CISSP Cyber Training Podcast - CISSP Training Program

CCT 265: Practice CISSP Questions - Mastering the Questions (Domain 1)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 265


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

The cybersecurity landscape is rapidly evolving, and AI stands at the forefront of this transformation. In this thought-provoking episode, Shon Gerber explores the projected $450 billion impact AI will have by 2028 and what this means for security professionals today.

With only 2% of companies having fully deployed AI solutions and 39% not yet exploring them, we're at the beginning of a massive shift that will fundamentally change how organizations approach security. Shon provides a candid assessment of why cybersecurity roles haven't yet been automated (risk aversion) and why this protection is temporary—predicting significant changes within the next five years.

For CISSP candidates, the episode delivers exceptional value through a detailed breakdown of five Domain 1 questions. Rather than simply providing correct answers, Shon dissects each question to reveal the underlying principles and reasoning. This approach helps listeners develop the critical thinking needed to succeed not just on the exam, but in real-world security scenarios.

The questions cover essential security concepts including risk treatment strategies, due diligence versus due care, professional ethics, policy versus procedure distinctions, and governance structures. Each explanation includes common points of confusion and practical workplace applications, bridging the gap between exam preparation and professional practice.

Perhaps most valuable is Shon's advice on navigating ethical dilemmas in security consulting. His guidance on how to inform clients of regulatory violations while maintaining professional relationships demonstrates the nuanced people skills that separate truly effective security leaders from technical practitioners.

Ready to future-proof your cybersecurity career while preparing for CISSP certification? This episode delivers actionable insights for both immediate exam success and long-term career viability in an AI-transformed landscape. Check out CISSPCyberTraining.com for additional resources, including 360 free practice questions to accelerate your certification journey.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2:

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be going over CISSP questions related to Domain 1. Now in the past we have gone over around 15 different questions associated with each of the various domains and some feedback I've gotten from folks is that, you know, the questions are great, they like to have all those things, but one of the points is, like, how do I actually study for this test and how do I understand the questions? So we're going to take just a little bit different tack on this and see if you could give me some feedback from the listening audience around what your thoughts are around this topic. But the goal is that we're going to go through each question. There's about five total questions and we're going to walk through each of them and then why one is better than another one and some of the things that you may consider and some of the things you may actually discard. So the goal of this is just to be a little bit slower paced, to understand each question step by step, and then that way, when you go to actually take the exam, using the knowledge that you've gotten from CISSP Cyber Training and from various places you've found on the web, you now feel much more comfortable actually sitting and looking at a question and going, okay, now this is what they're trying to get at. So that's the goal of this podcast and we're going to see if this works. If you like this, please respond to me at contact@cisspcybertraining.com and give me some feedback and let me know if this is something that resonates or if it doesn't. And if you like the 15 questions, that's fine too; I'm just trying to figure out what works best for you and your study needs.

Speaker 2:

But before we do, I wanted to actually jump into something that I think is pretty important for most all of us that we've dealt with here. I've actually had a very interesting conversation with some friends of mine here this week and it's been very eye-opening and enlightening, and I'll just kind of go into that here in just a second. So this article comes out of ZDNet and it's basically saying how AI agents can generate $450 billion by 2028 and what potentially stands in the way of doing that. Now, the reason I bring this up is, as you know, with my company that I deal with, CISSP Cyber Training, and also as a partner with NextPeak, we are focused a lot on AI and we're focused on AI risk assessments as one of the big factors as well. Now, one thing that I say that is because there's a lot of nuances when it comes to AI and how it's going to basically upend a lot of things that we know of today, and yet we still haven't really truly grasped all of that just yet. And the reason I bring all of that up is because I was talking to a friend of mine who has a development team in New York City. He works here in the United States and he also has business in India, and one of the pieces that he was bringing up was the fact that these young people in today's market that are coming out of college are struggling to get some levels of jobs, especially in the development space, because the AI, at least from a co-development standpoint, is taking over a lot of the things that they were doing coming right out of college, and so it's an interesting part. I knew it was going to happen, but it's happened much faster than I anticipated, and obviously I can't anticipate much of anything. That's why my stock portfolio is not very good. So the point of it is that you have to be able to pivot yourself and to understand AI. But also, if you're listening to this podcast, how do you pivot yourself in the future and move on in different careers?

