CCT 156: Security Configuration Management, Change and Communication Best Practices (Domain 7.3)

Jul 08, 2024
 
Is a four-year college degree necessary to break into the world of cybersecurity? Discover why practical experience and industry certifications might just be your golden ticket to a thriving career in IT. In this episode of the CISSP Cyber Training Podcast, host Sean Gerber unpacks Domain 7.3 of the CISSP exam, emphasizing the significant shift in the job market. With over 7,500 new IT roles added in June alone, Sean discusses how transitioning from general IT to specialized cybersecurity roles can open doors to better opportunities and career growth. He also highlights the growing importance of networking knowledge and the benefits of pursuing roles in architecture and networking.

Ever wondered how to avoid security vulnerabilities associated with unmanaged device additions? Explore best practices for security configuration management as Sean underscores the essence of having a well-defined asset discovery and configuration management plan. Delve into the risks and benefits, from establishing security baselines to adopting scalable solutions for large networks. By referencing NIST 800-128 and tools like Microsoft’s SCCM, Sean provides actionable insights to help you secure operating systems, devices, and applications, thereby reducing your organization's attack surface.

Effective change and communication management can be the backbone of a secure IT environment. Sean breaks down the complexities of these processes, highlighting the value of automation, structured change control, and clear communication strategies. Learn about the importance of having a canary group to test changes before full deployment and the critical role of training both new hires and seasoned IT professionals. Finally, Sean wraps up with the vital importance of comprehensive study and preparation to ace the CISSP exam, offering resources that support not just your career, but also a nonprofit dedicated to adoptive families. Join us for an episode packed with insights, practical advice, and a roadmap to cybersecurity success.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go. Cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a wonderfully blessed day today. Today is an amazing day. We're going to be talking about some awesome stuff as it relates to the CISSP Domain 7.3. So you know, we're marching down the CISSP training path and trying to get.

Speaker 2:  

The overall plan is to get you as much knowledge as you can to help you pass the CISSP exam. I keep getting tons of emails from folks that have passed the CISSP and they're very excited about that and they do enjoy the podcast and the overall training. So I guess that's a little bit of self-promotion. But bottom line is, I'm doing this for two reasons. One is so that you pass the CISSP exam, because that's, I failed at it and we want to make sure that it gives people an opportunity that may not have some of the expertise and knowledge To be able to, or at least have maybe not all of the knowledge you need to pass the CISSP, to give you that that point, that thing that you need to get you across the finish line. And the second thing is is we want to promote the site and offer up our services for a way, a price, that can then fund our adoption for or not our adoption our nonprofit for adoptive families. So the overall goal is I want to use this money, that any money that's gathered from the CISSP Cyber Training Plan is. All of that money goes to fund the non-profit that my wife and I have set up for adoptive families. So again, you got to give back, you got to provide stuff for other people, because in reality, that's all what we're here for.

Speaker 2:  

So, real quickly, before we get started in today's plan, we're going to get into an article I saw on Computer World and it talks about how many jobs are available in technology in the United States. Now, interesting part of this, I've had some individuals reach out to me that have been laid off in security not security in the IT world and they are trying to pivot themselves into the security space so that they are better positioned for the event of a potential downturn when it comes to IT professionals. Now, if you look at this article from Computer World, it talks about that there are right now, more than 7,500 new workers in IT. This just basically this past month. So that's a lot right. So that's the month of June and industry added about 7,500 new US workers more than any month this year, so it looks like it's growing. I would say that's probably going to be some pivoting, and where that means is that as folks move into new sectors of the IT space, there's going to be new jobs created, but I do feel there will be jobs that are going to be destroyed or repositioned, and so if you are a person that's working in the IT space and you want to have some more experience, obviously cybersecurity is a big factor. If you have some of that and you can gain some of that knowledge, that would be valuable. But one thing I thought was interesting in this overall article they talked about a lot more certifications that are happening and therefore there's also some other key parts. That I thought was interesting as it relates to college degrees and when we're talking about overall employment, you guys can check it all out and look at the different details around it. But they said the greatest uptick has been in software developers. Obviously, I can see that happening as we are becoming more and more dependent upon the software development space and those individuals. You can see that that will have a significant growth in that area.

