
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT Vendor 03: From Bomb Loader to Hacker - A Journey in Cybersecurity with Clint Steven (Phycyx.com)
What happens when a former Air Force weapons loader transforms into a cybersecurity expert? Clint Stevens from Phycyx joins us to share his remarkable journey through military intelligence, special operations support, and cyber warfare before founding his own security consultancy.
This conversation peels back the layers of cybersecurity consulting to reveal what truly matters for organizations trying to improve their security posture. Clint explains why expensive security tools often become glorified "paperweights" when organizations fail to understand their specific threat landscape first. His practical approach focuses on identifying business-specific risks rather than implementing generic solutions that waste resources without addressing real vulnerabilities.
For aspiring cybersecurity professionals, Clint offers refreshingly honest career advice that contradicts common assumptions. Rather than accumulating certifications without purpose, he emphasizes finding your passion within the vast cybersecurity landscape and developing hands-on experience. "Find what you're most interested in," he advises, noting that true expertise requires thousands of hours of dedication—something only sustainable when you genuinely enjoy the work.
Perhaps most valuable is Clint's insight into the crucial skill of translating technical findings into business impacts. This ability to communicate effectively with everyone from system administrators to CEOs—what Shon calls speaking "dolphin to shark"—often determines whether security recommendations are implemented or ignored. The conversation highlights why understanding both the technical and business perspectives is essential for career advancement in cybersecurity.
Whether you're preparing for the CISSP exam or exploring career opportunities in information security, this episode delivers practical wisdom from someone who's successfully navigated multiple roles in the field. Visit phycyx.com to learn more about Phycyx's approach to cybersecurity consulting.
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:Hey all, Shon Gerber, with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we have a great podcast ahead. We're going to be dealing with, like we talked about in the past, some vendors that come in and kind of give you a little insight into the career. We have a vendor here with you today and we have Clint Stevens from Phycyx, and I'm going to have Clint go into his background just a little bit here in a minute but kind of give you just an example of why we're doing this. Again, it's kind of bringing it back to the beginning.
Speaker 2:I got a lot of feedback from some of my listeners that they really wanted to truly understand. One, what are some different options out there for them to be able to buy services? Two, they also wanted to know how do I get in this career, how do these people get started in this? And the last thing is is then, what would be a good career path for them to help them potentially go down this situation or just at a minimum, getting some more knowledge? So that is where I brought Clint and Phycyx into this. I've just real quickly and I'll have him introduce himself is.
Speaker 2:I've known Clint for many years now and I was actually very blessed to one get reconnected with him a few years ago when I was looking for a pen tester for my large multinational that I used to work with, and Clint came in, did an outstanding job for us, and the one point that I really liked about Clint and his team was the fact that they're not just trying to tell you the baby's ugly, go fix it. They're actually trying to help you go hey, this is risky, but this isn't so risky. This is something you really need to focus on. This is something maybe not so much and that is so helpful for business owners. So with that, I want to just kind of quickly talk about Clint and let Clint talk about himself and kind of tell us a little bit about your background and maybe why you got into all of this and what you expect to do with Phycyx.
Speaker 3:Yeah, that's great, Shon, much appreciated. Thank you for the opportunity. It's exciting to be here with you and your audience today.
Speaker 2:Awesome, well, glad to have you.
Speaker 3:Yes, thank you. Yeah, so a little bit about my background and how I ended up where I did. My dad was a programmer. He's been a programmer for probably 50 years. So when I was in high school, that's kind of where I focused some of my efforts. I thought I was going to be a programmer and started down that path. Then ended up joining the Air Force and the Air National Guard and kind of similar background with you, had some experience with the B-1s as a weapons loader where you were a pilot, so we were giving you the capability to do what you do on that side.
Speaker 2:Yes, and without you we couldn't do our job, that's for sure.
Speaker 3:All right, and then, after I joined the Air Force to pay for school, so started my computer programming education, and then along comes online poker. So then I had a decision at 2, 3 o'clock in the morning.
