May 20, 2025 43 mins

What happens when a former Air Force weapons loader transforms into a cybersecurity expert? Clint Stevens from Physics joins us to share his remarkable journey through military intelligence, special operations support, and cyber warfare before founding his own security consultancy.

This conversation peels back the layers of cybersecurity consulting to reveal what truly matters for organizations trying to improve their security posture. Clint explains why expensive security tools often become glorified "paperweights" when organizations fail to understand their specific threat landscape first. His practical approach focuses on identifying business-specific risks rather than implementing generic solutions that waste resources without addressing real vulnerabilities.

For aspiring cybersecurity professionals, Clint offers refreshingly honest career advice that contradicts common assumptions. Rather than accumulating certifications without purpose, he emphasizes finding your passion within the vast cybersecurity landscape and developing hands-on experience. "Find what you're most interested in," he advises, noting that true expertise requires thousands of hours of dedication—something only sustainable when you genuinely enjoy the work.

Perhaps most valuable is Clint's insight into the crucial skill of translating technical findings into business impacts. This ability to communicate effectively with everyone from system administrators to CEOs—what Sean calls speaking "dolphin to shark"—often determines whether security recommendations are implemented or ignored. The conversation highlights why understanding both the technical and business perspectives is essential for career advancement in cybersecurity.

Whether you're preparing for the CISSP exam or exploring career opportunities in information security, this episode delivers practical wisdom from someone who's successfully navigated multiple roles in the field. Visit phycyx.com to learn more about Physics' approach to cybersecurity consulting.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.
Let's go.
Cybersecurity knowledge.

Speaker 2 (00:26):
All right, let's get started.
Hey all, Sean Gerber, with CISSP Cyber Training, and hope
you all are having a beautifully blessed day today.
Today we have a great podcast ahead.
We're going to be dealing with, like we talked about in the
past, some vendors that come in and kind of give you a little
insight into the career.
We have a vendor here with you today and we have Clint Stevens
from Physics, and I'm going to have Clint go into his
background just a little bit here in a minute but kind of

(00:48):
give you just an example of why we're doing this.
Again, it's kind of bringing it back to the beginning.
I got a lot of feedback from some of my listeners that they
really wanted to truly understand.
One, what are some different options out there for them to be
able to buy services?
Two, they also wanted to know how do I get in this career, how
do these people get started in this?
And the last thing is is then, what would be a good career path

(01:11):
for them to help them potentially go down this
situation or just at a minimum, getting some more knowledge?
So that is where I brought Clint and Physics into this.
I've just real quickly and I'll have him introduce himself is.
I've known Clint for many years now and I was actually very
blessed to one get reconnected with him a few years ago when I
was looking for a pen tester for my large multinational that I

(01:36):
used to work with, and Clint came in, did an outstanding job
for us, and the one point that I really liked about Clint and
his team was the fact that they're not just trying to tell
you the baby's ugly, go fix it.
They're actually trying to help you go hey, this is risky, but
this isn't so risky.
This is something you really need to focus on.
This is something maybe not so much and that is so helpful for

(01:59):
business owners.
So with that, I want to just kind of quickly talk about Clint
and let Clint talk about himself and kind of tell us a
little bit about your background and maybe why you got into all
of this and what you expect to do with Physics.

Speaker 3 (02:13):
Yeah, that's great, Sean, much appreciated.
Thank you for the opportunity.
It's exciting to be here with you and your audience today.

Speaker 2 (02:20):
Awesome, well, glad to have you.

Speaker 3 (02:21):
Yes, thank you.
Yeah, so a little bit about my background and how I ended up
where I did.
My dad was a programmer.
He's been a programmer for probably 50 years.
So when I was in high school, that's kind of where I focused
some of my efforts.

(02:41):
I thought I was going to be a programmer and started down that
path.
Then ended up joining the Air Force and the Air National Guard
and kind of similar background with you, had some experience
with the B-1s as a weapons loader where you were a pilot, so we
were giving you the capability to do what you do on that side.

Speaker 2 (02:59):
Yes, and without you we couldn't do our job, that's
for sure.

Speaker 3 (03:03):
All right, and then, after I joined the Air Force to pay for
school, so started my computer programming education, and then
along comes online poker.
So then I had a decision at 2, 3 o'clock in the morning.

