How to Become a QSA

Listen to learn what it takes to become a QSA and what it is like to be a QSA.

SecurityMetrics Podcast | 51

"Don't jump into becoming a QSA for a year and think 'I'm now going to go somewhere else and make a ton of money.' Spend some time really learning. That's the advantage to this job you can get so much experience so quickly and get exposure to so many aspects of cybersecurity."

Breaking the barrier to the cybersecurity workforce can be difficult, especially if you don't know where to start. Gary Glover (CISSP, CISA, QSA, PA-QSA) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to explain the steps one should take when wanting to become a QSA (Qualified Security Assessor).

Listen to learn:

  • What to learn when becoming a QSA
  • Day in the life of a QSA
  • Is becoming a QSA right for you?

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of How to Become a QSA

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone, and I'm one of the principal security analysts here at SecurityMetrics. If this is your first time here, welcome.


Sure appreciate all of our listeners and viewers. And today's topic actually came from someone who is a listener of the show and wanted to know a little bit more about how to become a QSA. So I got the perfect person.


I brought in Gary Glover. Gary is the vice president of assessments here at SecurityMetrics. Happens to be my boss as well. He's pretty awesome.


So you better be good.


Right? I'm always thinking that, oh, no. No. No. It's not what I'm thinking at all.


But Gary is, let me tell you a little bit about him. I know we've had him on the show before, but just as a refresher and for people who are new, as the vice president of assessments at SecurityMetrics, Gary manages a team of qualified security assessors, that's a QSA in the PCI world, and penetration test engineers conducting remote and on-site security assessments for large and small companies. As a senior security analyst, Gary conducts various types of on-site network and computer security audits. Most of the audits are assessments of merchant and service provider compliance to the Payment Card Industry Data Security Standard, or PCI DSS.


As part of this process, he consults with customers prior to the on-site visit to help them design and configure their network and computer assets to ensure the security of sensitive data. Gary also has experience conducting audits for credit unions, HIPAA compliance, CIS compliance.


Actually, you're part of, like, any new thing or any type of assessment we do. You're always part of that conversation, how we do what we do.


Welcome. I appreciate your time here.


It's good to be here. Thank you.


Did I miss anything?


No. No. I think that that's or probably more than what I do, actually.


Well, I used to do a lot more auditing than I do now. Now it's more, again, consulting and getting people ready for things, and also working on new products. Right.


And so, one of the critical things, it's interesting how when I talk to people in security and they ask me about it, there is this attitude that I think sometimes people conflate, which is I can do anything I want in security, which you can.


If you're new in security, you wanna do anything, you can. But the idea is you can't do it right now.


It may take a little time.


Yeah. Some things take more time than others.


Yeah.


Right? And I feel like that's in the QSA world, it does take a little time.


Exactly. And, you know, I think that's an interesting point that you made as far as, I don't know if it's our society or whatever, but nowadays, people think that you can do... we've told everybody so long you could do anything, and I believe it. Just like you said, anybody could do anything, but sometimes it takes years. Yeah.


And it takes time, and it takes experience and patience and stick-to-itiveness. Right? This is not something that is just a, hey. I am right out of school, or I'm just changing jobs, and now I wanna do this.


Let me do this.


And, hopefully, people will understand that some jobs in this world take some time and some expertise.


Right. And being a QSA, in particular, is one of those things.


As an assessor, I can see why it takes the time because there are certain things that you need to do that if you don't have sufficient experience and knowledge, you're gonna really struggle and maybe not serve your customers as well as you should.


Exactly.


So from that perspective, what training, what experience, what does it take to become a QSA?


Okay. Well, and I'll jabber on for a while. And I should probably be asking you.


But I know what it took for me to become a QSA.


You know what it took for the team. Right.


And I guess that's a perspective I can talk to is that everybody's journey is just a little bit different, and there are some common points that need to be hit along the way. And I have had experience with a lot of people over the years, interviewing a lot of people and moving.


And the industry has changed Mhmm.


Frankly. I mean, when I started, I was in the very first QSA class, you know, before we were called QSAs. Yeah.