Speaker 3:I can work on Java or C++ or I can be in a poker room and try to make some money.
Speaker 3:So ultimately what happened was I gave up the programming career and had a lot of experience and fun with that piece of it, but ultimately back to the Air Force career. I spent 15 years in intel operations with special operations support. Then the last seven years of my career was back in cyber warfare. So it was interesting to see where I was kind of starting with the programming and then where I ended up ultimately with my career and back in the cyberspace. So, hindsight being 20-20, I wish I would have stayed the course with my programming career because it would have made things a lot easier on this side of it had I done that. So six years with the Air Force Red Team which I believe is the same unit that you were, with a lot of your time focused on the offensive capabilities, and last year I was on the defensive side with the cyber protection team managing and leading those teams, doing the defense piece of network operations or cyber operations if you will.
Speaker 2:Very good. Yeah, that's awesome, yeah, and so, for the listening audience, give you a little bit of clarity on a few things and Clint brought up some really good points about. We used to talk about CNE, which is computer network exploitation, and you had CNA, CND, you know defense and attack and different types of offensive, defensive aspects to it. So Clint got to play both sides of that, which was really cool and it puts a different perspective. But I mean, the part that's really neat about Clint's story is the fact that I know a lot of people out there online are always looking for ways how do I get into cyber, what do I do? And they don't know.
Speaker 2:And some of these folks have paid a lot of money to and I hate to say it there's some charlatans out there that will tell you all kinds of stuff that really is pretty hard for you to be able to break into cyber with some of the things they're doing. But it also talks about those what Clint did, coming from basically being a bomb loader to being a hacker. That's a huge deal, and so I really think that, as you kind of talk through the stuff with us, Clint, and we go over your career and then also how it is important with the CISSP maybe kind of bring back to tell folks, you know, what are some different things they can do in their careers. Now to help them and my audience primarily they're IT folks. Some are more senior than others because I'm an old guy, but others are young right, they're young too. And so just if you could kind of maybe give them some little nuggets, as you're going through this process, about your company and the things you've learned, I think that'll go a long ways in helping them.
Speaker 3:Yeah, that's great. One thing I do want to get out up front for your audience is I am on the lower end of the technical side capability. Yes, I was trained in that world, got through the schooling, if you will, but based on my position, I was immediately put into the management side, which I think is key for this audience, with the CISSP aspect to it. So my hands-on keyboard were very, very limited, but leading the teams and really understanding where those pain points are for an organization as we're going through our findings and things. That's kind of the value that I add to the team that we've got, and it's a pretty fantastic team. It's a lot of technical capabilities that are way over my head.
Speaker 2:Yeah, but you can talk. I mean, that's the part that I think is important, as we, the CISSP is so important that you're in those positions, you're getting the certification so that you have the management skills to be able to translate and I say dolphins and sharks, but you have the ability to translate between your technical folks and the senior leaders. And I've said this time and again, that is money, that's serious money for you. One career money, but two longevity, and I think that that's an important part of what you do. So what I'd like to have you do is just quickly kind of talk to us about what is Phycyx, how does it work. So it kind of gives people a context of what you're doing right now, and then we'll kind of go into some of the questions we talked about on the side.
Speaker 3:Yeah, for sure, and I think I failed to answer your last question so we'll get back to that one as well. But we'll talk about Phycyx real quick. Started the company about six and a half years ago, really focused on the consulting side of it. So everything that I was seeing on the Air Force side and within the DOD, I was like there's a lot of crossover at least expected crossover to industry.
Speaker 3:Sure, and the unique opportunities that we had and the things that we were doing and the mindset that we took to the operations that we were conducting from that network exploitation, like you had mentioned, really really changes kind of the conversation around. Why do we do the things that we do? Why do the security frameworks that exist the way they do? Why are the controls the controls? And it's really understanding the why aspect to the different things that are put together and then being able to translate that and explain that to your senior executives on what's important, what's not important and where can they really make investments that are value added to the company and not worry about everything because you can't solve all the problems.