(03:31):
I can work on Java or C++ or I can be in a poker room and try
to make some money.
So ultimately what happened was I gave up the programming career
and had a lot of experience and fun with that piece of it, but
ultimately back to the Air Force career.
I spent 15 years in intel operations with special
operations support.
Then the last seven years of my career was back in cyber

(03:53):
warfare.
So it was interesting to see where I was kind of starting
with the programming and then where I ended up ultimately with
my career and back in the cyberspace.
So, hindsight being 20-20, I wish I would have stayed the
course with my programming career because it would have
made things a lot easier on this side of it had I done that.

(04:13):
So six years with the Air Force Red Team which I believe is the
same unit that you were, with a lot of your time focused on the
offensive capabilities, and last year I was on the defensive
side with the cyber protection team managing and leading those
teams, doing the defense piece of network operations or cyber

(04:36):
operations if you will.

Speaker 2 (04:37):
Very good.
Yeah, that's awesome, yeah, and so, for the listening audience,
give you a little bit of clarity on a few things and
Clint brought up some really good points about.
We used to talk about CNE, which is computer network
exploitation, and you had CNA, CND you know defense and attack
and different types of offensive, defensive aspects to it.
So Clint got to play both sides of that, which was really cool

(04:59):
and it puts a different perspective.
But I mean, the part that's really neat about Clint's story
is the fact that I know a lot of people out there online are
always looking for ways how do I get into cyber, what do I do?
And they don't know.
And some of these folks have paid a lot of money to and I
hate to say it there's some charlatans out there that will
tell you all kinds of stuff that really is pretty hard for you
to be able to break into cyber with some of the things they're

(05:21):
doing.
But it also talks about those what Clint did, coming from
basically being a bomb loader to being a hacker.
That's a huge deal, and so I really think that, as you kind
of talk through the stuff with us, Clint, and we go over your
career and then also how it is important with the CISSP maybe

(05:41):
kind of bring back to tell folks, you know, what are some
different things they can do in their careers.
Now to help them and my audience primarily they're IT
folks.
Some are more senior than others because I'm an old guy,
but others are young right, they're young too.
And so just if you could kind of maybe give them some little
nuggets, as you're going through this process, about your

(06:02):
company and the things you've learned, I think that'll go a
long ways in helping them.

Speaker 3 (06:07):
Yeah, that's great.
One thing I do want to get out up front for your audience is I
am on the lower end of the technical side capability.
Yes, I was trained in that world, got through the schooling,
if you will, but based on my position, I was immediately put
into the management side, which I think is key for this audience,

(06:30):
with the CISSP aspect to it.
So my hands-on keyboard we're very, very limited, but leading
the teams and really understanding where those pain
points are for an organization as we're going through our
findings and things.
That's kind of the value that I add to the team that we've got,
and it's a pretty fantastic team.

(06:50):
It's a lot of technical capabilities that are way over
my head.

Speaker 2 (06:55):
Yeah, but you can talk.
I mean, that's the part that I think is important, as we, the
CISSP is so important that you're in those positions,
you're getting the certification so that you have the management
skills to be able to translate and I say dolphins and sharks,
but you have the ability to translate between your technical
folks and the senior leaders.
And I've said this time and again, that is money, that's

(07:15):
serious money for you.
One career money, but two longevity, and I think that
that's an important part of what you do.
So what I'd like to have you do is just quickly kind of talk to
us about what is Physics, how does it work.
So it kind of gives people a context of what you're doing
right now, and then we'll kind of go into some of the questions
we talked about on the side.

Speaker 3 (07:34):
Yeah, for sure, and I think I failed to answer your
last question so we'll get back to that one as well.
But we'll talk about Physics real quick.
Started the company about six and a half years ago, really
focused on the consulting side of it.
So everything that I was seeing on the Air Force side and
within the DOD, I was like there's a lot of crossover at

(08:02):
least expected crossover to industry.
Sure, and the unique opportunities that we had and
the things that we were doing and the mindset that we took to
the operations that we were conducting from that network
exploitation, like you had mentioned, really really changes
kind of the conversation around.

(08:23):
Why do we do the things that we do?
Why do the security frameworks that exist the way they do?
Why are the controls the controls?
And it's really understanding the why aspect to the different
things that are put together and then being able to translate
that and explain that to your senior executives on what's

(08:43):
important, what's not important and where
can they really make investments
that are value added to the company and not worry about
everything because you can't solve all the problems.