Training for conducting these assessments with the PCI Council. And, you know, the test was five hours long, and it was handwritten. And it was, you know, it was just a... and it was weird questions. And I spent more time writing reasons why the question was bad than answering the question.


So I can see that. I guess what I'm saying is we've grown up quite a bit in this industry, and I think it's been a great thing, and it's a good thing to see. I call the old days the cowboy days. Right?


Now we're, you know, fifteen years later, sixteen years later, quite a mature organization, and processes and definitions on kind of skills that are needed to be a QSA.


So, you know, starting off in the industry, I think somebody with a good solid background, maybe somebody who's been in IT for a number of years and who has, you know, been on the other side of the coin, right, and actually installing systems and setting up firewalls and administering systems. I mean, that's great background. So if you're in that space already and you want to move into another space, this is a great way to go. Right?


Right.


As a possibility. So, and not necessarily, I mean, in the old days, well, and even nowadays, I mean, cybersecurity is important, but it's not rocket science.


If you have curiosity, if you have the ability to learn stuff on your own, and if you know how to type things into Google. Right.


You can learn a lot of stuff in this world right now.


And this is one of those areas too.


But cybersecurity, I think, is a do I need a degree in cybersecurity? Do I need a degree as a QSA? Do I need a degree in IT audit? I don't know that I can say specifically any of those things. Obviously, in the requirements to be a QSA, there are some specifics.


You need five years of experience Right.


Or four years of experience and a degree. Right. Of some sort. And, sadly, it's either a bachelor's degree or master's degree or PhD, it's the same. It's one year. So you need, and I think that's right, it's one of those trade kind of things where you have to have. Yeah.


Real life experience Yeah.


Four years long. So it's that experience, and then maybe a little bit later more detail about the certifications that need to happen. Yeah. Along there. But, frankly, if I were to boil it down, you need to have kind of the desire to deal with people. Yes. Is number one. Right?


And sometimes there are people that are so technical that it's really hard for them to deal with people, and they struggle with the interactive part of this.


So there's so much more of personal interactions, personal relationships in this job than I realized there would be going into it. And I love that part of it. And so I'm fortunate in that way. But I have seen where if people aren't as comfortable with just talking to people, you sit down to do an assessment, and it's not just reviewing firewall rules. It's, hey, can you tell me why you're using these firewall rules and who approved them? And can we talk to them? And can we... so bringing in and getting everyone on the same page through conversation is not everybody's favorite thing.


No. It's not. But to me, that's one of the fun parts of this job. Mhmm.


You can develop relationships that last multiple years. I have people in this industry now that I've known for seventeen years that I still like to talk to Yeah. And that they still like to talk to me, that I developed a relationship while doing one of their audits or at a conference or something. And so to me, that's part of the reward.


And let me say, the penalty of this job is writing. Yes. The reward is the people and learning about the technology. And, frankly, if you like to figure out how systems work, how things move through... and my background is mechanical engineering. And so to me, I loved seeing how things worked.


And, you know, initially, when I was approached about this job by our CEO, I said, well, I don't do that. That's not what I do. Uh-huh. And he said, well, you just think about it. Look at it. I started looking at it, and it really is just design work in another area. And I do like design work.


Mhmm.


So it appeals to a lot of people, I think, and I'm talking way too much here. But it appeals to a lot of people because it's not always hands on.


Uh-huh.


And so you don't have a beeper or a pager or a phone. Nobody's gonna call you saying the server is down.


Yeah. I like that a lot.


You may wake yourself up in the middle of the night saying, oh my gosh. I don't know how to help this customer. Right? But you're not being woken up, and it's more of a design. And to me, as a designer, as an engineer, I really love design work.


And one of the really great things about this job is that it sounds like you do the same thing all the time over and over, but it's not.


It's not. Yeah.


It's not because everybody's network is a little bit different, and you have to figure it out. And everybody else wants to do everything just slightly differently.


And you have to know how to apply the rule set that we've been given Mhmm.


To all kinds of situations. And that's like the engineer's dream world in some ways. Right?


