View Show Notes and Transcript

Episode Description

What We Discuss with Gerald Auger:

  • 00:00 Intro
  • 04:47 Gerald’s Professional Background
  • 07:12 What is GRC(Governance, Risk and Compliance)?
  • 12:07 Difference between GRC in a Large vs Small Company?
  • 15:00 Difference between Risk Tolerance and Risk Level?
  • 18:44 Quantifying Risk with Cost?
  • 20:25 Critical Leadership skills for Security Practitioners?
  • 26:24 Responsibilities of an Entry Level GRC Analyst?
  • 29:29 Stringent policies and Framework
  • 31:07 Moving from GRC Compliance to Risk position?
  • 35:50 Framework/Certification for Entry Level GRC Analyst roles?
  • 39:15 What is CMMC and is it important for Entry Level Role?
  • 43:09 Benefit of Personal Brand, Networking for Entry Level Role
  • 49:10 Fun Section
  • And much more…

THANKS, Gerald Auger!

If you enjoyed this session with Gerald Auger, let him know by clicking on the link below and sending him a quick shout out at Linkedin:

Click here to thank Gerald Auger at Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: [00:00:00] I could not think of a better person to bring on when we’re talking about entry-level GRCs because you’ve been creating so much content in this space

If you can probably do a brief intro on, who’s Gerald and a bit about yourself, your industry, the professional background

Gerald Auger: yeah, absolutely. So good afternoon. Good evening. Good morning, wherever you are. My name is Gerald Osier. I am a cybersecurity practitioner.

I’ve been in the field for 17 plus years. I did come up on the GRC side of things, although I’ve got a lot of experience in different facets and in this. From an education perspective, I came up computer science, a very technical I moved in and I’m very, very proud that I hold a PhD in cyber operations from Dakota state university, which we could get into that.

Why, why on earth would you go get a PhD and who, who would want. So professionally I, you know, from my industries, I was in the U S federal it space for awhile. So I’m very familiar with that, which is, which is very heavy in the governance and compliance space, which is why there was so much work there.

I moved into healthcare for about six or seven years, worked in the HIPAA space. I ended that journey as a cybersecurity architect, more on the [00:01:00] engineering side of things. And today I’m super pumped because I’m actually. Building my own program. So I’m accountable for my own cybersecurity program at a fairly large manufacturing facility here in the United States.

So definitely different challenges. But it’s good in, in my side time which has always cracks me up. I adjunct faculty at a Citadel military college in their cyber science and computer science degree. And I run simply cyber, which if we get some time to talk about that, or maybe some viewers are familiar with, it’s a YouTube channel designed to help people make and take a cybersecurity career further, faster.

And for me, it’s actually quite delightful because I love it so much that it’s basically my hobby, but people are getting a lot of value out of it. So I get to, I get to claim it as like a job, you know?

Ashish Rajan: For people listening in and probably have never heard about GRC, what is it?

Gerald Auger: Yeah. So GRC is an acronym. It stands for governance, risk and compliance and effectively, you know, any, any cybersecurity program that is, you know, effective for any organization.

I don’t care if it’s small, medium, or large, you just have more bodies to throw. And [00:02:00] bigger challenges to deal with. Honestly, you need governance, risk and compliance. It may not be called GRC. It may just be like implicitly there, but effectively. It’s the tone. The governance piece is kind of the tone and attitude of the organization.

What is acceptable behavior? Are people allowed to install any app they want on their end point? Or is it a complete draconian law? Like nothing happens. You come in and that’s it. That’s governance. How, how does this work risks? Well, let’s do compliance because that’s super easy compliances. Some organizations are held to some standard, right?

HIPAA for healthcare. You know, federal government has FISMA and some other things compliance is effectively for whatever regulatory external body is imposing. Regulation or standards on your organization that you are compliant with them. Now it’s important because if you don’t comply with them in a, in a very popular one is the payment card industry.

PCI. If you don’t comply with the PCI standard, the credit card companies will not allow your business to take credit cards. And in 2020, You know, a lot of businesses, that’s the only way they take payment. Right? [00:03:00] So you don’t want to upset that group. So you need people making sure that you’re complying with it.

And when auditors come in. So that’s the compliance piece. Now the risk one I would argue is almost equally important to covenants. If not more important is organizations don’t have infinite money. In fact, it’s actually quite hard to get money from the organization to invest in cybersecurity programs because the better we are at our.

The less, that is actually happening. It’s a very perverse incentive to like strive so hard to have nothing happen and then go and ask for money to, to keep doing nothing. Right. You know, that’s not what’s happening behind the scenes, but that’s, what’s the appearance to the business. Right. So risk is about identifying where are the, you’ve only got five bucks a sheet, right?

You’ve only got five. And you’re, your car is kind of messed up and you’re kind of hungry and you don’t have any plans tonight. So what are you gonna do with the five bucks? What’s important? Is it important to eat, fix your car, be entertained, right? You’re probably going to go with eat there, but it’s still.

Logical decision that you walked through, you probably don’t even think about it when [00:04:00] you make decisions, but almost all decisions we’re making are risk-based decisions. You’re running into the bank. Do you lock your car or you forgot to lock your car? Do you run back and lock it or not? Well, no, because I’m only going to be in there for a minute.

And this is a pretty safe area. You just made a risk-based decision, amplify that up to an organization. And that’s what a GRC analyst does. And, and that’s basically it. Now I will tell you. That I am kind of the person in the space talking about it, but it’s because it’s, it’s less I don’t want to say less sexy.