Speaker 2:So yes, and that's a you hit on a really great point. I'll give you just an example. I do some volunteer work for a local company and helping them with cybersecurity stuff and I'm talking to their IT leaders. And their IT leaders are like well, these controls all need to be put in place, but you just mentioned risk. Right, risk is an important part. So you're telling these senior leaders that they don't necessarily have to spend all this money on stuff, but on some things they probably should. Is that what you're saying as far as risk goes?
Speaker 3:Yeah. So the one thing that we see a lot of is everybody wants the new cool gadget or tool that's out there, and most of them are expensive and you get a budget of, say, $80,000, $100,000. And how do we best allocate this, the money that we've been given? And everybody wants the automated answer. They want to buy a tool, they want to put it on the network and they want to forget about it and say, hey, we're good to go. And that's just not reality. And helping IT directors and executives understand that a tool is just one piece of it and just because you have a tool, it doesn't mean that you're any more secure than you might have otherwise been. If it's not configured properly, if it's not being monitored and managed properly, if it's not being updated, if you're not being able to take the information that it's giving you and making decisions, then you're just back to square one and you've spent a whole lot of money on a paperweight Right?
Speaker 2:Yeah, no, you're spot on. So let me ask you that I'm pulling that a little bit. You said that's one part of it, so what would be other parts that a company needs to be aware of? Because, again, this is going to tie directly to how the CISSP teaches us. What are some things that could also be that are as important, if not more important, than the actual tool itself?
Speaker 3:Yeah, so I think first thing you have to do is is understand two things. One, the threats that you face as an organization. What space are you in? What industry are you in? Are you a nonprofit? Are you a for-profit? Are you in the public sector? So all of the different organizations that are out there all have different threats that they're going to face, based on whatever the thing that they do is. So A understand your threats, know why that threat exists against you and then start to understand what risks exist based on the threats that you're going to be presented with. Okay, you're not going to be looking at all the threats across the board, you're not going to be looking at all the risks and vulnerabilities that are out there, but what really is specific to you as an organization, and having that base, foundation and understanding, and then that will drive decision-making later on.
Speaker 2:Right, right, yeah, and that's great call-out, Clint. And so, based on that risk, this is where you folks that are listening to this they're going to ask questions in the CISSP around what are some of the most important thing you should do, or what is the least important, or what is the best control, or the most important control, and they use that because they're wanting you to think through this thought process, just like what Clint had said. So to your point. Does a bank worry about a manufacturing facility going offline or does a bank worry about money moving? Which one would be a more important thing for a bank?
Speaker 3:Well, I would think money moving would be the most important for the bank.
Speaker 2:Right, yeah, exactly, but this comes down to. So, as we talk about IT and you guys dealt with this in the pen testing world, I mean you have ATMs and ATMs are in many cases, tied to an IoT-type environment. But if your ATMs went down is one thing, but if you can't process money through SWIFT, that's a bigger deal than your ATMs potentially going down. So I think that's where the risk piece of this you have to kind of work through right. And so when you go and you do a pen test on an organization, how do you convey that to do you ever? Have you ever had a situation where the leader just didn't get it? And how did you then resolve that issue where they didn't understand the risk and what you were trying to do and then you had to. Maybe what did you have to do to kind of resolve that issue?
Speaker 3:Yeah. So it's really trying to take the situation and correlate it to something that they do understand, okay, and really, um, that's from a loss mechanism, like, okay, this is the risk that you have, this is the business impact. So, talking through with them understanding the business impact, right, and relating it to other impacts or situations that they are more familiar with, right, being able to tie those two together and then walk down that conversation with them to really understand what that business impact is, what the risk is and what the right resolution and mitigation strategy to it is.