It's super fun seeing how different organizations solve similar problems using similar but not the same approaches. All of these different places and ways that they can apply kind of the general outlines of how does information get stored and shared, because that's really what it's about, is the protection of very specific information in PCI. That credit card data, everybody, is involved in paying for things. Mhmm. Right? And merchants are a super important part of our daily lives.


Exactly.


This episode is brought to you by the SecurityMetrics 2022 Guide to PCI Compliance. I personally help with this guide and can highly recommend it to anyone going through PCI compliance. It goes through what the requirements are and then tells you in the real world what they mean, how to meet them, recommendations from auditors. So it's a great resource to get the fundamentals of PCI compliance. You can get it on our website, www.securitymetrics.com.


And that, again, was, you know, it reminds me of one of the other attractive things about what I finally figured out in this job that was different. I developed software for years for large corporations. I worked in engineering projects for large aerospace corporations, all these kind of things. And none of the projects that I worked on in those jobs exist anymore.


Right? All of the, you know, space things, the Mars rover, the whatever, everything. Right. They're gone now.


But and the software I've developed, nobody uses anymore.


But the people that I helped seventeen years ago with security are still doing it.


They're doing other things and growing, expanding. It's interesting how, and maybe it's a coping mechanism to deal with writing, but I like to think that I have a job that can actually slightly make an improvement. Yeah.


Rather than something that's disposable.


Right. So anyway, it matters that what we're doing is keeping information safe. So it helps the organizations that we're working with, but it also helps all of their customers. Mhmm. You know, nobody wants their credit card information out there for somebody else to use. You've mentioned writing a couple of times now, and that really is... sometimes these reports are hundreds of pages long.


Right. Luckily, they're not hundreds of full pages. They're a hundred pages of columns. Yeah. But it is a daunting thing.


And let me talk for a second about this. I'll give you my spiel about writing. Okay. When I talk to a college, I often get asked to go talk to college classes and talk to them about security and whatnot.


But when I got out of school, I thought that I knew everything I needed to do to be an engineer. And I knew all the equations and all the stuff, and it was really exciting.


And the first thing I was asked to do is write.


And and I'm going, no. No. No. No. No. No. No. You don't understand. That's not what I was supposed to do.


I'm supposed to do this cool differential equation thing. Right? When do we do that? Well, after you write the proposal that lets us win the thing, then you can do that.


But you also have to write a report every week about what you're doing. Mhmm. By the way. So it was a huge revelation to me that writing was such a big part of working.


Yeah.


And I think, you know, I wasn't good at writing. I didn't like to write, and I had a manager that forced me to learn how to write, and I can do it. I still don't enjoy it, but I can do it. And I think that's a daunting thing sometimes when people will come and think about, well, I'd love to be a security assessor. I want to just do the fun stuff. And for a while, we had a guy that worked for us that would say, well, I'll go out and do all the audits if somebody else will write the reports for me. And I'm going, that's exactly what we all want.


This.


That's exactly what we want. Sorry. That's not part of it. You have to write up what you do. So Right. Writing is a challenge, but it's not like novel writing. It's like, can you describe what you saw Mhmm.


So that somebody else could read it and understand what you said Right.


With enough words, but not too many.


Right.


And so it's not a scary amount of writing, but it does take commitment.


Yeah. And it takes focus. Sometimes my focus is better than others, but part of the writing is you read the question that it asks you in the template that the council sends out.


And this is similar in any of the frameworks.


PCI kind of today. But really any of the frameworks, that's similar, you know, this is what it says should be in place. And then you talk about how you know it was in place.


Or... Or not.


Right.


And so it really does come back to your technical knowledge and the communication skills you had while, you know, working with people. It's just write it up so that, like you said, can someone else read that and know what your experience was with that requirement?


And one of the things I like to do when I write too is to think, what if I needed to read it in a year? Could I remember what I did?


Right.


Because it does become a document of what you've done and kind of a journal in some ways of your security work. And so it's important to include enough detail that, you know, early on when we were writing reports, it was awesome because you could say, verified by observation that this was true.


