CCT 001: CISSP Cyber Training / Reduce Cyber Risk - Shon Gerber
Jan 30, 2023
🔒 Pass the CISSP Exam with Ease! 🎧🔍
🎙️ Introducing the "CISSP Cyber Training Podcast" - your ultimate companion on the journey to CISSP success! Led by renowned cybersecurity expert Shon Gerber, this podcast is designed to help you ace the CISSP exam on your first attempt! 📚💼
🔐 Join us as we unravel the complexities of the CISSP exam and guide you towards exam success. Shon Gerber, a seasoned professional with a wealth of experience, shares his invaluable insights, strategies, and exam tips in each episode. 🎧💡
📌 Get ready to dive into the domains, tackle challenging concepts, and strengthen your understanding of information security principles. Our podcast provides comprehensive coverage of all exam topics to ensure you're fully prepared to pass with flying colors! 🌟✅
🌟 Don't miss out on this incredible opportunity to learn from the best! Follow us on LinkedIn and Facebook to access our latest episodes and exclusive content. Let's conquer the CISSP exam together! 👉🏆
👉 Episode Link: https://www.buzzsprout.com/2167626/12601313
👉 LinkedIn: www.linkedin.com/in/shongerber
👉 Facebook: https://www.facebook.com/CyberRiskReduced/
👉 CISSPCyberTraining: https://www.cisspcybertraining.com/
#CISSP #CyberTraining #ExamPreparation #CISSPQuestions #Domain1 #Cybersecurity #Podcast #ShonGerber
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
[00:00:00] Hey y'all. This is Shon Gerber. Thank you so much for listening today. But before we get started, I have a question for you. Would you like to finally pass the CISSP and get started building a lucrative and rewarding career in cybersecurity? I can help you over at CISSPCyberTraining.com with the resources and tools you need to pass the CISSP the first time.
At CISSPCyberTraining.com, there's a vast array of resources available that will give you the guidance, direction and training you need to pass the CISSP exam. As soon as you get done with this presentation, head on over to CISSPCyberTraining.com so that I can begin helping you today to meet your CISSP goals and grow your career in cybersecurity.
All right, let's get started. Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your [00:01:00] host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
Alright, let's get started. Let's go. Hey everyone, this is Shon Gerber with CISSPCyberTraining.com and Reduce Cyber Risk podcast. I hope you all are having a beautiful day today, and I will tell you that it is amazing here in the great state of Kansas in the United States. It is an awesome, awesome day.
Actually, it's about 42 degrees, and I can't complain. 40 degrees Fahrenheit, that is. So for my friends that are in India, that's a little bit different than what you guys have from a temperature standpoint. But as it relates to the CISSP and studying for the CISSP, I am just bringing forward this podcast.
I've been in business for a while, but I'm gonna talk a little bit about that. But I'm bringing forward this podcast to help give you some understanding and training around taking [00:02:00] the CISSP exam. So before we get started, this is podcast 001, obviously the first, but you can also check out some of my other podcasts on Reduce Cyber Risk podcast, and I'll kind of get into the reason behind both of those.
But at the end of the day, as this is just kind of an intro for those that are starting to listen to my podcast: why I'm doing it and who I am. So a little bit about myself. So I am, I grew up in a very small town in Iowa, so just a state north of where I'm at in Kansas, and I was basically, I've been there, was there my entire life growing up.
So the town was, from the folks that I've met around the globe, is about 250 people, which is extremely small as it relates to a place to be from. Now as I got family that, we've got kids that are from China, you know, obviously the smallest town in China in many cases is like a million people. So out of two hundred fifty, two hundred and fifty people, it's pretty tiny.
It's about the size of a block. But again, I've been based outta the [00:03:00] United States and I've lived now in Kansas, in Wichita, Kansas, which is in the middle of the United States. And I'm married to a beautiful wife of 30 years, and I am just completely amazed at what that, she still sticks with me, but I have been married for about 30 years to Trish Gerber, and she's an amazing lady.
I have seven children and I am basically a son-in-law and a potential son-in-law that might be happening here in the near future. I have my children, as you may be asking, going, what? Seven? Yeah. Well, I only have three biological that my wife and I produced, but we have four adopted kids that are from Uganda,
China and uh, yeah, tho those, those two places. So we have three kids from China and we have one from Uganda. Now, the reason I had a pause is my potential future son-in-law. Again, I say potential, he's from Sri Lanka. So we have a very diverse family. I also have, uh, a granddaughter and she is [00:04:00] about two years old and she lives in Kentucky.
