Third-Party Risk Assessment and My Department of Defense Path

Today I studied Third-party Risk Assessment – CompTIA Security+ SY0-701 – 5.3 with Professor Messer, using study reference R8ACE9F98-T2Phal-002-65, and this lesson connected directly to cybersecurity, vendor management, supply chain security, risk analysis, compliance, and my long-term information technology career goals. Third-party risk assessment is important because every organization depends on outside vendors, contractors, suppliers, cloud providers, payroll companies, email services, internet providers, software companies, and business partners. When an organization shares data with a third party, that third party becomes part of the organization’s cybersecurity risk. A payroll provider may hold sensitive employee information, an email vendor may process business communications, and a software provider may deliver updates that affect thousands of systems. For Security+ SY0-701, this means organizations must evaluate vendor risk, perform due diligence, review contracts, require security expectations, and understand how third-party providers protect data, manage access, respond to incidents, and recover from disasters.

This lesson also helped me understand why contracts, penetration testing, rules of engagement, right-to-audit clauses, internal audit evidence, independent assessments, questionnaires, supply chain analysis, and vendor monitoring are so important in cybersecurity risk management. A penetration test simulates a real attack and may attempt to exploit vulnerabilities, while the rules of engagement define what systems, IP ranges, dates, times, locations, emergency contacts, and sensitive information handling rules are included in the test. A right-to-audit clause gives an organization the legal ability to verify a vendor’s security before a breach occurs. Evidence of internal audits can show whether access management, offboarding, password security, VPN controls, and other security controls are being reviewed. Supply chain analysis is also critical because products and services depend on organizations, people, activities, resources, business processes, and IT systems. The SolarWinds supply chain attack showed how dangerous trusted software updates can become when attackers compromise the update process, because malicious code was distributed through a valid software update and affected thousands of customers. For my Security+ studies, the main lesson is that cybersecurity is not only about protecting your own computer systems. It is also about understanding who you trust, what access they have, what data they process, and how their security decisions can affect your organization.

I also completed my application for an IT Specialist (SYSANALYSIS) position with the Department of Defense, which connects strongly with what I studied today. If selected, the position could potentially place me in one of several locations listed in the announcement, including Battle Creek, Michigan; Whitehall, Ohio, listed under the Columbus, Ohio salary table; Wright-Patterson Air Force Base, Ohio, listed under the Dayton, Ohio salary table; New Cumberland Defense Logistics Center, Pennsylvania; Philadelphia, Pennsylvania; Hill Air Force Base, Utah, listed under the Ogden, Utah salary table; Fort Belvoir, Virginia; or Richmond, Virginia. Studying Security+ while applying for federal IT positions helps me connect my Master of Science in Cybersecurity, my information technology experience, and my goal of serving in a role that supports secure systems, risk management, vendor oversight, compliance, and mission-focused technology. With only six videos left in my Security+ study path and 120 sections of notes already completed, I am getting closer to being ready for the Security+ exam in 2026 and closer to building a stronger cybersecurity career. After this study and application work, I plan to do a session of kayaking in Mission Bay, which helps me reset, stay physically active, and keep moving forward with both my fitness and career goals.
