Navigating Cybersecurity: From B-1 Bomber WSO to CISO at Global Multi-National Corporation
Jan 07, 2025
From the cockpit of a B-1 bomber to the nerve centers of global cybersecurity, I, Shon Gerber, invite you to explore the thrilling transition that shaped my career and mission. Discover the unexpected parallels between flying high-stakes missions and safeguarding billion-dollar enterprises from cyber threats. This episode offers a personal narrative of my journey, highlighting my experiences on the US Air Force Red Team and the critical role these played in forging a path into the world of cybersecurity. You'll hear about the moments that defined my career, my insights on balancing family life, and my commitment to making cybersecurity accessible and effective for businesses everywhere.
Join me as we navigate the complex challenges of managing security for a Koch Industries company, where I held the reins as Chief Information Security Officer. Learn how I tackled the intricacies of protecting intellectual property and global operations, and why I believe that preparedness is the strongest defense against cyber threats. We'll discuss my transition to consulting, my teaching experiences at Wichita State University, and the pressing need for businesses to fortify their defenses against hackers. Through this episode, I aim to empower you with the knowledge and tools to reduce cyber risks, ensuring your organization's resilience in the face of potential attacks.
TRANSCRIPTS
Speaker 1:
Welcome to the Reduce Cyber Risk Podcast, where we provide you the cybersecurity training, tools and expertise you need to protect your company from the evil hacker horde. Hi, my name is Shon Gerber and I'm your host for this action-packed and informative podcast. Join me each week as I provide the information you need to secure and protect your organization and reduce your cybersecurity risk. All right, let's get started. Give it up. Hey, this is Shon Gerber with Reduce Cyber Risk, and this is the introduction to what Reduce Cyber Risk can do for you, as well as a little bit about myself and the overall products that come with Reduce Cyber Risk. The purpose of Reduce Cyber Risk basically, in a nutshell, was I saw I've been doing cybersecurity for many, many years right now, and I've been seeing that a lot of businesses and a lot of people in general struggle with understanding the concepts, not because they're not smart or they don't understand complex ideas. It's the fact that it's just a different language, and so the ultimate goal is to create a product that will help you reduce the risk to your company, help you understand how to mitigate this risk and provide you a service that really is second to none. But before we get into that, let's just kind of talk a little bit about and show you a little bit about myself. So if you have a chance, you can listen to this through a podcast or through some other media that we have. The ultimate goal is to kind of show you a little bit about me and my background. So my personal life. I'm married. I've got seven kids. I'm married to the same woman I have been since we met when we were in college, and it's amazing. I'm very blessed and because of that, we have three biological children, as well as four that have been adopted from both China and Uganda. If you see this picture, you can go to Reduce Cyber Risk and you can actually see a little bit more about my bio there.
But you can see my family is amazing, right, very blended, very awesome. I've got two baby grandkids now, and I'm just super excited about that.
Speaker 1:
I've had no formal education. When we're dealing with technology, though, as we started this journey, my background was actually being a pilot. That was my ultimate goal was to fly airplanes for commercial airliners as well as for the US government. That was my ultimate plan. But since then, life has changed, right, I've had more kids, I've grown in different ways, but bottom line is is that life was throwing me a different avenue. Well, I became the CISO of an organization. We'll talk about that. I'm a college, I've been a college educator and now I'm a consultant for a very large company here in the United States, as well as for myself. So I do a lot of different things and the ultimate goal is to grow in my knowledge of cybersecurity.
Speaker 1:
So, again, I started off my background with a little bit of basic programming as I grew up as a child the Apple IIe's, the Texas Instruments computers that was kind of how I cut my teeth on IT in general. But the ultimate goal was that I was going to be a pilot and I wanted to fly at a very young age and so, therefore, I went off to the University of North Dakota to fly airplanes, to be a commercial pilot. That was my goal, and I became a commercial pilot and I actually eventually became a flight instructor and was teaching people how to fly, and hence that kind of started off my whole training genre that I began from when I was just a young person up to where I am now, and I've been teaching and training people in different aspects, from flying airplanes to flying military planes to also in the process of doing cybersecurity. I then moved from being flying airplanes and I was banked as a pilot. So, back in the early 2000s, there were not enough cockpits for people, and so they would bank pilots. They would put pilots in different positions waiting for a pilot slot to open up, and I was in that boat. Well, rather than wait for something, I decided I was going to go and try to get my foot in the door and then work that route differently. So I was always kind of thinking strategically how do I take the next step? Well, I became then a weapons systems officer on the B-1 bomber, the US military, and I flew the B-1 bomber until about 2002. And it was an awesome experience. I loved it to death. It was just a blast. But you know, life changes and so, therefore, when it changed, you've got to pivot. And so, therefore, we pivoted from flying airplanes and a goal and a career towards that path into my cyber beginnings right, that's just my little where I cut my teeth and where I started getting the baby food as it relates to cybersecurity.