Yeah.


Right? And so you're going, well, reading comprehension, it was the part you talked about earlier. I have to read the question and understand it enough to know how to answer it.


Mhmm.


And I think the industry is pushing us as assessors now to actually answer better. Mhmm. And reading comprehension, English, interestingly, is important in this world, kids. Right? I mean, this is important.


It is. Yeah.


And being able to read a question and interpret it in a way that is right, you know, is correct, and answering it that way, and then writing an answer that addresses it is a skill that's needed in this world. So anybody who's thinking about moving into this field or interested in it, you know, embrace that part of the job and just say, this will make me a better person because I can write a little more.


Can you write in a way that is accurate, complete, and concise? Mhmm.


But it's the worst... it's the sucky part of the job.


It is.


Alright. I'm a little weird because sometimes I like that part because, well, hey, you know, it gives you an excuse to put on, like, antiques roadshow in the background. Mhmm. And then you just write, well, these lovely people talk about antiques off to the side here.


Mhmm.


That's how I deal with it. That's not how everybody deals with the writing. And that's important.


You have to be in the zone.


Yeah.


When you're in the zone, you can crank out a whole lot of stuff.


My hardest thing is getting in the zone.


In the zone. Yeah.


Some people will avoid the zone as long as possible.


Mountain Dew for some people is how they get in the zone. But, yeah, there's different ways. You find... but you hit your stride. You find your way that you can make it happen.


And so I don't want, you know, the inability to write to scare people off of things.


We've had people that have, you know, I've worked with young QSAs where writing was not one of their strengths. And I've seen them grow to be better writers. And we have QA departments and people that will help you, and management. So it's not like you're all alone and don't even try to do this if you've never written anything before.


It's no. What I'm saying is if you want to invest the time to learn a skill that's not only important in this job but in your whole life, then, yeah, this is... Yeah. A great thing to do. And, yes, companies should work with you a little bit and help you understand how to do that.


So it's not a scary thing. Right?


Exactly. Well, and that's part of the process is you write the report, but then there's somebody who's going to QA that report.


Right.


And so if you haven't written it properly, we have a great technical writer who goes through it and says, hey. This is the way grammar actually works.


Right. Right.


And then we go, oh, yeah. New. Perfect.


And then also we have the technical review. So someone, you know, gets to second guess how we chose to look at that report, which makes us, you know, kind of anticipate that and say, do I really feel like I know their technologies that they've implemented in ways that they feel are correct? Do I... Yeah. Do I understand it well enough to be able to write about it and back that up to a third party? And that's what makes a really great report.


You mentioned earlier, and I wanna just kind of swing back to it, are specific certifications required?


They're not required in all things.


Regulations and all standards, different ones apply different things. But our listeners specifically asked about the QSA. So that's why we're kinda focusing on it.


And that's been an interesting journey over the last seventeen years as well. I mean, when I started, there were no requirements. I didn't have to have any sort of... I mean, I was a software engineer and a mechanical engineer with a lot of networking kind of experience, and I thought, well, yeah, I could probably figure this stuff out, and I can read, and I can work the Internet. Right?


Uh-huh.


So but then soon after, they started saying, well, what we'd like is to have a common body of knowledge for these guys. And let me just step back one quick second and say, that is an interesting part of this job. A QSA is that, and I think some people think, and sometimes when you even read the requirements to be a QSA, you think, well, I'm sorry. I have to know everything in the world to be able to do this job, and I don't.


So don't let that scare you. No. Yeah. You can't know everything. None of us will ever know everything.


You have a team of people to work with. But more and more, it feels like they're asking us to know a little bit more.


Yeah.


Networking has changed. Servers have changed. Virtualization. All these things are technologies that are growing. We have to keep up with it. So they started saying, well, we need this common body of knowledge. So CISSP was the first thing that they started asking for the Mhmm.


Certified information security professional Right.


Through, I think it's ISC squared.


And that's not the only one. No.


That's the one everybody gravitates to.


Gravitates to.


There's CISA and CISM Right.