Right. But like the, the red side is notoriously, always been known as like the cool side, the dark hoodie, breaking into stuff, doing cool stuff. The blue side has kind of amped up itself in the last maybe four or five years to be more prominent and having more solutions and more training and more just visibility.

Right. And now purple purple teaming is like joining forces, like wonder twins unite. Right. And GRC is like over on the side. You know, pushing the glasses up with their little clipboard and it’s like, Hey, what about me? Right. So, no, one’s given the GRC people some love. And while I do stuff on simply cyber for red and blue, I do make sure that that GRC group [00:05:00] isn’t marginalized and they get repped.

Ashish Rajan: I can definitely relate to that as well. And I do want to get into the YouTube video side of things as well, because for me, I feel like I’m doing the same for cloud security. And it’s not, sexy as pentesting or going bug bounty, but it’s definitely something which gets people, jobs, helps people pay bills.

You mentioned the importance of it as well. Like all of us make a risk-based call every day, like that shop done that you might take well, which might be a bit more of a faster than what you want to target.

You would take it as that’s a risk call as well, but is importance of GRC more from a perspective of say protecting against bad guys or girls, or as it more. Around the fact that, Hey, this would help me sell more because there’s two sides to that story as well. Where if you’re a startup, a lot of GRC focuses more about, Hey, how do I get to compliance so I can get that next customer.

And I know you do some space work in the SMB space. So it is the important, different between GRC in a smaller organization versus a larger organization?

Gerald Auger: Yeah. Cause I mean, you have less cycles, less manpower to apply [00:06:00] at the small organization. I, I would say that. For organizations that haven’t really experienced any type of pain, meaning an incident, right?

They are seeing it as a business enabler, right? We want to do business with Walmart, right? Walmart’s a massive player. We want to do business with Amazon massive player in the space. Walmart and Amazon are not going to negotiate terms with you. They’re going to give you the terms and you’re either going to accept them or you’re not.

And if they say that you are going to do X, Y, and Z, and this isn’t even a complaint standard. Walmart’s compliant. Like you will comply with. Right. If you can’t tap into that market, that’s a huge amount of opportunity that you’re leaving on the table. And obviously you’re going to do the cost valuation, right?

Well, it costs us, what’s the cheapest. I hate this question, but what’s the cheapest we can, what’s the cheapest. We need to get compliant. Like let, like let’s make it, you know, stand it up and make it look compliant, which there are ways to pencil, whip compliance and, and have minimum compliance. Right.

But I always say. Maximum compliance equals minimum secure. You should never be striving for compliance. That’s [00:07:00] that’s, it’s, it’s a dangerous road. It’s like, I always tell people like these small businesses. Okay. Yeah. Yeah. You can drive on the highway at a hundred miles an hour. You can do it. You can do it all day long.

You can do it without seatbelts on. You don’t need to say. But if there’s an incident, you are going to be very happy that you have that seatbelt on it. It doesn’t prevent you from going a hundred on the highway. It protects you if there’s a problem and the chances of a problem happening are unpredictable.

Right. There’s some metrics we have some yeah. Actuarials and stuff like that, but I can’t tell you with certainty, it’s going to happen. So do you invest in seatbelts or do you invest in like a ping pong table? You know, in the break room, like, cause you’re a tech startup in Austin. Right. So yeah. So anyways, yeah, I could flip out about that all day long.

Ashish Rajan: Jack’s mentioned, I hear people say Risk tolerance and then they talk about Risk level.

What’s the difference? Or are they interchangeable?

Gerald Auger: That’s a great question, Jack. I, I hear you. So risk level, I feel is like a quantifiable thing that you can say, like, you can assess your program against whatever you want. Like, so I’m a big advocate of NIST cybersecurity framework.

So you can you can take the [00:08:00] framework, you can measure yourself against it and qualify as this is your risk level, right? Like where. You know, at medium risk, right. Which you should never distill your overall organization risk to like low, medium or high that’s like insane, but you could, you could break it down further, obviously.

And then what is your, and then, so then you take that as an input into what is your risk tolerance and risk tolerance is where the rubber meets the road. Listen, we are, don’t have that MFA and phishing is getting credentials all the time. Like, it’s a, it’s a major risk. Is your tolerance, are you willing to invest in, you know, 32 bucks per user, per month for Azure MFA in order to re eliminate this risk.

And, and then it becomes a financial question for the business and it’s their risk tolerance. Right. We always talk about appetite risk and that’s like the most nebulous thing that no one’s ever been able to define. But like, when you say here’s our problem here, Likelihood of it happening and the probability, right.

That’s how we get our risk. What’s your tolerance for it? Are you willing, are you willing to get that call in the middle of the night or would you [00:09:00] prefer to sleep peacefully? It’s it’s so not, not to pivot too far she’s but like there’s a main thing in our industry about who owns, who owns cybersecurity risks.

Or the board or the CIO or CEO. And I always say my job as a Cisco is I am there to advise, yes, I have some ownership of it. But at the end of the day, I’m an, I’m a very specialized consultant who is there to advise. I, you know, I can make a strong case on why we need MFA, but at the end of the day unless I’ve got my own budget and they’re going to allow me to do that, it’s a business decision.

Right. And that, to me, that’s the difference.

Ashish Rajan: I agree as well. Cause I’m just trying to think about it as a CSO. A lot of the budgets that I get as well is primarily focused more on , uplifting the security, or maintaining or reducing the risk.

I’m sure you’ll agree. You can never get at zero risk. Everyone has a risk register that’s filled with, I’ll just say at least 10 plus items in there on an ongoing basis. That they’re reviewing and ongoing working on. Right? So that’s, that’s acceptable. But to your point, that’s the risk tolerance that they’re going with?

