CISSP Cyber Training Podcast - CISSP Training Program

CCT 256: Understanding, Adhering To, and Promoting Professional Ethics (Domain 1.1)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 256


Ethical leadership lies at the heart of effective cybersecurity practice. In this episode, we dive deep into Domain 1.1 of the CISSP certification, exploring professional ethics and their critical importance for security professionals.

The episode opens with a sobering look at the current landscape of cyber warfare, examining how Israeli-linked hackers are actively targeting Iran's financial systems. This real-world example serves as a stark reminder that cyber conflicts aren't theoretical—they're happening now, with devastating consequences for both government systems and ordinary citizens. For security professionals, this underscores the urgent need for robust resilience planning and strategic preparation for highly targeted attacks.

We then unpack the ISC² Code of Ethics through its four foundational canons: protecting society and the common good, acting with integrity, providing competent service, and advancing the profession. Each canon is explored with practical examples and real-world implications. The message becomes clear—security professionals possess extraordinary power through their knowledge and system access, and with this comes profound responsibility.

Throughout the discussion, we emphasize that ethical considerations extend beyond compliance requirements. They touch everything from handling sensitive data and discovering vulnerabilities to implementing AI systems and creating organizational cultures where ethical concerns can be safely raised. The principle of "do no harm" stands paramount, recognizing that security decisions impact not just organizations but the individuals who rely on these systems for their livelihoods.

Whether you're preparing for your CISSP certification, already working in the field, or leading security teams, this episode provides crucial insights into the ethical framework that must guide cybersecurity practice. Because in information security, ethics isn't just about following rules—it's about protecting people and building trust in the digital systems that increasingly power our world.

Ready to strengthen your ethical leadership in cybersecurity? Visit our website for resources including practice questions, mentorship opportunities, and comprehensive CISSP exam preparation materials.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

Hey all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and what do we do on Mondays? We go over training related to the CISSP, and today is Domain 1, 1.1, and we're getting into professional ethics as related to ISC². So we're going to be getting into some different aspects around what ISC² talks about, as well as talking about various aspects around you as a professional working at a business and what are some of the things you should be concerned about as a cybersecurity professional. So this could be pretty good. I think you guys will really, really enjoy it.

Speaker 2:

But before we do, we're going to be talking about an article that I saw in Wired magazine, and the interesting part about all of this is the fact that in the past we have talked about Iran. In the case that there would be a shooting war between the United States and Iran, and that still may very easily occur, the Iranians would launch cyber attacks against the US system, their critical infrastructure, banking, all those aspects. Now, the interesting part is that this article is talking about how the Israeli-tied Predatory Sparrow hackers are waging a cyber war on Iran's financial system. The tables in this specific situation are turned a little bit, in that Israel is launching attacks against Iran, which obviously they're using kinetic attacks and dropping bombs, but they're also launching a cyber attack against their financial system. So how does this affect everything? I mean, it's changing the whole global dynamic as it relates to cybersecurity professionals. You no longer can say, hey, we're in the United States, we're safe, we're good. This is just craziness in the fact that now, in this specific situation, this Predatory Sparrow, they are linked to executing destructive cyber attacks against Iran's financial sector, and obviously they're burning, in this case, over 90 million dollars in crypto. They're basically taking it and making it useless. They're also disrupting the Sepah (I've probably just totally butchered that name) bank, taking online banking and ATM services offline.

Speaker 2:

So I say this because I'm working with a very large financial institution right now, and I know that they have great cybersecurity controls in place, but I would say the mindset, and this is not the mindset just of this organization, it's a mindset of many organizations, is that in the event that there's a shooting war, you will become the primary target, and they go, well, yeah, we know this is going to happen, we have an idea this is going to happen. But no, this is really going to happen, and it isn't just going to take down the critical infrastructure within the United States. They're going to come targeting specific banks, financial institutions, anything that can affect people directly. Now this group has explicitly framed the attacks basically as retaliation for Iran's support of terrorism, and you can put any sort of moniker on it you want. The challenge with this is, does this affect the Iranian regime? Yes, but who else? It really affects the common people that, in most cases, I say most, are not even connected with anything that's going on geopolitically. And the same thing is going to happen here in the United States or any place around the globe.

