Infrastructure Insider and Cyber Career Roadmap
Apr 20, 2026
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
A trusted administrator with legitimate access and a grievance can cause more damage than most external attackers ever will — no malware required. Shon opens with a true insider threat case where standard IT administrative tools were weaponized to lock out users, cripple operations, and attempt extortion. The incident isn't an outlier; it's a category of risk that grows wherever access management is treated as an IT function rather than a security priority. From that case, we build out the practical controls that meaningfully reduce insider threat exposure: least privilege access enforced rather than assumed, immutable backups that remain untouchable by the accounts they protect, privileged activity alerting that surfaces anomalous behavior before damage compounds, and genuine segregation of duties that exists in practice rather than only in policy documentation.
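To make the "privileged activity alerting" and "segregation of duties" controls above concrete, here is a small detection script added for this page (it is not code from CISSP Cyber Training or from the CSO article the episode discusses). It runs three defender-side rules over a constructed admin audit trail: a backup-deletion attempt by anything other than the dedicated backup service identity (immutable backups), a destructive admin action on a critical host that lacks a second-person approval (segregation of duties), and a burst of privileged actions by one account inside a short window (the "lock everyone out in a few minutes" pattern). The event format, field names, host names, account names and thresholds are all assumptions chosen for illustration.

```python
"""Privileged-activity alerting over a constructed admin audit trail.

Added example for this page; not the episode's or the CSO article's code.
The JSON-lines event format, field names, hosts, accounts and thresholds
below are assumptions for illustration, not a real product's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning: this many privileged actions by one account within WINDOW
# is treated as a burst worth paging on.
BURST_THRESHOLD = 4
WINDOW = timedelta(minutes=10)
# Assumed: the only identity permitted to touch backup retention. Any other
# account deleting backups is an attempt to defeat the immutability control.
BACKUP_SERVICE_ACCOUNT = "svc-backup"
# Assumed: hosts where destructive admin actions need a second approver.
CRITICAL_HOSTS = {"erp-db01", "file-srv02", "dc01"}
PRIVILEGED_ACTIONS = {"delete_account", "reset_password",
                      "create_scheduled_task", "delete_backup"}
NEEDS_SECOND_APPROVER = {"delete_account", "create_scheduled_task"}

# Constructed sample audit trail (JSON lines), not a real log.
SAMPLE_LOG = """\
{"ts": "2026-04-20T02:01:10", "actor": "admin-a", "action": "delete_account", "target": "it-admin2", "host": "dc01", "approved_by": null}
{"ts": "2026-04-20T02:02:40", "actor": "admin-a", "action": "reset_password", "target": "cfo", "host": "dc01", "approved_by": null}
{"ts": "2026-04-20T02:03:05", "actor": "admin-a", "action": "create_scheduled_task", "target": "shutdown-loop", "host": "erp-db01", "approved_by": null}
{"ts": "2026-04-20T02:04:30", "actor": "admin-a", "action": "delete_backup", "target": "erp-db01-nightly", "host": "backup01", "approved_by": null}
{"ts": "2026-04-20T09:15:00", "actor": "jsmith", "action": "reset_password", "target": "intern1", "host": "dc01", "approved_by": "helpdesk-lead"}
{"ts": "2026-04-20T10:00:00", "actor": "jsmith", "action": "create_scheduled_task", "target": "log-rotate", "host": "erp-db01", "approved_by": "achen"}
{"ts": "2026-04-20T23:30:00", "actor": "svc-backup", "action": "delete_backup", "target": "erp-db01-expired", "host": "backup01", "approved_by": "retention-policy"}
"""


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _alert(rule, ev, detail):
    return {"rule": rule, "actor": ev["actor"], "ts": ev["ts"].isoformat(),
            "detail": detail}


def detect(events):
    """Run all three rules and return the alerts in chronological order."""
    alerts = []
    recent = defaultdict(deque)   # actor -> timestamps of recent privileged actions
    burst_flagged = set()         # one burst alert per actor, not one per event
    for ev in sorted(events, key=lambda e: e["ts"]):
        action, actor = ev["action"], ev["actor"]

        # Rule 1: backups must be untouchable by ordinary admin accounts.
        if action == "delete_backup" and actor != BACKUP_SERVICE_ACCOUNT:
            alerts.append(_alert("backup_tamper", ev,
                                 f"{actor} deleted backup {ev['target']}"))

        # Rule 2: destructive actions on critical hosts need a different person
        # to have approved them (segregation of duties in practice, not policy).
        if action in NEEDS_SECOND_APPROVER and ev["host"] in CRITICAL_HOSTS:
            approver = ev.get("approved_by")
            if not approver or approver == actor:
                alerts.append(_alert("sod_violation", ev,
                                     f"{action} on {ev['host']} without second approver"))

        # Rule 3: sliding-window burst of privileged actions by one account.
        if action in PRIVILEGED_ACTIONS:
            q = recent[actor]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= BURST_THRESHOLD and actor not in burst_flagged:
                burst_flagged.add(actor)
                alerts.append(_alert("burst", ev,
                                     f"{len(q)} privileged actions within {WINDOW}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a dashboard or pager filter wants."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['ts']} {a['actor']}: {a['detail']}")
    print(summarize(detect(parse_events(SAMPLE_LOG))))
```

In the constructed sample, the overnight run by `admin-a` trips all three rules (two missing approvals, one backup deletion, one burst), while the daytime helpdesk work and the backup service's own retention cleanup produce nothing, which is the point: the rules key on who is allowed to do what and whether a second person signed off, not on the tools used, since the tools are legitimate either way.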
From insider threat defenses, the episode shifts into the cybersecurity career guidance that most professionals never receive: an honest roadmap built around high-demand specializations where skilled practitioners are genuinely scarce rather than the crowded entry paths that most career advice points toward.
For professionals breaking into cybersecurity, governance, risk, and compliance represents one of the most accessible and strategically undervalued entry points in the field. Risk assessments, security policy development, audit coordination, and vendor risk management are capabilities that transfer well from non-traditional backgrounds and create real competitive separation when most candidates are pursuing identical technical certification paths.
For those drawn to critical infrastructure, the combination of IT and operational technology security expertise remains rare enough to command serious salary premiums. Shon covers how to begin building fluency in SCADA systems and industrial control environments, why the Purdue model matters, and why practitioners who can bridge IT and OT security languages are among the most sought-after professionals in the field right now.
For mid-career and senior practitioners, the conversation moves into what genuinely unlocks leadership-level roles and CISO-track opportunities: risk quantification using the FAIR methodology, supply chain security program ownership, cloud security architecture fluency, and the ability to communicate security risk to boards and executive teams through metrics and a well-maintained risk register. The distinction Shon draws throughout is important — the path toward virtual CISO and senior advisory work is about developing into a business risk advisor who happens to understand technology deeply, not a more advanced operator of security tools.
Subscribe for ongoing cybersecurity career development and CISSP preparation guidance, share this with someone building their path in the profession, and leave a review so more security professionals can find the training. Tell us in the comments — what role are you targeting next?
🎯 Get 360 FREE CISSP Practice Questions delivered straight to your inbox at FreeCISSPQuestions.com — practical exam preparation that builds the foundational knowledge every serious cybersecurity career requires.
Join now and start your journey toward CISSP mastery today!
TRANSCRIPT
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Thursday, and we are going to be talking about CISSP related content, but we were going to be talking about security questions. But today we're going to be talking specifically around the career roadmap and something that nobody else is talking about. So that's the plan for today's podcast. But before we do, had a quick article I wanted to talk to you all about: a core infrastructure engineer pleads guilty to federal charges in an insider attack. So now, if you all know, I have been working very hard with different types of insider risk programs that I've created over the years and worked with a lot of companies around this. This is an area that continues to be a huge part of all of the aspects related to cybersecurity, and it's something, as a professional in the cybersecurity space, you need to be fully aware of and looking for different ways to help your company manage this risk. Now, this article basically comes out of CSO magazine, and it says the top line is a really important part of this whole conversation. It says analysts say CISOs and IT leaders can do a better job of preventing such attacks via what should be a standard security procedure. So what does that mean? Well, I've seen this time and again. If you can define this within your company and you have standard security procedures around it, you could dramatically reduce the insider risk program or insider risk problem you may have within your company. But let's just kind of talk about what happened here. Now, this is a former core infrastructure engineer, a gentleman by the name of Daniel Ryan. Now, he just pleaded guilty to federal charges after carrying out an insider attack against his own employer. I have personally seen this with the companies that I've worked for in the past, of IT individuals who have done this.
And it's very similar to what they did to what he accomplished. So basically, what he did is he used legitimate IT admin tools, specifically not malware, right? All the IT tools you have can dramatically impact an organization just by using them the way they're supposed to be used. And so he deleted administrator accounts, changed user passwords, scheduled malicious tasks on critical servers, and disrupted systems and claimed backups were deleted. So what he tried to do after this was extort money, and he demanded about $750,000 in Bitcoin, threatened to continue the shutdowns until paid. Now I'll tell you that crooks in most places are not very smart, and this is absolutely idiotic. But the fact that he thought he could get away with it is breathtaking. It truly is. So the attack locked out users of systems and caused major operational disruption, which we know we've talked about at CISSP Cyber Training. This disruption of your operational assets can be a huge factor. I mean, it can cost you millions of dollars a day. So he thought he could get his payout based on doing this specifically. So the part that's becoming a problem, becoming more alarming, is security experts are saying the most alarming part is that they used common, well-known techniques, which we've talked about, and that the hackers use the well-known techniques, that's what they do. And if they had basic security practices in place, then the processes should have prevented this. So it's an interesting part that I think we all need to take on, is that if you have anybody within IT in your organization, they do have the ability to cause all kinds of havoc and chaos in your organization. So you need to truly understand who is working for you.
So one of the failures that came out of this article was they didn't have immutable backups, they had poor access control, obviously, no alerts on suspicious administrative activity, which is a key factor, and then they had weak segregation of duties, too much power given to one specific admin. And this happens a lot, especially in a small organization where they're trying to keep costs low and they have fewer people involved. So, again, there's a lot of issues here that we see time and time again in the security space that you all need to be aware of and you should put in place and in practice within your own company. So again, what you need to do is understand least privilege: who has access, what is the access they have, and then are you monitoring their access, especially the administrators within your company? And then protect your backups from tampering, both from an individual standpoint within your company, as well as malware that might be attempting to hack into your organization. And then split critical control across multiple people. This is where you have the two-factor aspects of, before something can get approved, you have someone else who approves that process. So you have multiple people in the chain and segregation of duties is enabled. So there's a lot of great things that you can do. Again, it's a real simple article. I highly recommend you read it, but it comes right down to the fact that insider risk is a huge problem. It's going to become a bigger problem, especially as this IT infrastructure goes from being everything that was on-prem to now being so dispersed across multiple cloud platforms, multiple SaaS services. All this data is everywhere, and then it's in the hands of IT folks that may or may not have your best interests in mind. So again, keep that in the back of your mind. All right, that's all we got on that. So let's roll into what we're gonna talk about today.
Hey y'all, Sean Gerber with CISSP Cyber Training, and today we're gonna be talking about a topic that not many people talk about. At least I've never heard them talk about it. But this is your cybersecurity career, a roadmap that nobody shows you. And why do they not show you? Well, we'll get into that in just a second. But this is gonna walk you through, from entry level, mid-career, and senior level, how you're gonna move your career, the ways that you can take your first steps all the way up to where you can be in the C-suite. The reason I say all this is, well, I've been there, done that, got the t-shirt. And I'm gonna walk you through how you can do that specifically. And the great part about this topic is the fact that it doesn't rely specifically on, hey, you gotta start here, you gotta go here, you gotta go here. It's gonna walk through some different options for you. And anybody can actually take this content and use it in a way to help you in your cybersecurity career, even if you are a mid-level person or potentially already a senior-level executive. But this is just kind of the plan to walk you through how you can get your cybersecurity career started and moving in a direction that you want it to go. So, what won't most guides tell you? Well, we know there is a cybersecurity gap. There's a lot of people out there that say they are looking for people, but they don't know how to do it. Well, there's three and a half million jobs, this was as of last year, that went unfilled because of cybersecurity that they didn't have jobs for. And now as AI is becoming more and more of a factor, the jobs I feel are going to only increase because of this. Over 80% of organizations report critical OT security gaps. So they don't have the gaps, they don't have the things in place to manage the gaps that they have, the security issues. And so they are looking for people specifically around OT security.
Now, also 41% of companies will cite AI security as their number one skills gap. So, what does that mean? I don't even know how to deal with AI. So people are going, what should we do? How should we handle it? There's a great opportunity in the AI space. And now as it relates to job growth, it's expected that there's gonna be a 30% job growth in security over the coming years. So most cybersecurity career advice focuses on the same thing. Go be a red team, get in the SOC, and go down the pen tests. I'm gonna tell you right now that that is a great opportunity if you enjoy that. However, there are places where there's a lot of scarcity related to different roles that you can take advantage of, whether you are an entry-level, mid-level, or even an executive. Because this is a big factor that people just aren't talking about. Because why? They just don't know it. They really truly don't know that this exists. So, are you new to cyber? Well, here's where nobody else is looking. So, GRC, audit, and governance. These are secret paths for you to be able to be successful. And I tell you this, and I've mentioned this time and again on CISSP Cyber Training. This is a great place for you to start and for you to get knowledge and grow your career. So 51% of hiring managers now accept non-cyber backgrounds in GRC. So GRC is a great place for you to enter. Most candidates overlook this entirely because they go, well, I want to be on the technical side. That's great, but this is an opportunity for you to be able to get into areas that nobody else is doing. What do you actually do? Well, risk assessments, policy writing, compliance frameworks, all of those pieces are in place. Audit coordination and vendor risk management. I will tell you right now, I've gone through multiple risk management plans. I've been through various different assessments, I mean, for years and years and years.
And most of the auditors that come in do not have the level of expertise needed to understand this topic. Now, what the great part is, as it relates to AI, you can utilize AI in a way that can help you grow your knowledge as well as provide great risk assessment capabilities for many companies. This is a great place for you to enter. Now, what is your unfair advantage? If you have a background in finance, law, HR, project management, these experiences can help you more than you realize in the GRC space. So highly recommend you look at that. Now, some of the certifications you can consider is your CompTIA Security+. Why? Does it give you a good foundation of security? CISA, which is your certified information security auditor, CRISC, these are all different areas that can be very helpful certifications if you want to go down this space. Now, the typical analyst salary will range anywhere from 65 to 95, whereas if you get into the senior levels, you're looking at 80 or 90 to 192,000. So again, these are really good income generating roles that are out there and available for you. Maybe you can get into these. And I truly believe this. Now, the next one is OT ICS Security Engineer. Why is almost nobody here? The reason is that fewer than 5% of cybersecurity professionals understand both IT and OT architecture. That's a big deal, right? This creates massive salary premiums and near zero competition. This is a place that you can get into and go. I've taught IT and OT. I understand it. And guess what? You guys can understand this as well. It's not hard. I'm a pilot by trade. Go figure. You can do this. The IT and ICS world, securing SCADA systems, PLCs, industrial sensors, all of these pieces are part of the physical internet. This comes into hospitals, power grids, you name it. All of those things fall within IoT and the ICS world. So how do you get started in this? Well, learn the IT basics, right? We talk about Security+, Network+.
These are very key, pivotal certifications that will be important for you. But then pivot to the ICS specific training via CISA, free ICS courses, as well as the different areas within US-CERT.gov. There's a zero cost barrier, and you're going, well, how do I get into this? Then once you start there, you need to go and start growing your experience in this space. Now there's ways you can do that. You can reach out to me at CISSP Cyber Training, I'm happy to walk you through some different options, but there are ways for you to do that. So some key certifications: you have your Global Industrial Cyber Security Professional, you've got CSSA, you've got the SCADA architecture aspects. All of these are important parts to help you down this space. So again, very important certs, and these can help you immensely. Now, an IT security salary on average is about 120 grand. That's pretty life-changing for many people. And it can go to 200,000 plus because of the demand that's in these spaces. So I can't stress this enough. There are great opportunities outside of being the traditional pen tester, SOC analyst, and so forth. The move most entry-level candidates miss: skip the hacker queue. Everybody wants to be a hacker. I want to be a hacker. I was a hacker. Yeah, it's great, it's fun, but there are so many more opportunities. GRC and OT roles, again, have 10 times fewer applicants and they have higher starting salaries. Go where the competition is thin, right? You know, where you see everybody's going one direction, I have lived my life by going the opposite direction. Non-technical skills are your superpower. Communication, documentation, and stakeholder management. I cannot stress this enough. These soft skills and these knowledge skills are so in need of today's people. You need to understand this because if you can do this now, you will actually get in front of the CEO and do things that most people cannot do. Get the reps through the nonprofits.
I mean this in the sense that there's a lot of nonprofits out there that you can help. And you can get the knowledge and understanding in doing and helping them in this space as well. Security clearances. If you can get in with the military and get a clearance, this alone can potentially add anywhere from 30 to 50 grand a year over your income because of this situation. So over a career, you're talking that's a half a million to a million dollars. Additional income can come to you because of a security clearance. Start the process early, get with somebody that actually is willing to supply you with a clearance. Free OT training exists right now. Go to the different places to get OT training. Those will help you and help you grow your experience. Go to colleges, get some very specific OT training skills. Like I said, in my college I worked at Wichita State, I provided physical cybersecurity systems, helped my folks understand IT and OT systems as well. Document everything like a portfolio on LinkedIn, anywhere you can, document all of that information. You want to build your brand. I've got a young man that works for me in my Kona Ice business. He is building a brand. You have to build your brand. Who is you? That doesn't make sense, but who are you? Who is Sean Gerber? That's my key. You go out and Google, you'll see who Sean Gerber is. The same thing with you is you need to Google that as well. So something to consider as it relates to those. Now, are you in your mid-career plateau? Right? Here are the moves that can actually help accelerate your career and what you can do to help expedite the process. So you have IT experience. Now's the time to differentiate. I will tell you, differentiation is the key. If you're in a job that you just don't enjoy and you really don't like, there are so many things that you can use your superpowers in IT to help so many people. You got nonprofit community and impact.
You can build a portfolio proving leadership, not just execution. You can run nonprofits' entire security program solo. You can position yourself for the CISO tracks. Again, helping grow this knowledge. You network with boards, executives, attorneys, auditors. I've done that. The reason I tell you that is not because of me, but to say that I was part of various boards because of helping nonprofits with their systems. It's an important piece, and you can do this to help grow your career. You have to be able to step out of what you're currently in. Also keep in mind, you know what? You may have some imposter syndrome and say, I just don't know all this stuff. You're exactly right. You may not. How do you get it? By doing it. You step out and you do it. That's the only way this happens. These videos that I produce, none of this would have happened if I wouldn't have stepped out and done it. Now you may argue whether it's good or bad. I don't know, but the problem is this. If you don't do it, you can't make it happen. So you have to at least try. So AI GRC specialists, I've mentioned this time and again. I feel very, very strongly that if you can be a GRC specialist in the AI space, you can do so much. There's regulations that are coming down all the time related to AI. One just hit the streets recently in California, Governor Newsom just basically said that you have to have all kinds of vetting with your AI within your organization, otherwise, you can't do business with the state, and that's only going to grow. So you're gonna have to have a good handle around AI. So great places there. You got algorithm bias auditing, AI ethics oversight, certification paths, as well as all kinds of aspects. Now the salary range is gonna be anywhere from 110 to 210, 220,000, somewhere right around there. It doesn't matter.
The point of it is you're looking at 100 grand plus to be an AI GRC specialist, but it doesn't happen overnight. You have to start now. ICS and OT security, this is where you can actually have a huge impact on many different organizations. And this is where I say that you have IT. You now need to specialize. Niche down, do that. You can get in SCADA security architecture or segmentation, critical infrastructure or protection. All of those things are available to you. You can start some of this work with your small towns. They all have IT/OT environments. Can you go out and start offering your services to them? There's great ways for you to be able to make income. And if anything, more than just making the income, building up your rapport with the various cities and people that you can turn around and then take that, put that on your resume, and make that part of your portfolio. This is a great time for you to differentiate yourself if you're in your mid-level career and trying to figure out what you should do next. So the hidden accelerators for mid-career professionals. Risk quantification is your ticket up. It is. Understanding FAIR. FAIR is your Factor Analysis and Information Risk. FAIR is an important part of understanding the methodology that helps you put dollar figures to cyber risk. Risk is an imperative part of all of this. I cannot stress this enough. Most organizations don't just want you to implement security tools, they want to know the risk behind it. So this is an important part. Supply chain security is exploding, right? Post-SolarWinds and Log4j, the supply chain is a boardroom priority. And many of them realize it, but they don't know what to do about it. You, as a mid-professional, as one that's been doing this for a while, can help them understand the overall vendor risk management around what they're dealing with in their companies. So you can differentiate yourself. Get out of the IT silo.
Again, when you're in mid-career stagnation, it usually means you're talking only to IT people. Start attending legal, finance, and operational meetings. I did this for years. It's an important part of you getting your network out, understanding who are the people within legal, compliance, HR, and start networking with these folks and building a rapport with them. This will do nothing but expand and grow your brand and get you exposure in places that you never had before. Again, though, like I mentioned earlier, you have to be willing to step out. Take the step, make the move. Cloud security architecture, but different, right? So not just a cloud admin, but understanding the overall cloud security architecture. I will tell you, this is an area that I have dabbled in, but I am not strong in. And I really truly feel from a personal development standpoint, this is an area that I need to do better at. So I want to spend time growing my knowledge around this because it's going to help me only be a better consultant and a better person for anybody that I'm working with. So again, this gap alone, 33% of companies say they cannot fill this cloud security architecture role. So that's an interesting part. Maybe you should start focusing your knowledge around that and maybe spend some time if you enjoy cloud security. Now to the senior levels. Okay, so cementing your legacy, commanding the boardroom. This is an area that many folks struggle with, and there's a lot of reasons why, and we'll kind of get into some of those. Risk is the language of the boardroom. Are you fluent around that? So when we're talking about this, we have some different certifications that are going to be an important part for you to talk to the boardroom: your CISSP, your CISM, and your CRISC. All of those are important certifications that position you in a way that you can help communicate better with the board and with your C-suite.
Because if you don't do that, it's really hard for you to be able to move up into a senior level position that can grow and expand where it's at today. So the senior security mindset is basically this: stop thinking about security problems and start thinking about business risk with a cyber dimension. Again, cyber is in everything. And if you talk to the board, it's not a cyber problem. It's not a security problem. It is a business risk that has a cyber spin that we all need to be aware of. Another thing they stop thinking about is we need to block this, right? What you should be thinking is, what is the cost of this risk versus the cost to treat it or mitigate the problem. Again, many security professionals will say, I need to block this situation. I need to stop it from happening. But you need to really understand what is the risk that you're trying to mitigate and avoid. Compliance checklists. Stop thinking I gotta meet compliance's needs and come checklist related to a topic. That's a big fallacy that occurs. I've seen this especially in SOC 2 Type 1 type of activities where these guys will come in and go, got it, check, got it, check, got it, check, and that's their compliance checklist. Don't think of it like that. You need to consider risk-based security posture with metrics. That is the key to understand what is your overall plan, what is the overall security posture for your organization. And then stop thinking the technical team. You are not part of a technical team. You are a risk advisor to the C-suite and to the board. It's all about risk, and it's imperative that you understand it's all about risk. So you also want to consider potentially, obviously, having FAIR understanding, CCSP, or the CGRC, the governance and risk compliance piece of this, related to different certifications. Again, understanding the boardroom, that is a big factor in what you're trying to accomplish.
So from security pro to risk leader, the CISO pathway, this is something to consider. Security engineer or analyst. That's where you start. Typically, that's where a person begins in this process. Their technical depth is not real strong, and they get into the ITOC space. Then you move from there to a security manager or architect. This is where we have program leadership and risk quantification. This is another five years or so. Okay, so this is your next step. Then the third step is where you're getting into the director of security or GRC. You're talking the 10 to 15 year point. This is where you understand budgets, board communications, and all of those. And then moving into the CISO or chief risk officer, it's about a 15-year point, right? So you can see there is a program, there's a path for this to happen. You have to, though, look at this as the long game. If you've been in this for a while, you need to look at how you get into director of security or GRC. If you've been just getting into this, you're right, starting off brand new, this is a great path starting today that can help get you in a position in the next 10 to 15 years in being a CISO or chief risk officer, if that's what you want. But there's other options for you as well. So the vCISO opportunities, there are more opportunities here that are happening. This is where you serve three to five companies simultaneously, and you can operate between $150 and $300 an hour. This is a spot that I've been working in for many years. Okay, so the CISO opportunities. Board literacy, learn to read a 10-K, understand the P&L impacts, translate risk into dollar exposure. These are some skills that separate CISOs from everyone else. And then understanding a risk register. Building, maintaining, and presenting a risk register to a board is one of the ultimate senior level skills. It's an important part. Risk registers are vital to your organization, especially if you are in that CISO role.
All right, some universal principles. Risk is the common thread at every career level, whether it's entry level, mid-career, or the senior level. So at an entry level, you need to understand and identify risk in policies and the controls. You need to document the risk findings in audit-ready language. Understand the frameworks, from the NIST Cybersecurity Framework to ISO 27001. And then start building a personal risk register mindset so you understand how that works. Recognize every security decision is a risk trade-off. So again, entry level, understanding that. But these are good foundational things that'll help you when you become mid and senior level positions. In mid-career, you want to quantify risk in business terms, FAIR methodology, business terms. Build a risk-based security program, not compliance checklists, metrics. Understand metrics and how to display those to management. That's a really key thing. If you drive that home now, it's going to help you in a few years to come. Link technical controls to business impact and then own the risk register and drive remediation prioritization. You want to be able to understand what's going on, and then you want to be the person that is driving these changes. Senior level, board level risk communication and reporting. You need to understand how to communicate to the board. Enterprise risk management integration, which is your ERM. Understand risk appetite and tolerance frameworks and the overall design of those. So what is the appetite of the company? What are they willing to do? Third party and supply chain strategies as well as cyber risk, and you need the drivers of business investment decisions. So again, security without risk context is just expensive theater. Okay, that's just it, it really truly is. And it's important for you to understand this piece. The last thing I want to say is your career, your roadmap. No one else is going to map this out for you. That's why you're here.
I'm walking you through from beginning to end. You'll hear people say you can make a half a million dollars in cybersecurity. Yeah, you can, but it's going to take some time and planning. You can do this though. You definitely can do this. So if you're just starting, last thing I want to say is begin with your C, your risk certs, start your free CISA ICS training. If you're in your mid-career, add AI, GRC, or OT understandings to your current role. Put those in there. Get them in there. Or if you're a senior pro, CISSP, CISM, or CRISC. All of these are paths to the CISO. Thank you so much for joining me. You can actually see this on YouTube. You can see it on my website at CISSP Cyber Training. All of this is available to you there and available. It's awesome. So I'm excited for you all. Please reach out to me anytime and we can help you out any possible way I can. Have a great day and we'll catch you on the flip side. See ya.