Speaker 2 (08:54):
So yes, and that's a you hit on a really great point.
I'll give you just an example I was talking to.
I do some volunteer work for a local company and helping them
with cybersecurity stuff and I'm talking to their IT leaders.
And their IT leaders are like well, these controls all need to
be put in place, but you just mentioned risk.
Right, risk is an important part.
So you're telling these senior leaders that they don't

(09:17):
necessarily have to spend all this money on stuff, but on some
things they probably should.
Is that what you're saying as far as risk goes?

Speaker 3 (09:25):
Yeah.
So the one thing that we see a lot of is everybody wants the
new cool gadget or tool that's out there, and most of them are
expensive and you get a budget of, say, $80,000, $100,000.
And how do we best allocate this, the money that we've been
given?
And everybody wants the automated answer.

(09:48):
They want to buy a tool, they want to put it on the network
and they want to forget about it and say, hey, we're good to go.
And that's just not reality.
And helping IT directors and executives understand that a
tool is just one piece of it and just because you have a tool,
it doesn't mean that you're any more secure than you might have
otherwise been.

(10:09):
If it's not configured properly, if it's not being monitored
and managed properly, if it's not being updated, if you're not
being able to take the information that it's giving you
and making decisions, then you're just back to square one
and you've spent a whole lot of money on a paperweight. Right?

Speaker 2 (10:26):
Yeah, no, you're spot on.
So let me ask you that I'm pulling that a little bit.
You said that's one part of it, so what would be other parts
that a company needs to be aware of?
Because, again, this is going to tie directly to how the CISSP
teaches us.

Speaker 3 (10:45):
What are some things that could also be that are as
important, if not more important, than the actual tool itself?
Yeah, so I think first thing you have to do is is understand
two things.
One, the threats that you face as an organization.
What space are you in?
What industry are you in?
Are you a nonprofit?
Are you a for-profit?
Are you in the public sector?
So all of the different organizations that are out there
all have different threats that they're going to face, based on

(11:09):
whatever the thing that they do is.
So A understand your threats, know why that threat exists
against you and then start to understand what risks exist
based on the threats that you're going to be presented with.
Okay, you're not going to be looking at all the threats

(11:31):
across the board, you're not going to be looking at all the
risks and vulnerabilities that are out there, but what really
is specific to you as an organization, and having that
base, foundation and understanding, and then that
will drive decision-making later on.

Speaker 2 (11:44):
Right, right, yeah, and that's great call-out, Clint.
And so, based on that risk, this is where you folks that are
listening to this they're going to ask questions in the CISSP
around what are some of the most important thing you should do,
or what is the least important, or what is the best control, or
the most important control, and they use that because they're

(12:06):
wanting you to think through this thought process, just like
what Clint had said.
So to your point.
Does a bank worry about a manufacturing facility going
offline or does a bank worry about money moving?
Which one would be a more important thing for a bank?

Speaker 3 (12:24):
Well, I would think money moving would be the most
important for the bank.

Speaker 2 (12:27):
Right, yeah, exactly, but this comes down to.
So, as we talk about IT and you guys dealt with this in the pen
testing world, I mean you have ATMs and ATMs are in many cases,
tied to an IoT-type environment.
But if your ATMs went down is one thing, but if you can't
process money through SWIFT, that's a bigger deal than your
ATMs potentially going down.

(12:48):
So I think that's where the risk piece of this you have to
kind of work through right.
And so when you go and you do a pen test on an organization,
how do you convey that to do you ever?
Have you ever had a situation where the leader just didn't get
it?
And how did you then resolve that issue where they didn't
understand the risk and what you were trying to do and then you
had to.
Maybe what did you have to do to kind of resolve that issue?

Speaker 3 (13:12):
Yeah.
So it's really trying to take the situation and correlate it
to something that they do understand, okay, and really, um,
that's from a loss mechanism, like, okay, this is the risk
that you have, this is the business impact.
So, talking through with them understanding the business
impact, right, and relating it to other impacts or situations

(13:38):
that they are more familiar with, right, being able to tie those
two together and then walk down that conversation with them to
really understand what that business impact is, what the
risk is and what the right resolution and mitigation
strategy to it is.

Speaker 2 (13:54):
Okay.
So let me ask you on that.
So, business impact big big thing.
CISSP talks all about it.
So if you're dealing with a business impact, have you ever
been in a situation where you were able to understand what the
business their concern was, but the IT professional that
brought you in didn't understand it?
So you were, in some respects, having to convey between to help

(14:16):
the IT person understand the actual risk.