Speaker 2:

If a shooting war, a kinetic shooting war, occurs, you are going to be having strong cyber warfare aspects that are going to be happening on a daily basis. So I'm telling you this, not to say, oh, the sky is falling and you need to be afraid, but you do need to be aware and you need to communicate this to your boards, using this as a perfect example of how this could happen to your organization, and it really just truly comes down to this. You got to have resiliency, you got to understand cyber operations, you've got to understand it from a tactical and a strategic point of view and you have to have a resilient organization that can operate in the event that you are directly attacked by these types of individuals. Right now, I would say, a lot of the attacks going against various institutions are and I'm using this loosely there are some very talented people, but they're doing the hit and run right. They're trying to do smash and grab and they're just getting whatever they can.

Speaker 2:

If you have a targeted attack against you, we all say this is going to be, well, very painful, it'd be hard to do, it'd be hard to manage. No, it's going to be really, really, really hard to manage. So the point of it is, have a plan, start thinking about it now. I just can't stress it enough that you need to have a consideration, and even, to take a Mike Tyson quote, you have a great plan until you get hit in the face, and then, after you get hit in the face, your plan changes. But at least at a minimum you have a plan so that, in the event something does happen, which is highly likely, if it doesn't happen soon, it will happen in the near future, you're going to have to deal with it. And so, as a cybersecurity professional, it's up to you; they're relying on you to be prepared for these types of events. Okay, so I gave you enough doom and gloom. I'm just trying to highlight this situation. Go to Wired and check it out. It's actually a really good article that talks about how important it is for you to understand your adversary, cyber resilience, and then also have a good plan for yourself going forward. Okay, that's enough on that.

Speaker 2:

Let's move into what we're going to talk about today. Okay, so today is over Domain 1, 1.1, understanding, adhering to and promoting professional ethics. So, again, a big factor is understanding ethics. Again, do no harm. We're going to talk about that. I like to use the comment from when I was working for the government as a red teamer: use your powers for good, not evil. And yes, you do have a lot of powers. Whether it's intellectual, what you've got in your cranium, or whether it's the fact that you're using your intellectual aspects on a keyboard, you can make life extremely painful for a lot of people, and you can actually potentially even hurt people, depending upon the situation and what you're doing. So you need to understand ethics, and I know a lot of us do. I get it, yawn, oh, I don't want to deal with this, but you will have to know it and you will deal with it on a daily basis as a security professional.

Speaker 2:

So we're going to go into ISC²'s Code of Ethics, professional ethics, and this is their preamble: the safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Okay, I read that to you, but you're like going, okay, I'm reading it, why is this in third grade? But the point of it is that they want to make this point known.

Speaker 2:

As a cybersecurity professional, you have principles. You have to take care of the common good. It requires you to adhere and to be seen to adhere to the highest ethical standards. This is an important factor because, as a security professional, you are entrusted with a lot of stuff. You've got people's data, you know what the CEO is doing, you know the financials for this organization. You have access to all the data in many ways and since you have access to this data, you could do very bad things with it. You could actually use it for profit. You could do a lot of different things that could cause a lot of damage to people's lives and to physical property, and so, therefore, you must have some of the highest principles related to your ethics and understanding what could happen in the event something bad, that you do something bad or somebody else does something bad. That's the other part. You need to understand individuals within your organization, individual people. If they're doing things that are unethical, how do you handle that? Okay, so they have the code of ethics canons, and we're going to go into each of these canons just a little bit.

Speaker 2:

The goal is to protect society from the common good, necessary public trust, confidence and the infrastructure. You want to protect it all. You need to act honorably. That means you need to understand what honor is, and unfortunately, in today's world, not everybody does. I mean to be honest, just and responsible and, above all, legal in what you do.

Speaker 2:

The moment you go illegal, things go really bad, and it doesn't just affect you. It can affect your entire company, and this is the part you also got to think about as you move up in the organization, you become a officer within a company or you become a vice president or whatever. You have some level of leadership. Anything that you do that would be construed as illegal. Now I say this in the fact that the illegal part is going. Yeah, I'm going out and stealing candy from a baby, that's illegal. But if you do something that may be pushing the legality compliance aspects of it, it's that gray area. What ends up happening is it can affect not just you, it can affect your company job, that they have to pay their bills to feed their families. It's you can have a direct, immediate impact on so many people by not acting honorably and not doing the right thing.