Speaker 2:

Now one of the listeners and one of my students made a comment to me when we were chatting in our mentorship program. He said that he was actually getting into cybersecurity because of the fact that he wanted to make himself much more marketable. He's actually a developer and he's got a great job, great gig, but he knows that if he doesn't, at some point in time they're going to outsource some of his work. So he's taking the proactive step of becoming a cybersecurity professional, or at least having some of that stink on him, so that if something does happen to his role, he's in a much better position to take care of him and his family. So I highly recommend that if you are in any space, because AI, as I walk through some of these numbers, they're gonna really stand out. Yeah, this is really gonna be a market changer.

Speaker 2:

So again, back to the article: this is how they're going to generate $450 billion by 2028. So that's only three years away, three and a half years, two and a half years away. So what they're saying is that they're combining revenue growth and cost savings because of those situations where you're not hiring a bunch of interns. You're saving money, but also the revenue growth of the more efficient use of these people's time, because now AI can do this in a much faster way.

Speaker 2:

Scaled adopters are basically saying their full deployment can expect to earn around $382 million over three years, and then the people in the pilot stage just getting started around $76 million, or billion or million, I should say. So the point of it comes into is just that the growth is there. Now, this stat I think is really important and it's going to be very telling on where it's going to potentially go. And this is why they get so excited about all this: they're saying that only 2% globally have full AI agent deployment. So only 2%, 12% partial deployment, and 23 to 24% are piloting it. So roughly around 60% are exploring AI. So that leaves 49%, or actually 39%. See, I can't do math in public. 39% aren't even in the game yet, and if you're really looking at that, they're just piloting it. That doesn't mean much of anything at this point. Right, a pilot can be at very different levels of what they're trying to accomplish, but AI is going to be a big market disruptor in a lot of different ways.

Speaker 2:

Now the barriers that people are running into are, one, lack of infrastructure for AI, and that I can see, because we're still dealing, from a security standpoint, with folks that have infrastructure that's really old. It's been around for a long time and they haven't spent the money to update it. AI is going to require that they have a much higher level of infrastructure in place than they currently do. Also, 20% have high data readiness, which basically means they are ready to ingest high volumes of data and they're ready to go. So that means 80% are not. So you can see there's a big, it's just going to be a monumental change that people are going to have to go through. Now this point is very true: low AI literacy and strategy.

Speaker 2:

Most folks don't even know how to deal with AI, let alone have a strategy around it. I've seen that as a consultant. They may just kind of go well, yeah, we need AI, and they don't really understand how they should handle it. So it's an important part. So literacy for teaching your people is extremely imperative that you have a good plan around that. So one thing it's going to come down to is they talk about strategic transformation will be required to have this happen, and that's moving beyond the pilots redesigning your processes to be AI-minded. And then I think this is really truly important.

Speaker 2:

And if you are a cybersecurity professional, even though you may think you have a good, secure job, I would actually say you probably don't. It's just going to catch up, it's just a matter of time, but you need to get AI literacy and understand the culture. You really need to get understanding the AI aspects and what you can do with your business to help you with that. And this is when I mentioned that if you think that cybersecurity, you're good for a while: the only difference between a cybersecurity professional right now and some of these developers that are struggling to find jobs and roles, the biggest difference you're going to run into is the fact that most companies are not yet willing, I say not yet willing, to offset that risk, you know, of having AI work through some of these risky situations and provide recommendations and then potentially provide controls to help mitigate some of this risk. They're not yet ready to do that because the risk is too high, and what they mean by that is that the risk of, if something goes wrong, am I going to get sued? Their monetary, financial risk that they are more concerned about will not allow the complete AI adoption of cybersecurity in the short term.

Speaker 2:

I would be willing to bet that in the next five years, you're going to start seeing a shift away from having cybersecurity professionals do a lot of the rudimentary tasks that are out there right now, and a lot of SOCs are going to have to start really organizing your people to understand how to implement AI within your organization and then re-cross-train your folks into understanding what can they do. So being AI literate is extremely valuable. You have time now; take the next five years and start really getting into AI and understanding how it can help you and then also how it can help an organization. So, again, the money is there. People are going to invest money in it. You're already seeing job cuts because of it. You better jump on the bandwagon and try to get as smart as you possibly can around AI, because of that specific reason. So, again, something to consider. Again, I don't want to say the sky is falling, but the sky is kind of falling. But it's a great opportunity for you to pivot, and I think every time something like this happens, for those who are willing to make the move, those who are willing to pivot and change their paradigm, it will be an extremely successful decision. For those that are not willing to change and not willing to change their paradigm, this will be a very painful thing that's going to occur. So I highly recommend you get your bottom going and start understanding AI, understanding security, how they interact together, what is the nexus between the two, and then you'll be in a much better position for you and your family in the next five years.