Oh, this I can [00:10:00] tolerate having 10 high, medium or low. And I know we’re going into a bit more technicality for people who make for entry-level perspective, but I definitely find that it’s an easier conversation to ask for more money when you, when you understand the risk tolerance of your organization.

And if you see something and you go, oh, actually, yeah, That can be solved by MFA, but I know that you guys would love to secure this and MFA is the way to go. There’s nothing else that we have in our arsenal. That’s going to help us. So a hundred percent with you on that one. And I love the answer about the difference between the level and the tolerance, because probability is something which is really interesting.

I’m sure you guys do this as well, where every risk is attached to a monetary value. If it’s a high risk, it’s going to cost me $10 million.

I know I can take a million dollars, but not a $10 million, I think. Do you find that that’s helpful as well?

Gerald Auger: Yeah, I find it’s, it’s sometimes difficult to qualify a quantify with financial. I mean, in some instances you can say this will result in production downtime.

Like ransomware is super easy, right? Because if things go down, you can say, how much do we make a day in revenue? And then multiply it [00:11:00] by six days, which is the typical ransomware downtime. All right. So I’ve got a nice, easy number, but it’s hard to say, like what’s the financial impact if we lose exchange for a day, right?

Like you can email, well, you know, we’ve got phones like w it’s very, it’s very squishy, very quick. Yeah,

Ashish Rajan: she has an interesting point because even that’s an arbitrary number that you kind of pulling up some, oh, I guess it would be a million dollars. What does, what do you think Gerald? Oh yeah, I guess it is a million dollars.

Let’s put that in. So it’s more of the agreement of like,

Gerald Auger: Yeah. And I’ll just as a pro tip for the entry-level people who are tuning in, like anytime you bring a quantifiable number to an executive, they’re going to ask you where that number came from. And you’re going to have to be able to defend exactly where it came from.

So finger in the air, you better have some like little footnotes to support that. The astronauts

Ashish Rajan: I’m kind of understanding kind of like what you mentioned with like, oh, $20 per user outlook. If outlook goes down, we have 500 users. We are 520. We come up with the number after that, but I just want to repeat, I hope that answered your question jacks, but that was a good question.

I’ve got a question [00:12:00] from Tesla. What leadership skill do you think is more critical for security practitioners?

Gerald Auger: Hm, that’s interesting. Well, it’s kind of tricky, right? Like, so are you talking about like, from leadership, when you say the word leadership? I think of managing down, right. I think of leading my team. So from the. You know, kind of qualifier of what you’re asking. If that’s what you’re in fact asking. I actually think communication and communication is important both up and down, but communication to actually lead and provide for your security team.

Right? So technical skills are great, but they get rusted. If you don’t use them tech stacks, Maybe you switched jobs, like yeah, the concepts stay the same, but you got to learn new tech stack and stuff, but the way that you engage with people and the way that you can unify a team towards a common goal, that is incredibly valuable because I don’t care how good.

You’re going to be more effective with, with a team that’s all rowing in the same direction. Right. And, you know, that’s, that’s that’s for me. What I think a critical skill is for [00:13:00] leadership. And I know it’s, it doesn’t really, it could be any industry, right. It could be cloud. It could be it, it could be anything.

Yeah. But I think it’s so important to understate. What is important to the people and what do they need to do their job? Like that’s, that’s how I see leadership skills.

Ashish Rajan: If I can add something to it. Cause you touched on something really interesting, right? Well, it was more about understanding the business and their risk tolerance as well.

A lot. I feel like a lot of at least security leadership. If we were to kind of put that hat on it, a lot of that comes down to an organization would not spend too much money. If you can explain the risk properly and B if it’s not something that they care about. So you having an understanding of the business, like, do you have Walmart example?

They would not care about the latest cloud technology, because unless it’s actually helping. Say it deliver a goods faster to anyone who’s ordered online today, they do an Amazon thing. Like next, within an hour, the thing is outside your house. If you tell them that they would, oh my God. Yes. Sign me up.

But if you tell them like, oh, it’s a massive cloud technology, you would do this amazing thing. If would just be like roses and petals [00:14:00] everywhere and only website, like don’t care about that. Right. You know what I mean? Like.

Gerald Auger: Yeah, it doesn’t, it doesn’t, it doesn’t translate directly to revenue. Like, I mean, maybe you could make a case for it, but you’d have to really refine that elevator pitch on, on why it’s going to you know, be that way.

But we’re, we’re, we’re kind of a cost center right now, which basically means we don’t generate revenue. We’re just like an expense that the business has to absorb, but we’re, we’re changing that. We’re changing that. We’re also seeing it in Insurance cyber insurance space. So like every business right now, one cyber insurance, because that’s how you protect yourself from ransomware.

And a lot of cyber insurance and companies have gotten burned because of those policies coming due. So now it’s like, what, what’s your security posture? And if it’s not up to snuff, they won’t even write you a policy. They won’t even talk to you. So you’re, you’re almost motivated and incentivized for the business.

At that point, the business comes to you and says, Hey, we need these four things. Please do it. You know, how do you even know where my office is? Like I never seen down here.

Ashish Rajan: Oh, I think he agrees with what he was saying as well, Tesla, but I think I just want to quickly add something there. Cause I think I’ve [00:15:00] been lucky enough or the last couple of years that I’ve been running the podcast.

Right. I met three CSOs , who changed that whole cost and the conversation for me and it was amazing. I definitely want to share with you. I want to come back to entry level.

