CCT 138: CISSP Cybersecurity Journey - Education to Operational Technology Defense (DRAGOS)
May 06, 2024Embark on a transformative journey into the world of cybersecurity with me, Sean Gerber, as your guide. Discover how to fortify your career foundations and traverse the evolving landscape of digital protection. Our latest episode delves into the crucial timelines for mastering cybersecurity, with a special look at Dragos' role in safeguarding operational technology—think electricity and water, the lifeblood of our community.
Navigating the educational routes towards a cybersecurity career can be as intricate as the firewalls we swear by. I cover everything from the pragmatic approach of community colleges to the intense dedication required for boot camps like the University of Kansas. Alongside this, I share personal insights into selecting the right certification and the perpetual journey of learning, ensuring you're equipped to climb from an entry-level analyst to the strategic heights of a CISO.
But it's not all algorithms and code; it's about giving back too. Tune in as I reveal our CISSP Cyber Training initiative that goes beyond knowledge sharing. Profits are funneled into a foundation supporting adoption funding—a cause that personally resonates with me as a parent of four adopted children. By joining our training, you're not only securing your future in cybersecurity but also unlocking doors for families to grow through adoption. It's an episode that marries professional advancement with heartfelt philanthropy, and it's one you won't want to miss.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Cybersecurity knowledge All right, let's get started. Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a wonderful day today. Today we're going to be talking about some awesome topics. Actually, I want to take just a little bit of a diversion from what we have in the past as it relates to the domains. We're going to be starting back up on those next week, but this week I wanted to get into a topic around the overall cybersecurity training path. I'm getting a lot of feedback, which is great, from people asking what do I do, where do I go, how do I do this whole process and I've done an episode in the past, but obviously things have changed a little bit and just kind of wanted to give a little bit more guidance to some folks on what could be done to help them in their training path for cybersecurity.
Speaker 2:
In addition, at the end I'm going to talk about a company called Dragos. I'm going to try to highlight some companies here and there throughout the podcast to give you a little bit more expertise or knowledge around some of them and some of the products and tools they do offer. One thing I did understand is like, as a security architect, I didn't know these things until I started digging into them and I feel that maybe if I give you some more information around some of the products, you might have a better understanding of when you become a security professional or if you're already in your journey what some of these products do and how they work within the various organizations. So again, it'll be high level. It's not going to get into the weeds because that can go down a rabbit path that is extremely challenging, especially over a podcast. But we're just going to go over the basics so you understand it. But the reason I bring up Dragos and we'll talk about here in just a minute is the fact of one of the things they offer within the OT security space which I'm a little bit passionate about, just because of the fact that it concerns me where attackers can come after our water, electricity and so forth, and having a family and having people I care about. When people start messing with water and stuff, that usually kind of sets me off a little bit Because everything else money-wise people can make new money somewhere or another, they can figure this thing out, but when you start messing with people's water, that gets to be a bit disconcerting, I would say. So let's go and talk about. First off, the cybersecurity training paths that we're going to be getting into Now.
Speaker 2:
A lot of people ask me how fast can I get this done? I want to become a security professional. Let's go so, rather than being the old guy that just goes that's going to take you 35,000 years to get done. No, we're not going to say that. Can it be done much faster than I did? By far right, I took the long way.
Speaker 2:
And also, security when I first started was pretty much in its infancy, where you had wheel carts and buggies. Compared to today, you have AI, so it's like a jet engine. So it's very different from the past 20 years when I started. But so it's like a jet engine, so it's very different from the past 20 years when I started. But what you want to do is you want to begin today. You don't want to wait and you don't want to wait for the perfect solution to help you get started and go. Well, I've got to have all these things lined out before I can do this. This is one thing.
Speaker 2:
After teaching in the college environment, I would say we have become very accustomed to having a path, a happy path, to teach us. Going from I go to school, I get my bachelor's degree, then I get my master's degree and I get yada, yada yada. That is fine in some cases for some career fields, and I would say for security, it can even happen in that as well. However, there's multiple paths to your road to cybersecurity. So don't just wait on having to. You have to have $100,000 to go to a college to do that.