Speaker 2:

Now you need to provide diligent and competent service to your principals the people that own the business and you need to advance and protect the profession. Again, as a CISSP, you have worked very hard to get here. You need to advance the profession and one of the things I'm doing just right now is advancing the profession. Obviously, you're listening to this podcast and you're going okay, that's cool and I also offer things you can buy. That's great. But at the end of it, I'm advancing the profession because I bring in more than just saying, hey, study for this test. These are some of the things I've learned over the years that can help you in your profession as a CISSP, as a security professional. So, again, important, important part for you to go into as we're getting into the preamble and understanding the overall professional code of ethics related to the CISSP. Okay, canon one.

Speaker 2:

Now, this is canon one of four specific canons. So again, we're 25% done. You need to protect society and the common good. Okay, so what does this mean? Protecting the society, common good and the necessary public trust and confidence and the infrastructure. Okay, that's a lot of big $10 words put into one sentence. But the ultimate goal, this should be your highest priority and this is, they consider, the highest priority canon of isc square. It requires security professionals to consider the broader impact of their actions and inactions. If you don't act, how does that impact you? How does that impact others? You need to really think through that. This is a. These kinds of roles are strategic thinking type roles. You have the ability to make changes within your organization. The other part that's important with this is and I can't stress this enough as a cybersecurity professional, you understand the aspects that are going on within your organization to the level that your senior leaders probably do not, and because they don't, they are relying on you to basically give them the direction they need to be successful to understand the issues that are going on with all of this. So, again, this is an area that you need to really consider. Now. Examples of how this canon applies to real world situations Responsible disclosure of vulnerabilities.

Speaker 2:

We've talked about vulnerabilities all the time. How are you disclosing these in a way that minimizes harm to the public? Working with vendors to ensure that the vulnerabilities are patched in a timely manner? Right, you're getting those done. You have reports that are setting out, telling people this. You also are designing secure systems that protect the critical infrastructure. We just talk about this numerous ways in manufacturing critical infrastructure, banking all of those things that are in place, you've helped design secure systems that protect these areas, and this comes down to essential services such as power grids, transportation networks and so forth. You need to understand it so that you can help protect it.

Speaker 2:

Now, implementing these security measures does help prevent disruptions. They also prevent attacks, and I would say that in many cases they help prevent the attacks. But even if attacks occur, the system needs to be resilient, to be able to thwart or be able to handle an attack by an adversary. Now, preventing the spread of misinformation and malicious software. You need to take steps so that you don't become an active participant, or an inactive participant, in spreading misinformation or malicious software. Are your sites, are your external resources patched? Are they able to have people uploading data to them that would be malicious, and then now it's being passed on to other people? So you need to prevent this from happening. And again, these are obviously common sense things that you're going, yeah, I get it, I understand I need to do this, but they put this on paper so that you truly understand, and they hold you accountable to it: if you're not doing what you're supposed to be doing, you, as a professional person in this role, are being held to a higher standard. You are being held to a higher standard.

Speaker 2:

Canon two: act honorably, honestly, justly, responsibly and legally. Again, we're emphasizing the importance of integrity and trustworthiness in this canon. It requires adherence to both ethical principles and legal obligations. We've talked about this numerous times within our training: you have to maintain these ethical principles, and you need to involve yourself with legal at all times. I deal with individuals that haven't really thought about this. They go, yeah, yeah, we'll deal with legal when we need to, or if something comes up we've got them on the bat phone, we'll give them a call, legal will show up, they'll swoop in and take over. No, don't do that. You need to have really active relationships with your legal people, anybody that's in that level of business. You need to have those relationships now, before something bad happens. So, to make examples around this: again, maintain integrity in all professional dealings. This avoids conflicts of interest. I had to do this when I was working with my company before. I had to tell them, hey, I'm doing a podcast, I'm doing these aspects, does this affect you at all? What can I talk about? Again, avoiding conflicts of interest.