Speaker 3 (14:20):
So, when looking at the IT side of it, a lot of your
system administrators or network engineers they're
trained on how do you build a network focused on availability,
right, and not as much of the security side of it. Not that

(14:40):
they're not trained on it, but from an understanding and
realizing what misconfigurations can actually bring to the table.
Right.
The network works.
Everything is working fine.
For example, you have an administrator account that
happens to be shared by everybody within your

(15:00):
organization.

Speaker 2 (15:01):
That's not bad, is it?

Speaker 3 (15:04):
Availability is there, but not understanding why not
everybody needs to have an administrator account or, even
worse, a shared administrator account, is important that I
think on the cybersecurity side of the house, we understand the
why behind it, how it's exploited, how it's leveraged
and taken advantage of to where your system administrator may
(15:27):
not initially.

Speaker 2 (15:29):
Right?
No, that's true.
That's a very good point, and so I'd like to, after I ask this
question, then I want you to tell me a little bit about your
company and again, what are some of the things you guys offer.
But when it comes to the contract I'm working at right
now, it's really great.
It's an awesome company that we're working with and they have

(15:50):
a unique idea, and I even pinged you about this on the
side a little bit.
Where we get into co-collaboration and, as a
contractor, the goal is to help organizations one don't assume
that they all know it, which they don't, because we don't
know everything but collaborate with them and help them, educate
them.
Have you ever had a situation where you were able to

(16:11):
co-collaborate with the IT organization to give them some
knowledge on what are some best based on best practices, or
based on your experience, and then
what was the end result in that?

Speaker 3 (16:24):
Yeah, we actually had a great opportunity.
Oh, I'd say probably about a year ago.
We finished that one up. Working directly with the IT staff and
team came in, provided a pen test for them, and we like to
take that collaborative approach to where we're not running

(16:44):
completely covert. Not that we don't or can't but we find more
value in that collaboration side of conducting the pen test.
So, as we're finding things, we're informing the organization
of these things, we're saying, hey, these are some of the areas
that you might want to address, or we might find one thing

(17:07):
that's like, hey, we need to fix this now, so we'll identify
that with them.
The interesting aspect of that engagement was, at the end, a
lot of the recommendations that we had, a lot of the
collaboration side of it was really focused on your best
practices, satisfying or shoring up the low-hanging fruit, if

(17:32):
you will.
And it was unfortunate with that specific instance, which
this was a learning opportunity for us is they felt that we
might have been a little bit lacking on the product that we
provided because we were so focused on the low-hanging fruit
and the best practices.

(17:53):
And the response that I was given was well, all that you're
giving us is industry best practices around cybersecurity.
And our approach, or our counter to that statement, is
yes, because there's a lot of these things that you're not
doing to the extent they should be done and they're exposing you.

(18:14):
So you can spend a million dollars on this tool or these
other things, but if these are still a problem, then you're
just wasting your money and you're them actually implement
and mitigate those um.
When they've got the, the um I don't want to say the budget,

(18:48):
but sometimes it's a budget issue but do they have the
authorization and authority um given them to continue down that
process and and take the findings and actually implement
them?
And, like I was saying earlier, everybody wants that immediate
solution that's automated.
You just deploy it on the network and that's it.
And that's not the right answer.

(19:15):
A lot of times, especially with companies that are just trying
to get into this space, or they've recognized that they've
got some issues and they're bringing in that outside
consultant to help them understand really what is that
next step that they need to take.
The other side of the coin is once you get past the IT team
and they're most of the time, they're on board with doing what
you want to do or the suggestions that you're making

(19:38):
and then you run into the executive level.
So when you have the same conversations with the CFO,
they're going to be a completely different approach and
discussion topics than with the IT director and, even more so,
with the CEO of the company.
So each of these different positions have different

(20:00):
priorities.
What's important to them, what decisions do they have influence
and control over?
And then how are they looking at the information that you're
giving them?
So really understanding how to communicate effectively with
each of the different individuals in the organization
that's part of that decision-making process is key.

(20:23):
That was a lot of words, for I'm not sure if I actually said
anything.