Speaker 2:
I would also beg to differ. I don't think you need to spend that much money to get your started in cybersecurity unless you want to have a little bit broader understanding, such as you want to deal in development, you want to deal in other areas that college education may or may not be the best choice for you, or I should say a four-year college education may or may not be the best choice for you. You just have to kind of decide what is best for you and your overall plan. But you want to start with the foundations. You want to get that, and what I mean by the foundations is the understanding. Networking concepts and I will even point fingers back at myself is I don't know networking as well as I should, I would say. Sometimes in my own internal personal network I struggle with getting everything to work, and then, when it does work, I'm like, oh, I don't want to touch it, leave it alone, even though it's probably not configured as good as it should be. So I would say, understanding that foundations is an important factor in any career in cybersecurity.
Speaker 2:
You also need to expect that it's going to take two to six years before you really can start applying some of this knowledge. Now maybe you may be saying to yourself well, I don't have two to six years for this to happen. You've got to understand that this is like anything in life it will take time to get you where you want to go. This cannot happen overnight. It does not happen in a situation where, hey, I'm going to go take some courses online and I'm now going to be in the security. No, it's going to take a concentrated effort to make this happen. You can't just go and take some courses and watch YouTube and be there Now.
Speaker 2:
What I say that, though, is is that you don't have to have a formal education in this, which means you don't have to go and spend four years in college and $100,000 to get your foot started or get yourself started within the cybersecurity field. I've also had some people reach out to me from all over the globe going I want to do security, but I have no idea and I don't have the money to do that. Now I'm researching some different things with CISSP cyber training to help with that no-transcript and. But when there's a big barrier to entry to costs, that can cause challenges. But at the same time I've learned that unless you are willing to pay money for something and I mean pay sometimes significant amounts of money you're not fully invested in the plan.
Speaker 2:
So what I'll use as an example is I've offered my courses for like entry level for 19 bucks a month, and that was the membership program I had at the time on CISSP Cyber Training, and I offered it for a really cheap rate because I wanted people to get involved. Well then, what I find out is that people would complain because whatever nuance with the site that they didn't like, whether there was some video wasn't right completely, maybe it had changed a little bit and I haven't updated it quickly enough, all of those things people would complain about it, and I understand their points right, they want to have good quality training. But when I offered it at a higher rate, the complaints went down, and the reason is is because people, when they are fully invested with the financial resources that they have, they learn to go. I've got to learn to do this, and whether it's perfect or not perfect, it's not going to matter. It's the teaching and training that's there for you. You have to basically grab it and run with it. So the downside of getting these free courses is people don't value it as much as if they spent $4,000 or $ the training. Then they truly value the training they got out of it. So just keep that in mind is that, as you're looking for these different sources online, you may not be happy with the product. Well, it depends on what you paid for it and, at the same time, it really comes down to is how invested are you in getting this done? Because there's tons of opportunities out there and there's tons of ways for you to learn how to get into cybersecurity. But the part that a person like me cannot control is the fact that what you are willing to do to learn this information. So I'm saying all of that just to kind of preface the fact that whatever training you get into, you're going to get out of it whatever you put into it, because there's plenty of opportunity, plenty of resources.
Speaker 2:
I'm a pilot by trade. I learned this stuff because most of it was self-taught. It was not a formal course that I went to, that someone spoon-fed me and taught me these things. I even surpassed many of my peers within the corporate world, and not because I was any smarter than them I'm not by any stretch of the imagination but I had the tenacity to willing to learn, grow and change, and if you're willing to do that, then you can do anything you want, but you have to be willing to learn, grow and change, and if you're not willing to do those specific things, this is going to be a struggle, because cybersecurity is always changing. It's changing every day, and it makes it a challenge to learn, but it also that's what's fun about it is the fact that you're learning something new each and every day.