Speaker 2:Okay. So let me ask you on that. So, business impact big big thing. Cissp talks all about it. So if you're dealing with a business impact, have you ever been in a situation where you were able to understand what the business their concern was, but the IT professional that brought you in didn't understand it? So you were, in some respects, having to convey between to help the IT person understand the actual risk.
Speaker 3:So, when looking at the IT side of it, a lot of your system administrators or network engineers they're trained on how do you build a network focused on availability Right, and not as much of the security side of it Not that they're not trained on it, but from an understanding and realizing what misconfigurations can actually bring to the table Right. The network works. Everything is working fine. For example, you have an administrator account that happens to be shared by everybody within your organization.
Speaker 2:That's not bad, is it?
Speaker 3:Availability is there, but not understanding why not everybody needs to have an administrator account or, even worse, a shared administrator account, is important that I think on the cybersecurity side of the house, we understand the why behind it, how it's exploited, how it's leveraged and taken advantage of to where your system administrator may not initially.
Speaker 2:Right? No, that's true. That's a very good point, and so I'd like to, after I ask this question, then I want you to tell me a little bit about your company and again, what are some of the things you guys offer. But when it comes to the contract I'm working at right now, it's really great. It's an awesome company that we're working with and they have a unique idea, and I even pinged you about this on the side a little bit. Where we get into co-collaboration and, as a contractor, the goal is to help organizations one don't assume that they all know it, which they don't, because we don't know everything but collaborate with them and help them, educate them. Have you ever had a situation where you were able to co-collaborate with the IT organization to give them some knowledge on what are some best based on best practices or based on your experience, and then what was the end result in that?
Speaker 3:Yeah, we actually had a great opportunity. Oh, I'd say probably about a year ago we finished that one up. Working directly with the IT staff and team, came in, provided a pen test for them, and we like to take that collaborative approach to where we're not running completely covert. Not that we don't or can't, but we find more value in that collaboration side of conducting the pen test. So, as we're finding things, we're informing the organization of these things, we're saying, hey, these are some of the areas that you might want to address, or we might find one thing that's like, hey, we need to fix this now, so we'll identify that with them. The interesting aspect of that engagement was, at the end, a lot of the recommendations that we had, a lot of the collaboration side of it was really focused on your best practices, satisfying or shoring up the low-hanging fruit, if you will. And it was unfortunate with that specific instance, which this was a learning opportunity for us is they felt that we might have been a little bit lacking on the product that we provided because we were so focused on the low-hanging fruit and the best practices. And the response that I was given was well, all that you're giving us is industry best practices around cybersecurity. And our approach, or our counter to that statement, is yes, because there's a lot of these things that you're not doing to the extent they should be done and they're exposing you. So you can spend a million dollars on this tool or these other things, but if these are still a problem, then you're just wasting your money and you're them actually implement and mitigate those um. When they've got the, the um I don't want to say the budget, but sometimes it's a budget issue but do they have the authorization and authority um given them to continue down that process and and take the findings and actually implement them? And, like I was saying earlier, everybody wants that immediate solution that's automated. You just deploy it on the network and that's it. And that's not the right answer.
Speaker 3:A lot of times, especially with companies that are just trying to get into this space, or they've recognized that they've got some issues and they're bringing in that outside consultant to help them understand really what is that next step that they need to take. The other side of the coin is once you get past the IT team and they're most of the time, they're on board with doing what you want to do or the suggestions that you're making and then you run into the executive level. So when you have the same conversations with the CFO, they're going to be a completely different approach and discussion topics than with the IT director and, even more so, with the CEO of the company. So each of these different positions have different priorities. What's important to them, what decisions do they have influence and control over? And then how are they looking at the information that you're giving them? So really understanding how to communicate effectively with each of the different individuals in the organization that's part of that decision-making process is key.
Speaker 3:That was a lot of words, for I'm not sure if I actually said anything.