Speaker 2 (20:26):
No, no you did and that's good, and I think, as the
folks that are listening to understand how important it is
for you, because he covered a lot of information there.
But all this is related back to the CISSP in the fact that
you're going to have to learn how to communicate with folks
that are senior leaders, up to the CEOs, down to the IT

(20:46):
professionals, and I don't mean that in down as in below, I just
mean that in it's that you're going to cover that entire gamut.
So you really this is why this test is so challenging for folks
is because you have to a lot of guys that have come on with IT
backgrounds.
They don't try to understand that this is coming from an
overall managerial perspective.

(21:07):
So one thing I want to kind of quick touch on we never got a
chance to really talk about.
So can you, can you please talk just real briefly about Physics
and what do you guys offer for to companies?

Speaker 3 (21:17):
Yeah, absolutely, and and and my apologies for not
not hitting on it.
Like I said, uh, six years ago, six and a half years ago, we
started the company focused on, on the consulting side, um, the
compliance side, with CMMC starting to come online within
the DOD sector, um, really trying to help companies
understand where those risks are, what the requirements are that

(21:40):
are coming down for them to win those contracts.
So that was kind of the foundation of where we were and
then from there we're looking at what is that past experience
that we have?
What can we actually bring to the table?
That's more than just a consultant, so focused on your
security assessments, whether it's penetration testing on the

(22:01):
network side and the physical side.
So that's one thing that our company does that most companies
don't in this space is we do physical penetration testing as
well, and so we tie that back into the cyber side, so that
holistic information security approach, which is really,
really fun.
Some guys like the network side a lot and other guys like the

(22:25):
physical side, so we are fortunate enough to be able to
provide both of those opportunities.
The other thing that we do as a company is networking support.
So we have several guys that are very experienced and highly
credentialed CCIE level Cisco engineers, where we are brought

(22:47):
in to help solve problems that exist on a network.
Case in point we had a really large company bring us in.
They were having some monitoring issues and they had
been dealing with this problem for for quite some time.
Talk was talking several years.
They're like we just can't solve the problem.

(23:09):
We just haven't been able to find anybody.
Bring anybody in that's been able to solve it.
And and the individual we have with the CCIE, he was able to
replicate the network, build an environment and a test structure
and he ultimately, after about three works of really
troubleshooting, three weeks of troubleshooting, he was able to

(23:29):
identify the answer and then we were able to implement it on the
network and it's been live ever since. Nice.
So a huge win for us in that space.
So that's really, when we look at what do we bring and what do
we provide, that's different than most of your companies in
this space out there is.
We've been able to get the fantastic opportunity to solve

(23:52):
some really unique challenges.
Yeah, that just don't really exist from an opportunity
perspective very often.
So those little feathers in our cap that we've been able to
land, that's cool, very, very good.

(24:13):
So what are some services that you have?
Clint, that start off, like I said, was a consulting um the
GRC compliance regulation, um, moving into pen testing,
vulnerability assessments, uh, we discussed the physical
security as well as network security.
So that gives us that unique advantage.

(24:33):
Um, and and what we'd like to do is we'd like to partner with
other companies out there, um that we get requests for the
physical side, right, um, they just don't have it in house.
So that gives us a an opportunity to build
relationships um with some partners out there as well.
Um, then, moving down from there, we do fractional CISO uh,
security awareness and training and then other more

(24:56):
technical training as well for clients when they see the value
of trying to increase the knowledge and capability of
their internal IT teams.
So it's very broad-based. Things that we don't do.
We're not a SOC.
We don't do the monitoring and logging.
We're not an MSP.

(25:17):
Like I said earlier, talked about some of the networking
support that we do go in solve challenges.
We'll help build networks.
We will look through configurations, build out
configurations, implement configurations um um different
companies.

(25:37):
So, like during a construction phase, we'll do that, um, but
but we're not an MSP, um, we're not really an MSSP either.
So so we're very unique and niche.
In that perspective of of we've got a lot of really solid
capabilities, services, um, I would look at us more like an
integration team.
Okay, anything else and that's the other value that we bring to

(25:59):
the table is a team aspect, where you can hire one person
that's really super knowledge and experienced, or you can come
with a partner, like us, who has an entire team that's going
to support your efforts in whatever endeavors those are.

Speaker 2 (26:16):
Yeah, no, that's good, that's really good.
And I think that's an important part as you are building or as
you're working with companies, having that, I like to say, the
stable, that stable of really talented individuals.
But the part is I also like is I've asked folks this many times
with vendors is well, what don't you do?
Good, right, because you'll get.