Speaker 2:
So, like I mentioned, there's no easy path to this. There's you can become in there's red teams, there's auditors, there's assessors, there's analysts, there's engineers, there's CISOs, there's all these different titles, and they all have different skill sets. So there is no easy path, and that's what makes it interesting and fun is because you can define what that is. The best part, though, of all of this is the fact that, because there is no easy path and there is no formal training and there's so many opportunities, you can do pretty much anything you want, from starting up your own company and hanging your own shingle to being someone who works in a corporation and is helping that corporation protect themselves. So, again, one of the things that you deal with when it comes to formal education aspects and I'm going to get into some of those that are available to you and how they work but you can get this is just some of the different options so you can get the formal education, which includes your two and four-year college institutions that you can go to.
Speaker 2:
The one college that I taught at was Wichita State, and at Wichita State you could go and take this your security focus. You could basically get a degree in computer science and then you had a security focus and that's basically a four-year college degree that you can go and get your stuff. Get your degree, get your certification or not your certification, get your degree, get your certification or not your certification, but your degree. South Dakota State has them, stanford, mit, pretty much every college now is dealing with some level of cybersecurity in their programs and they're good. I mean I shouldn't say they're not, they're not, they're not the some of them are better than others and a lot of it does. It comes into the fact of one. They've got to find qualified instructors to teach this product, and that's hard to do because when they're teaching it at the college level they don't pay very well. I mean, they just don't. Okay, as an adjunct professor, I was not making a lot of money for the amount of time that I put in.
Speaker 2:
It was one of those pieces that you did because you wanted to help the community. So you need to go and decide what is best for you. I would say a two-year program like a community college in your local. This is all based in the US and you have to look at your stuff froma global perspective, where that could be for you, but from a two-year community college in the United States is more than enough for you to get what you need to get started in security. However, if you have a path that you want to get your four-year college degree, look for one that has a good cybersecurity focus and find something that will. They have a good program that's already accredited and they can build out that you can grow to. So you just want to be a little bit judicious with which companies or I should say, which colleges, you pick when you're going to be in that formal education path, because once you start down this path, as we all know, it gets to be very expensive to try to deviate from it. So I would highly recommend you do a lot of research on which college you would want to go to.
Speaker 2:
If you're looking for a formal education. There's other things out there called online courses and certifications that you can get these that are available to you. So there's such a company such as Palo Alto EC Council I've got courseware on there Aramis University, google University of Kansas. They have a lot of online college programs available for you as well. Now they can be very niche in the fact that they can teach you how to do A+ from CompTIA. It can teach you how to do Wireshark. They've got some that are for Homeland Security and Cybersecurity. They've also got a Microsoft Cybersecurity Analyst Professional Certificate. So they've got different types of certificates that you can get.
Speaker 2:
Now, will those help you? I would say they can. It just depends on what you're trying to go do If you're trying to learn something, to help maybe your church to help your organization. The knowledge you can gain from those can be very valuable. Is it something that would get you working as a CISO? Probably not, I would just say, because you're going to need a little bit more formal knowledge than that. However, it can get you the basics and get started in a way that maybe that's how you learn and that's how you best learn, and so just I recommend you do a lot of research to figure out which one of these paths is best for you, and you may be using a combination of these various paths to get you what you want, based on your schedule and based on your needs.
Speaker 2:
Other things out there are boot camps. Now, these boot camps are offered by many different colleges, and I'm going to just give you one example of a boot camp that is close to where I live obviously, university of Kansas. So I live in Wichita, kansas. University of Kansas is in Lawrence, which is about three hours from us, and they're one of the main colleges that's here in Kansas and they have a really good basketball team and their football's okay, but they have a really good basketball team and they offer a 24 week program, okay. So basically you're talking 24 weeks a half a year, six months, roughly right. Six months of a year, working nine hours a week a year. Six months, roughly right. Six months of a year, working nine hours a week. And they have basically, it says you'll you'll have nine hours a week of work uh, of that's attending the different classes. So when they look at accreditation for colleges, you they base it on how many classes, how many classes you offer for the week and how long are the classes for the week. Well, this is a nine credit hour week. Well, I think it's like that's probably about a three point or a 300 level class, and they have three weekday evenings that you work. So you work in the evening, you take nine hours a week, three hours long for each of these classes and it basically you have around 20 hours of homework. So it's a pretty in-depth combination of things, but it what it'll do is it will help you get the aspects that you need to be a security professional.
