, you can find like the 12 requirements, but even like finding like sub-requirements, things like that is not verbatim just out there for you to know, so always start out with NIST. I had retweeted the other day. I feel like it's a book that helps you learn how to apply NIST. So that's really good information and, honestly, NIST should always be a baseline when it comes to protecting for cybersecurity.

Speaker 1:

Okay, yeah, I'm definitely like there. I think and that's the second part. Like I'm glad you said the book to apply it because, like I said, people learn information with they don't know how to apply it. Apply and that is whether you know we have the different rises of different programs or stuff like that which I think could be helpful only if some people have experience. I feel like I don't know how you can go from zero to hero and PCI like like just no experience, and compete against people like yourself like to get PCI roles. But I think if someone has experience and some type of compliance type of role and they go like, take a PCI class or something, make a chance. I know Qualys has a lot of free training as well on their site about PCI DSS and everything else, and I've had clients where I was like yo, if you figure out of like and this is the technical part of me. Everyone probably don't have to do this. But if you want to show you know what you're doing, hey, learn how to set you up a virtual environment and and maybe have some vulnerabilities or something. Use ChatGPT to make you some type of audit tracker or something like that, kind of record your screen and detail you kind of just checking these things out and mapping them, see if they the current CVEs or something. I built up a process to address these from, you know, low to critical or ease of like implementation and hey, just to try to do what you could do you buy could be in vulnerability management, which I feel like is what you say. Vulnerability management would be in GRC. Okay, yeah, that's. I feel like it's like part of like in the middle of like.

Speaker 2:

They definitely is. That's both risk and compliance, because patchman but that's a good question. Nobody's ever asked me that question anymore, ever and I'm not too sure how do you Demonstrate those skills without?

Speaker 1:

Yeah, because I think that's the. I think that's the question that's not being asked, because if people either try to get the interviews but they sometimes they just can't, like man, I know, I understand, but like, what do I need to do to showcase it? And that's why I just tell people okay, we're gonna try to find people that do it and see what type of advice that they give you if you be able to replicate anything they do on a day-to-day on your own terms.

Speaker 2:

But that's where the blogs and stuff right and you know, do your own products. Show that you understand this. You know, like I said, they need comparing encryption to The Wire. Hiring managers paid attention to that and they really liked how I was able to communicate something that was technical in a non-technical way, in a fun way.

Speaker 1:

Yeah, doing my LinkedIn learning course, I found out that that particular soft skill is called know your audience. So that's a underrated one. Like I said, I was telling somebody on the live the other day with a brand. I was like it's a lot of people you'll deal with the workplace that they want to sound smart for the sake of wanting to be smart, but they sound a lot of nothing. And I'm like, bro, just tell me what we need to do. No, I care about audience. There are people busy enough. I don't feel like being on this call with you that long. Yes or no what I need to do. Okay, let's get on about it. I'm not trying to be buddy buddy. I don't want to hear about none of the other stuff. I swear I know.

Speaker 2:

Please tell them, soft skills is a few.

Speaker 1:

Yeah, some people can't read the room with their soft skills. I'm excited.

Speaker 2:

I like soft skills, so Pretty yeah, it's something they can work on, they learn All right.

Speaker 1:

Um, and then last things, I guess I say is, like anything you want to leave the listeners or the viewers with like. Well, first of all, you know, can they follow you?

Speaker 2:

You can find me on Twitter at J Jai Rr Ett, and that's the only place I.

Speaker 1:

I'll have it on. I have it in the description, where you can find her like her Twitter and, and they'll probably show up on.

Speaker 2:

Yeah, and also you can find me on LinkedIn and I'm sure they embarrassed.

Speaker 1:

Anything else, like any any I know you. Maybe if you think about that book, I'll come back to this section and put the name of that book you were talking about. That way they could figure out that book you were talking about.

Speaker 2:

Yes, I'm definitely gonna. I'll find that book, because I actually just bought a book for myself for PCI because PCI just updated to 4.0 and even as a professional myself, I still got to figure out, like, what these changes mean for the organization. So always be learning the advice I don't know. Be willing to put in the work. Discipline is gonna get you to where you want to go, utilizing that work, free resources. Most of the things that I've gotten in my career is because I got a scholarship, right, but the opportunities are out there. You don't have to spend your money. Be willing to learn.

Speaker 1:

Yeah, I definitely feel you on that one. Anything else, okay, okay, okay. Well, guys, I hope you enjoyed that this episode. Before I leave, y'all want to say this owner witness episode is dropping. But I want to say Go Baltimore, go Detroit. I want y'all to win your playoff games. You know, forget Patrick Mahomes, Brock Purdy. We don't care about you, we want y'all to lose. I thank y'all for always tuning in. Like I said, if you want to support the show, you can always join the Patreon. That's how I keep on know, eventually, maybe a we pull up on her in Florida and we do this in person, or she pull up on me. So, by y'all, don't name to the Patreon. That's how I'm able to get y'all a high quality content that I've been giving y'all the last couple of weeks. But, like I always say, hey, oh yeah also, it's income tax time. Don't be spending that money in the wrong place. Do something good with it. Invest in yourself. You get an income listen, but like I always say, man, let's stay TechTual. It's your boy, HD, and we are. Until next time, peace.