So my family's pretty large and it's growing quite rapidly. So that's just a little bit about me and where I came from as far as my, my family life. Now, why am I even doing this? And you probably, most of the folks that listen to these podcasts and especially Reduce Cyber Risk and pod and people I introduce, introduce with and I talk to, they all have a, a very strong background in some level of cybersecurity or in some level of IT. Well, I don't, but I started off with looking as a kid, the Texas Instruments T 80 and the Apple IIes, and I was part of the video game craze that hit. Okay.
And I'll just tell you, I'm an old guy compared to most of you that are probably listening to this podcast. I'm pretty old now. I'm, I'm in my fifties, so yeah, that's, that's like dirt old in many cases. However, I've been doing a lot of stuff in those 50 years of my life and of which has been cybersecurity and the CISSP, but I got, [00:05:00] part of my growing up time was around computers and when they just started hitting the market and the TI 80, the Apple IIs, all of those were part of it.
I also started a beginning of programming within just basic programming, so I always had an affinity to really enjoy that type of activity. I liked using my brain. I like thinking of things outside the box, and it was, it was really an awesome, awesome time. But when I grew up, one of the things I always wanted to do is I wanted to be a pilot.
I wanted to fly airplanes. And so as a child growing up, learning to fly, I started off with really small planes. Some of these that are two seat planes, you know, basically only the pilot and the co-pilot, some of them were a little bit larger, six, eight passenger type planes. But as time went on, I learned to fly airplanes with the goal of becoming an airline pilot.
That was my ultimate purpose, is I wanted to be an airline pilot. Now, fast forward to my current position. I am not an airline pilot, [00:06:00] so if you're trying to listen to this podcast and you wanna know how to be an airline pilot, I can tell you how to get there, but I don't have the experience to say that I lasted very long in that space.
So, after fly greeting, uh, my commercial pilot's license, so I grew up small airplanes, got my commercial pilot's license, got my certified flight instructor license, and I was teaching people how to fly small airplanes. Well, an opportunity came up where I could fly the B-1 bomber. Now if you are connected with any of the US military, there is a plane called the B-1, and it's a four person bomber, very large intercontinental bomber, and it goes really fast and it's super sexy and it's really cool and I always had the opportunity to fly in that plane.
Now, growing up as a pilot, that's what I wanted to do. However, because of my age at the time and what I was trying to find as far as military options, they were what they call banking pilots, which means there weren't enough pilot [00:07:00] seats available for the number of people wanting to fly. So I got banked and because of that I want, but I wanted to fly and I didn't wanna wait.
I wanted to take any role I could in flying airplanes. So an opportunity came up for me to become the weapons systems officer on a B-1 with the goal that once I got in, I could then hopefully upgrade to becoming the pilot. Did that for, I flew until 2002. It was an amazing opportunity. I just loved it.
Went really, really fast, really low, really high. Did all kinds of fun, crazy stuff. And I did that. I flew with the Navy, flew with the Air Force, and so I've had a really awesome career in aviation and so many people would think that is like amazing. And it was. But life changed a different path. So as a transition, the B-1s had decided, there was leadership and Washington that made a decision that the B-1s were going to leave my organization.
So after the B-1s went away, then what ended up happening is, is that there a, we [00:08:00] had to go out and try to find a new mission. So we went on a roadshow looking around the country trying to find a new mission to help employ people within the, to some extent, we didn't know what that was going to be.
However, what ended up happening was is that we stumbled across that Air Force Red Team. The cool part about the Air Force Red Team was, was that it was in cybersecurity, which was a relatively new space, but at the end of the day, we knew we could teach people that had been on, been doing maintenance on airplanes and we could teach them potentially to become hackers for the government.
Now, the cool part about it was there was no training path in place. Nothing existed, so we had to build this from scratch on how to go from basically teaching wrench turners, okay, maintenance people, to being a hacker on a global standpoint. And it was amazing. I learned a lot out of it. Learned some good things to how, what worked.
We also learned some things that didn't work. Now, the cool part about all this though is, is that [00:09:00] after the, we pitched our idea to our leadership and they bought into it. We then took these folks and we taught them up in a series of timeframes, and the cool part is, is it happened within a very short period of time, but we had a methodical standard approach on how you could actually get that done.
Now again, we took these group of people, ended up being about 82 people, totally. Total of that, there was about 40 of them became hackers for the government. Now we had full-time and I had part-time folks, and of those they, I would say the mix was probably around 60, 40, no, probably more like 80 20, 80% full-time, 20% part-time.
But we did global operations everywhere. Okay. All over the globe. We operated, I actually was one of the initial cadre to help teach the NSA their red team, cuz they were just standing one up at that time as well. So it was a really dynamic time, uh, especially in the cybersecurity space. The interesting part was though, is it was really before.