Speaker 2:
So the curriculum in as far as University of Kansas goes is it's security fundamentals. You have system and admin, network and network security, defensive security, offensive security, and then they help prep you for your test. So what will that get you? Well, and then they help prep you for your test. So what will that get you? Well, in many cases they also partner with Security Plus or the CompTIA platforms, which is Security Plus, network Plus and so forth, and they'll build out this whole path for you so you can do this.
Speaker 2:
I think they'll offer a very similar type of program in the fact that if you go and you get your Networks Plus, security Plus, you get your Computer Ethical Security Plus, you get your Computer Ethical Hacking Certificate, you get some of these. There's the same stair-step approach that University of Kansas is offering. However, they're doing it in a much more compact environment. I would say 24 weeks to get done. Some of these courses is pretty fast, and so therefore, they're telling you that right away, you're going to be putting in roughly nine 29 hours a week.
Speaker 2:
You're going to be putting into learning these cybersecurity techniques and tools and it will take that, especially if you're coming in as raw, where you have very little knowledge in security, you will be putting in a lot of hours to try to understand how this all works, because, if some of you that listen to my podcast are IT professionals, have been doing this for a while and you understand the lingo for IT, but I would say some of the professionals that have even been with me for 20 years that understand IT truly don't always understand the networking concepts and they really don't understand security. It's almost like a completely different language to them, and so it's important for you to truly understand this whole vernacular, and it will take time for you to for this to occur, and it's going to be an ongoing process. This is not something that you just learn it and you forget it. You learn it, you dump it, like in college. You went to college, you learn this information and then you dumped it and you moved on. This is something you're going to deal with on a day-to-day basis all of the time.
Speaker 2:
Another option you have is the self-study, so you can utilize free resources and community forums that are out there to help you with the self-study plan. Now, one option I saw online that you can use as a framework is the NIST framework, and what that means is if you go online and you look at the NIST, it's the National Institutes for Standards and Technologies. They have a framework by which you can learn. The cybersecurity framework is one of them. If you walk and use that as your checklist, to go through and say I want to learn about network access controls and it'll step you through each of these different buckets and then you can go and research online of what? Okay, what are network access controls? What is a network address translation, what blankety, blankety, blank. You can go through all of these different pieces and they're going to walk you through, but it's going to be up to you. It's only going to be in a bulletized format. It's very detailed, I will give you that. It's extremely detailed and it will help you point you in the right direction to use, such as Microsoft Copilot or ChatGPT to help dig you out some of this knowledge that's out there. So it's a really good framework to help you do that if you need some sort of direction. A really good framework to help you do that, if you need some sort of direction.
Speaker 2:
There's also selfstudyorg. There's different. It says over 150 certification programs that are out there and available to you and many of them can deal with courses that lead down the 27001 plan, because you can be an implementer for ISO 27001. Also ISO 3100 or 31000 for risk manager. It talks about these various different certifications and different ways, different courses that are popular around the globe. Security is so broad.
Speaker 2:
If you pick something, get into it, learn it, dig into it not get knowledgeable about it and guess what? You'll probably find an opportunity on the planet for you in that space, because there's just so many opportunities for everyone. The other one is ICS Squared Certified in Cybersecurity. They do offer a free online self-paced program. Isc Squared does, and they're the ones that do the CISSP. They have various certifications that are available as well, but it'll get you the understandings around security principles, business continuity, network security and so forth. It's a really good free program that helps you get going into the overall cybersecurity space. I would highly recommend you go out and take it. I would just because, if anything, it's going to get you some more knowledge in a space that you may not have Career Karma. This helps you preparing for cybersecurity certifications exams through short courses, study groups, books and blogs right, they have all that stuff available to you Spiceworks, and then there's also Fortune Education. So there's so many opportunities out there for you to learn.