Speaker 2:

Being totally truthful and transparent in all your communications. Don't do the little drama thing. Avoid at all costs. Be truthful and transparent in everything. Provide accurate information to clients and employers and colleagues. Don't hide anything. You have the ability in your profession, being a security professional, to know information that most people do not. Don't play. I know something you don't know, don't do that and don't even try to act around that. All right, the ultimate goal is be transparent with everything you're doing, everything you know, and especially with your senior leaders. You want to be totally transparent with them. Don't think, well, I'm getting this problem fixed by myself right now and then I'll tell them. No, tell them now. That's the key point Disclosing any relevant facts or potential risks.

Speaker 2:

If you don't do that and something bad happens, well, you're going to be hung out to dry. Two is that it can affect the guy on the line, like we talked about before. You need to disclose anything you know about risks and so that way they can either be addressed or at least at a minimum, the risks can be accepted. So they have to understand Complying with laws and regulations. It goes without saying. You don't apply with the law, you're going to have nice little handcuffs and you'll be going to prison, and I mean that truly. You may not go to a blue or white collar prison, which I don't know. If they do handcuffs for them, I assume they do, but you will have to deal with that. There's laws and regulations that are out there specifically, so you don't break them. And if you do break them, there are consequences for that.

Speaker 2:

You can begin to ask more and more security professionals. They're seeing the writing on the wall here. So you need to truly kind of understand all the legal ramifications with your role. Even if you don't understand it, go out and try to understand it and then meet with legal, have them help you. It's imperative that you know this information because so many people are relying on you because they're thinking you know it and you're thinking they know it. Well then, at the end of the day, nobody knows it. That's bad, not a good place to be. So you understand the legal and regulatory landscape for your organization and for your role and also for your space, your vertical that you're in.

Speaker 2:

Avoid conflicts of interest we kind of talked about that already and don't use your professional position for personal gain. Again, don't say figure out ways to use it so that you can make money on it. Hey, you know what I'm about? Ready to sign this contract with XYZ security company, you give me a little kickback, I'll sign with you. Yeah, that's bad. Don't do that. That'd be really, really bad. So avoid those kinds of conflicts of interest. Again, disclosing any potential conflicts of interest is extremely important.

Speaker 2:

Canon three provide diligent and competent service to the principals. That's the point, right. So you need to focus on the relationship between your security professional and those who they serve the employers, the clients, your board, whoever. You need to make sure that you provide them diligent and competent service and they're paying you very well for this. In some cases, some people very, very well. They're paying you a lot of money, and so if they're doing that, then what should you do? You need to provide them a service that is equivalent or exceeds I would recommend, exceeds what they're paying you for. Here are some examples of this Providing services for your area of expertise.

Speaker 2:

When it comes down to it, if you do offer up services that are not in your area of expertise say, for example, you don't know development very well and you say, well, I can do it. Well, okay, if you don't really understand it, you need to seek assistance in trying to do it. Now, if there's a case where you don't understand it and you're still stuck doing it, then you do to the point of having the second bullet, seeking assistance and get further training as necessary to do that. Or if you're a contractor like me and they say, well, I want you to do secure development, I go. I really don't know how to do that very well, I can do this part of it, but I can't do that part. That's being truthful and transparent on what you can and cannot do, and then from there the engagement may or may not happen.

Speaker 2:

Keeping up to date with the latest security trends and technologies as we talk about this in CISSP Cyber Training, I usually give a security topic at the beginning. That's a great way for you to stay connected with security trends and technologies, and that this also is important by engaging with professional development, attending ISC squared meetings, which I remind myself as I say that I've missed the last one. I need to attend the next one. It's important for you to go and do these for professional development. Stay informed about new threats, vulnerabilities and security best practices. Be involved with the team, spread your knowledge around, act in the best interest of your employer or client within ethical and legal boundaries, and then providing objective advice and recommendations. Again, they're looking for you to give them the recommendations and knowledge that you have. It's imperative that you provide them things that they can use and that it's balanced and well orchestrated and it's something that they can take, digest and pass it on balancing your needs of the principle with the ethical considerations of legal requirements.