There were some other ones, but those were the three that we started with. CISSP, CISA, or CISM. You could do one of those three and be a QSA. Then a few years ago, I think the council is saying, hey. We're getting mature enough.


Systems are getting complex enough Mhmm.


That now we'd like to be able to say, and we have a highly educated group of people already. Right? We've got a pool of QSAs.


Let's raise the bar just a little bit and say, now you need another certification on top of, you know, one of the other.


So now instead of just CISSP or one of the three, Right. Or whatever, now you need one of those plus one other. Yeah.


And a few others. So I don't remember all of the certifications. Maybe we could find them in the video.


We can put up a list of all the ones that you could do.


But there is... it's actually really well documented. Absolutely. On the PCI Security Standards page, and you can search that out. No problem.


But I think the two that most people gravitate to are the CISSP on the technical side and the CISA on the audit side. Right. Because you have to know technology, but you also have to know how to perform an audit. So those two are very, you know, complementary. But there are others that, in general, they want you to know technology, and they also want you to know how to audit things. And that's really kind of how the breakdown is.


Now they yeah. They've added this audit Yeah.


Realm recently. And that's been, and I think that's a good move. I mean, it's hard and frustrating, and everybody didn't really wanna go get the second certification when you're already doing the job.


Right? We all kicked and complained and did it anyway.


But it does create a little bit higher barrier to entry when you wanna start. You know, it's harder to say, today, I would like to be a QSA.


Yeah.


And okay. Well, if you already have one of those certifications, then maybe in a couple of months, you could get there.


Yeah.


And, you know, unfortunately, you have to be a good test taker sometimes too. These tests are standardized tests.


Mhmm.


And you can make it through them. It's gonna be okay, but it's a standardized test. Yeah. And you have to kinda be good at how they ask questions and answer them.


And you're trying to say, well, I have this common body of knowledge now. So that's what the council is trying to say is, let's have a common body of knowledge at some level because we know that everybody can't be everything, but let's give somebody a little bit of experience so that they know, oh, I've heard about that. I'm gonna go do more research. And that's the key.


Right. And I think that, for me, the knowledge, the experience that I had before, the hands on that you were talking about earlier, if you understand how to look at firewall rules and evaluate, Mhmm.


How it's going to affect an organization's security, then you have a leg up on somebody who hasn't done that. But it doesn't mean that you should feel like just because you can't do all of the things that you shouldn't aim for it. You know, as in any job, I think that the conversation... a lot of people have heard of imposter syndrome. And a lot of us in a lot of fields feel imposter syndrome. But I think that the QSA, more than a lot, really lends itself to that because somebody says to you, hey. Do you know this very specific thing about Kubernetes in AWS if you're gonna be my security assessor? And you say, well, I will by the time I get there.


Exactly. And I think that's, you know, if anybody's listening to the podcast that is looking for a QSA or has dealt with QSAs in the past, I think that's an interesting perspective. I think you're right. A lot of times people think, well, I need a QSA that has done exactly what I've done, and I'm going, yeah, good luck.


Right? Because it's really difficult to find somebody who's done that. But I think what you should do is know that, you know? And as a QSA, I think we know we don't know everything.


Mhmm. But we have resources to go find them out. And one of the skills and qualities of a QSA that makes a really good QSA is recognizing and saying, you know, I don't, and I'm okay with that, but I will go find out.


Right.


And I'll get right back to you. Can we table that?


Yeah.


And being able to handle that rather than being... I remember the first couple audits I had done, in my first year, you know, I had an IT guy that just sort of plastered me with, well, we do this, and you should accept that, and you do this. And I'm going, Mhmm. And after a while, you know, I'm going, you know, and I felt, oh, shoot. He thinks I'm an idiot. Yeah. I know he thinks I'm an idiot.


Yeah.


But that doesn't happen often, but every once in a while, you run into someone like that.


And you just think, okay. Are you just having a... is this your normal behavior?


