I am nearing the end of my first CISSP course that I've had the opportunity to teach, and I am pretty sure that I am probably the best student in the class! I am not being facetious, learning is the main reason why I chose to put in the extra hours to teach! I am learning so much. The students challenge me to be my best, and I am all the better for it. I have gotten help from this forum as well.
Thanks to all of you who provided your suggestions!
@Lamont29, from your posts I've been reading since the start of my CISSP journey, I can see/sense your passion for teaching and mentoring newbies like me trying to get into IT security. As I've mentioned to you on private message, you're such an inspiration. I feel you're like an "elder in a tribe" whom I've grown to trust, respect, and looking forward to reading your sage advices every day...
In my CISSP journey, I've met people including my manager who discouraged me from pursuing the CISSP certification. It was quite ironic that he himself is a CISSP! I've seen two groups of people: one who discourage/not help or simply negative. The other one who is compassionate/caring and very positive in helping others. You sir, are obviously in this second category...and I'm very grateful and hope that you will continue to care and support all your students to come!
I really appreciate your gracious comments @unixgeek21. I hold a lot of intrinsic value in knowing that I am doing some good for someone else. That acknowledgement really keeps me going.
I always figured I learned more from teaching than just about anything else 🙂
One of the things I learned early on was if you wanted to truly learn something, teach it to others. Having to do this has helped me in my career. One of the best things you can do is to learn how to speak to different audiences and either explain it in simple terms or explain it in complex terms, based on your audience's level of knowledge of the subject. Here is an example:
We, as security practitioners, often tell our users we have to protect our agency's PII or other data in a manner that shows due diligence. I was explaining this once in a presentation and an audience member raised their hand and said "Well the bad guys can get the same information from the phone book, why do we have to be so careful?" I explained it in this way.
Say you lent your chainsaw to your neighbor and then he had it stolen from him. Which situation would you be more ok with and which one would you be more upset with?
Situation 1: He took the chainsaw from you and stored it in his locked garage. When the thieves broke in, setting off the alarm, they grabbed whatever they could and fled.
Situation 2: He took the chainsaw from you placed it in the back of his pickup truck, making no effort to conceal or secure it. Ran about 10 errands all over town and then woke up the next morning and went out to use it and discovered it missing.
In situation 1 you could say your neighbor took prudent steps to secure it and the bad guys got lucky. Sure there were probably more steps he could have taken (chained it to something with a lock and chain, went out and purchased a large safe, etc.), but that may have raised the cost of protection over the cost of the machine. He may be able to file a claim with his homeowners insurance to be able to buy you another one.
In situation 2 you would be upset that they were so careless. They don't even know when or where it was stolen so you have little chance to even know where to start looking if you wanted to do something about it. His automobile insurance may not even cover it, and even if it did your neighbor would likely have to pay the deductible so they may just say "Sorry!".
When I explained it like that you could see that not only that person got it, but a large part of the audience got it as well. I could have just repeated the line "We have to do our due diligence in securing the data we are in possession of." but it would not have had the impact it did. By adding a personal touch and relating data security to chainsaw security it helped bridged that gap. It also tied in to their emotions because most of us have had something stolen from us and we immediately go to that feeling in our minds when we hear a similar story. The audience even piped up with some things they would say or do to their neighbor if that scenario happened. "Exactly!" I said. That is how our customers will feel if we don't take adequate steps to protect their data.
I further reinforced it during my walk-a-rounds by saying "Protect that chainsaw" or "Don't leave that data in the back of the truck"
So learning how to 1) make it easy to understand by relating a similar story, 2) tie it in to emotions they have had, and 3) telling an interesting story instead of boring InfoSec speak, will help you tremendously in your career advancement.
Very cool. I have wanted to teach a CISSP (or similar) course in InfoSec. Are you teaching through a college or through ISC2? I have a masters degree in another field, but have passed the CISSP and CSSP.
I agree with your reply @unixgeek21 . It is interesting that sometimes the workplace isn't as supportive of credentials as it should be. That is why community is so important. We all need to keep striving and reaching in our profession, regardless of the complacency of some of our colleagues. @Lamont29 has that passion for teaching, and that is so contagious.
@Lamont29, as someone who started as an IT Trainer, besides the benefits already mentioned, I'll say that something I found very appealing about teaching is the satisfaction felt when imparting knowledge to others.
Hope to see you continue infusing others with an enthusiasm for Information Security.
When I explained it like that you could see that not only that person got it,
but a large part of the audience got it as Well