We had the [00:10:00] vision to see where it was going, but we just didn't know how big it was actually gonna get. I mean, I, I had a sneaky suspicion it was gonna be this big if, if not bigger, but we didn't really know. The other part about it being with a red team is our ultimate goal is to teach the DoD, Department of Defense, and US Air Force employees on the threat.
So I had to teach people who didn't understand cyber at all, what to do to be successful, to protect themselves from external entities trying to steal their information. So again, it was awesome. It was extremely successful military squadron. It's been around, it's still around. It's, it's was an amazing experience.
Now, fast forward to my CISSP journey. What is that? Well, it was a result of the DoD requirement for CISSPs and managers. That's really what it came of. So I, I'd been leading the company, leading my squadron, I became a squadron commander, so I was leading them in their organization and their vision of where we were going.
But the DoD requirement came out that you had to have a [00:11:00] CISSP. I didn't necessarily have to have it, but it was highly recommended and encouraged. Well, that was really personally the first exposure I had to the CISSP. So I went, went out there and I started studying for it. Now, I was the first person within our squadron to actually get the CISSP and I.
There was no resources available. The only resource that was out there was a book by Shon Harris and the ISC Squared Study Guide. That was pretty much it. So I took those books and I started going through them line by line by line. Now understand, I came from a military background first, a pilot, then military IT,
and then trying to understand, in some respects, corporate IT, which they were very different. So it was a very challenging process when I was doing this. So the first time out there, I studied for about four months reading the books, reading Shon Harris's book, reading the ISC Squared book, and I took gobs and gobs of notes, practice test after practice test after practice test. [00:12:00]
Again, it was a lot of work and I felt confident, sort of, in taking the test. So what did I do? I went and took the test. Guess what? I failed. So just like 80% of the people that take the CISSP exam, they failed the first time. Now, the problem is, is that it was a lot of work to go in there that first time and then fail the test.
So, I had a little bit of just depression. Now I'll probably tell you a strong word, but I was just really bummed out. So I took about a month off of some self-pity going, this sucks. I don't want to do this. This is no fun, right? Just why am I doing this to myself? Well, then I finally said, okay, enough of that, let's go.
So, again, started back up into studying again. I redoubled up my efforts on studying and I took a different approach now of, which is the CISSP study guide that I have on CISSPCyberTraining.com. You can get the study guide out there and that's the same study guide I used to pass it the second time.
And [00:13:00] so what I ended up doing was I went through it over and over and over and again after much time, much thinking about it, but a really thing I came out of that second time was I understood now how to take the test, what kind of questions they're asking. So I traveled six hours to go take this test.
As I traveled to this place in Arkansas to take it there, they were having a bootcamp, a CISSP bootcamp going on at that same time. But I didn't have the funds to pay for the bootcamp, so I just was gonna take the, take the test, drop the $800, whatever it was at the time, and just take the test. So I went in there, I told myself if I fail it again, I'm done.
I don't wanna deal with this anymore. I'm done. Well, guess what? Second time around I passed, so it was good, right? Life is good. I passed the test, but I passed the CISSP in a squadron that really didn't require it, but I learned a lot during that process. Now, fast forward a little bit further. That was 2009 when I passed the CISSP.
I'm now in 2011. [00:14:00] I leave the military, retire as lieutenant colonel, leave the military, and I go work for a large corporate entity. Okay? Large multinational. I get hired as a security architect and I'm learning the basics of corporate security. Now I have the background of it, I got flying background, I've got military IT, and now I'm learning corporate IT so that I can understand all of the different gamuts that are there.
Now this was a relatively new capability with the corporate organization and I assisted. I also assisted in standing up a security operations center that is 24 by seven at that time, and it was basically on new technology. They had never done it before, and so this is a whole new environment for this large multinational.
Now, after that time, I ended up being the security operations manager for that, uh, security operations center. Okay. So I was the manager of, of a SOC. Did that for about two and a half years, and then an opportunity came up for me to become the [00:15:00] CISO. Okay. The Chief Information Security Officer for another multinational that is under the, the whole family of umbrella.
The umbrella of this one main company. So the point of it is though, is that, as the CISO now for this other multinational, we have a global presence. We're in the cloud. I'm in IoT, I'm in manufacturing. Got IP, intellectual property. I mean, the gamut is huge. You got about 6,000 employees, so it's, I mean, it's a good size company.
It's not a monster like Georgia Pacific or Microsoft or anybody else, but it's a good size company, right? So my ultimate goals is educating employees is my top priority. I want to e employ, educate them, as well as protecting our company's intellectual property. So that is my corporate stint. Now, spin off a little bit is I also am an adjunct professor at a small college in Wichita, Kansas.