(26:36):
Some of these vendors will come on and say, man, my product's
amazing, it'll do everything, it'll even cook your coffee for
you.
Right, you can't cook coffee because you brew it, but you
know what I mean?
It'll do everything for you, and that's good that you said
that there's things that you don't do, and I think that's
really an important part that you have to really mention to
people is because it's you know we all want business, right, but

(26:58):
there's no reason to take money that you really can't perform a
service, because that doesn't help them and it doesn't help
you, correct?

Speaker 3 (27:04):
Yeah.
So go ahead I was just going to make a reference around that
concept where, when we look at, terminology is a big thing too.
So that's kind of a we're in that discussion.
Right now with one of our potential clients we're getting
ready to put a proposal in.
It's really understanding.
What are they asking for when we start to talk about

(27:27):
assessments and penetration testing and what is our
definition as Physics around those terms versus what is the
client's understanding and definition?
And then, even more so, what is the other companies that are
also putting in proposals for?
What is their definition of a vulnerability assessment or a

(27:48):
penetration test, and what are they bringing to the table that
maybe we aren't, or vice versa, and what makes the most sense
for the client with where they're at within their security
program and their review processes?

Speaker 2 (28:02):
Yeah, no, that's spot on, and then that's again.
We can talk about this.
Words matter, right, and when you're dealing with SOWs, your
statements of work, you're dealing with all these different
types of documentation, you want to make sure that they are
getting what they're paying for and that the expectation is the
same.
Because I'm running this right now, where the I got hired to do

(28:23):
this, but the expectation is different than what I got hired
for, and so, even though we were very painstakingly walking
through this entire process, you still don't get it and you do
you kind of like two ships passing in the night or a Top
Gun thing.
Where did he go, Viper?
Yeah, where'd Viper go?
Where'd who go?

(28:43):
And that's where I feel like half the time we're just going
past each other.
So okay, so let's real quick, as we got a few minutes left.
I want to be cognizant of your time and not take too much of it,
as our students are studying for the CISSP and you just
mentioned.
You've got CMMC, you've got GRC, you do pen testing, you do
training and I know I've got folks that do all of those

(29:07):
different aspects.
If they wanted to get into, say, various pieces of what you do,
what are some things.
You would recommend certifications, training.
What would you come back to to kind of help guide people around
how to get more knowledge and more experience in cyber?

Speaker 3 (29:24):
Yeah.
So fortunately we have something called the Internet
and every question that you have there's an answer to it.
So the one thing that I would recommend, based on my past
experience of going down the wrong paths multiple times, is
really finding what are you most interested in.

(29:46):
Where is your passion?
Lies Cybersecurity, information security it's a huge umbrella,
lots of different things that go into it, as we've talked about.
So really finding out what do you like to do, what is your
passion life?
So now you don't have a job,it's more of a hobby.
So you enjoy the work.
You're engaged in the work, um,from a nine to five window.

(30:07):
You're going home and you'restill engaged with it because
you enjoy it that much.
So really finding that piece of, of whatever aspect, um within
this world that you're lookingto do, and then really finding
out how do you get hands-on, howdo you really start to dig in,
whether it's the pen testingpiece, maybe with OSCP, which is

(30:30):
more on the advanced side, ifyou enjoy the management piece
of it with CISSP and where mostof your audience lives in.
Do they really truly understandwhat are they getting into in
that realm?
Do they like reading throughdocumentation?
Do they like and enjoy tryingto find well, this control says

(30:56):
this and this control says this.
Well, I'm a technical guy andthe way I would satisfy this is
completely different than how itshould be satisfied from the
business perspective.
And is that something thatyou're going to be able to
internalize and say you knowwhat?
This is the right answer for B,but I got to find the right
answer for a.

(31:17):
So, look, using all theresources out there to really
find where's your niche.
What do you like to do?
Getting hands-on whether it'shacked the box, if that's what
you're going down, whether it'sgetting into NIST documentation
and reading through it and andtrying to find some
opportunities where you canstart to dig around and play

(31:39):
with different GRC tools thatexist and understand what makes
the right answer for a companywhen it comes to the security
framework and when they'regetting ready to go through an
audit.
Like, how do you really satisfyyou have a control, but
underneath the control there'sfour or five different
objectives and reallyunderstanding how to satisfy

(32:02):
that properly with who's askingthe question?
Really, if it's a DOD contract,the requirement to that may be
different than what you're usedto in the past.
So, really understanding thesituation dependent, and then
really the business use case.
What is the business need?
What is the right answer atthat level, more so than a

(32:24):
technical level?