Speaker 2:

Okay, so, like I mentioned earlier, this is going to be the CISSP questions deep review, and I'm trying to come up with a great name, right, some catchy title, but the point of it is I'm trying to walk through question by question. What are they trying to get at? Why is this important? Why do you need to know it? So we break this down, right. So Domain 1, 2 and so forth. So we're going to be dealing with Domain 1. About 15% of the questions that you're going to see on the CISSP exam are there, and that's an important part for you to keep in mind. So, as you're studying for the various pieces of Domain 1, if you are weak in Domain 1, you definitely want to spend more time in it. But Domain 1 has about 15% of the questions based on the 2024 CISSP ISC² program.

Speaker 2:

Now I want a quick shout out for CISSP Cyber Training. If you want any sort of free resources, there's tons of stuff out there. A lot of the content I have is free. I'm giving more and more away all the time. If you want to have more of a concierge type of approach and more of a hand-holding, or not a hand-holding, a partnership as we walk through your CISSP, you can look at my paid resources. I have mentorship and I also have a plan to help you get your CISSP, but more of a one-on-one approach, more concierge, more white glove. I'm here for you and that's the overall purpose, because I know you can get a lot of your content for free online, which is fine. I mean, there's a lot of great stuff out there online that's free. The one thing I know is that if you want something to help you step by step to walk through it, the paid version will help you with that. If you want access to me, the paid version will help you get that. But again, if you want the free stuff, I have tons of that and more of it's coming all the time. So, again, go check it out at CISSP Cyber Training. Okay.

Speaker 2:

So question one, we're going to get into this. This is risk treatment and strategy pitfalls that you may come into as you're walking through this. Okay, so question one: a cybersecurity team discovers a vulnerability in a legacy system. The fix would cost approximately $250,000, while the projected loss from the exploit is estimated at $50,000 annually over the next three years. So again, the fix costs you a quarter of a million, while the projected loss, if you just leave it as it is, from this exploit is estimated at about $50,000 annually over the next three years. So it's roughly $150,000, not annual loss, but over the next three years you'll lose 150 grand versus the $250,000 you're going to spend to fix it. The CISO recommends no immediate action.

Speaker 2:

Which risk treatment strategy is being applied? So again, he's basically accepting the risk and he's saying, you know what? We're not going to do it because the cost is too high. So what risk strategy is being applied? A. Risk avoidance, B. Risk mitigation, C. Risk acceptance, or D. Risk transfer? Again, A. Risk avoidance, B. Risk mitigation, C. Risk acceptance, or D. Risk transfer? Okay, and the answer is C, risk acceptance. I kind of led it to that a little bit, if he's accepting the risk. But again, the fix is about $250,000, which exceeds the expected loss over that three-year period.

Speaker 2:

Now if that expected loss was to exceed $250,000, then you may or may not decide to implement the fix. And why? Why would you not want to implement it? Well, maybe the fact is that in the next two years you are going to be implementing something else that's going to totally offset that and it's just worth accepting the risk. Now, if the fix was, let's say, less than $50,000, and you lose $50,000 a year if you were to get hit, yeah, then it would be a no-brainer, you'd move on. But by choosing to take no action, the organization is knowingly accepting the risk and the financial decision is justified based on the risk assessment. Now the thing you're gonna have to also think about as a security professional is, once you accept the risk as a CISO, you go and you accept it. Now you're gonna go.

Speaker 2:

You have to document all of that, and I've run into this in a couple of consulting gigs that I've had: when the CISO or the senior leader goes, yep, I'm accepting that risk, which is great, then formal documentation needs to follow that. Why? Well, because, guess what? When I was a CISO, I ran into the same exact problem. I didn't document like I should have, and what ended up happening is, when something were to occur, if I'm out of town, there was no documentation on why I made those decisions that I made. So you need to have some level of documentation on why you've accepted the risk. That needs to be communicated up to your leadership, up to the board, or up to your CIO. Again, all of those are financial decisions, but, depending upon the decision rights you have within that organization, you will need to actually go forward and justify what you're doing. So, why the other ones are wrong.