Speaker 2:

Something I've run into in the past is that your principles may say, well, we're not going to worry about that. I'm like, well, you may say you're not going to worry about that, but the this legal requirement says you need to worry about it. Well, I'm like, hey, that's on you, I'm documenting it, this is what I'm saying, this is what I recommend, it's on you and you do that. That's imperative, that you have that kind of candor with these principles and you understand the threat, you understand the legal and regulatory requirements, and then they can make decisions. And I will just be very transparent on that. When they first said, well, the response is, oh, okay, yep, we'll do it. So the point I'm trying to make is that if you bring it to them in a level that they don't quite understand it and they kind of go, well, we don't really see it this way, but yet you come in and say, no, this is what it says and from a security professional standpoint, this is what you should do, it then changes the dynamic and the tone a lot. So again, that is why you, as a security professional, are so important with these different companies and you're so important with the different aspects of these companies, such as legal compliance and so forth.

Speaker 2:

Canon four advance and protect the profession. That's the ultimate goal here. This is this addresses responsibilities of security professionals to contribute to the growth and integrity of the field. You focus on enhancing the reputation and the standing of information security profession, and this comes down to a lot of different ways Mentoring and educating others in the field, like we talk about sharing knowledge. Supporting professional development, promoting ethical conduct amongst colleagues, ensuring them they meet the ISC squared code of ethics. If something comes up and you see somebody doing it going, ah, that's not right. You need to hold them accountable to that.

Speaker 2:

Again, also addressing any unethical behavior you may see within the profession, because it affects all of us, not just you, not just this person, but we all get to deal with this. If someone's a security professional that does a very poor job, well, the way the social media stuff is set up with LinkedIn, facebook, all these other Twitter, you name it what ends up happening is it just spreads like wildfire and it'll affect all of us in various forms. Contributing to the development of security standards and best practices. Help with the industry groups. Help them grow, give them best knowledge. Use what your lessons learn to help increase the overall knowledge for all companies. Sharing insights and lessons learned. Done that, we do that on cissp, cyber training. You get a lot of that right lessons learned. What did I do? That affected things. You can take that and then pass that on to other organizations as well and you can learn from that, avoiding actions that could damage the reputation of the profession.

Speaker 2:

Again, coming down to maintaining a high standards of professional conduct, addressing any misconduct or incompetence that's another part. I see this in security. I see people that say, hey, if you just do this, you can become a super, super duper professional security person making gazillions of dollars. That is incompetence. I'm sorry, they're just wrong, and so you need to understand that and address it. As it comes out. There's some aspects of it that I can see is valuable, but then most of it is charlatans trying to just promote and make money. So you need to address this misconduct and the incompetence.

Speaker 2:

Potentially, if you see it. So, when you deal with the ISC² code of professional ethics, there is a reference, RFC 1087, Ethics and the Internet. This is the main thing to kind of boil this down to, and this kind of helped feed the overall ethics piece of ISC². One, do not seek to gain unauthorized access. Two, do not disrupt the intended use of the internet. Another one is, do not waste resources through actions, and I would say also inactions. Do not destroy the integrity of computer information, and do not compromise the privacy of users. Now, this was the first one that came out. This is RFC 1087. This was around ethics and the internet, and this, like I mentioned just a minute ago, helped spawn a lot of the information that's in ISC²'s ethics. The professional ethics aspects came from this, and this was the first one that was out there when it came to computer systems, and you can see they're very basic and very to the point.

Speaker 2:

But the ultimate goal is this: you have so much power in your hands, and you do not want to use it poorly. Now, as we get into dealing with the organizational code of ethics, the individual company's, there are some key concepts for you to keep in mind. You need to review and understand your organization's ethical approach. If they don't have ethics, you need to leave the organization. I'm just being honest. If they don't have ethics, if there's people there showing that there's no ethical backbone at all, you need to start looking, updating your LinkedIn profile and getting your resume ready, and get the heck out of Dodge. Even if they're paying you a lot of money, you don't want to be around that. Avoid it. Avoid it at all costs.