Speaker 2:
The key problem is is it has to come down to you. You have to be the one that goes out, searches it, does it, makes it happen. You can reach out to me at CISSP Cyber Training and if you have questions, I'll try to answer them. I get a lot of emails and I'll just warn you I can't always get to all of them, but these are. I'll have this posted on my blog. You'll have access to it so you can go check it out. And these are just the walkthrough, the different outline of where you can go to get some of this information that you may need.
Speaker 2:
Now, industry certifications. This is a big factor, do I? Am I a firm believer in certifications? No, not really. They are important. They bring a lot to the table in the fact that they help you get you understanding the concepts and the terminology. The problem is is many people will utilize certifications as as a checkbox to go hey, if I get this certification done, I'm now in like a four-year degree, I might go to school, get an education, get a degree, get a job. That doesn't work this way. I know guys that will have certifications up the wazoo on their name and their name will have 18 different acronyms behind them PMP, cisp, ceh, blankety, blankety, blank and I'm not bagging on those people by any stretch of the imagination. That is awesome and they show the fact that they can take a really good test, and some of those tests are extremely challenging. The CCIE yeah, the Cisco certified internet engineer I think that's what it is is extremely hard. Okay, very, very hard. Those guys are amazing. Now I say that is that some of these certifications can be very, very hard. Those guys are amazing. Now I say that is that some of these certifications can be very, very challenging and they have high recognition to them and that's awesome. Cissp is one of them.
Speaker 2:
However, I've also taken certifications that are like, yeah, checkbox, checkbox, checkbox. Oh, hey, I'm a HIPAA certified person. No, that doesn't really make you that much of a certified person. Now, I'm making that light of that. There actually was a lot more training to it than that. But the point of it is, if you pass the test, you're good. But here are some of the certifications that are recognized within the community and again, I'm stressing this home because some people get very religious about this. They get upset when you start bagging on certifications. I'm not bagging on certifications. They have a time, they have a place and they have a need and they prove that you'd have some knowledge and that you can take a test. That's good, but I would say experience plus a certification makes you extremely marketable.
Speaker 2:
So, certified information security professional CISSP obviously you're listening to this podcast. You're looking to get your CIS certified information security auditor that's your cisa. Certified ethical hacker your ceh. It's a good skill to understand the attackers and what they're after comptia security plus very good foundational program to help you understand security and getting into it. Certified information security manager good management certification to understand what a manager would think about right Designs, oversees the enterprise. It's a really good for a director of security who maybe just didn't have a lot of security background. It's a really good certification to kind of help get you in the mindset. Gsec the G-I-A-C security essentials is another good one that's out there that helps you kind of get the basics around cybersecurity, best practices, offensive Security Certified Professional OSCP, and then the C-RISC, which is your Certified Risk and Information Systems Control. C-risc is a really good certification to understand risk.
Speaker 2:
Now I say that. So the reason I say the certifications aren't always that necessary. If you went and studied C-RISC, so let's say you are in a job right now and you went and went through the entire courseware of C-Risk and I'm stopping on C-Risk because I really think strongly it's a good thing to help you understand risk within your organization. I've taken the courseware. The courseware is challenging it truly is. It's a very the courseware. The courseware is challenging, it truly is. It's a very challenging courseware. However, we just sit, for I didn't want to sit for the test because at the time I was taking it out of my own pocket, but I gained enough knowledge in the c-risk thought process to help implement that within my my goals as a ci or as a cissp, but mainly as a ciso.
Speaker 2:
Now, the reason I got the CISSP certification is because many of the HR people will require a CISSP. So you got to get through the gate and therefore, if you're going to have to have a certification, it's one of the best certifications to have and it's one of the most challenging to get through the HR gate. So I highly recommend the CISSP. But all of these are very, very good certifications, especially for taking the training. If you just take the training and not actually sit for the exam, they're very, very good. You just have to decide if you want to spend the money to sit for the exam. So, again, those are just certifications.