Speaker 2:No, no you did and that's good, and I think, as the folks that are listening to understand how important it is for you, because he covered a lot of information there. But all this is related back to the CISSP in the fact that you're going to have to learn how to communicate with folks that are senior leaders, up to the CEOs, down to the IT professionals, and I don't mean that in down as in below, I just mean that in it's that you're going to cover that entire gamut. So you really this is why this test is so challenging for folks is because you have to a lot of guys that have come on with IT backgrounds. They don't try to understand that this is coming from an overall managerial perspective. So one thing I want to kind of quick touch on we never got a chance to really talk about. So can you, can you please talk just real briefly about Phycyx and what do you guys offer for to companies?
Speaker 3:Yeah, absolutely, and and and my apologies for not not hitting on it. Like I said, uh, six years ago, six and a half years ago, we started the company focused on, on the consulting side, um, the compliance side, with CMMC starting to come online within the DOD sector, um, really trying to help companies understand where those risks are, what the requirements are that are coming down for them to win those contracts. So that was kind of the foundation of where we were and then from there we're looking at what is that past experience that we have? What can we actually bring to the table? That's more than just a consultant, so focused on your security assessments, whether it's penetration testing on the network side and the physical side. So that's one thing that our company does that most companies don't in this space is we do physical penetration testing as well, and so we tie that back into the cyber side, so that holistic information security approach, which is really, really fun. Some guys like the network side a lot and other guys like the physical side, so we are fortunate enough to be able to provide both of those opportunities.
Speaker 3:The other thing that we do as a company is networking support. So we have several guys that are very experienced and highly credentialed CCIE level Cisco engineers, where we are brought in to help solve problems that exist on a network. Case in point we had a really large company bring us in. They were having some monitoring issues and they had been dealing with this problem for quite some time. Talk was talking several years. They're like we just can't solve the problem. We just haven't been able to find anybody. Bring anybody in that's been able to solve it. And and the individual we have with the CCIE, he was able to replicate the network, build an environment and a test structure and he ultimately, after about three weeks of really troubleshooting, he was able to identify the answer and then we were able to implement it on the network and it's been live ever since Nice. So a huge win for us in that space. So that's really, when we look at what do we bring and what do we provide, that's different than most of your companies in this space out there is. We've been able to get the fantastic opportunity to solve some really unique challenges. Yeah, that just don't really exist from an opportunity perspective very often. So those little feathers in our cap that we've been able to land.
Speaker 2:That's cool, very, very good. So what are some services that you have, Clint?
Speaker 3:That start off, like I said, was a consulting um the GRC compliance regulation, um, moving into pen testing, vulnerability assessments, uh, we discussed the physical security as well as network security. So that gives us that unique advantage. Um, and and what we'd like to do is we'd like to partner with other companies out there, um that we get requests for the physical side, right, um, they just don't have it in house. So that gives us a an opportunity to build relationships um with some partners out there as well. Um, then, moving down from there, we do fractional CISO uh, security awareness and training and then other more technical training as well for clients when they see the value of trying to increase the knowledge and capability of their internal IT teams. So it's very broad-based Things that we don't do.
Speaker 3:We're not a SOC. We don't do the monitoring and logging. We're not an MSP. Like I said earlier, talked about some of the networking support that we do go in solve challenges. We'll help build networks. We will look through configurations, build out configurations, implement configurations um um different companies. So, like during a construction phase, we'll do that, um, but but we're not an MSP, um, we're not really an MSSP either. So so we're very unique and niche. In that perspective of of we've got a lot of really solid capabilities, services, um, I would look at us more like an integration team. Okay, anything else and that's the other value that we bring to the table is a team aspect, where you can hire one person that's really super knowledge and experienced, or you can come with a partner, like us, who has an entire team that's going to support your efforts in whatever endeavors those are.