Speaker 2:  

But one thing that I've seen it coming by myself over the past few years, including when I was hiring individuals, is that we removed this requirement of having a four-year college degree requirement. So if you're a college person, you might be going. Well, why am I getting my college degree? I feel that if you have a degree in IT, that's valuable. I think that still having a degree is in many cases, allows you to check that box, to get in the door for an opportunity. However, I do believe, and strongly believe, that this is not a requirement. Removing having a four-year college degree is not a requirement in IT. It gives you some experience, some I would some say in some knowledge base, but when it comes to the overall making you a better fit for a role within a company the four-year degree isn't necessarily what is required. In my humble opinion and again, that's just my opinion After teaching in college for a couple of years and then hiring people from colleges and now being a contractor working for other companies, I don't see it as a requirement. I do see it as a nice to have Now CompTIA. They had been the ones that helped get some of the numbers around this article and CompTIA, if you're not aware, is one of the main certification companies out there. I've gotten many of my certifications through CompTIA as well. But they talked about network support specialists, it support specialists, system admins, network architects and data administrators. So all of those are the different kinds of growth opportunities they saw in the month of June.

Speaker 2:  

Bottom line is if you are getting into cybersecurity, I would highly recommend that you strive to be into the architecture space, and I'd also strive very strongly to understand networking After dealing with employees. That is not a well-known topic. Networking isn't, and I will point to myself. In some respects I understand networking, but I don't have the same level of knowledge that I probably need to have related to the networking environment. So grow your knowledge in that space. It can be extremely valuable, especially as people move and migrate into the cloud. Okay, so that was the main thing I want to talk about. This article as it relates to the college degrees talk about. Jobs are increasing in the United States in the IT space, but they're becoming very specialized in databases. I see more in cloud and then also in software development. Those are some of the key parts that came out of this article, so let's go ahead and let's roll into what we're going to talk about today.

Speaker 2:  

Okay, so this is under domain 7, 7.3, and we're going to be getting into performing configuration management. Now, this is taken out of the CISSP's ISC squared book that they have and that's the Certified Information Systems Security Professional Official Study Guide. Now, this is based on the 2024 book. I will say that the fact is that the 2021 and the 2024 have not really changed much at all. The content has not. There's been a small subtle increases, but mainly the only increases have been around what questions they're asking. So this content will be good for 2024 and it will help you pass the test, no doubt.

Speaker 2:  

Okay, so let's roll into 7.3. So, as we're dealing with configuration management and now this is going to be a subject we're going to go through a little bit here that is covered in other areas of the CISSP, but this kind of focused this section in 7.3 specifically around what is configuration management, specifically around what is configuration management. Now we're going to get into configuration changes, change control and so forth, but when you're dealing with security configurations, asset discovery is a key concept to ensure you have some level of protection for your enterprise networks, and that means you must have the ability to discover what assets are on your network If you don't have a good understanding of the assets that are on your network, it's really hard to protect them. I will say it's one of the biggest challenges that a large organization will have is around asset discovery, especially if you allow your employees or you allow individuals within your company to be able to install assets without a proper change control process. And what I mean that is that if you have an individual at a remote location let's say I'm in Wichita Kansas, let's go Tulsa, oklahoma, and you have a small shop in Tulsa, oklahoma, and because of that, your IT professionals are in Wichita, kansas, so they're two and a half hours away. So what you've done is you say you know what I'm going to allow you to have admin access to one or two people there in Tulsa so that they can install devices down in Tulsa. For you.

Speaker 2:  

Which is a logical thought process and that would be one that you would probably want to drive towards is having one, maybe two people with the ability to do that, or have the remote capability so that someone can do the remote access or the remote adding of these devices to your network. But what will happen? What you will see is, as this one or two people down in Tulsa, oklahoma, decides they're putting devices. Well, then the manager down there will come up to them and say, hey, bill, I need you to add this to this network or I need you to add that to the network. Them and say, hey, bill, I need you to add this to this network or I need you to add that to the network. And next thing you know, bill has added 30 new devices to the network in Tulsa and nobody knows about it. And so now you've got. The only people that know about it is Bill, because maybe Bill's supervisor came to him, maybe the plant manager came to him, maybe somebody else came to him. Next thing, you know, it went from having one device to 30 devices and no one really has a true understanding of what is in the network. And this is a really bad place to be, because this is where now you have.

Speaker 2:  

All these devices that are potentially vulnerable or could be vulnerable in the future are now open for discovery by bad people as well as good people. So you need to have an asset discovery plan designed around your environment, and it does provide the understanding of the overall risks to your environment. It does help you understand what is going on. It helps you basically understand how are the different risks that are involved and if you understand those assets, like, say, for example, you have all Windows 95 machines. So some of you folks might be listening to this going what is Windows 95? It is something really old, really archaic and you would think should never be run in a network. But yet it does. It is on networks, many networks. It's also in many process control environments. So that is a big risk. It does allow you the one thing when it comes to overall understanding configurations it will also allow you to track and correct all authorized devices. So it allows you to have the ability to manage these devices both remotely and, obviously, in person.