Speaker 1:
Well, in 2001, 2002, the B-1s went away and they left our company, or I should say our base, and they were moving to a new place around the Air Force. We had to find a new mission for our people, and so, as we looked for a new mission, one of the things that a friend of mine and I stumbled upon was the US Air Force Red Team. So back in the early 2000s, this was a pretty new concept. Now, obviously, red teaming had been around for a little while prior to that, but for the Air Force it was a relatively new concept. So the ultimate goal from an Air Force Red Team perspective was to focus on both physical and network penetration. Act like the adversary, break in, do what you need to do, get as much information as you possibly can and leave without getting shot. That was the goal. It was really an awesome plan. I loved it. It was a great thing that allowed you to be tactical, like when you're dealing with flying airplanes. It allowed you to think like the adversary. It was just awesome and it worked really, really well.
Speaker 1:
Well, we pitched this idea to the senior leadership and they were excited about it, and so, therefore, we brought these aggressors, which we called the Information Aggressor Squadron or Information Warfare Aggressor Squadron, to Wichita, Kansas, and that's where we started, at McConnell Air Force Base in Wichita, Kansas, which to this day has a very strong cyber capability. Well, we stood up this squadron with around 82 people, 40 of which were potentially going to be hackers. Now to kinders, you name it, administrative professionals. We trained them into becoming hackers and being close access type folks. So this is amazing, where we just grabbed people more or less off the street and taught them how to do this kind of capability. Now we had full and part-time employees that were doing this and we had global operations around the world.
Speaker 1:
I was part of the part that we taught the NSA red team. At that time, the NSA was just getting started. We helped teach them, and so the ultimate goal was this has kind of grown in maturity over the past 20-some years. Now, how does this all kind of play into it? Well, at Reduce Cyber Risk before I started up this company. Well, actually, I should say I started this company up first and then I pivoted to teaching people how to get the CISSP. Now, if you're anywhere, if you understand security, the CISSP is a certification. It's one of the higher level certifications to achieve to help you understand the overall security posture. Well, at CISSP Cyber Training. That is a business that I have that is designed specifically to teach people about the CISSP.
Speaker 1:
And after passing the CISSP in 2009, I then moved on to the next phase of my life. So 2011 is when I decided to leave the US military, and I decided to leave the military because of a couple reasons. One is I had the opportunity to make Colonel. I was a Lieutenant Colonel at the time, but I had the opportunity to make Colonel. But once I did that, I knew I was committed for the next three to four to five years, and I was strategically thinking, okay, is that where I want to be in the next five years or so? So the decision was made. You know what, it's time to move and pivot into something else, and hence that's what I did.
Speaker 1:
I decided to move into corporate America, so I got into corporate cybersecurity. This started off as an architect for a very large multinational global company, and the company was Koch Industries and that's Charles and David Koch. And I got in there and I worked as a security architect for Koch Industries and one of those key factors was that I was learning how this whole corporation piece works how small, in this case, very large businesses, but how businesses operate. And the point was was that I knew that I understood the military and I understand government work, but I didn't understand corporate work and how corporations ideally would be deployed. So I did that. I took a step back and worked as an architect, and as an architect, I learned so much more about technology than I would have if I would just would have walked into a director type of role, and that was the goal is to get as much knowledge as I possibly could before I got into a position where I could actually have some different type of influence.
Speaker 1:
One of the key things I did when I was in security architecture was to help with the migration from on-prem, basically boxes and server rooms, moving it to Amazon AWS, and so I was a key part of that when we were architecting this overall goal for Koch Industries. Well, from there, I then migrated to be a security operations manager. So if you're understanding, around security operations, it is the guys and gals that are watching the network, looking for bad guys that are getting into the network, and so we helped stand this up, and this was a 24 by 7 SOC that had operations around global manufacturing facilities everywhere around the globe, and this stood up the first SOC for the entire company. Now, the SOC was slowly coming out when I first got hired, but we refined it and we actually built it into a very substantial security operations center that was 24 by 7. We also developed an incident response and disaster recovery plan for the managed service provider. It is an MSP that had multiple businesses. What does this mean? Well, basically what happened is the MSP was managing all the different types of Koch companies and we created this incident response and disaster recovery plan for many of these Koch companies to deal with this. Now, again, this is in the early 2000s-ish, like 2010-ish or 2011, 2012-ish, right around in that time frame, so it's still relatively new and we built this out as a security operations and it worked great. It really did, and many of the things we put in place are still in operation today.