Gerald Auger: This is good stuff though, but please go,

Ashish Rajan: because this is still information that you would appreciate as someone who’s spent consuming content in this space.

I met three CISO’s. who made their companies deliver security products. Like one was Akamai’s CSO. He made the company realize, Hey, we are more than a website delivery. We could be a security service on top of it. And then I met the snowflake CSO. Who’s made a data security as a thing, like they actually offered that as a service.

So that was really interesting examples. And I’ll definitely encourage people to go check out as someone who’s already working in an organization. If there is something that you feel is a security. And if you, I guess, present a good enough business use case to the organization, like, Hey, you can make money like this as well, by giving more value to your existing customers.

And I’m like, oh my God. Like, so we’re no longer a cost center at that point. We actually revenue generating at that point because security product is a product suite in the business at that point. But I [00:16:00] want to stop there, but I’ll give you a quick thoughts on that. And then you can come with, come to the next question.

What do you think of that?

Gerald Auger: Oh, I, I think it’s completely awesome. It’s tough though. Cause like that can be done in the big tech space pretty easily, but other industries, I’m just thinking myself manufacturing. Like I can’t, I can’t add a cybersecurity. Widget to a ball-bearing like it, you know, like it’s like, it’s

Ashish Rajan: interesting though,

Gerald Auger: but it doesn’t translate as well, but, but to take it back to entry-level GRC, I just, for the people in the audience, as we migrate back into those conversations, the questions we’re talking, the answers we’re giving in the discussion we’re having is starting to paint.

What I would argue is like a full scope picture of the cybersecurity program. And as you get that entry-level role, you’re going to be asked to do a couple things and I hope you do them. But don’t, you know, you won’t have your head down the whole time. If you look up, you’ll see these things that we’re talking about, and that once you figure out where you sit in the bigger picture, you can start actually, you know, expanding your roles of responsibility, figuring out what you actually like and starting to level up.

So there is a lot of value in these complex. A hundred percent.

Ashish Rajan: And I think you [00:17:00] kind of we can definitely answer Tom’s question as well. Just came in as well. What would an entry-level GRC analysts expect to do? I would think the company policies would come from a senior manager.

Gerald Auger: Yeah. So thanks Tom.

You know, Tom’s a member of the simply cyber community, so it’s good to see him on this. Yeah. So in entry level analyst, what you’re going to be doing is I don’t want to call it grunt work. Like Al like a lot of the stuff that you’re saying the policy would come from the senior manager. Yeah. So the policy probably would come in like a rough format and then the senior manager might send it to you and say, Hey, listen, why don’t you run this up against like a couple of different industry, best practices, industry, best practice policies.

See if there’s any gaps. See if there’s anywhere we can collapse it down. You know, think of it like a pro like a professor and like a grad student kind of like that way where you’re doing, or, you know, a Mason and a Mason tender, like there’s the CRA there’s the artisan. And then there’s the person who’s like apprenticing essentially from the artisan.

I would argue. That’s kind of like what entry-level GRC is also. There’s a [00:18:00] lot of documentation on the, on the GRC side. So you might get someone who’s like, all right, we need this, this and this. And then you go off and collect those artifacts. When you’re trying to put together a system security plan, which is a really important document that outlines how your program is built and actually implementing.

And when an auditor comes, if you can hand them one of those, they like give you a high five and buy you a cup of coffee. Right. So that, but that’s like a 200 page document 300 page document, depending on how big your program is when it’s based on a million other factors. So by. You know, an entry-level person you might say, I might say to them, Hey, listen, we’re going to be doing an enterprise risk assessment for 2022.

We’re starting to plan. Now I’m going to schedule all the meetings. I’m going to schedule all the work for you. So you don’t have to understand the scope of our program. What I need you to do is take. You know, checklist or audit list or punch list or whatever. And I want you to go talk to the people that I set up the interviews with.

I want you to get their answers. How are we doing this? I want you to get evidence artifacts and stuff like that. I’ll meet with you weekly. Cause [00:19:00] I’m working on other things and we’ll meet weekly. I’ll keep you online, keep you on track. And, and basically that’s, that’s how you should be going through it from a progression perspective because you go through those a couple of times and then yeah, I’ll still meet with you, but you really don’t need me.

Because when you come meet with me, it’s already sorted out the way you are. And now you’ve moved into like a mid tier and a analyst basically, where you can go off and Hey, we’re good. We got upcoming. Like, IATF on it. Here’s the standard, you know, the drill go for it. And like, it’s a complete standard that I’m not even familiar with, but I’ve got confidence that your mid tier, oh, by the way, congratulations on the promotion, Tom, because now you’re going to be running this project by yourself.

That that to me is what entry-level GRC analysts work could look like in most organisations.

Ashish Rajan: One other question from Tesla, have you noticed how stringent these policies have now have to be tied to some regulation or framework or they pass.

Gerald Auger: Yeah, I think he’s talking about insurance policies. Yeah. They, they really are. There’s there’s, it’s you know, insurance companies, aren’t printing money.

They’re, they’re, you know, trying to hedge between the money they take it and the amount that goes out and they get a little margin for themselves, right. Or a lot back in the day. [00:20:00] And these, these new ones, like if you don’t have MFA, for example, like good luck, you’re either not going to get a policy or your premium is going to be so ridiculous that it literally would be cheaper to just get rid of.

And pay the, pay the ransom, you know what I’m saying? Which is a perverse thing to think of. But again, let’s think about it from the business perspective, the insurance policy is a hundred thousand dollars and it has a $250,000 deductible. Right. So you’re in for three 50 before you even do anything. Yeah, the average ransomware, or let’s say business, email compromise.