Now it's not small for Wichita, but for most of you all that are listening on this podcast, it's probably not that big. Now it's about 10,000, [00:16:00] 12,000 students. But as a professor or adjunct professor there, I teach cyber risk and I also teach cyber physical systems, so IoT type activities. These are 400 level courses.
So again, they're not, they're not lower level. They're a higher level course. And because of that, though, I took that job with the re indication or with the idea of understanding the student's pain points, what is a big struggle? Why are they, what are some of the things they're having with, as it relates to cyber?
How do they get their new jobs? How do they get into the career? So the goal was, was to understand all of those things so that I could be better at helping out people with cybersecurity. So as it relates now to CI certifications, I have various certifications. Some of them are pretty old. Some of them are, well, they're kinda old, right?
Because when it comes to certs, I think certs are very important. So as a person who's gone through this entire process from, from knowing nothing to growing up to be a, a CSO for a large company, I, I've done certs and there isn't [00:17:00] value in those, but there's also more of the value of the knowledge you gain out of getting the cert.
In my mind is much more important than actually checkbox, I got the cert. Now, I've got A+, Network+, Security+, you know, obviously the CISSP and then some various other ones out there as it relates to legals, which I think is really important. A legal course is super important for you and there's some various pieces that are in there, but you can, you can go to my [email protected] and you'll be able to see those as well.
So again, take, learn from me. Okay. This, I'm gonna give you my profile. So I didn't start till I was in my late thirties with no clue on what I was doing. Uh, but yet I was getting into this cybersecurity field. I had no experience in IT or security to speak of. I saw an opportunity and I jumped in with nothing to guide or direct me.
Now, I had the military, which was a big benefit, and a lot of people say, well, it's the military's reason you got what you did. And that's probably a lot of truth in some of the knowledge that I've gained is because of the military. [00:18:00] However, when I started there was nobody in security. So now there's so many more opportunities for people to get into security and get knowledge and experience way beyond whatever I had.
Now I've made a lot of mistakes, and so the key around that is let me help you navigate those mistakes and those issues for your career. My goal is to help you with that. I, I, I really do have a passion about helping people get jobs. I, I just helped a couple of my students with the, as a professor, I was helping them get jobs with, uh, local companies and also with some other companies.
I've helped them with resumes. I've helped them with interview skills. All of that piece is, is out there and available, and I really want to help you do that. So the the point is, is I've done it. I've went from being absolutely having no capability whatsoever. I do not have a cybersecurity pedigree. I do not have a master's in cybersecurity.
I don't have any of that. I barely have a bachelor's degree in aviation, but that doesn't mean anything. All it means is that I have a passion for this and I want to [00:19:00] succeed, and I want to help other people succeed. So again, that's my goal. Help you get to the goals you want and you desire so that we all can get ahead.
That's the bottom line. So this podcast here was basically an introduction. Now, then the next podcast, I'm gonna talk about the CISSPCyberTraining.com a little bit more, what you can find out there. But I'm also gonna talk about solving the training problem. Now, again, going from zero to, uh, I wouldn't say hero, but zero to
a little bit more successful has been an interesting event, and I've learned a lot about the training problem that everybody's struggling with. I'll explain how I overcame it, what I did to do what you can do immediately to help your future. That's the goal. How can you help yourselves and your family's future right now, and then eventually maybe get the role that you've always wanted?
And I'll tell you that the role that you want may change. It will change as time goes on, but the role that may be your future role may not even be existent yet. It may not have been created. And then I also want to help [00:20:00] you begin a career that is satisfying and fulfilling. Fulfilling. And then lastly, I want you to help protect the world from the evil hacker horde because they're out there everywhere trying to take advantage of this.
And we need more people that can actually step up and fill the gap and be the, the security resources to help protect companies, to help businesses, nonprofits, you name it. We need more resources in this space. So I would like to, as last plug, is to go to CISSP training cyber, CISSPCyberTraining.com. You can go check us out there.
There's a lot of really good stuff that's in there. There's stuff that's free, there's stuff that's paid, but bottom line is there's a lot of great information out there. Now, the site is relatively new, but the cool part about it is it's ever growing and ever building. So you're just gonna, as every time you've visited it, you'll get to see more and more information get put there.
So again, this is the end of this podcast. I'm extremely excited to work with you again, as the introduction, we will talk about the next one about cyber training and solving the training problem. So please definitely go there and [00:21:00] listen to that one. But I hope you have a wonderful day and we will catch you on the flip side.
See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube. Just head to my channel CISSP Cyber Training and you will find a plethora of content to help you pass the CISSP exam
the first time. Lastly, head to CISSPCyberTraining.com and look for the free stuff that is only available to our email subscribers. Thanks again for listening.