Speaker 2:  

And then also, what configuration management does is it allows you to discover any unauthorized devices within your environment. So I say any, that's a very broad term. I would, and this kind of comes out of the book. The goal is that if you have a good configuration management plan, you will discover any and all unauthorized devices on your network. Yeah, that's kind of a little bit of smoke and mirrors, I'm sorry. You know someone might tell me. Well, that's not right Now. The book answer would be any and all devices. That's what the purpose of it is. I would say that that's wrong, though, because you're going to struggle finding any and all devices. You will miss some, you just will. But the goal, though, is that you miss very few, and then the ones that you do miss, you quickly remediate. So now security configuration management.

Speaker 2:  

This comes out of NIST 800-128. The discussion around why you have to have it, and then we'll get into some more details around change control and so forth, but security configuration management again NIST 800-128, it's a software-based. They have various software-based security configuration management solutions to help you reduce this plan, or the attack surface, I should say, within your network, and what these are is there's like. Sccm is a good example of that. That's software configuration. It's Microsoft's product, and what that does is it provides you ability to deploy patches and equipment to various locations within your network, and SCCM is one example of that. There are many others, and this was that one from Microsoft, but there's other software configuration management tools that are out there as well, and they are designed to help you manage the operating systems, the applications Applications, is it depends but the network devices as well.

Speaker 2:  

The main thing you really want to understand, and when it comes to configuration management is you break these down into the physical device. You have the operating system that the devices obviously have as their operating system, their host, and then you want to have the applications. Those are really the three main attack vectors. Now, there's a little bit more involved in that as well, but the device itself, if it's a VM or if it's a physical device, your application or your operating system, and then your application. Now, if you can realistically and we're talking about risk if you can control the risk to your operating system, that's a win, and if you can do that automated, that's even a bigger win. If you can control the updates to your device right beyond the firmware and so forth, if it's a package, if it's a virtual machine and you package it up, if you can control that, then that's a win.

Speaker 2:  

When it comes to the applications, they get very, very convoluted and they also have a lot of application sprawl, which means people will add applications which may or may not be fully supported, and these SCM solutions are designed to help you update these applications. But the problem with that is that they don't always update well. They do tend to break things and I would say, if you're going to focus on from a real world perspective. If you can get two out of the three, that's a win. That's a huge win versus what happens in so many cases is people feel they have to eat the elephant and they can't eat it because it's so big, and I had to break this down with us. So if we can get the operating systems patched, awesome. If we can get the devices patched and updated, awesome. And we can do this on a routine, automated basis, incredible. If I can't get the application, well, let me get what applications I can get and then focus on that, because the applications will be huge and I know I've spent a little bit of time on that, but I'm just trying to focus and have you guys understand.

Speaker 2:  

The applications are one of the hardest things for you to update and patch because there's just so many moving parts related to it. Now, when it comes to requirements, there are regulatory requirements that force you to do this, that force you to have a security configuration so many moving parts related to it. Now, when it comes to requirements, there are regulatory requirements that force you to do this, that force you to have a security configuration management plan. That's PCI DSS, which is obviously your payment card industry. Then that's the data security standard. They have Sarbanes-Oxley, that's your SOX, and then they're also the Monetary Authority of Singapore, mas, that's another one as well. Many of them will require you to have some level of security configuration management. Iso 27001 will actually have that as well. So they're just stating that they want you to have this defined plan. You use some software and you have a plan to do so, versus just kind of winging it.

Speaker 2:  

Security configurations consist of four specific steps Now when you're dealing with. Step one is the asset discovery. Step two is defining an acceptable security configuration as a baseline for each device type. Step three is to ensure the security baselines meet your internal security policies. Obviously, you want them to meet what you have already in place, or maybe make a change to your internal security policy and then manage devices based on a predefined frequency, based on the specific policy itself. So again, you want to update these once every quarter, once a month, once every six months, once a year. You have to have that defined based on the policy you have. If you have a policy that says we will update our devices once a year, then you have your product that is set up to do that specifically as well.