Speaker 2:Yeah, no, that's good, that's really good. And I think that's an important part as you are building or as you're working with companies, having that, I like to say, the stable, that stable of really talented individuals. But the part is I also like is I've asked folks this many times with vendors is well, what don't you do? Good, right, because you'll get. Some of these vendors will come on and say, man, my product's amazing, it'll do everything, it'll even cook your coffee for you. Right, you can't cook coffee because you brew it, but you know what I mean? It'll do everything for you, and that's good that you said that there's things that you don't do, and I think that's really an important part that you have to really mention to people is because it's you know we all want business, right, but there's no reason to take money that you really can't perform a service, because that doesn't help them and it doesn't help you, correct?
Speaker 3:Yeah.
Speaker 3:So go ahead I was just going to make a reference around that concept where, when we look at, terminology is a big thing too. So that's kind of a we're in that discussion. Right now with one of our potential clients we're getting ready to put a proposal in. It's really understanding. What are they asking for when we start to talk about assessments and penetration testing and what is our definition as Phycyx around those terms versus what is the client's understanding and definition? And then, even more so, what is the other companies that are also putting in proposals for? What is their definition of a vulnerability assessment or a penetration test, and what are they bringing to the table that maybe we aren't, or vice versa, and what makes the most sense for the client with where they're at within their security program and their review processes?
Speaker 2:Yeah, no, that's spot on, and then that's again. We can talk about this. Words matter, right, and when you're dealing with SOWs, your statements of work, you're dealing with all these different types of documentation, you want to make sure that they are getting what they're paying for and that the expectation is the same. Because I'm running this right now, where the I got hired to do this, but the expectation is different than what I got hired for, and so, even though we were very painstakingly walking through this entire process, you still don't get it and you do you kind of like two ships passing in the night or a top gun thing. Where did he go, viper? Yeah, where'd Viper go? Where'd who go? And that's where I feel like half the time we're just going past each other. So okay, so let's real quick, as we got a few minutes left.
Speaker 2:I want to be cognizant of your time and not take too much of it, as our students are studying for the CISSP and you just mentioned. You've got CMMC, you've got GRC, you do pen testing, you do training and I know I've got folks that do all of those different aspects. If they wanted to get into, say, various pieces of what you do, what are some things. You would recommend Certifications, training. What would you come back to to kind of help guide people around how to get more knowledge and more experience in cyber?
Speaker 3:Yeah. So fortunately we have something called the Internet and every question that you have there's an answer to it. So the one thing that I would recommend, based on my past experience of going down the wrong paths multiple times, is really finding what are you most interested in. Where your passion lies. Cybersecurity, information security, it's a huge umbrella, lots of different things that go into it, as we've talked about. So really finding out what do you like to do, what is your passion life? So now you don't have a job, it's more of a hobby. So you enjoy the work. You're engaged in the work, um, from a nine to five window. You're going home and you're still engaged with it because you enjoy it that much. So really finding that piece of, of whatever aspect, um within this world that you're looking to do, and then really finding out how do you get hands-on, how do you really start to dig in, whether it's the pen testing piece, maybe with OSCP, which is more on the advanced side, if you enjoy the management piece of it with CISSP and where most of your audience lives in. Do they really truly understand what are they getting into in that realm? Do they like reading through documentation? Do they like and enjoy trying to find well, this control says this and this control says this. Well, I'm a technical guy and the way I would satisfy this is completely different than how it should be satisfied from the business perspective. And is that something that you're going to be able to internalize and say you know what? This is the right answer for B, but I got to find the right answer for a.
Speaker 3:So, look, using all the resources out there to really find where's your niche. What do you like to do? Getting hands-on, whether it's Hack The Box, if that's what you're going down, whether it's getting into NIST documentation and reading through it and trying to find some opportunities where you can start to dig around and play with different GRC tools that exist and understand what makes the right answer for a company when it comes to the security framework and when they're getting ready to go through an audit. Like, how do you really satisfy, you have a control, but underneath the control there's four or five different objectives, and really understanding how to satisfy that properly with who's asking the question. Really, if it's a DOD contract, the requirement to that may be different than what you're used to in the past. So, really understanding the situation dependent, and then really the business use case. What is the business need? What is the right answer at that level, more so than a technical level?
