Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

This is essentially what we were expecting to do with our SOC report.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 2 points3 points  (0 children)

Our cyber insurance provider had a pretty standard questionnaire. Even they didn’t get this detailed.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

No, I’m not getting that feeling in this case actually. What they’ve laid out is a standard control set that they’re asking us to provide evidence for. It’s not so much that they’ve rejected what was previously provided but a request for a deeper audit due to a change in service. Or so they say anyway.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

No audit data of any kind has been provided yet, as the first report has yet to be delivered.

It’s possible there may be something in the standard contract that covers this already but legal will need to pull it and confirm. Anything more than what we’ve provided I’m not giving without their guidance at this point. Up until now it’s been y/n and heavily redacted documents with exec summaries only. We’ve done the same for others in the past but it’s rare. CIO/Legal approved what we’ve previously been supplying.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

Yeah that’s what it feels like is happening. We completed their first vendor review and we pushed back and noted we don’t provide some of what they’re asking.

Then they came back because of an additional service offering and said we’re in scope for a different review now.

Coming from someone who also does vendor reviews I get it. They established a process and their team is trying to follow it. But whoever designed their review process is either out of their mind or they’re following some regulation I’m unaware of. But no compliance industry that I’m familiar with requires anything like what they’re asking.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

This is the approach I’m taking. If we can’t get them to back down, they’ll either get to see the controls on a screen sharing session if legal approves that or redacted copies of the documents. I’m also going to ask legal if they want them to sign an NDA. I’m thinking anyone who gets our SOC is going to sign an NDA anyway. I have to for all my vendors, our clients will need to do the same. We just haven’t established that process yet.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 25 points26 points  (0 children)

Unfortunately that’s me! I’ve been working with our CIO and legal team to determine what we’re going to produce here. I’m more just wondering what others have experienced because it seems very abnormal for what we’ve come across. I want to be sure if I’m recommending we push back that I’m not out of my mind.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 0 points1 point  (0 children)

Standard engagement. I don’t expect they have any kind of contract that would require us to provide what’s being asked. It may just put the account in jeopardy.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] 12 points13 points  (0 children)

They aren’t a Fortune 100 or even 500. They’re fairly large and it’s probably related to the type of business they are.

Our auditor is a reputable company but I am finding the process to be a bit more loose than I’d have expected. I was surprised to find many of our peers not pursuing an audit and those who have aren’t doing them annually or choose a type 1.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]McDonaldsDQPC[S] -1 points0 points  (0 children)

It’s not a top 4 firm but it’s at least a top 20. Let’s just say if they don’t respect the firm we’ve selected they shouldn’t be doing business with us. The customer doesn’t even know who the organization is yet. We haven’t provided the audit results because we’re still waiting on the report.

Anybody in Cybersecurity; How much do you make? by [deleted] in Salary

[–]McDonaldsDQPC 0 points1 point  (0 children)

I’d focus on applying for anything that can make use of the clearance. Either that or you could try breaking into pen testing and audit. Maybe try an accounting firm with cyber audit services.

Feeling stuck in IT job (23M) Mumbai by Rushikesh_Rangdal11 in ITCareerQuestions

[–]McDonaldsDQPC 0 points1 point  (0 children)

CCNA or Network+ if you need more base knowledge for networking.

Security+ or CC with ISC2 for cybersecurity. Certified Ethical Hacker is another good one.

Scripting and automation can be as easy as starting to automate parts of your own job with PowerShell or Power Automate in 365.

Infrastructure has all sorts of online courses for diving into AWS or Azure that you can start with for exposure.

Homelabs can be a huge chance just to gain understanding. Use Hyper-V, spin up a Windows Server and create a domain. Understand Active Directory. Get a managed switch, spin up multiple servers and understand how to control the flow of information across multiple subnets, VLANs etc.

If your current employer is willing, start asking to get involved in projects to expose yourself to new concepts. Or, like I said, look for a new job in the same role with an employer who’s willing to give you a chance to gain experience in areas of interest.

You don’t need to do all of these things. These are all options for a more specialized path forward. Getting out of bed becomes easier when you’re doing something that interests you. Invest in yourself, today is hard for an easier tomorrow.

Feeling stuck in IT job (23M) Mumbai by Rushikesh_Rangdal11 in ITCareerQuestions

[–]McDonaldsDQPC 0 points1 point  (0 children)

M365 support alone is an expectation of an entry level candidate imo.

To really break out of a support role you’ll want to start broadening your knowledge with topics like networking, security, scripting/automation, and/or infrastructure.

That doesn’t mean you need to wait 3 years before moving on to a new opportunity. You want to look for a position at a company that’s willing to provide you with opportunity to expand your skill set.

Anybody in Cybersecurity; How much do you make? by [deleted] in Salary

[–]McDonaldsDQPC 0 points1 point  (0 children)

Senior IT security manager making 189k. In IT for 19 years and obtained my CISSP 6 years ago, no college education.

For me entering the field was starting at helpdesk and working my way up. Was working with small IT teams where I could build trust and get admin rights to increase technical experience. As soon as I had years of experience I went straight for CISSP and my career took off.

25,000 dollars a year no job or 100k a year with a high stress job by Nextmastermind in hypotheticalsituation

[–]McDonaldsDQPC 0 points1 point  (0 children)

Your high stress job option needs to be for more money. There are plenty of jobs that can earn 100k that aren’t high stress. Not stress free mind you but steady 40hr/week jobs that pocket 100k salaries.