Speaker 2 (32:26):
Yeah, no, that's really good, and so that's.
We've mentioned this before on this training is you're a bomb
loader by trade.
I'm a pilot by trade, guess what?
No offense, but any monkey can do this.
I mean, we can.
And the point is do you have a passion to do it?
Are you really wanting to do something and do you grasp it

(32:47):
and run with it?
And the other part that I'll just kind of come back to.
And if you all are listening to this podcast and you hear a
noise in the background, my son decided to mow the yard at the
most inopportune time, so hopefully I can get this out of
the podcast.
But the point of it is is that when you're dealing with the
various parts of the technical pieces here, is there something
that I mean.

(33:08):
Let me ask you this comment.
I was kind of going on a different tangent, but I'm gonna
come back to this point how many hours do you feel that you
have spent studying and learning cyber over the past X many
years?
Do you feel that it's?
Has it been just a part-time gig for you, or has it been
something that's really consumed you and been a big part of your
life for many years?

Speaker 3 (33:28):
So with me personally, it's been a lot more focused
on the business side, the management side of um these
concepts.
So, from a technical standpoint, um go through enough training
to understand the concepts.
Um get through the different schools that I was a part of.

(33:49):
Um had a great program with uh Capitol Technology University,
um out of Maryland, um and their technical MBA in cybersecurity.
So that was a fantastic opportunity I had there to dig a
little bit into some of the technical side but also see the
bigger picture side, not just within the information security

(34:15):
realm but the business realm and how these two kind of correlate
together and go from there.
So from an hour perspective, it's a lot.
If you were to ask my business partner where he's at with it, I
mean, he's exponentially more, but he also has OSCP and he's

(34:35):
really super technical.
So what are you doing outside of your nine to five window?
How many articles a day are you reading?
How many different hands on keyboard opportunities are you
trying to give yourself to learn and grow?
It's going to be a lot and that's why I was saying earlier
before is find the thing that you really like, because you're

(34:57):
going to spend a lot of time doing it.

Speaker 2 (34:59):
Yeah, no, that's great.
So the point is is I think Michael Jordan, or some
professional basketball player, made this comment Everybody
wants to be like Michael Jordan or like any of these other very
popular sports heroes, but they didn't get to that position by
just going out and throwing the ball every once in a while.
Right, they've spent eight to 10,000 hours, and so the folks

(35:21):
is that you're listening to this podcast.
One thing to keep in mind is this is a journey.
This is not something that is a sprint, that you're going to
get there overnight, but the cool part about it that's
different than when I went to college was is that I went to
school to learn how to fly an airplane.
Well, well, today you can learn all of these technical skills
and you don't have to be gone down a pet, have a pedigree from

(35:42):
Harvard, to be able to do this.
You can do all of these types of things without that.
So that's what I'm trying to drive home is that there's
opportunities.
You just have to know that going into this it's going to
take time and it's going to take expertise and it's going to
take some money, both in investing money but also in
maybe making wrong decisions and then learning from those
decisions.

(36:02):
So it's, it's kind of that how that plays out.
So so is there anything else that you'd like to say, Clint
about?
About this whole education path?

Speaker 3 (36:12):
Yes, um, thanks for bringing that up, Sean.
Um, when I was getting into into this realm there at the end
of my career, um, there seems to be a real push by a lot of
people that are trying to get into this space to get as many
certifications as they can, and they're really focused on

(36:35):
gaining every single alphabet and every single configuration
of these letters can be in, and now you have a string of a
thousand letters behind your name on your LinkedIn account.
If you're not also getting the actual hands-on experience with
what those certifications are presenting to you and teaching

(36:56):
you, you're going to have a real difficult time when you get
into the work center and the workforce and being able to
communicate the things that you know from a theory standpoint to
what actually occurs in a live environment.
So I would just say don't not chase them.

(37:16):
There's a double negative there, but understand the value that
they are bringing and then what value they're not providing from
the actual real-world experience.
So, like I said, when you find what you're looking for, maybe
focus on that certification and get out in the workforce and
start to gain a hands-on experience in a real environment

(37:37):
to understand all the dynamics that you're not going to learn
in an educational institution or going through a certification
program.

Speaker 2 (37:45):
Yep.
No, that's great.
All the people here listening to this are going to get their
certification, so don't get your certification.
We're not saying that.