Speaker 2:Yeah, no, that's really good, and so, we've mentioned this before on this training: you're a bomb loader by trade, I'm a pilot by trade. Guess what? No offense, but any monkey can do this. I mean, we can.
Speaker 2:And the point is, do you have a passion to do it? Are you really wanting to do something and do you grasp it and run with it? And the other part that I'll just kind of come back to, and if you all are listening to this podcast and you hear a noise in the background, my son decided to mow the yard at the most inopportune time, so hopefully I can get this out of the podcast. But the point of it is that when you're dealing with the various parts of the technical pieces here, is there something that, I mean, let me ask you this comment. I was kind of going on a different tangent, but I'm gonna come back to this point: how many hours do you feel that you have spent studying and learning cyber over the past X many years? Do you feel that it's, has it been just a part-time gig for you, or has it been something that's really consumed you and been a big part of your life for many years?
Speaker 3:So with me personally, it's been a lot more focused on the business side, the management side of these concepts. So, from a technical standpoint, go through enough training to understand the concepts, get through the different schools that I was a part of. Had a great program with Capitol Technology University out of Maryland and their technical MBA in cybersecurity. So that was a fantastic opportunity I had there to dig a little bit into some of the technical side but also see the bigger picture side, not just within the information security realm but the business realm and how these two kind of correlate together and go from there.
Speaker 3:So from an hour perspective, it's a lot. If you were to ask my business partner where he's at with it, I mean, he's exponentially more, but he also has OSCP and he's really super technical. So what are you doing outside of your nine to five window? How many articles a day are you reading? How many different hands-on-keyboard opportunities are you trying to give yourself to learn and grow? It's going to be a lot, and that's why I was saying earlier, find the thing that you really like, because you're going to spend a lot of time doing it.
Speaker 2:Yeah, no, that's great. So the point is, I think Michael Jordan, or some professional basketball player, made this comment: everybody wants to be like Michael Jordan or like any of these other very popular sports heroes, but they didn't get to that position by just going out and throwing the ball every once in a while. Right, they've spent eight to 10,000 hours, and so for the folks that are listening to this podcast, one thing to keep in mind is this is a journey. This is not something that is a sprint, that you're going to get there overnight, but the cool part about it that's different than when I went to college is that I went to school to learn how to fly an airplane.
Speaker 2:Well, today you can learn all of these technical skills and you don't have to have a pedigree from Harvard to be able to do this. You can do all of these types of things without that. So that's what I'm trying to drive home, is that there's opportunities. You just have to know that going into this it's going to take time and it's going to take expertise and it's going to take some money, both in investing money but also in maybe making wrong decisions and then learning from those decisions. So it's kind of how that plays out. So is there anything else that you'd like to say, Clint, about this whole education path?
Speaker 3:Yes, thanks for bringing that up, Shon. When I was getting into this realm there at the end of my career, there seems to be a real push by a lot of people that are trying to get into this space to get as many certifications as they can, and they're really focused on gaining every single alphabet and every single configuration these letters can be in, and now you have a string of a thousand letters behind your name on your LinkedIn account. If you're not also getting the actual hands-on experience with what those certifications are presenting to you and teaching you, you're going to have a real difficult time when you get into the work center and the workforce and being able to communicate the things that you know from a theory standpoint to what actually occurs in a live environment. So I would just say don't not chase them.
Speaker 3:There's a double negative there, but understand the value that they are bringing and then what value they're not providing from the actual real-world experience. So, like I said, when you find what you're looking for, maybe focus on that certification and get out in the workforce and start to gain a hands-on experience in a real environment to understand all the dynamics that you're not going to learn in an educational institution or going through a certification program.