So but then when I had time to sit down in the evenings or back in the office, to sit and think about it, learn about it, and I can apply the principles, then I was able to have a discussion with this person and say, no. Here's the situation. Right. And this is why. And I agree with you or I don't or whatever. And so, being able to make it through those situations without freezing up and without giving up and thinking that you're a worthless person and just saying, you know, I don't know that.


Right.


But I'm gonna, you know, I have people. I have resources. I'm gonna go figure it out.


So the characteristics of resilience Mhmm. And then being willing to learn new things are really important in this job.


So sometimes I get asked by people, well, I think I wanna be a QSA, but what is the job like? What do you do?


Yeah. Well, that's good. And so I think, well, you know, the day in the life of a QSA. Yeah.


Right? Yeah. I think one thing that you have to sort of understand is that you don't just have necessarily one project to work on all the time. So you've got five projects in different phases.


Mhmm.


And that's okay. And you have to be able to say, alright. Well, today, I'm focusing on these two. I can do these three emails.


Mhmm.


You know, I get up in the morning, get to work, start looking at my email list, and I go, oh, I gotta answer these three guys.


I know I need to write this report, and to be a good QSA, I'm gonna say, I'm gonna spend three hours writing this report today, right, which is the hardest thing to do.


It's so hard.


Because you can say, I'm gonna do that. And then at the end of the day, you go, oh, I never got to.


Yeah. It's easier when you have a deadline. You're like, I have to get this done by midnight before everything blows up. Deadlines usually make it work.


But, you know, a day in the life is you're dealing with people and all kinds of different things. And it's emails. It may be, I mean, a phone call that's scheduled. Maybe somebody really early in the process and you're helping them understand.


Or you're even training. Right? You may be saying to somebody, well, I really don't understand why I need to have a firewall here or why I need to have a web app firewall, whatever it is. Well, let's talk about it, and here's what it prevents.


And here's the you have to be able to help people through some of these thought processes. So that's part of a day in the life. Writing might be part of a day in life. Communication is probably always part of a day in the life of QSA.


Way.


Little bit of project management on your own work.


Exactly. Just saying, look. It'd be really awesome to spend, you know, all my day doing all these emails, but I can spend an hour doing emails, and then I'm gonna do some work tomorrow.


Little of something else.


Right.


Because like you said, you have several projects. They're going at the same time, and they're in different states. So you might be scheduling a first call with one. You might be reviewing information that's been uploaded from another.


You might be scheduling an on-site. You might be performing an on-site. You might be writing the report. You might be wrapping up.


There are all sorts of different phases of a project that because you have several happening at the same time, you might be doing all of the phases of a project in one day.


Right.


Although it's really hard to do an on-site day.


There's... yeah. You can't really do much else on an on-site day. In fact, even at night, it's hard to keep doing stuff.


It's amazing how much you get exhausted talking to people.


Yeah. Your brain gets a little bit tapped out. And you say, okay. I've just had this many hours looking at your stuff. I think I need to go to bed now.


Yes.


But that's actually the most fun in a lot of cases too, is the on-sites.


Because you get to actually sit down with people and understand.


But also, there is kind of an element of, hey.


I got to travel to Right.


Someplace cool.


Right. Right. And I have liked that part.


I have a little map, like you have in your office, of all of the places I've been in the world.


Mhmm.


And sometimes I look at that and I go, wow. What a cool job.


Yeah.


What's your favorite place you've been? For this job Yeah.


Probably Bangkok. I thought that was really interesting.


Sure. Yeah.


I haven't been there yet.


And Japan. I thought, you know, Asia was really interesting. So, you know, and the other cool... yeah. And so travel is something, so you also have to know that your family has to be okay with travel.


Yeah. Yeah.


Well...


That's part of the job.


You're gonna have to travel sometimes. And depending on the company you may work for, you may travel more or less. Mhmm.


Some companies try to control that a little bit to make sure that our... you know, and that's what we do. We make sure our quality is really good by not making people travel three weeks...


Four weeks a year.


The things that I really like about this company is that we are not pressured to do the staggering number of audits that some companies require for BIC USA.


But also, we have some wiggle room that, very generously, our CEO says, hey. If you're gonna be in Singapore, maybe you should stay there for an extra day.