Cause I know that number off the top of my head, the average business email compromise it’s about $70,000 kit. Right? So you could absorb four of those hints before you ever get or five before you even get money out of your pocket. So what what, what would you rather do pay for it? And then hope you don’t get hit six times or just take your chances and you know, any, any, any business person is going to say, if that’s the numbers, then we don’t need the policy, or we don’t need to MFA.

Ashish Rajan: Yup. A hundred percent, I think to your point, that has gone come back to risk tolerance as well. Another [00:21:00] question from jacks. How could someone gain the appropriate education around GRC and move into a risk management

Gerald Auger: position?

So that’s a great question. And as we mentioned at the beginning, if you weren’t here GRC, the R stands for risk, and it’s the one that really helps the organization make decisions on where to invest and what controls to make and what projects to fund and what what’s our FY 22 projects. Right. I will, I will say I don’t know how you feel about this as she should.

I I’ve, I’ve angered some people in the past, so let me qualify. Blue teamers and red teamers can become CISOs. Okay. So I’m not discounting you people. All right. Most CISOs grow out of the GRC tree because there, the CISO’s job is GRC. It’s just GRC. They’re not most CISOs aren’t hands on keyboard, like tuning Sims and stuff like that.

They’re doing GRC stuff. I just want to tell you, like, if you decide to go the GRC path, if you’re interested in Cisco, that that’s a very accessible path for you now, as far as getting exposure and experience. You know, like I said before there [00:22:00] isn’t a great cool, you know flashing lights, kind of training platform, cyber range for GRC.

GRC is much more about, well, the governance when you can’t even really train on it because it’s more of a attitude of an organization. And the organization is kind of a living organism that takes the personality of the leadership of the company. That’s what governance is. So you’re not going to get any training on that.

That’s actually just called life experience and is. Unfortunately, you’ve got to walk that walk and, and you’ll get it. Yeah, so real, real quick. And then get your, your thoughts that she used, like with, with risk and compliance. What I would suggest you do is, you know, read, I know this sounds bad, but read like miss CSF, read HIPAA, understand what these standards are.

You’re going to start seeing a lot of not redundancy, but you’re gonna see that they have a lot in common. And then you can begin to look at yourself, look at your own lab, look at your own home, look at your business at work, whatever, and start thinking through like, you know, where are the risks, whatever like that.

And then you could do like a fake audit and, you know, so that’s how I would approach it. ,

Ashish Rajan: I love how you mentioned the blue team. Red [00:23:00] team can also become CISO and that’s true a hundred percent because, and it’s funny because I came from a technical background into my.

And read realized was if I did not pick up those GRC skills. I would not be a great CISO, a hundred percent if you just did. I dunno. For me personally, I did a lot of migration of cloud helped a lot of enterprises going into cloud did security architecture. It’s SOC work. That’s always technical, right?

You go into that space, but what you realize is after a certain point, I don’t use the word hierarchy, but there’s a bit of hierarchy in that space where once you get to that CISO position, no, one’s really talking about what’s the best SIEM. What’s the most you can do from the SIEM.

The questions are more around, I am Walmart. I want to release this product tomorrow. Do you see that as a risk in doing this? And go the SIEM solution said it’s amazing. So I definitely bring it back to that because I, a hundred percent agree with you that yes, you can come from a red team or blue team become a CSO, but you still need to have that awareness of GRC and you definitely need to work with.

Compliance team member, or you need to know compliance yourself because most organizations are there are required to [00:24:00] fulfill some kind of compliance requirements, whether it’s PCI or whatever. So a hundred percent with you on that one. What’s your advice for entry-level GRC analysts when it comes to prioritizing learning specific frameworks or tackling certification?

Gerald Auger: Oh, that’s a really good question.

So I always say, you know, security plus is a great, great place to start because no matter what you end up doing it’s, it’s kind of industry recognized as like your, your entry level starter certification, right? Not to favor one. Company or another, but you know, that one is. You know, it depends where you want to go.

Right? So you say framework so I’m an advocate of NIST CSF. If you’re in the European space, I think ISO 27,001 is actually still popular for some reason.

Yeah. So it depends where you want to work. Right. And then I would, you know, to take it to Ashish’s space, right. Even though it’s, it’s GRC, it’s, it’s a framework. Right. But like cloud is so huge right now. I mean, it’s, it’s, I don’t know what Microsoft did, but a few years ago Microsoft decided like, oh, you know what, I’m actually, we’re going to be serious about cloud.

And if you look at the adoption rates of Azure right now, [00:25:00] Massive. And as, as OSS phase out and, you know, identity and access management becomes more and more paramount and the integrations with other third-party vendors, SAS vendors, and stuff like that. And the ability to use your own identity or your organization’s identity.

W everybody’s just moving up into Azure. It’s easier. And it’s kind of cheaper, which again, going back to the business is going to be the case. So even though it’s not really a framework, I would encourage people check out Azure specifically. And if you go to, I think it’s

You can actually drop in to an entire space that outlines how Azure is complying with all of the different standards. Standards. I’ve never even heard of, and they’ve got them all in there and I mean, you can just read all of it and absorb all of it. And if you go through kind of the Azure training, which is also, you can actually set yourself up for like a pretty easy sell on yourself as an entry-level GRC analyst, because you know, most people do have some level of need for GRC work, right.[00:26:00]

Especially at larger organizations. Yeah.