Speaker 2:

Okay, A, risk avoidance, would involve discontinuing the use of the system, and that's not what's going to actually happen at all. Mitigation would involve applying controls to reduce the risk, which was also rejected. Why? Because the risk mitigation piece of this, the cost, was, they didn't want to spend the money. Risk transfer would likely be buying insurance or outsourcing the liability, which isn't mentioned at all in the question. So you may decide to do that. You may want to get some additional insurance, but it wasn't called out in the question specifically.

Speaker 2:

Now, one common confusion you may run into, especially when you're dealing with this, is that you may mislabel the inaction as negligence, and that's one thing to consider: people will go, well, if I don't do anything now, I could be considered negligent related to some sort of regulatory body, and that is a possibility, right, but if you document your thought process and your reasoning behind it and why you did it, odds are high that that will not go anywhere, because what these guys are wanting is, they know you're trying to make decisions based on what's best for the company. But you have to be able to document why you made those decisions and your thought process behind it. Now if you made the decision that I'm documenting it, saying I just didn't want to because I didn't think there was a risk, no big deal, if it was that flippant, yeah, then you'd be in trouble. But if you've documented why you thought this, the process and why you came to the conclusion, odds are high you're going to be in a much better position than if, obviously, you don't do anything at all. So again, you need to watch for economic justification and you really need to understand that that is the hallmark of risk acceptance when you're dealing with economic justification.

Speaker 2:

Question two: due diligence versus due care. Okay, which of the following best describes or demonstrates the principle of due diligence in an organization's security program? So which of the following best demonstrates the principle of due diligence in an organization's security program? A. Performing quarterly audits to ensure controls are functioning as expected. B. Updating incident response procedures after a breach occurred. C. Establishing a security policy approved by executive leadership. Or D. Ensuring employees sign acceptable use policies during the onboarding process. Again, which of the following demonstrates the principle of due diligence in an organization's security program? A. Performing quarterly audits. B. Updating incident response procedures after the breach occurs. C. Establishing security policy approved by executive leadership. Or D. Ensuring employees sign the acceptable use policies during the onboarding process. Again, due diligence. And the answer is A, performing quarterly audits to ensure that controls are functioning as expected.

Speaker 2:

Okay, so that's the due diligence piece. This is about ongoing monitoring and evaluation and improvement. That's what due diligence is. You're being diligent about what's there. You want to make sure that it's doing what it's supposed to be doing. The security controls are actually working as intended. These are like regular audits. These ensure oversight and accountability, which will align with the continuous due diligence aspects.

Speaker 2:

It's going to depend upon what organization you're in. You may have regulatory requirements that force you to do this on an ongoing basis, but even if you don't have regulatory requirements forcing you to do this, it's something you should consider. Again, if you're a senior leader in security, it's your head on a platter and they'll be coming for you. The moment something bad happens, knives will come out and they will be after you. So I recommend that you don't go over and above and just go crazy with this stuff, but at the same time, you should. Everything that you do, every decision you make, should be documented and why it was made. You know, it could be as simple as an email, but it needs to be documented and stored in a location that's easy to be accessed by people. So why the other ones are wrong? B is reactive. Due care may apply, but it's not proactive diligence, okay.

Speaker 2:

C, it reflects the initial governance setup. Again, that's what you're setting up, but it's not ongoing oversight, which is what due diligence will cover. And then D is obviously enforcing your acceptable use policy. Again, that's due care, making sure you're taking responsible steps to protect your assets. So, again, a lot of times that happens: due care and due diligence get confused. So due care is action taken, while due diligence is ongoing governance or oversight. Diligence means you're paying attention to it. Due care means you are actually doing something to help reduce the risk of it. Remember again, due diligence equals doing your homework. Due care equals doing the right thing. Okay, so I hope that makes sense.

Speaker 2:

That's question number two. Question three: ethics and professional judgment. Okay, you're a security consultant hired by a client who unknowingly stores regulated data in an encrypted format. Okay, so unknowingly. Fixing the issue would exceed the client's current budget. What is the most ethical course of action according to the ISC² Code of Ethics? Okay, and this comes back to what we talk about with ISC², but it's really, when it comes down to it, what is your code of ethics? Okay, most ethical course of action. There's a couple in here that you could actually do, but when they're asking what is the most ethical piece of this, which one is it? And the answer is D. Obviously, this is the one that's going to cause some strife. I will tell you that.