Speaker 2:
Now, when we talk about work experience, how do you get the work experience you need to be successful in cybersecurity. They go. Well, how do I do this? I'm just a. I don't. I've talked to an individual who wants actually went to school in hairstyle, right Wanted to cut hair, and that's great, it's a great profession. I'm so thankful that people can cut my hair, because otherwise I would look like a Sasquatch, so I'm very thankful for that. And they wanted to change and get into cybersecurity, and they go. What do I do? Well, this is what you. This is some of the steps that you can take, but if you need to get the, one of the things I mentioned, though, is that the certifications are important, but the getting the education through work is just as important, if not, in some cases, much more important. So you can get this through local IT shops. So go work at.
Speaker 2:
Here in Kansas, we have a company called Ribbit Computers, and they're just a basic computer shop that helps companies with their computer needs. Go work there, do hardware support for them. You'll learn a lot doing that, but at the same time, you should be learning cybersecurity. Don't just let them, don't think that they're going to teach you everything you know. To be successful in this career, you're going to have to go and grow your knowledge through these different local IT shops. Get in with a company and start working within their IT service desk. That's a possibility. Find a way to get within their organization. A lot of times if you work at a smaller company, you are a jack of all trades, which means you could be their security person. You also could be their IT person and you could be their accountant. That's very possible.
Speaker 2:
My friend of mine is our chief of police in our local town and guess what he does? It support. Can you believe that? I've told him he needs to stop doing that, but anyway, he likes doing it and he enjoys it, so that's fine. But when it comes right down to it is IT support. You can find different ways for you to help provide knowledge and you can put that as experience that you're gaining by doing it. College work studies another way to help as well you can. My friend of mine is the CIO for that local college and he is folks come on and do work study and they do IT support in the work study space.
Speaker 2:
Now is it where it's, deep into the security space? No, is it pulling cables? Yeah, but can you learn a lot from pulling cables and pushing them into switches. You sure can. So that's another way that you can gain knowledge that you need. Or volunteer work at local colleges or institutions that are non-profits my church I've donated some of my time to them to help them with their security. My local community I've helped them with their security. So it really comes down to areas that you can best provide the value and you can utilize all of that as some level of work experience.
Speaker 2:
So now, what are some specialized cybersecurity roles that you can get into? You have a security architects, you have cloud security architects, you have AI security engineers, you have cloud security auditors you name it. You have all kinds of different titles, names and positions that you can have within a company. Each of them have their own specific role and their own specific need. I was a security architect with a large multinational and that large multinational taught me a lot of great things.
Speaker 2:
But many people at this time will start off as an analyst within an organization, especially within a security operations center, and they'll work their way up to maybe being an engineer that's managing a specific tool, or they may start as an engineer working a specific tool and then move in to be an analyst, working in a SOC or someplace else. You just have to. There is no happy path to help you get from one to the other, but here's a potential education path or a potential work path that will help you that many people use. Again, though this does not have to be the only way to get there. There's multiple paths that you can take to get to wherever your goal is, and first off, you have to decide what is your goal. And your goal will change, because my goal was to be a CISO. Well, I became a CISO and now my goal is to be a security consultant. Why? Because I want more freedom. I got tired of being the CISO. It was a great job, wonderful people, great company, but your life, your world and life changes. So therefore you make changes based on that. But the potential education path or I should say work path, would be you'd get an analyst role and then potentially move up to an engineer or vice versa, just depends on the company you're with. Then you'll get an architect, an auditor or an assessor role. Then you can get into a management type role, which would be your director or manager type of role within an organization, and then potentially, you could become the CISO for that company. So those are or for a different company, right? Those are the typical path to be when you're trying to work your way up within an organization, and so those are the typical roles that you would expect.