Ashish Rajan: I think there was a stat that came out of that only 43% of the enterprise have migrated to cloud. So the remaining 57 still need to kind of jump on on this and go.

Understand that. So if you’re a new person who’s starting from the cyber security, you have the framework understanding of from a NIST perspective, I’d love to hear you sort of CMC CMMC as well, but you have a understanding of NIST and you come in with say some kind of a free learning that you’ve covered with Azure or AWS or Google cloud.

And that company is already looking at migrating that’s a great space to be in because you have the context of the environment before you walked in. So interview questions would just be like, oh yeah, I can talk about it Azure. I can talk about Google cloud or I can talk about AWS as well. That’d be amazing.

But I do want to talk about CMMC cause I love Erica’s question. about the framework would you consider CMMC as something that’s important as well? I know we spoke with ISO 27,001. SOC2 so CMMC what is it and is that relevant for an entry level

Gerald Auger: position?

Yeah, [00:27:00] so, you know, this is an interesting time for you to ask that question. I literally just posted a video on my YouTube channel. Simply cyber for those who weren’t here as beginning on last Monday and it was called next demand job. And I basically lay out a case on why CMMC is going to be an area of high demand for job opportunities.

And it’s a complete GRC role, right. I won’t go into too much. I actually did a live stream a couple of days later on what you would do, like, okay. So like here’s the job and here’s what it’s all about 50,000 foot kind of like little taster I’ll lose Boucher if you will. And then I did a live stream where I went into like an actual audit plan that I, I found.

And I went through and I was like, this is what this country, this is the scope of the, of the audit plan. This is what CMMC is. This is what you would do. If you were going to audit a company, or if you were going to do prep, work for a company that needed. To get audited. Now, what people need to know very quickly at high level is that CMMC is a standard set of security controls that the us department of [00:28:00] defense is going to require anybody winning new contracts.

With the department of defense. Now you might be like, I don’t know anyone that does work with the department of defense. The reality is lots of companies do business with the department, offense manufacturing companies do department of defense consulting companies do department of defense healthcare, like they’re everywhere.

Okay. And if you, if your entire business is hinged on doing work with the department of defense, which has like a multi multi-billion dollar budget, and that’s how you feed yourself every day, this thing. Going to stop that unless you can comply with it. Right. So now it just got put to the forefront of everybody’s list.

Like I just took a new job in April Ashish and every job I interviewed for every single one said, what do you know about? CMMC like, some of them had nothing to do with anything. Yeah. And, and you know, like I’ve got experience, it helps differentiate me as candidate, but, but, but, but they all asked me it was all on there.

So it, like, I can see it coming. I know it’s coming, they haven’t started requiring it, but it’s going to be required in 2025, ultimately, which is when you bid on the [00:29:00] contract, you need to get audited and stuff before that 20, 23, probably because there’s not a lot of auditors. And when, if you’ve ever been to the DMV, I don’t know if they have the DMV in, in Australia, but like, if you go to the, the, where you get your license and stuff like that, or you go, you go away.

And there’s only one window open. You’ve got to wait in the same line as everybody else. Right. So if there’s only a couple of people who can do the independent audit, that is a required step, then companies are going to be like, oh crap, we’ve got to get in line now. So a lot of businesses are ramping this up for 20 twos, budget 23, if they’re behind the curve and stuff like that.

So anyways, long story. This is a huge golden opportunity. I’m telling you. I have a lot of I’m a strong buy on CMMC GRC work. Ashish.

Ashish Rajan: I would definitely encourage people to go check that out as well. You touched on interviewing and I think that’s an interesting one as well, because you’re someone who creates videos, but also does work in industry and like me, which is really interesting because a lot of people when they reach out and they talk about, Hey, how do I differentiate myself in interview? Because I don’t have any experience. I often talk about the fact that.

What are you doing outside of [00:30:00] just studying in your college university? Like I’m keen to know from your side, what have been your advice and is YouTube something that people can actually utilize as well considering you’re in that space as well.

Gerald Auger: Yeah. So, you know, I always tell people that, you know, when I look to hire candidate, You know, there’s a set minimum thing that they all have to have.

They all got to have some experience, maybe a certain, you know, whatever, like it’s, it’s a mixed bag. Right. But you, you kind of weigh it up, but then it’s the key differentiators. And if you have demonstrated initiative and proactivity, for me, that is a huge differentiator because. In our space of cyber security, there’s a lot going on.

And with all due respect, I will, I will bring up someone who’s an entry level. I’ll mentor them. Right. But at the end of the day, like I can’t do, I can’t like handcuff myself to you and do your job with you for 40 hours a week for like three months. Like there’s just too much going on. So what I need people to be able to do is take initiative, take some guidance, come like, reach it an obstacle, and then come back.

As opposed to being led, right. I [00:31:00] need them to come back to me for additional information and then move forward. Right. So if you’re doing things like taking initiative and it can be, it can be it can be manufactured in many ways. Right? So the home labs, the classic example, but I, I had a candidate that I hired.

Last person I actually had. I said, oh, like, what’s this right here? And he said, oh, you know, I really wanted to work in the cybersecurity space. I’m a network engineer. I couldn’t get in the job. So I created a mentoring program at my company for everybody. And then I put myself through the mentoring program.

Aligned to the CSO. And then, you know, eventually, you know, got mentored by him. And then I got a job on his team. So like this dude wanted a job on the cybersecurity team so badly. And the only way to get it was to build a program for the entire company and then put himself through the program. I mean, it’s ingenious, it’s very smart.