Speaker 2:

Inform the client of the regulatory violations, because they didn't know, right, they weren't aware. So you told them, okay, recommend immediate remediation and then document the conversation. Now, because they don't have this in budget, it's going to cause all kinds of drama. Right, there's gonna be all kinds of drama and you're gonna have to work through that, but let's just go down to what ISC² talks about. So it requires that you protect society and the common good and you act honorably, honestly and lawfully. Right. So notifying the client and documenting this will align with those duties and without overstepping any sort of legal boundary. So you've notified them. You're not actually doing it, but you're notifying them. You're not notifying regulators, you're notifying them. So now that you've notified them, it is on them to get this taken care of and addressed. But it will cause drama.

Speaker 2:

So here's one of the things that you're going to want to do as a security professional. If this happens, once you find out there's a problem, you will want to informally get on the phone and you will want to call them and let them know. Hey guys, gals, this is coming. I'm going to bring this up. You're going to see it in print, it's going to be in written format and we need to come up with a plan on how we're going to address it. I would highly recommend you do that ahead of time. You talk to them ahead of time, maybe come to them with some options on how to address the problem, maybe some things you can do to help them in this case. But have that good plan before you send an email saying this is a formal.

Speaker 2:

I'm letting you know that you have been doing this wrong. Because the reason I say that, and I don't want to tell you that you go and you say, well, you just don't tell it. You don't tell people? No, you have to do that. That's the right thing to do. The part that makes you a good partner with these folks is the fact that you then give them a heads up that this is coming, because nobody wants to be blindsided by this. And if you all of a sudden send them an email saying, hey, by the way, you are in violation of this regulation, it now is something that's totally admissible. It's something they have to deal with, they have to address, which is what they should. But if they already have been kind of warmed up to the idea of what's going on and they have some potential options, now when that email comes across their desk, they're going, oh, okay, yeah, we can do it, we got it, we got a plan.

Speaker 2:

You always want to allow people to save face. Do the right thing, do what's right, but you want to allow people to save face. It's an important part, okay, I can't stress that enough. Why are the others wrong? Okay, A ignores a violation. That's unethical. Don't want to do that. B delays the mitigation without documentation or risk escalation. C could be considered an overreaction, right, and could violate the confidentiality clauses. And that is one of those where you go and tell the regulator, hey, these guys goofed up. You don't want to go do that just yet. You want to make sure. And if you do do something like that, make sure you have legal counsel that has talked to you and they will recommend, yes, go and do that. Or they'll say, no, don't do that. Don't do any of these things without legal counsel. Now, some common confusion around this is that you will struggle with the balance between business constraints and legal and ethical responsibilities. It's that fine line, and the key here is to advocate for the security while documenting your decision. But also, you want to work as a partner with these people. I can't stress that enough. Being a partner is a good thing.

Speaker 2:

Question four: policy versus procedure. A company enforces strong password requirements. A user complains. The system allowed them to set the password "password123", or "Password123", despite the policy stating the password must contain dictionary words. What is the most likely issue? Okay, so basically, what ends up happening is you have a strong password requirement, the user was allowed to put in some goofy password that wasn't good, despite stating the passwords must contain dictionary words, must not contain dictionary words such as "password". What is the most likely issue?

Speaker 2:

Okay, A. The standard is incorrectly defined. B. The procedure was not implemented correctly. C. The policy is too vague. Or D. The guideline is overriding the policy. Okay, we all know. So you got to understand what a guideline is, you got to understand what a policy is and we got to understand what a procedure is.

Speaker 2:

And let's walk through the answer. The answer is B, the procedure was not implemented correctly. Yes, it would be that. Why? A procedure defines how. A procedure defines how policies, your acceptable use, your password policies, would be enforced, and a lot of it's the technical procedure that goes into actually clicking the links to make sure it all does what it's supposed to do. If the system technically allows for weak passwords, the implementation, i.e. the procedure, was flawed, which basically means they didn't click a button they should have probably clicked, so the procedure didn't follow through. The acceptable use or the password policy in this case is perfectly fine, according to what they said, but the controls, the configurations on the back end, did not match up with what the policy stated. So again, we'll kind of go over why the other ones were wrong.