Speaker 1:
And from there, I also had the opportunity to be what we call a fractional CISO or a fractional security officer for many of the family businesses tied with Koch Industries. So I learned a lot is from a fractional or from a partial type of CISO work. You know virtual type CISO. Now what a CISO is I've kind of used that acronym without really saying what it actually is is a chief information security officer, and it's someone who manages the security for your organization and for your company. Now, this was a great time. I really enjoyed it. Got to see some really neat people, got to really engage with high net worth folks. It was an awesome opportunity.
Speaker 1:
But what ended up happening is shortly thereafter, another opportunity arose for me to become an actual chief information security officer for one of the Koch companies. Now, as a chief information security officer for this global manufacturing company, I was responsible for many different aspects. One we had global operations from a chemical manufacturing standpoint that was within China, within the United States and within Europe. So it's a much different scale than what I was as a security operations manager and as an architect, and I had to deal with intellectual property protection in the upwards of around $5 billion. So that's just the intellectual property protection in and of itself. That doesn't include what the company actually grossed as an overall, which is another like a $10 billion company. So again, it's not a monster company, but it's a very substantial organization based on around $10 billion in gross revenue. Now I was a security leadership and architect for both the industrial control environment as well as the process control networks and their R&D network. So I was able to take my security architect knowledge as a CISO, be able to embed that within the organization, and so it brought a really neat different dynamic to protecting the security and enhancing the security of this organization.
Speaker 1:
I developed and implemented incident response and breach response for our various business units, again taking information back from when I was previously working for the MSP and putting that into the business. Deployed and created disaster recovery and business resiliency programs and then also implemented a compliance and regulatory program as well. So all of these things were done with this company and also helped with mergers and acquisitions. So a lot of great things happened while I was working in corporate cybersecurity and I just recently left them, about a year ago, to go start into the consulting gig. But before I got into that, one thing I thought I didn't have in my bucket list that I wanted to do was I wanted to teach college-type cybersecurity and I was given the opportunity to do so through a friend of mine who was running the program at a local college. Now this is Wichita State University and I worked there for about two years as an adjunct professor under cyber risk management and cyber physical systems. Now these were 400 level courses that I developed and focused specifically around cyber risk. The goal was planning on organizational readiness, incident response and the planning that's associated with it, and then I also helped teach disaster recovery and preparation for operations and maintenance. So, as you can see, this whole thing has kind of built over the years with a lot of great experience that has come to the table.
Speaker 1:
In cyber physical systems, I took my knowledge in industrial control environments and baked that into IoT through different AWS environments and creating an AWS core as well as the IoT platform in the cyber physical systems. So this generally comes down to the ICS, IoT, process control, SCADA type environment; that is what cyber physical systems is. So if you're listening to this and you deal with manufacturing, that is right along the lines of what you do on a day-to-day basis. That's the cyber physical systems. So again you can see, over the 20 some years of being in security, it has built upon layer upon layer upon layer and the goal again is to provide the best level of training that I can to individuals, and then training and consultation.
Speaker 1:
Then I decided to move into consulting. Okay, I just ended up. A contract was a recording of this but I had one year with a healthcare, a very, very large healthcare organization, and we had two multi-million dollar projects. We worked with this healthcare organization and focused on insider risk as well as network decryption and encryption. On top of that, I also acted as a security leader for this healthcare organization, and again it's very large, basically through the Midwest, and the ultimate goal was to help them with, one, leadership, two, helping them with insider risk, and then also DDoS detection and cloud monitoring and security. So all these things that have built from being a red teamer to architect and then into being a CISO all play into how we provide a consulting capability and, at the end of it, provide a great way for us to be able to help reduce the risk to your organization. So here's just some of the certifications that I have, and again, I'm one of those that is not a firm believer in certifications. I think they're important. I think they're important for people to get. It helps people stay sharp, but at the end of the day, it's your experience beyond the certification that really kind of helps hone what you know and what you don't know. That being said, you can see some of these are some of the certifications we have, from CISSP, Network+, Security+ and so forth.
Speaker 1:
Now, the purpose of Reduce Cyber Risk, and I alluded to it at the beginning, was training for businesses in cybersecurity. That was the goal: create some level of training for people in the security space and for businesses to help reduce your risk. Provide knowledge around cybersecurity risk. Focus on cybersecurity frameworks for educational purposes and help you grow your organization, not necessarily people wise, but security wise, through understanding the various cybersecurity frameworks. Train your employees and professionals related to cybersecurity. Provide insight around concepts and tools. One of the things that I've worked with people in the past on is they don't understand all of the various tools and how they work within their company. My goal is to help you with that, also introduce you to cybersecurity partners and assist in protecting all of your assets.