Speaker 2:

Integrate cybersecurity into the organization's ethical documents. Right? You need to make sure that, as they have ethical documents, they've thought about this from data privacy. All those aspects are there: don't disclose your HIPAA data, blah, blah, blah, blah. Right, they have that all there. But they need to also incorporate your acceptable use policies. How do you use your cyber stuff? How do you use it in a way that's acceptable? What's the ethical way of using it? Right, don't take the information you get and use it in ways that gratify yourself or make more money for yourself.

Speaker 2:

Ethical issues are core to cybersecurity. Again, manipulation, theft, coercion, all those aspects can be involved in security, and you need to be aware of that and you need to take the higher road. Determine how cybersecurity is integrated into your organization's privacy. Another aspect: privacy needs to be embedded within that. And then it comes down to the doctor's creed, do no harm. Primum non nocere. See, I can't even say English, and that's not even English. I think that's Latin. So just basically don't do any harm. Use your powers for good, not evil. That's the bottom line.

Speaker 2:

So now, when you're dealing with the Code of Fair Information Practices, this outlines five principles for handling personal information in an ethical and responsible manner. Again, no personal data record-keeping system's existence is secret, so, no matter how much you have, it isn't a secret, right? Individuals must be able to find out what information is being recorded. So this comes down to that. You, as an individual, need to ensure that your employees know what is being recorded on them, and this is why you get within a Zoom call and you say, this Zoom call is being recorded. They're trying to teach you that, right? The ability for an individual to prevent personal information from being used or made available without consent. You need to make sure that that is not done, that everybody knows that it's being used and that there's consent around the personal data that's being used. You have the ability to correct or amend identifiable records, if there's an identifiable record on you and it isn't correct.

Speaker 2:

Like if it says Shon is Shauna. You need to be able to fix Shon from Shauna, and if you can't do that, that's not good. So, because I don't even really like my name, Shon, but I really would not like Shauna. No offense to any Shaunas out there, I get it, you're good. I just would not like that because it's not my name. Enrique is a better name. Enrique, that's my name, that's what I tell my kids, and when anybody asks what's your name, I say, well, it's Shon, I go by Shon, well, Shon, but I go by Enrique, because Enrique's a cooler, way cooler name.

Speaker 2:

If you're an Enrique out there, listen to this, you've got a cool name. Organizations storing that data must take steps to ensure data is not misused. Also, again, if you get the data, you have the responsibility to hold that data. You need to make sure that it is not misused and it is properly taken care of in various different ways. Okay, so I'm coming back to the individual. This is the CISSP and the security professional. We've talked about this. We've kind of alluded to this as we've gone on in this discussion. One is professional integrity and accountability. You need to have that. You need to, above all, with the CISSP, you need to operate in ethical behavior and avoid any sort of aspects around mistakes, unethical aspects or conflicts of interest. Due care and due diligence. You need to consistently apply knowledge, skills and best practices to protect the assets and manage the risks. This implies continuous learning and also having competence when understanding the evolving threats in that landscape that's out there. Confidentiality and privacy: again, upholding the privacy of individuals and the confidentiality of the organization, even when you're not legally compelled to do so. You just might be recommended, but you should also go to the higher level, even if it's not required legally. I'd say that's one thing my previous organization did: even if it was not a legal requirement, they looked around the country to see where it might be a legal requirement and they went to the higher standard, which I think is important. It costs them a lot of money and it also hurts your bottom line a little bit, but they're taking the higher level, the higher road, which is a much better place to be. It's a much more defensible position to take. Objective impartiality: making security decisions based on facts and risk assessments, free from personal bias, prejudice or undue influence. You need to be impartial about stuff.
If you don't see it right, you need to say it. You say it in a loving and caring way. You don't tell people they're idiots. That's bad. But you can do it in ways that are like, I don't necessarily agree with what you're saying. This is what I see. Again, no offense to that individual, but this is what I see. Again, you do it better than saying hey, yeah, you're stupid, you're an idiot. Don't do that. That's bad.

Speaker 2:

Responsible disclosure: ethical handling of discovered vulnerabilities, balancing the need for secure systems with the potential harm of premature public disclosure. You just make sure you have a responsible disclosure. You don't go and post it on Twitter going, yeah, we just got pwned. You don't do that. That's bad. There are a lot of legal issues with that, and it also could affect the guy on the line. I always come back to this: whatever you do, don't affect the guy or gal on the line. They're working hard. They have no clue about what they're doing with the cybersecurity stuff. Do not impact them. I stress this: they're working really hard. I know you're working hard, but not as hard as them, and they have more at risk in many cases than you.