Speaker 3 (37:52):
We're saying- that's not what I said, I know.
I know I'm just I'm making because I actually agree with
you very much.

Speaker 2 (37:57):
So that just because you have a certification in
something doesn't mean you know anything.
It means you can take a test, and that's part of the reason
why the CISSP they have the experience requirements that are
there.
But that in of itself doesn't also require that you're going
to be the best person for the role of different certifications.

(38:25):
You got to make sure that as you're going in and when you're
talking about this we talk about this in my mentoring program
that I have that it's when you're interviewing for the role
you need to be honest with people what you can do, what you
understand, and also be honest what you don't know, because the
last thing you want to do is get into a job and then say, yes,
I can do all these things, but then you can't and then it's
not good for you and it's not good for the profession.

Speaker 3 (38:46):
So yeah, and that's a great point.
And when we're, when we're wrapping up an event, especially
when it involves the the pen testing side, I'll get asked a
lot of questions that I immediately defer to the
technical team doing the work.
I don't know enough.
I know enough to give you the wrong answer and just lead you

(39:09):
down the wrong path.
So don't be afraid to really understand you don't know
everything and be open and honest with it, but know the
person that does have the answer and go seek them out and put
them on to the client or whoever you're interacting with um to
make sure that they they understand and get the right

(39:30):
answer to the question that they've got.

Speaker 2 (39:31):
Yep, spot on, dude, spot on.
Okay, so I've got Physics up on the website right now, um, and
it's spelled P, h, y, c, y, xcom.
That's physicscom.
Um, is there anything?
Anything I know you said you said you're redoing, rebranding
your website, so that's going to change.
Is there anything?
If somebody was looking for information around what you guys
do, is there certain tabs maybe they should go to?

(39:54):
Or is there anything you want to add to this?

Speaker 3 (39:56):
Yeah, so.
So our website is super lightweight very minimal
information that we're providing on it.
Now, like you mentioned, we are in an update process, but when
you look at potential clients that we serve, it runs a gamut
really.
It really depends on who the client is, what challenges are

(40:19):
they trying to solve and are we the right team to help them with
that, with all the different service offerings that we've got.
So we've done work with sole proprietors, single DOD,
contractors that have an office in their house, to Fortune 10

(40:39):
enterprises.
So we've run the complete gamut across a whole lot of different
industries.
And if we're not the right team, we're going to recognize and
tell you, hey, we're not the right team, but this other team
is going to be able to take care of you.
So it really is that collaboration and working with
the client to get to the right answer that adds the most value
(40:59):
for them, and not looking at it from our standpoint as a company
of how do we generate the most revenue, because that's not the
right answer for the client.

Speaker 2 (41:07):
Agreed, it isn't, because money will come, money will go, but
your reputation is everything.
So I totally agree, okay, well, hey, that is all I have.
Clint, it's been a pleasure.
I've really enjoyed this conversation and I know my
students will as well.
Again, the ultimate thing is go check him out at Physics
P-H-Y-C-Y-X dot com and if you have any questions again, just

(41:29):
reach out to him and they've got a contact page that's out there.
I'll have his information in the show notes as well, but
again, we're just.
The ultimate goal of CISSP Cyber Training is to help you
understand the CISSP, expose you to other opportunities out
there and maybe just give you some more education as time goes
on.
So, anything else you want to add, Clint?

Speaker 3 (41:49):
I just want to say thank you, Sean, and thank you
to your audience for giving us the opportunity to talk with you
all today, and hopefully this was some value add, because the
last thing I want to do is waste people's time.
No, it's good. Thank you again for the opportunity.

Speaker 2 (42:03):
You bet, you bet.
No, it's great Again.
This is an experience, that an education that a lot of folks
don't ever get to see and you don't get a chance to talk to
people and hear these things.
So it's awesome, it's great, all right.
Well, thank you all very much for joining.
I hope you all have a wonderful, wonderful day.
Again, don't forget to check us out at that's
cisspcybertraining.com.
Lots of free stuff that's out there, all kinds of great

(42:26):
information.
There's some programs that'll help you get your CISSP
completed.
There's a blueprint.
I can't tell you enough.
The blueprint is amazing.
Got some really great questions as well, but it's awesome.
Just go check it out.
A lot of free stuff there and available as well.
All right, we will catch you all on the flip side.
Have.