Speaker 1:
Now, okay, I'm awesome. Just ask me. I'm awesome. No, I'm not. I know a lot of stuff. I'm very blessed to have been experienced and be able to gain a lot of information. However, I am not the be-all, end-all to help you with your cybersecurity needs, and so, therefore, we have partnered with people and we surround ourselves with people that are much smarter than ourselves, and that's what we've done with Reduce Cyber Risk. Again, the ultimate goal is to provide you what you need to help protect you and your company. Now here's some of the training topics we'll get into: obviously fundamentals around business, emerging security threats, assessments, audits, organizational gap assessments.
Speaker 1:
The thought process is that I want to educate you around security, so that one, you're going to need a security professional at some point. Now, depending on the size of your company, you may want to grow that in-house, which I totally agree with. In many cases, I think that's the right approach, but the goal is that you need to kind of understand what you should look for, what you should help train your people on. That is the plan, is that we can help provide that basic level knowledge of what it takes to protect your company, but, at the same time, if you feel you need security services, Reduce Cyber Risk is here for you as well, so we'll provide security awareness training for your employees and your shop workers. It's there, it's going to be available to you in some form or fashion. You can take it, build upon it or, at the minimum, you can hire somebody like us to help expand it for you. Cybersecurity product reviews. I'll be meeting with people around different various products that are out there and do reviews of those.
Speaker 1:
Again, this won't be all inclusive, but the goal is to try to take the complex and make it a little bit more digestible. One of the comments that I've used in the past, one of the statements I should say that I've used, is that I want to take something that is higher level, like maybe college level type of knowledge, and break it down to the third grade level. The goal is not that you're going to take something and, I hate this term, dumb it down. No, there's no dumbing anything down. The folks that are listening to this, you guys, are very smart. You all are very intelligent. You are not foolish people. That being said, you understand your place and I understand mine. The goal is to take this knowledge and break it down to a level that's easily transferable and easily understood, and most people agree the third grade level, basically middle school, a little bit below middle school, is where people can best communicate, and therefore that is the goal: break it down to a level that you can understand so that you can then take action upon it. Again, we're also going to be doing referrals for pen testing, security assessments, virtual CISOs; any of those things is going to be available to you and we're going to provide that as well.
Speaker 1:
So, if you need it, we're here for you, bottom line. Okay, what can you expect? So the goal is to give you weekly updates on security threats that may affect your company. That's the goal, right, if we can do that. Now I will tell you that going forward, initially it may be once every two weeks. I've got the podcast that is going to be out there hitting the streets. About once every two weeks is what my goal is, and initially, if I can get enough traction, I'll go once a week. But the ultimate point is to provide consistent content out there so that you can take this information and then be able to use it to protect your company.
Speaker 1:
We'll discuss risk and provide tools on how you can evaluate it with your company. I work as a virtual CISO for various companies and we can bring along some ideas around different tools that you may want to use within your organization. We'll discuss cybersecurity terms, topics and protection mechanisms, as well as what are the different aspects to make happen for your company. We'll provide guidance and training over cybersecurity frameworks. These are going to be an important part. Again, the reason I like to lean on cybersecurity frameworks is because it's duplicatable. You can follow the steps. It will walk you through what you need to do.
Speaker 1:
Now, if you're just coming to this and you're going, those frameworks are great, but they sound like I'm just reading stereo instructions. I can't understand what they're saying. That's the purpose of Reduce Cyber Risk, is to provide you some of that knowledge and to kind of break it down to a level that you can understand what they're actually asking you. Because, again, you all that are listening to this most likely are running a business. You're dealing with a lot of people, whatever it might be. You don't necessarily have the time to deal with security, or you want to know more about it, but you feel uneducated and you don't really know how to communicate with people about it. That's the purpose of Reduce Cyber Risk. So again, the ultimate goal is to get you what you need to help you get rid of the evil hacker horde and to avoid being hacked. That is the ultimate goal. All right, that is all I have for you today.
Speaker 1:
If you have any questions, please reach out to me at contact@ReduceCyberRisk.com, you can see it here on the screen, or just reach out to me at ReduceCyberRisk.com. There's a place you can go in there. Or, if you want to reach out to me as well, I think shon@reducecyberrisk.com is another way to get a hold of me. So there's lots of ways to do it. I'm here to help you. Truly. I just want you to be successful.
Speaker 1:
I am so sick of the hackers taking advantage of people and businesses. I own multiple businesses that are not cyber related, and you know what I don't like the fact that I have to be worried that someone could hack my accounts and steal everything that I've worked for. You guys have worked really hard for your organizations. Whether you own the company or whether you're invested because of your leadership within that role. You've worked really hard. You don't want something to happen to it. You don't want to have to deal with it. Let us help you at Reduce Cyber Risk. At least get you in a good position so that, if one, it does happen to you, you're better prepared, and two, if you are better prepared, maybe they'll move on to somebody else, because that's how we want it, that's how they roll. All right, that's all I've got for you today. Have a wonderful day and we will catch you on the flip side, see ya.