Speaker 2:  

Now, one other thing you need to think about as you're relating to configuration management is obviously your operating system and your application support. I kind of hinted at this a little bit earlier is if you have good support for your applications and your application owners can get you those updates and those patches, this works well. Again, where it runs into problems is because if you look at a large enterprise, just to say a very big company, you have hundreds upon hundreds of applications, so updating them can be extremely painful. But if you have good ownership of who owns those applications and they can get updates from the vendors that have created those apps, then it can go okay. And I'm saying okay because it does not go well, let's just be honest. But at least if you have good plans and good processes around these applications, you can do it. Os is different, right, because you can control what operating systems are put in your network. If you don't control the operating systems well, then you have another, bigger problem. So again, understanding operating systems and the devices that run them is an extremely important factor.

Speaker 2:  

Policy flexibility is a key and sometimes we can become too draconian to set in our ways as it relates to the policy, stating I must patch every month, okay, well, maybe you need to have a risk-based approach to that. Maybe that is something you need to look at when it comes to patching. Do all my patches have to go through a manual change control process? Okay, is that flexible? No, but some companies will require that and that's fine. It's just knowing full well that that will add a lot of bureaucracy to your company. By adding all this bureaucracy, it will add time. It will also add the ability for mistakes to occur. I'm not saying you have to just go and hit everything on auto-update. That could be very bad as well, very problematic. So you need to have a good understanding of your policy and what you're trying to accomplish.

Speaker 2:  

Can you scale it? Again, we talk about the Wichita main campus and then you have the Tulsa remote office. Can you scale that to the remote offices? Can your remote offices be in China, malaysiaia, singapore? How does that work when you send up updates? What does the network configuration look like to be able to do that? So, again, scalability is an important factor.

Speaker 2:  

And then, closing the operational loop, understanding how do you operate this and make this happen from an operational standpoint. Again, these are, these are not configuration management. On management from a book's answer is very simple. It's just hey, you update the stuff, you have a good policy in place, you update it routinely, hey, you're good to go, and that can happen, but it's from a greenfield approach. When we say greenfield, it means bare bones, starting up from ground zero. From a greenfield approach, that could go well. But when you're talking, you get dropped in the middle of a network that's been around for 10, 15, 20 years. It's a lot harder and if they didn't have a good change management process in place, it can be very challenging. And I would say, if that happens to you, plan on a multi-year plan to get yourself in a good position. Do not I repeat, do not try to do this within a year if you're in a large organization, because it won't happen. Have a multi-year plan to make this and get the processes in place, the people to understand what they're doing and then get the overall buy-in from everybody to make that happen.

Speaker 2:  

Now, when we're dealing with another part of configuration management, we're going to get into some key activities around some aspects of this. So you need to have configuration identification. This will establish baselines, like I talked about earlier, about the product structure, function and the overall attributes of it. So having some level to document this via a spreadsheet, whatever it might be, but you have to have the ability to document the initial hardware and the software configuration on that server. It may be something as simple as a spreadsheet. It could be something more complex as a air quotes another application that you have to manage but you need to have some way of identifying the overall devices within your environment.

Speaker 2:  

Configuration control is another factor. You need something that manages the changes to maintain system stability and minimize the overall disruption. Change control can be very, very disruptive and you need to have those changes set up in place to be able to do that. Also, an example is like you're approving and implementing security patches for an application. There has to be an approval process in place to do that. My old company we used to have a very complicated approval process that would approve monthly patches. We moved away from that to an automated plan. As it relates to Microsoft, anything that was Microsoft-related was all automated. Why is that the case? Well, because in many cases, their updates and their management of their patches is better than what we were doing, so why not do automate that? From a Microsoft standpoint, there is a risk that you could have an outage. There's a risk that you can break things, but overall, the amount of time that was spent and the risk that we received from having delays in getting our security implemented was a huge factor, and so, therefore, we automated that process as much as possible.

Speaker 2:  

Configuration status accounting. What this basically means is how do you have a way to track and report on your configuration items? Do you have a dashboard. Are you managing that with your people? Do your senior leaders see this dashboard and understand what needs to be done? And this is helpful because if you need some level of horsepower, needs a senior leader to help you get things moving, they will help you in that space. So this is where the status accounting is an important factor Configuration, verification and audit.

Speaker 2:  

This will ensure the compliance. Accounting is an important factor Configuration, verification and audit. This will ensure the compliance with the established baselines. And then you regularly audit user access permissions against the defined security policies. Again, do you have a baseline? Do you have policies in place? Are you following your policies? If you're not following your policies, then one, change your baseline to meet your policies, if that's truly what you need, or modify your policies so that it fits your baselines. It's one or the other. Just don't leave yourself in a situation where, well, the policy isn't right, so we're just going to keep pressing forward. Policies are hard because they're documenting and it's paperwork. People don't like to do it, so they just kind of do stuff. You have to slow down in many cases to speed up, and this is an area that you need to consider.