Speaker 2:

A: standards define rules, like passwords must be 12 characters, not logical enforcement. So a standard will tell you what you should do, but it doesn't tell you how it should be done. The policy appears clear, passwords must avoid dictionary words, but it did allow a dictionary word in that password. And then guidelines, key thing, are non-mandatory, which basically means they're just guidance, is all they are. They do not override policies by any stretch of the imagination. And we talk about this. It's standards, policies, procedures, guidelines, kind of in that format. So what's the confusion? Policy versus procedure can be very confusing, and I see this all the time. People struggle with what a policy is and they also struggle with what a standard is. So the policy is what must happen. Your policies must be: you cannot have dictionary words, you have to have complex words, blah, blah, blah. The procedure is how it would happen; that's the buttons that you click to allow it to actually occur. So it's a pretty straightforward question. But you have to know various details around policies, procedures and guidelines to be able to really truly feel confident in answering the question.

Speaker 2:

Question five, the last one, security governance structures. We're getting into governance. Which of the following best illustrates a failure in security governance at the executive level? Okay, which of the following best illustrates a failure in security governance at the executive level? A, an organization lacks documented procedures for account revocation. B, a vulnerability remains unpatched for six months due to oversight. C, the security team reports to the IT director, who deprioritizes risk-based decisions. Or D, a third-party vendor failed to follow the data handling procedures, leading to a breach. Okay, so which of these best illustrates security governance at the executive level? Okay, so if you kind of go through here and these questions, you're going, well, okay, which ones are this? Does this one deal with technical? Does this one deal with executives? What is it? And let's walk into what the answer is. And the answer is C. Right, the security team reports to this IT director. So we're talking executives. This is the one who deprioritized the risk-based decisions, and so that was an executive-level challenge there.

Speaker 2:

Security governance is about organizational alignment, especially at the executive level, and that's the governance I mean. Let's be realistic. Governance helps the executive stay out of jail, and if you have good governance and you follow governance, it can help that. I don't mean it will totally protect you, but it will help you in your overall program. If security is subordinated to IT operations because of cost or convenience, you're basically saying, I don't want to deal with it, I'm going to push it down to ops. This is where governance potentially has failed, and it does cause problems, because I've seen it happen. Where ops will go, they have a different priority in how they deal with things. They also understand risk differently than the senior leadership will, and they will make decisions based on what they know.

Speaker 2:

And if you're the CISO of an organization and you understand risk from the organizational standpoint, but your IT operations folks do not and they make decisions based on IT ops, that can cause you all kinds of drama, and it can actually lead you to a lot of sort of technical aspects and legal issues that you may have to work through. So again, it's an important part. If you deal with this, you don't want to let that go down to the IT ops area if you're the CISO for your organization. Okay, A is a procedural flaw, operational, not governance level. B is a control oversight. It can stem from policy failure, not executive-level failure. And then D relates to third-party risk, right? So TPRM. This is not something that the executive level would... I mean, they would deal with it, but that was not really tied toward the IT director, it was tied towards the third-party risk. So what are some points of confusion, right?

Speaker 2:

People confuse governance with any other security control failure. If it failed, it's a governance issue, and that's not necessarily the truth. True governance involves strategic alignment, authority structures and accountability at the top of the organization. That's an important part that they have to deal with, the overall governance. If you have an organization that doesn't have really good governance, I'm sorry, but you're setting yourself up for disaster. You need to have a governance structure in place, and it doesn't have to be elaborate. It can be just basics, but at a minimum you have something that defines everybody's roles, what their responsibilities are, and also who has the decision rights. All of that is a governance type of piece, and it's an important part of all security within any organization.

Speaker 2:

Okay, that is all I have for you today. I hope you got a lot out of this. Let me know, just email me. Let me know what you think about it. The ultimate point is that I'm trying to create questions and answers for you guys so that when you go sit through the test, you go, "Ah, that's why." The point is not to regurgitate these questions, and to be very transparent, if you're trying to get the test done as fast as you possibly can, CISSP Cyber Training will help you a little bit, but it's definitely not going to help you in the levels that you need.

Speaker 2:

The goal of this program, and the goal of the podcast and of the content that I have at CISSP Cyber Training, is, one, to help you pass the CISSP, but it's also to set you up for future success as a cybersecurity professional. I'm sorry, anybody can take a test. Anybody can pass a test. But it's the expertise that you gain in this profession, that's what's going to help you, accelerate you in your career, and the more knowledge you can gain through the different cybersecurity pieces, and the way that you can then help impart that and reduce people's risk, the better off the entire community is going to be. So again, check it out, CISSP Cyber Training.

Speaker 2:

Lots of free stuff. There's some paid stuff, but I guarantee you you'll be happy with anything you go with. I wish you the best, and have a great day. We'll catch you on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
