Speaker 1: Hey, Cyber Heroes, Boyd Clewis here, the Six Figure Tech Career Coach, and in this video, I'm going to teach you guys how to get paid to become a certified cybersecurity professional. I know, this might seem crazy, but by the end of this video, you will be blown away. Are you ready for this? Let's go. Hey, Cyber Heroes, welcome back to my channel. If you're new, I'm Boyd Clewis, internationally recognized cybersecurity expert, and I help people upgrade their jobs to a six-figure tech career. If you want to join me on this journey, be sure to like this video, subscribe to the channel, and hit the red bell so that you're notified whenever I drop new content guaranteed to take your career to six figures and beyond. All right, Cyber Heroes, before we go into the specific training and certification that I'm talking about, I need you to understand something. This is not just something that you're going to be able to walk into. This is going to require work, right? It's going to require work. So I'm going to show you the specific type of role that I'm talking about, and then how you can get the training, the certification, et cetera, to make this a reality. So let's jump over to my computer and take a look at salary.com. So we're talking about the role of an information security auditor. Most people don't talk about this. Again, this type of position is in the realm of GRC, which is governance, risk, and compliance. And this specific role has a salary range from $102,000 to $146,000. And I personally know people doing $200,000 and above because I was one of them. Anyway, so this is the type of role that I'm talking about, but I'm going to show you how you can get access to the role and what specific area you need to focus on so that you can get training and certification for free. Okay, guys, in order to get the big tech bag, we're not talking about just any kind of information security auditor. We are talking about a very specialized one.
And I'm going to give you the details, but I think it's important before we go into the details about the specific niche, we understand at a high level what an information security auditor is in the first place. Think of it like this. Because of different industry standards and government regulations, companies have to abide by a certain set of rules. For example, publicly traded companies, meaning companies that you can buy stock in, they have to follow a financial regulation that's called SOX, Sarbanes-Oxley, S-O-X, not S-O-C, not S-O-C-K. We're talking about Sarbanes-Oxley compliance, right? As well as companies that work in the healthcare field, they have to follow an industry regulation that's called HIPAA, right? They have to maintain compliance with these regulations and frameworks or bad things could happen to the company. So when we're talking about an information security auditor, an information security auditor is a person that verifies controls have been implemented to the specific standard. So I'm going to break this down for you real quick. So what we have here on my computer right now is a Windows 2020 member server security policy. And so if we look right here, the security policy, this is specifically around passwords and account lockouts. So the policy says enforce password history, 10 passwords, maximum password age is 90 days, minimum password age is one day, minimum password length is 12 characters, password must meet complexity requirements enabled. So where it says settings value, these are the specific values that must be implemented on a system. And if we look at the account lockout policy, we see the account lockout duration should be 30 minutes and the account lockout threshold is three invalid attempts. Meaning if someone enters three invalid passwords, that account needs to lock for 30 minutes and then it can reset after 30 minutes. Right?
So like as the information security auditor, I am going to be the expert on understanding the company policies so that I can actually verify the company policy has been implemented correctly on the systems. Now, company policies are going to be derived from industry standards like NIST, CIS, as well as other security standards, like maybe PCI DSS, for example. And so like what we would do is we would take a look at the configuration that's implemented on the server. Now understand as a security auditor, I don't have the ability to log into this server. So the system administrator is going to have to share screens with me or send me a screenshot of the system configurations that I need to review. If we look at this screenshot here from a Windows server, it's showing the password history being 24 passwords remembered. Maximum password age is 30 days. Minimum password age is one day. Minimum password length is eight characters. So as a security auditor, we need to compare what has been implemented on the system to what should be implemented based on the security policy and then determine whether or not these changes, these configuration settings in the system, are actually in agreement or compliant with the policy. And so I've already done this little audit right here, and maybe you can pause and do the audit too to determine whether or not the system configurations are compliant or not, because this is important. So if we go down and we look at the audit information, we understand that the minimum password length of eight characters is not compliant. The account lockout threshold of five invalid attempts is not compliant. Why? So if we talk about minimum password length of eight characters, our security policy says that the minimum password length needs to be 12 characters. And because it is not compliant, it creates what we call a finding. So we would need to notify whoever owns that system or whoever manages the people or team that owns that system.
And in this case, this is Windows server aid. It needs to be remediated. Remediation just means it needs to be fixed. So as the security auditor, we're going to track this finding on a spreadsheet or in a GRC tool until it is fixed. And then we're given additional evidence for us to determine that the fix has actually been done. And that is the role of the security auditor. So now we need to get into where the training and the big tech bag comes in. Let's go. Hey, cyber heroes, right now is a great time to like this video, subscribe to the channel so that you're notified whenever I drop new content guaranteed to take your career to the next level. Boom. All right, now let's get back into it. So in terms of being an information security auditor, one of the most powerful frameworks that you can learn is the PCI DSS. That is Payment Card Industry Data Security Standard. This is an industry regulation for companies that store, process or transmit credit card data. If they do this, especially on a large scale, they have to comply with the PCI DSS every year. They have to certify and maintain compliance every single day. You got to think about it like filing your taxes. You have to file your taxes every year and you may or may not get audited. Companies are audited for compliance with the regulation, just the way I showed you the audit before. And they are audited by an external company, generally speaking, depending on the size. But all the companies need to have an internal resource to be able to help them prepare for the auditors to come. So in the situation that I showed you guys earlier with the Windows server, that would be me acting in the role of ISA. That is an internal security assessor. I would do a pre-assessment with the company to find issues that are noncompliant, to have them fixed before the external auditors come up, because it actually adds value and saves the company money.
So if we go over to the PCI Council's website, we're actually going to see one of the most powerful certifications that you can get in terms of the knowledge of the PCI DSS. Okay, guys, I'm on the PCI security standards website. Now here's where things get a little tricky, right? So I'm going to show you this certification that I'm talking about. So we go to training and we go to certifications, ISA, internal security assessor training. This is what I was talking about, performing the internal security assessments to help the companies become compliant. And you're probably wondering how much does this cost? Well, the internal security assessor training is around $3,000. I believe it's around $3,000, but here's the deal. Notice how you don't see where you can actually buy it. You don't see where you can buy the training. You know why? Because you can't. Now let me explain this. The reason why I said this gets a little tricky is because in order to become an ISA, you first have to be hired by a company as a PCI professional. And then they send you to the training to get certified because the company has to sponsor you. So what am I saying? Most people take the approach of, "Hey man, I'm going to go get this certification so I can go get this job." It does not work like that in the PCI space. What you have to do is get the skill to get the job. Then the company certifies you. I know this is completely foreign to most people because it's like, how do I get a job if I don't have a certification? It is what I've been telling you guys for years. And I'm hoping it's starting to click now, guys, hoping it's starting to click. Certification does not equal skill, guys. You get hired for your skill, not the certification, because there are entirely too many people that have certified, but they can't actually do the work.
In fact, you can pay someone overseas to go take and pass these certifications on your behalf for very little money out of pocket, which actually devalues the certification. Why this is so powerful is because, guys, if you've seen my video where I talk about how I went from 33K to 200,000, it was because of this core skill of PCI DSS. And it's how I've been helping people make the transition into tech, because I want you to think for a second, something that you probably hadn't even imagined. Say you have no tech experience, right? And you are following along at the beginning of this video where we went through a Windows server audit. How many of you have actually configured a Windows server? Let me know in the comments. If you have not, if you have, I would guarantee that most of you watching this video have never configured a Windows server in your life, but you were able to perform that security audit. Guys, you literally performed an audit of a Windows server. And so what it comes down to is learning the PCI DSS standard so that you can help companies fix the challenges that they have before the QSA shows up. QSA is Qualified Security Assessor. They are the third-party auditors that come out and audit companies to make sure that they are compliant with the PCI DSS standard. Because if companies are not compliant, they could be fined millions of dollars or even lose the ability to process credit cards altogether, which is very, very critical. And it could collapse many businesses if they lost that ability. So what is important to do is understand the standard. And let me show you where the standard is. All right, guys, I'm back on my computer right now. So if we go over to resources, we go to document library, and then we want to filter this to PCI DSS. The current version of PCI DSS is version 3.2.1, which will be retired in about 12 months or so, somewhere around that. Version 4.0 is going to be the new version that's coming out that will take precedence.
Right now, companies can still certify with version 3.2.1. You can download this standard and take a look at the requirements. Understand there are more than 200 sub-requirements. But having an understanding of these security requirements will help you take your career to the next level. Because what you can do is update your LinkedIn resume, update your digital resume, and look for jobs based on the skill of PCI DSS, because there are tons of them. Okay, cyber heroes, just to reiterate, the way this goes is learn the skill, right? Be able to speak to it, get the job, become certified. That is the way that it should go. And you may be wondering like, okay, okay, I see what you're saying, Boyd. How do I even make this happen? I'm so glad that you asked. I would love to be able to teach you this skill that will help you transition into one of these six-figure tech roles as a security auditor. I invite you to apply to the Baxter-Clewis Training Academy. You can go to BoydClewis.com forward slash GRC to check out our case studies of how we've helped hundreds of people just like you upgrade their jobs to six-figure tech careers in as little as 90 days with the coaching, mentorship, internship, the success advisors to walk with you through this program while you learn these skills and get hands-on application so that you can get the confidence and the abilities to go land a job. And you may be asking, okay, okay, so I'm watching this guy on YouTube. What makes him even qualified to be able to teach me this skill? Let me show you. So first of all, guys, remember, industry-recognized cybersecurity expert. I have been a QSA security consultant for some of the largest companies in the world, and I regularly speak at the PCI community meetings in North America and Europe. You can check me out here. In fact, if you want to meet me in Portland, Oregon at the PCI community meeting or in Dublin, Ireland, this year, come see your man.
And like, this is what I have been doing for the past decade, guys. So I would love to be able to share my expertise with you to help you overcome challenges and things when it comes to growing your career and taking it to the next level. So remember, you can go to BoydClewis.com forward slash GRC to apply. I would love to work with you to help you take your career to the next level without needing any college degrees, certifications, or skills like hacking or coding. We've been doing this for years, and I'm sure that we can help you if you're willing to put in the work. Well, guys, if you haven't already, like this video, subscribe to the channel so that you're notified whenever I drop new content, guaranteed to take your career to six figures and beyond. And I will see you on the next one. Peace.
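The policy-versus-configuration check the speaker walks through by hand (compare the implemented password and lockout settings against the security policy, raise a finding for each gap, then track it until fresh evidence shows it fixed) can be written down as a small script. The example below is added here and is not code from the video or its author. It assumes the administrator's evidence arrives as the file written by `secedit /export /cfg <file>`; the `[System Access]` key names are the real secedit names, while the policy baseline, both sample exports, and all function names are constructed for this example from the figures quoted in the video. It goes slightly beyond the video in encoding the direction of each comparison, which is why 24 remembered passwords and a 30-day maximum age pass a policy of 10 and 90, and in treating a threshold of 0 (lockout disabled) as a finding rather than as "at most 3".

```python
"""Policy-vs-configuration audit of Windows password and account-lockout settings.

Added example, not the video's own code. Evidence is parsed from the
`secedit /export` INI format; POLICY, the sample exports and every helper
name below are constructed for this example from the values quoted in the video.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def at_least(observed: int, required: int) -> bool:
    """Stricter than policy is still compliant (24 remembered passwords vs 10)."""
    return observed >= required


def at_most_enabled(observed: int, required: int) -> bool:
    """Must not exceed policy; 0 or -1 means the control is switched off
    (passwords never expire / no lockout) and is never compliant."""
    return 1 <= observed <= required


def equals(observed: int, required: int) -> bool:
    return observed == required


# Policy baseline: secedit key -> (required value, comparison, description).
POLICY: Dict[str, tuple] = {
    "PasswordHistorySize":   (10, at_least,        "Enforce password history (passwords remembered)"),
    "MaximumPasswordAge":    (90, at_most_enabled, "Maximum password age (days)"),
    "MinimumPasswordAge":    (1,  at_least,        "Minimum password age (days)"),
    "MinimumPasswordLength": (12, at_least,        "Minimum password length (characters)"),
    "PasswordComplexity":    (1,  equals,          "Password must meet complexity requirements"),
    "LockoutDuration":       (30, at_least,        "Account lockout duration (minutes)"),
    "LockoutBadCount":       (3,  at_most_enabled, "Account lockout threshold (invalid attempts)"),
}


@dataclass
class Finding:
    setting: str
    description: str
    required: int
    observed: Optional[int]   # None when the setting is missing from the evidence
    status: str = "open"      # stays open until remediation evidence passes


def parse_secedit_export(text: str) -> Dict[str, int]:
    """Numeric entries of the [System Access] section; other sections are ignored."""
    settings: Dict[str, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        try:
            settings[key] = int(value)
        except ValueError:
            pass  # e.g. NewAdministratorName = "Administrator" is not audited here
    return settings


def audit(observed: Dict[str, int], policy=POLICY) -> List[Finding]:
    """One Finding per policy setting that is absent or fails its comparison."""
    findings = []
    for key, (required, compare, description) in policy.items():
        value = observed.get(key)
        if value is None or not compare(value, required):
            findings.append(Finding(key, description, required, value))
    return findings


def recheck(findings: List[Finding], new_export: str, policy=POLICY) -> List[Finding]:
    """Re-test open findings against fresh evidence and close the ones that now pass."""
    observed = parse_secedit_export(new_export)
    for f in findings:
        required, compare, _ = policy[f.setting]
        f.observed = observed.get(f.setting)
        if f.observed is not None and compare(f.observed, required):
            f.status = "closed"
    return findings


# Constructed evidence: the admin's screenshot from the video, as a secedit export.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed evidence after remediation: the two failing settings corrected.
REMEDIATED_EXPORT = (SAMPLE_EXPORT
                     .replace("MinimumPasswordLength = 8", "MinimumPasswordLength = 12")
                     .replace("LockoutBadCount = 5", "LockoutBadCount = 3"))

if __name__ == "__main__":
    findings = audit(parse_secedit_export(SAMPLE_EXPORT))
    for f in findings:
        print(f"{f.status:6} {f.description}: required {f.required}, observed {f.observed}")
    recheck(findings, REMEDIATED_EXPORT)
    print("open findings after remediation:", sum(f.status == "open" for f in findings))
```

Run as-is it reports the same two findings the video arrives at (minimum password length 8 against 12, lockout threshold 5 against 3) and closes both once the remediated export is supplied. The comparison functions are the part worth reviewing when adapting this to a real baseline: a check that only tests equality would wrongly flag stricter-than-policy values, and one that only tests "at most" would wrongly pass a disabled control.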