Speaker 2:  

Another part of change management is understanding, or a configuration management is change management. Now this is where you're rolling out changes. This would be around to the overall goals then to minimize the level of disruption that your company may have, and this is this. Changes can be very disrupted, so it's important that you have a really good plan in place to maintain your changes. If you are dropped in, you're airdropped into a new organization and you for.

Speaker 2:  

One of the first things you need to understand is the change control process, the change management process that they have in place. This may be a change control board. It could be along with emergency change advisory boards. They have a process. It could be one person that is the change control person. It could be a group of people that are doing that. But you need to truly understand if I want to implement changes within my environment, how do I do that If you don't have this within your network that you work at, or that, if you don't have this within your network that you work at or your business that you work at, you need to try to implement something like it.

Speaker 2:  

Depending on the size of your company, it may be a very small process, maybe once a month we do this and you have the IT director and you have maybe a couple of people from each areas and we go, hey, we're going to be deploying these changes. We need to communicate with people what's happening and that way they know what's going on. It could be a very simple process. It could be very complex and laborious. I work at a company right now that is very complex and laborious, but that's okay, that's what they do, that's what works for them and that's fine. They have figured out based on what they need to make sure that the change control process meets their specific needs and their regulatory requirements. So, again, you just have to determine what is going to be best for your organization. But this board, this change control board they will authorize changes, maintain the documentation and they will ensure that it's done in a proper way. They will review and approve any major software upgrades and changes to your organization and that's where this board is for.

Speaker 2:  

You have your emergency change advisory board and this can come by different names, like there's an emergency change board, emergency change advisory board. You can name it any different way you want to, but is there a group of people that will handle any urgent changes that need to occur and your organization may need those. If something happens and you have a patch that occurred and you have to roll back a patch, they may go to the emergency change board to go. We got to roll this back now because things are broken, so they'll handle all urgent changes that occur. They approve from emergency patches to fix a critical vulnerability to making rolling back potential changes that may happen within your organization. So it just depends on what you're trying to accomplish there. But you will see it, especially if a security event or incident would occur.

Speaker 2:  

This emergency change management plan you need to have that developed and then change request process. How do you initiate a change within your organization? What is the process to do that? Is it an email that you send a bill? Is it a ticketing system that you may have within ServiceNow or another type of ticketing system that's there? It could be a spreadsheet and you put it in the spreadsheet. But you need to have some sort of change request process.

Speaker 2:  

Automating. It is the best way you can do this because it can get very complex and very convoluted. I would also define what is needing a change. One situation I've seen is a company will require any change that is ongoing, like operational type changes so say I need to tweak something and if I tweak it I need to put in a change request. I've also seen it where in the situation of company will go and say if your change is going to affect any person you know impact the individual user, it must go through the change board. Any person you know impact the individual user it must go through the change board. If it's not, if it's going to be just a change to a configuration on a file, an application, then you can do whatever you need to do. That does not need to go through a change board. But if it's going to have a direct impact on an individual, then you would need to go through a change board or at least have a communication to your CIO, cto, one of those letting them know what is actually occurring.

Speaker 2:  

Again, it comes down to empowerment of your people. You have to decide how much empowerment do you want to give to your people? Do you want it to all be within the change control process or do you want to empower them to make changes in your network? It comes down to people, time and resources. How much do you have to be able to manage all of this yourself? So you need to consider having a change control or change request process in place.

Speaker 2:  

Last thing around change management you need to understand the communication piece of this. This is determining how the changes are communicated to your people. Now, this can be done in a couple different ways. It can be sent through a post on SharePoint. It could be sent through email. It could be in a DM that's sent to all your individuals. You need to determine how are these changes communicated and who are they communicated to.