Yeah. Exactly.


And, you know, you get to go and see some things that you would never otherwise get to see.


Right. And that has been really a part of the fun, because you can watch a movie and you go, hey. I was right there.


Yeah. Exactly.


I've seen that. And so that is a rewarding part.


So if you like to travel, it's a great way to see parts of the world, and to interact with different cultures and...


Right.


But, you know, that's the cool part. It's not all glamour, but that is a reward.


Right? Yeah. It is a reward. And it's important. It's very important to have those in-person interviews and the in-person eyes on. It makes for a much better assessment.


But if you get focused on "I wanna be a good QSA," then sometimes you miss out on the chance to, hey, you have an extra day here. Would you like to go where the really good mangoes are? That was the Philippines. I love that.


Or the world's largest stone stick frying pan.


Right? Right?


I've seen a very, very large...


The world's largest bat.


Bison in North Dakota. So yeah.


There's some great reasons to let yourself go and see things, but then balance that with doing good work.


And you know you're traveling too much when you know, oh, I like this airport.


Yes.


There's a good restaurant in this airport. Right?


Yeah. And sometimes you'll wake up and say, oh, the best chicken noodle soup I ever had was in Macau, and I can't go there today.


Yeah. Exactly.


So, no. It's great. So that is really good, but can also be difficult. I know that I have some colleagues who struggle because of having small children.


And if you're leaving every week and your kids are crying as you're going out the door, then you kinda have to ask, is this the right job...


Right.


As well.


And we've had people that work for us that have made those decisions, and that's just life. It's part of it.


So I love this, you know, knowing the day-to-day. It is sustained work. Some of it is very brain intensive. Some of it is more relaxing and fun. It's never the same...


Right.


Every single day.


And I think that's why I've never been in a job for fifteen years that I've enjoyed this much. Yeah. And I was thinking about that the other day, and I thought it's because it's different. I mean, it's the same but different.


Mhmm. Exactly.


In some ways, it's comforting because, you know, you know enough to help anybody.


Yeah.


And you know it's gonna be different.


The next person is gonna help.


Get to learn a new thing tomorrow. So, but what if a person decides, okay. I'm gonna be a QSA, and then what if I don't, you know, try it for a few years and I don't wanna continue?


What where do they go from here?


Yeah.


Well, and I think that's a, you know, that's a great question, in that the skills and the training you get in a job like this...


Mhmm.


Are really valuable in other parts of the cybersecurity or IT world.


And we've had a lot of people that have done this job for five years or six years or ten or whatever and said, you know, now I wanna go and be a CIO at a company, a small company or whatever. And, you know, it can be a great experience thing to put on your resume.


And jump into that CISO role.


The thing that I would recommend, though, is that you don't jump in to be a QSA for a year and then think, I'm now gonna go somewhere else and make a ton of money and be this really cool guy.


Spend some time really learning, and that's what's gonna teach you a lot, is when you get the experience to see a hundred different people's networks.


Mhmm.


And then somebody says, can you help us design our network? You go, yeah.


I sure can.


Do that.


Yeah.


And I think that's the advantage of this job, is that you get so much experience so quickly and so much exposure to so many different things that it does lend itself really well to other career endeavors. It doesn't have to be the end of your career. No. Although I'd like it to be for everybody, because I don't like to hire new people here.


So I've never had a job that I have enjoyed as much as I enjoy this one.


I'm... every new customer, every new project that starts up feels exciting and new and fresh and different. And, also, at the same time, sometimes I get to review a company that I've reviewed before and assess them on an annual basis for a couple, two, three years. And that gives you that kind of foundation of, oh, I know these guys.


And it's a more relaxed time, the second year.


Exactly.


Oh, now I remember what I was gonna say. And that's... it kinda relates to that. I don't think I have ever done an audit that I wasn't nervous about. Yeah.


Right? And so you kinda have to push through some of that. I mean, you wake up in the morning, you go, what if I miss something? What if I don't?


What if I... what if I... what if I... and you go, well, I'm just gonna go.


