How to get started in regulatory compliance

Last Updated on April 15, 2017 by Dave Farquhar

I had a search query about getting started in regulatory compliance, which I’ve written about before, but more from an organizational perspective. That won’t help you much from a career perspective.

I think most any CISSP will answer that question similarly, so I’ll take a stab at it.

First things first: Get some sysadmin experience, if you don’t have some already. I don’t think Windows vs. Unix or Linux matters much, but if you can get both, get both. You’ll have to deal with both types of systems in the real world, and deal with people administering both types of systems, so if you speak their language, you’ll gain credibility with them and you won’t waste time trying to understand each other. I once had a security manager ask me to set up a cron job on a Windows server. Lucky for her, I had enough Unix experience to know she meant a scheduled task.

And if you get a certification that requires a certain number of years of security experience, they let you count your time setting up user accounts and resetting forgotten passwords, so you aren’t wasting your time.

Once you have some sysadmin experience, volunteer for security-related tasks like deploying antivirus and deploying security patches. Again, it’s about understanding the work, solving problems and, to a certain extent, proving yourself. I occasionally got an order from on high to deploy a patch in a completely unreasonable amount of time. Knowing about how long it takes to deploy a patch to 100 servers will help you not make a fool of yourself later in your career. And later in your career, if a sysadmin is struggling to meet your demands and you have the experience yourself, you can help guide that person through the struggle. Then the next month will go better.

In the meantime, build and harden some systems, even if it means doing it at home after hours. Take a look at the DISA STIGs, which I’ve written about before; they are a practical implementation guide for a Department of Defense standard called DIACAP. Harden a system to the relevant DISA STIG, then download Retina and scan it to see how you did. Then change to a different standard, like PCI DSS, and see how far off it is. See if you can fix the findings you get. I worked with auditors in the past who didn’t have any experience on the build side, and it showed.

Do these things, and you’re well on your way. It will take a few years to get where you want to be, but be patient. Pay your dues up front, and you’ll plateau a lot higher up in the organization than you would otherwise–if you plateau at all.