Speaker 2:
Now one thing you go is how do I get all this information? Now, we kind of talked about it earlier, the continuing education piece of this. There's podcasts, there's blog posts, there's training venues such as Black Hat or DEF CON. There's local training venues that you can go to, such as your organizations that have different meetings ISACA, ist squared meetings they're all available for you. Mentorship or networking, going out on LinkedIn and reaching out to people I have individuals reaching out to me asking for mentoring. What should I do? People that go to CISSP Cyber Training they can actually sign up for my mentoring program and they can get one-on-one training with me specifically walking through their cybersecurity program, working through their career path, helping them with their company or their organization. All of that stuff is available to you in that regard as well. Different types of mentorship meetings you can go to there's isc squared, there's the national cyber security alliance, information security forum, cloud security alliance and then the sands institute. Those those are five really good networking organizations and and if you follow them that they will take you a long way. They're really good companies to work with, and so that's kind of the overall view of the cybersecurity training path and what you can do. So I'd highly recommend you go to CISSP, cyber Training.
Speaker 2:
You can actually look at the outline. It'll help you kind of jog your memory. Feel free to reach out and email me. Like I said, I'll get to you if I can. It just help you kind of jog your memory. Feel free to reach out and email me. Like I said, I'll get to you if I can. It just depends on, obviously, my workload with my day job and then my family and so forth. But I'm happy to respond to you if I can and help you down this path.
Speaker 2:
Now I want to roll into something called Drago's Community Defense Program. The reason I'm focusing on that again OT security. But I really want to start kind of bringing up some of these different vendors that are out there that I've worked on. That I'm working on just to kind of give you some guidance around what are they, how do they work, the 100-foot view of these programs, because it gets you some more knowledge around them, especially as you're learning these security tools or the security knowledge in space. So Dragos Community Defense Program this is CDP. Now I've got some friends that are in Dragos and they gave me this information and it's very, very good. I mean, honestly, I'm very excited about the fact that they do this and there are other companies out there that do similar products, and if you are listening to this and you are a different company and you want me to highlight one of your products, hey, send it to me. I'll check it out and maybe we'll put it on the air. But anyway, at the end of the day, dragos has got a really good program and what it's designed to do is it's designed for small businesses, but mainly the critical infrastructure, such as water, utilities and so forth, and they offer their services for free.
Speaker 2:
If you're a small community, that is $100 million or less in revenue, so that's a pretty small town, right? I was just asking my wife who's on the city council going? Are we 100 million? And I probably were not. We're probably higher than that, but it's free offerings. But even at the prices, if you are over 100 million. Talking to one of my reps there, I feel that they will work with you as much as they can. They are very passionate about protecting the OT environment.
Speaker 2:
I had an individual reach out to me from Singapore and he's concerned about it from a Singaporean standpoint, of the same challenge they have around OT security. Well so OT, what it does is it's designed to be within your platform. They have a platform software that they put in that is, in your process control or your OT environment, and it deals with asset visibility, inventory, threat detection, vulnerability management, and then it also has different response playbooks for that OT thing, which basically means if something bad were to happen, they have playbooks to operate on to help fix the problem. And these are really important to have these playbooks because they give you something In the flying world. We had a checklist we would go back to. It's very, very similar to that. They also give you membership in their OT cert, which offers toolkits, guides and how-to videos for helping people to understand what's going on, and then it's for members-only working sessions to build out cybersecurity capabilities as well.
Speaker 2:
They have another program called Neighborhood Keeper and this is a part of the collective defense and community threat. So what it's basically designed is it's like a hive where if someone gets attacked and they use a certain technique, the community will talk. The community will not. People will talk. I mean they do, but these systems will talk so they'll know that hey, someone's attacking a water plant in Texas. What are they using? And now, if you have it at a water plant in Kansas, you may have to get a heads up on that. This is actually occurring. So it's great, it's awesome opportunity and it does.