And he achieved his goal and, and he did it on his own. You know what I mean? It’s like that level of initiative is, is cool. So, but to your, to your point about. Kind of branding yourself. Right? We talk about YouTube. Like we often say that networking [00:32:00] is the most important thing, right? So initiative is very important, but how do you find the job?

How do you do all these things? Networking is, is, is more important than anything. Okay. Like my I’ve had seven jobs in my life. Four of them, I did not like apply cold to right. They were, you know no one gave it to me. It wasn’t a spoil system. I earned the. But I didn’t go through the front door. Okay. So how do you, how do you network, how do you brand, how do you define yourself?

Right. So you said YouTube. We mentioned at the onset, there are not a lot of people doing cybersecurity on YouTube. There are some really well-known people like network, Chuck and Heath cyber mentors got some stuff. And John Hammond, there’s like some really impressive people out there who are doing a lot of great for the community.

I, I challenge you to name 20 cybersecurity YouTubers, right? I think you might have a tough time. So this is like an untapped area that you could totally get into. But I want to preface it by saying that there you know, it’s, it would be more impactful than a blog post. Right. But you could run a blog, but it’s your level of effort and time and energy, right.

YouTube. There’s like lighting back here. There’s this camera, there’s this [00:33:00] microphone. I’ve got, you know, all this stuff going on. Right. I got editing the videos. It’s a lot of work. Right. So then you take it back, maybe do a podcast. It’s just your voice. It’s less work. You can still socialize. You can talk to guests, which like she should, I had never met before.

I’ve seen his. Now, we’re friends now we’re friends, right? So we’ve not. So, you know, and then you could go down to a blog and then you could do other things. And one thing that we were talking about right before we went on stream here is, you know, tic talk is a massive, massive platform. Right? Okay. The, the level of acceptance for audio and video quality, I would argue there’s a higher level of tolerance on Instagram and Tik TOK than there is on YouTube.

I, I regularly get, like, this is a 10 ADP camera. I have videos from earlier in the year before I got this camera, that is seven 20. And I have. Comment me all the time. They’re like bro 10 ADP or, or nothing. It’s like, get a clue. And like in the video help you or the, you know, so, so people don’t really people give me a hard time on YouTube, but with Tik TOK, I feel like you could [00:34:00] do 60 seconds.

What, you know, Just, I just coming up with this on the fly. Like one thing, if you’re really pushing yourself, do a video of one thing you learned every single day in cybersecurity. Right. And make that what your tick talk is. 60 seconds. Turn the camera on. What’d you learn today? What’d you learn today? Do you want to learn with me?

Get people in the comments, have them chime in on what they learned today. Start a following, get involved. There’s there’s a lot of opportunity. And at the end of the day, you’re reinforcing your own learning, which is important. You’re networking, which is arguably the most important. And you know, you’re, you’re kind of like giving yourself a third dimension, right.

Other than the. No grinding certs and stuff like that.

Ashish Rajan: To your point about the networking piece, especially in the online world, that where a lot of people are living in where there’s not many networking conferences or meetups that you can go to. It’s only online events, a lot of people doing YouTube searches or Google searches for people.

So if your blog or your podcast or your video comes online and you go, oh, I wonder where Gerald is from. Oh, I wonder where Erica or charm and all these other people who were amazing [00:35:00] people just asking us questions. Where these people are from, and they’re creating content and, oh, they’re local to me. Or maybe they’re in the same state or they’re in the same country.

I can definitely work with them, get to know them better. Maybe even hire them if there are opportunities. Right. I definitely feel there’s a lot more opportunity for, online networking quote unquote, I love the tik-tok idea as well, by the way, I feel like I should give that a shot as well, but I am mindful of the time as well.

And I’m mindful of other people’s time. I did have three questions though. Just like fun questions towards the end that I normally ask people. And the non-technical questions just to get, get to know you a bit. It’s more like, so what do you spend most time on when you’re not working on GRC and

Gerald Auger: technology?

Like at work or private life,

Ashish Rajan: you can pick either. It can be either you can be, cause this is more your personality, I guess. So you can choose your personal site.

Gerald Auger: Oh yeah. I mean, you know, it’s the simply cyber is, is like a hobby that I. You know, individual pride in and like, I’m, I don’t want to say I’m a perfectionist, but like I like improving whatever.

I’m putting myself into something I like to improve on it. So, you know, the YouTube has given me a lot of satisfaction of that, but I will say [00:36:00] I’m, you know, I’m a happily married man and I have children. So like family time is very important to me. I actually made tacos tonight for taco Tuesday. And that experience.

Yeah. So you know, do doing stuff with, with my wife and kids is, is really good. And I will tell you I’m terrible at it, but Fortnite is the game of choice here at the OSHA household. So my kids were always showing me or school in me on the platform, but, you know,

Ashish Rajan: Yeah, I can definitely, I can definitely get some lessons on that one.

People are saying thank you as well. Thanks for all. So what is something that you’re proud of? Part is not only a social media.

Gerald Auger: And so you know, something that I’m proud of, I have been to the south pole, like I’ve sat around, physically sat around the south pole, like Indian style. So I was in every time zone all at the same time.

Yeah. And I didn’t, no one really knows that, but it happened. Great.

Ashish Rajan: So is it, is it literally a pole and south pole as well? Let me just go, this is the point. This is the top bullet point. Is that, is that like,

Gerald Auger: yes. So there’s two pools in the south pole. There’s the ceremonial pole, which looks like a barber pole and it’s got a gold ball on it.