Speaker 2:

As a security professional, you can go get another role. Some of these people, this is what they've got. You need to protect them, period, bottom line. That's all I can say.

Speaker 2:

Whistleblower protection: understanding ethical obligations to report serious misconduct or illegal activities. You need to obviously approve that. You need to allow that to occur. You need to make sure that you do not stifle, that you do not hold back information. It will burn you, and it could affect the guy and gal on the line. Don't affect the guy and gal on the line. Business organizations, employers and stakeholders: establish an ethical culture. Again, you want an ethical culture. If your board, or from the board level down, doesn't have it, again, get your resume ready. Get on LinkedIn. Go find a new job; there's plenty of them out there. No matter how much money they're throwing at you, you do not want to work there. This includes clear policies against unethical behavior. You need to have that.

Speaker 2:

Compliance with laws and regulations. Again, you need to understand the laws and regulations within your organization, within your space, within your vertical, and you need to then comply with them: FFIEC, NYDFS, HIPAA and so on and so forth. You've got to know them, got to use them, got to follow them. Transparency with stakeholders. Again, coming forward with everything you see that's legally permissible. You need to show them, you need to tell them, you need to be upfront with them and understand this: they look to you as a leader to do that. Data stewards: you need to make sure that you have privacy by design. You, as a security professional, might be an architect, and therefore you're dealing with how you collect, store, use or dispose of the data. You need to have privacy by design built into this from the beginning.

Speaker 2:

Resource allocation: ethically allocating sufficient resources, which includes personnel, budget, technology. All of those things need to be done ethically. You don't keep a little bit of money left over for mom, dad and the grandkids. Fairness and bias in AI and ML. Okay, as this becomes more prevalent (we talk a lot about AI on CISSP Cyber Training), you ensure these systems are developed and deployed ethically. This includes, you know, as far as perpetuating any sort of biases that they may have, unfair, discriminatory outcomes. All of those pieces you need to be aware of, because, again, people are utilizing this for their information. It needs to be above reproach, and any biases that are there, you need to weed those out right away, because people are taking this information and they're calling it, air quotes, gospel.

Speaker 2:

Responsible use of security tools. Again, this deals with monitoring and surveillance. The tools you have in the cybersecurity space can do all of those things. You can be going, hey look, I got an email. I saw what Joe just did this weekend. Oh my gosh, that's terrible. No, that's bad, don't do that, right? But you could have access to that, and you can hear conversations that people say, whether it's intentional or unintentional. You have responsibility for that. Ethical employees: again, creating an environment where employees feel safe and empowered to raise ethical concerns without the fear of retaliation. Don't do that. Again, I keep stressing this, and I know I beat that drum on this a lot, but the point of it is these are really foundational, cornerstone aspects you need to be aware of as a CISSP and as a cybersecurity professional within your company and your overall profession and future. Okay, that's all I have for you today.

Speaker 2:

Go to CISSP Cyber Training. You can gain access to all of my content, all of my information. It's all there and available for you. You can get a lot of it for free. It's in my blog. It's being posted on YouTube. There's different pieces that are there.

Speaker 2:

But if you're truly interested in getting your CISSP completed and getting it done in a timely, fast manner, go in, buy one of my programs, and we can help you with that, get it done. I've got a whole blueprint that will help walk you through, step by step by step, on what you need to do to get studied and get ready for the CISSP exam. Also, if you need some mentorship, I've got that available to you as well. I can mentor you, walk you through. What kind of job do you want to look for? What kind of professional aspects? Do you just need someone as a sounding board for some of your security professional stuff? I can do that for you as well. I can be acting as a CISO for you. All that's available for you at CISSP Cyber Training.

Speaker 2:

And, lastly, if you need any sort of consulting work outside of that, just let me know. Reach out to me. I've got a whole laundry list of people that I can work with. If I can't help you, I've got lots of people within my network that can provide the level of security you need for your organization. So that's all I've got. Have a wonderful, wonderful day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube: just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.