Speaker 2:  

One thing I did forget to mention when you're dealing with changes, you may want to consider a canary group, and what I mean by that is that is there a group of people that can test your change prior to it being rolled out to the overall populace, so that they may be individuals or a bunch of IT savvy folks that are willing to accept a change on their computers prior to it being rolled out. And the purpose is that if there's anything blows up, it blows up on a small subset of people versus everyone. So you may want to consider having a canary group or a test group within your organization before you roll out massive changes to your company. Sorry, I just thought of that. Now, the other thing around communication, though, is that you need to determine how it's communicated, and then how are you going to notify the users on any upcoming system maintenance that may be occurring? Again, it can be as simple as sending out emails, but in most cases, if you're going to be doing something that's broad brush to the organization especially if it's extremely disruptive you may use multiple communication channels. You may use email along with posting on a SharePoint or internal website of what's actually going to be happening with the change, and you also may tell your service desk or your client support people whoever's taking phone calls for service requests that a change is occurring, because one people will call in and they didn't get the memo, they didn't see it on the website, they didn't pay attention. You're just going to have to think about multiple ways for this change control process to be articulated and sent to individuals within your company.

Speaker 2:  

Now, as it relates to training, you need to develop a training plan for configuration and change management, and it's important that you have this in place one to train new people that are coming on how the change management process works as well as any, and that includes employees as well as IT professionals as well. It's especially easy or helpful when you're dealing with helping your IT staff. I will tell you that I've run into more situations than I can count of being dropped into an organization and then trying to figure out the change management process, just to find out that I've wasted a bunch of time not doing the process the way it should have been done or just doing a process that really was not required. So having a way to train your IT staff on the change control process can be extremely valuable. It will help you with reducing any waste you may have within your company. But, again, you must have some level of training.

Speaker 2:  

So if you're paying attention to the CISSP cyber training the goal of this is to one. I'm giving you the details you need to help you pass the CISSP, but also giving you that real-world experience as you go into working at a new company, some things for you to keep in mind. It's the hacks of the IT cybersecurity world. So, again, training is an important factor because if you can have it and this training can be very, very simple Do not overcomplicate it. I've done that myself and I've seen it done time and time again. People will overcomplicate the training piece of this. It could be as simple as this is what you do you submit the ticket to this to XYZ, and then you let Billy Bob know. It could be that simple, right? But just know that Billy Bob will leave the company at some point, so you've got to have plans to deal with the loss of Billy Bob. All right, if you're watching this from Singapore or China, you're probably going. I don't know who Billy Bob is, that's okay. None of us do either. He's just this fictitious person who is always involved in IT. Okay, that is all I have. As it relates to configuration management, again, this is domain 7, 7.3. And this is configuration management for the ISC squared study guide based on that. And this is for getting your CISSP certification Head on over to CISSPcybertrainingcom.

Speaker 2:  

Again, head on over there. I've had a lot of great success Now, it's not me, but people have had a lot of great success with my training programs and I also recommend you utilize other resources out there because people learn differently, but they've been very successful with my program. You can go out there and I have my base level program. It's offered to you at you pay what you wish. Okay, I will have a base that I'm gonna, a baseline that I'm gonna be setting, but right now it's pay as you wish, and the goal is is that all of the funds, everything that comes in through cissp cyber training, is going into our non-profit to help adoptive families.

Speaker 2:  

I I have four adopted children. I have seven children total. My children come from China and Uganda and I am an adamant supporter of adoptions for people around the world and we want to be a supporter of that, and I know it's extremely expensive to do so, and so therefore, we feel that any funds that come out of CISSP Cyber Training need to go directly into helping adoptive families. Again, it's all for that. So any purchase you make on CISSP Cyber Training goes 100% to this foundation. It does not come to me any longer. Basically, it comes right down to it is. We realize that we've been called to do something like this, and so therefore, that's where all the funds will go and therefore that's what we're going to do. So if you have any questions at all, feel free to reach out to me. You can reach out to me at cissp cyber training contact at cisspcybertrainingcom. I'm happy to answer your questions if you have some, but know full well that that this program the cissp cyber training program.

Speaker 2:  

If you put it to place, you put the blueprint in place and you take the time that you need to take three, four, six months to do it you will pass the CISSP. I really truly, if you follow the program and do what the program says and you follow the letter and you focus on what it says, you will pass the CISSP exam. The problem is when people don't pay attention and they start feeling like they can short circuit the situation. You may get lucky, but I will tell you that I failed it the first time because of I thought I knew the content. I did not know the content and I thought that by just taking the, studying enough questions, I can pass the test and I can at least get through it.

Speaker 2:  

That will not work. On the CISSP, you have to know the content to be able to pass it through it. That will not work. On the CISSP, you have to know the content to be able to pass it. So go out to CISSP Cyber Training, check it out Again. All proceeds at CISSP Cyber Training go to Nonprofit for Adoptive Families. Okay, have a wonderful, wonderful day and we will catch you on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!

LEARN MORE | START TODAY!