Speaker 2:
I think I feel it's a really big factor is so often these attacks happen and they happen in a stovepipe or in a silo and no one really knows about them. This is going to be one of those pieces where this is happening Threat hunting. They also will go out and do automatic analysis and participants of telemetry by the experts in OT and threat hunting. So they do all of this for you again, looking for these threats. Now they focus on 100 million or less because those are usually pretty tiny networks. They're not very big and the threats are usually probably pretty small, so it doesn't take a lot of time for them to do threat hunting within that network. But it's a great product. Even if you're a large corporation and you need it and you are concerned about your OT environment. They do a really good job in this space. And then it gives you access to the Dragos Academy, which is on-demand training and education for OT, cyber and their Dragos platform. So it's a lot of different aspects that they can give you for the training you need.
Speaker 2:
Because, again, I talk about my small community the IT professionals that work in our community very smart people, very good at what they do, but they are limited in some of their capabilities because they're IT focused. They're not necessarily cybersecurity focused. Well, now you just magnify that times how many different communities within the country, in the United States and around the world that are in a very similar boat. It doesn't matter whether you're in the United States, singapore, malaysia, china Everybody's got the same challenge. They do. There's just not enough security resources and everything is interconnected. Saw this coming about 25 years ago and it's going to get worse, unfortunately, now. Who is this designed for? Again, we kind of talked about $100 million as the annual revenue. It's US-based water, electric and natural gas providers with less than $100 million in annual revenue and they offer free access to the software itself. Million in annual revenue and they offer free access to the software itself. This initiative does help organizations improve their security and reduce their overall OT risk. And it is a comprehensive program that does combine the education, the technology and the overall community to help bolster or make them stronger the cybersecurity critical defense against these critical infrastructure locations. So again, very cool.
Speaker 2:
I highly recommend them. I've used them in the past. They're a great company. I really I just I like the people. But again, if you are interested in, if you're a community or company out there looking to have some of your security stuff brought up on my podcast, reach out. I'm happy to look at what you have and I'll introduce at least the concepts. I'm not going to give recommendations unless I've actually worked with the product. I've worked with Dragos and I'm really happy with them, but I will talk about different pieces of this.
Speaker 2:
So if you deal with Azure Sentinel, I'll talk about Azure Sentinel. I've never really used it. I understand how it works and I'll kind of address those things, but that's for people to understand. What does Azure Sentinel do? That's the ultimate goal, right? So that is it. That is all I have for today.
Speaker 2:
I hope you guys have a wonderful day. I hope you learned a lot from this training program. It is going to be available on CISSP Cyber Training. Go check out CISSP Cyber Training. There's some great resources out there for you. There's a lot of free resources. There's going to be some changes to, potentially, my financial structure on that as well.
Speaker 2:
I really want to give back to the community and I also want to. We have a thing that's important to us is I want to fund a nonprofit that is for adoptions. One thing we if you guys have seen my about page we've got four adopted kids from all over the globe and one thing when you get into the adoption space that's really challenging is the financial aspects of it. So I'm starting up a nonprofit that's going to be focused on helping people with adoptions and helping fund that. And so CISSP cyber training it's probably going to happen, but I'm going to end up making majority, if not all of the funds that come in through CISSP Cyber Training will be put into that foundation to help with adoptions. So that's the plan as of right now. I'm heading that direction, just waiting for the dear Lord to tell me what he wants me to do, but I feel that that's probably where it's going to go, so that I will not take any of the financial aspects that come from CISSP cyber training and I'm going to put all that into the adoption space.
Speaker 2:
Now, on that flip note is I know it's expensive to get into CISSP or into learning getting your CISSP. I also want to have options to help people in certain situations. Right, there's some of that's going to be available to you as well, but the ultimate goal is I want you to learn security so that you can protect our globe. Two, I also want to help fund adoptions for people who really want to bring help kids, because that's an important part of what I've been called to do. And three is I just want to give you an opportunity so you can do it in a cost-effective manner that helps you and your family. All right, that's all I've got for you today. I hope you guys have a wonderful, wonderful day and we will catch you on the flip side, see ya
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!