And then all the flags of the countries that are involved, that, that doesn’t move. That’s like [00:37:00] right outside the main building. And that’s where people take pictures and stuff. There’s a pole that they reset every year because it’s, the south pole is actually a magnetic south pole. So Earth’s rotation and changes and shifts and stuff like that.

They have to recalibrate it every year. So like, you know, it’s kind of funny. There’s like this big fancy ceremonial piece and then like way over here, there’s just like the stake in the ground with like this gold, special gold thing. On top that they change every year. That’s the one I went and sat around.

Cause it was truly every time zone at the same.

Ashish Rajan: Wow. Okay. Well, I’ll definitely need to put that in my bucket. Listen for things that I do when I met Australia comes at a lockdown. Well, can

Gerald Auger: I, Hey, could I just tell you really quick GRC GRC took them to the south pole. I went down there to audit the national science foundation’s research laboratory against a FISMA complaint.


Ashish Rajan: there you go. So you can travel with everyone listening, going. Oh, I would love to do south pole, maybe go to DRC role at your first role as well, then. That’s pretty awesome, man. And that’s pretty amazing story as well. Last question. What’s your favorite cuisine or restaurant that.

Gerald Auger: Oh, so I’m actually like a [00:38:00] huge Curry fan.

I don’t know if I’ve ever said this on stream or publicly before, but like I am, I am like, I could just eat Curry for the rest of my life. Like typically if we have, I make a good butter chicken dish, I’m very proud of. So like, yeah. So if we have butter chicken, I always make extra sauce. So then the next day I’ll make like a breakfast sandwich slathered with butter chicken sauce.

And then that night on me. Butter chicken pizza, you know, with the Sonia. So yeah, so Curry is my, is my jam. You know, or, you know, korma or vindaloo or whatever you want, but like basically kind of an Indian gravy based cuisine is like,

Ashish Rajan: Well, and I think I’ve, I find of, of people enjoying your softball story, by the way Tom enjoys it.

Jack’s loves it as well. By the way, Jackson mentioned her a beer. If it was food, that’s, that’s, that’s a favorite cuisine. Thanks for that. Jack’s

Gerald Auger: they used to feed it to kids right. During the you know God, the blight or the black plague or whatever. Yeah. Yeah.

Ashish Rajan: I think in Ireland they, this, they even Slogan that the Guinness is a, it’s like a healthy food.

So Guinness a day keeps the doctor away or something. [00:39:00] Yeah. Like apparently it’s quite pro I mean, it has a lot of protein, a lot of minerals and whatever, you know. Oh, right. Okay. Yeah. Apparently they even giving you the pregnant woman and I’m not going to comment on that, like, but there’s a rumor mills fan, but I’m pretty sure.

Okay, this is definitely considered a healthy drink to just say that. And this is a practice from a way in the day. Definitely not encouraged now. So if anyone feels thinking, please do not consider,

Gerald Auger: can you imagine going to work with like three units is in you and you’re like, I just had it for breakfast.

It’s a healthy, yeah.

Ashish Rajan: It’s my lunch. Back to weaknesses. Cause I, I, I w I, yeah, I think it’d be really Detrimental for your health. If you just keep doing that, let’s say that. So I do want to leave with that message. So people don’t hear that first part and just go like, oh, I should’ve said high-protein, I’m like, no, no, no.

It is just something it’s an old wives tale, if a, for lack of a better word. Let’s just, let’s just, I agree that alcoholism, but moderate and enjoy drinking. That’s what I would say on that note. I think we’re towards the tail end and I want to definitely sh I guess. Where can people find you? And cause I really appreciate the conversation that we had a really interesting conversation going on from a [00:40:00] GRC CSO.

We had so much information in there, so I definitely would encourage people to go back, come back and have a look at this as well. What would you say? Where can people reach out to you, man, if they have follow up questions or they want to reach out to you?

Gerald Auger: Yeah. So, I mean, the easiest way to find me is on LinkedIn.

I’m very overtly you know, com communicative on LinkedIn. I do have a discord server for simply cyber that I actively engaged with my you know, my audience or the people who were part of the simply cyber community, which I’m just another member of that community. So check that out. But if you go to simply cyber on the YouTube or, you know what actually simply cyber dot.

That website is the kind of is like brown zero for, for simply cyber and for myself and then everything me and simply cyber is accessible through that site. So simply is definitely an easy one to remember, and it’s got everything.

Ashish Rajan: I would put the link on the shorter as well. Ben, thanks so much for coming in, man.

And thanks for everyone else who joined us as well. And also some amazing questions. I think we have this weekend, we have someone coming in from our class here in, and next week we have someone coming from SOC from a soft perspective as well. So we’ll see you [00:41:00] for those ones, but for the moment, thanks so much for this Gerald and I are looking forward to having more conversations considering now Started I came in from the LinkedIn posting and thanks from it.

I really appreciate that, man. Appreciate that. I love the bow tie as well, very fashionable. But now thanks much for coming companies, man. I look, I’ll see everyone hit subscribe. Yes. Thank you. I appreciate that, Tom. I think I will see you soon and my friend, but this has been really amazing. I feel I can talk to you for hours, man.

It’s sort of like the, we can probably have some of the people from the audience coming as well. But thanks so much for coming in and for sure, man, for sure. I think, I, I think I definitely feel, I need to go more GRC in my channel as well. And I’ve been doing a lot of card security. GRC is definitely is something, especially when people want to go down the CSO pod, as you mentioned, that’s a, that’s there for you, but you’ve definitely dominated this space.

So I definitely need to bring you home and bring you back again. Right. Thanks Joel. And thanks to everyone else, but it’s, here.