Yeah.


And when you're in the middle of it, it's really good, and you like dealing with the people and everything. But it's again one of those life skills where you just have to go and do and be on-site and interact with people and see something new that kind of occurs to you. And that's really kind of the fun genesis of this job, is that you've talked to maybe the same company two or three times in a row, and then there's a new person they've just hired, and they said something. You said, what did you just say?


Right. And it's completely different.


Wait a minute. Let's talk more about that.


Yeah. Or they're very new, and you get the chance to kind of teach them what...


Mhmm.


What words mean from a PCI standpoint. Right? And so there's value in the foundation that you've built with the companies, and then whatever they decide, to rearchitect things or bring in new people.


Right. I think sometimes people may worry, or, hey, maybe it was just me in the early times, that nobody likes an auditor.


Right? That's true. Yeah.


And you shouldn't always tell the truth to your auditor.


No. That's not true.


But there is this feeling of, will people like me? Can I have good relations with people and help them be compliant with something? Right? And that's a difficult thing, but possible.


Exactly. But it is something that's, you know... you are the auditor.


Mhmm.


And sometimes you have to say hard things. So that's another skill I think that's really important in this job, is, yeah, I can say no to that.


Mhmm.


Right? And be okay with it and be able to defend it a little bit.


But I also can be flexible and say, so you explain to me how and why you meet this requirement, and convince me. Okay. You've done a good job. I can write that up.


You know?


And it's...


And sometimes it's just an additional take.


Right? Additional knowledge of something. Right.


But you have to have enough to say, yeah. No.


Yeah. The nice thing about PCI assessments is that they lend themselves to a collaborative approach. And so you start off saying, alright. Here are the requirements.


Here is your scope. You've told me this is your scope. I agree with you that this is your scope. So if this is your scope, therefore, these things apply in these ways.


Tell me how it does. And if you get the information and the evidence from the group before you even go on-site, then together you discover, hey. What are you doing for this? This is what it says.


I don't think it meets this. And then you don't have to deliver bad news.


Right. Right. Yeah. It shouldn't be a surprise. Most of the time when we work with people, it's not a surprise.


No. It should not be a shock finding. Yeah. Together, you find out as you go along. And then I will often have clients that I work with where we'll get to something, and I'll say, explain this to me. Okay. Let's reread this requirement.


What... are you seeing the same thing that I'm seeing? And they'll tell me when they have a gap.


And so it doesn't become this, you know, conflict thing...


Right.


With your assessor. And I really appreciate that about the groups that I work with, where it is...


Right.


And I think that's another interesting thing to point out about this industry. There are some IT audit or some financial audit... yeah, financial audit things where the guy comes with the clipboard and asks you a question, and he goes, oh.


Yeah. Those are the worst.


What does that mean?


Just oh.


And then just taking notes.


Whereas I think the thing that I like about the QSA industry from the get-go is that they allow us to help people prepare.


Mhmm.


And so you're right. There shouldn't be a... you know, when we do an audit and you ask somebody a question, there should never be a, oh. Yeah. It's like, yeah. Right.


We talked about them before.


That.


How is that going?


What is it gonna you know?


This is the process.


Show me now what you've done.


And, of course, you cannot accept, you know, future work to mark something in place. But you can together know what that future work looks like, what the timing is, how you agree on when the assessment on-site timing is going to coincide with that. So it becomes something that is supportive of the organization's compliance efforts rather than something that is painful and frightening and combative.


Right. Right. So, and I think that, interestingly, I'm getting this thought. Somebody could listen to this who wants to be a QSA, or somebody who wants to look for a QSA.


Oh, yeah.


We've talked about a lot of things that are probably some good things to figure out if your QSA has these abilities, these qualities, these... you know? So, it's a fun job.


It is a fun job, and I'm super glad that I get to be here, and I hope that I get to do it for many more years. Thank you again for joining us.


My pleasure. Anytime.


And thank you. I always appreciate questions and comments from listeners.


Please feel free to share this out and leave comments, leave reviews. Love to hear from you. Take care. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