Speaker 2:Yep. No, that's great. All the people here listening to this are going to get their certification, so don't get your certification. We're not saying that.
Speaker 3:We're saying, that's not what I said, I know. I know, I'm just, I'm making, because I actually agree with you very much.
Speaker 2:So just because you have a certification in something doesn't mean you know anything. It means you can take a test, and that's part of the reason why the CISSP, they have the experience requirements that are there. But that in and of itself doesn't also require that you're going to be the best person for the role of different certifications. You got to make sure that as you're going in, and when you're talking about this, we talk about this in my mentoring program that I have, that when you're interviewing for the role you need to be honest with people what you can do, what you understand, and also be honest what you don't know, because the last thing you want to do is get into a job and then say, yes, I can do all these things, but then you can't, and then it's not good for you and it's not good for the profession.
Speaker 3:So yeah, and that's a great point. And when we're wrapping up an event, especially when it involves the pen testing side, I'll get asked a lot of questions that I immediately defer to the technical team doing the work. I don't know enough. I know enough to give you the wrong answer and just lead you down the wrong path.
Speaker 3:So don't be afraid to really understand you don't know everything and be open and honest with it, but know the person that does have the answer and go seek them out and put them on to the client or whoever you're interacting with to make sure that they understand and get the right answer to the question that they've got.
Speaker 2:Yep, spot on, dude, spot on. Okay, so I've got Phycyx up on the website right now, and it's spelled P-H-Y-C-Y-X dot com. That's Phycyx.com. Is there anything, I know you said you're redoing, rebranding your website, so that's going to change. If somebody was looking for information around what you guys do, is there certain tabs maybe they should go to? Or is there anything you want to add to this?
Speaker 3:Yeah, so our website is super lightweight, very minimal information that we're providing on it. Now, like you mentioned, we are in an update process, but when you look at potential clients that we serve, it runs a gamut, really. It really depends on who the client is, what challenges are they trying to solve and are we the right team to help them with that, with all the different service offerings that we've got. So we've done work with sole proprietors, single DOD contractors that have an office in their house, to Fortune 10 enterprises. So we've run the complete gamut across a whole lot of different industries. And if we're not the right team, we're going to recognize and tell you, hey, we're not the right team, but this other team is going to be able to take care of you. So it really is that collaboration and working with the client to get to the right answer that adds the most value for them, and not looking at it from our standpoint as a company of how do we generate the most revenue, because that's not the right answer for the client.
Speaker 2:Agreed, it isn't, because money will come, money will go, but your reputation is everything. So I totally agree. Okay, well, hey, that is all I have. Clint, it's been a pleasure. I've really enjoyed this conversation and I know my students will as well. Again, the ultimate thing is go check him out at Phycyx, P-H-Y-C-Y-X dot com, and if you have any questions again, just reach out to him, and they've got a contact page that's out there. I'll have his information in the show notes as well, but again, the ultimate goal of CISSP Cyber Training is to help you understand the CISSP, expose you to other opportunities out there and maybe just give you some more education as time goes on. So, anything else you want to add, Clint?
Speaker 3:I just want to say thank you, Shon, and thank you to your audience for giving us the opportunity to talk with you all today, and hopefully this was some value add, because the last thing I want to do is waste people's time. No, it's good. Thank you again for the opportunity.
Speaker 2:You bet, you bet. No, it's great. Again, this is an experience, an education that a lot of folks don't ever get to see, and you don't get a chance to talk to people and hear these things. So it's awesome, it's great, all right. Well, thank you all very much for joining. I hope you all have a wonderful, wonderful day. Again, don't forget to check us out at cisspcybertraining.com. Lots of free stuff that's out there, all kinds of great information. There's some programs that'll help you get your CISSP completed. There's a blueprint. I can't tell you enough. The blueprint is amazing. Got some really great questions as well, but it's awesome. Just go check it out. A lot of free stuff there and available as well. All right, we will catch you all on the flip side. Have.