CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 329: Cyber Security Skills Gap - Practice CISSP Questions (Domain 1)
Security readiness is slipping while threats race ahead—so we zero in on what actually moves the needle. We start with a frank look at why so many teams feel behind: AI-driven attacks, budget constraints, and a hiring market that demands senior talent at entry-level pay. Then we get practical, connecting CISSP Domain 1 concepts to real decisions leaders make every week: how to align risk management with business goals, how to write policies that drive action, and how to use standards, baselines, guidelines, and SOPs to turn strategy into measurable outcomes.
From there, we dig into quantitative risk without the fluff. You’ll hear how to compute Single Loss Expectancy and Annualized Loss Expectancy, and why ALE clarifies budget asks better than any slide deck. We contrast due care and due diligence in plain terms: patch what’s critical now, and keep a repeatable process that proves you act responsibly over time. We also revisit ISC2 ethics, centering the top priority—protect society and the common good—and show how that principle shapes daily choices around audits, monitoring, and vendor assurance.
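A worked version of the SLE/ALE calculation discussed in this episode, added here as an illustration and not the podcast's own material. It uses the episode's figures (25% exposure factor, ARO of 0.1, SLE of $50,000); the $200,000 asset value is an assumption chosen so those figures agree, and the candidate controls and their costs are constructed to show how ALE turns into a budget argument.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # annualized cost of running the control
    new_exposure_factor: float
    new_aro: float


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset, with EF/ARO as they would be after the control is in place."""
    return Risk(risk.asset_value, control.new_exposure_factor, control.new_aro)


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - annual cost.

    A positive number means the control saves more than it costs per year,
    which is the budget justification the episode describes.
    """
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Pick the control with the highest positive safeguard value, or None
    if no control pays for itself."""
    scored = [(safeguard_value(risk, c), c) for c in controls]
    justified = [(v, c) for v, c in scored if v > 0]
    if not justified:
        return None
    return max(justified, key=lambda vc: vc[0])[1]


# Episode figures: EF 25%, ARO 0.1, SLE $50,000. The AV of $200,000 is an
# assumption consistent with those numbers (200,000 x 0.25 = 50,000).
FLOOD = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.1)

# Constructed candidate controls, not from the page.
SENSORS = Control("water sensors and sump pumps", annual_cost=1_000,
                  new_exposure_factor=0.05, new_aro=0.1)
RELOCATE = Control("move data center off the flood plain", annual_cost=20_000,
                   new_exposure_factor=0.0, new_aro=0.1)

if __name__ == "__main__":
    print(f"SLE = ${FLOOD.sle():,.0f}, ALE = ${FLOOD.ale():,.0f} per year")
    for c in (SENSORS, RELOCATE):
        print(f"{c.name}: value ${safeguard_value(FLOOD, c):,.0f}/year")
    chosen = best_control(FLOOD, [SENSORS, RELOCATE])
    print("Recommend:", chosen.name if chosen else "no control is cost-justified")
```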
Cloud security gets its own spotlight. When penetration tests are restricted, we show how to leverage SOC 2 Type II and ISO 27001 under NDA, map those assurances to your control set and risk appetite, and close gaps with compensating controls. Along the way, we challenge common hiring myths, explore smart uses of MSPs, and show why cross-training software engineers into security often outperforms chasing more certifications. The result is a clear, actionable path from policy to practice that helps you harden faster and justify every control with data.
If you’re studying for the CISSP or leading a team that needs wins now, this session brings usable strategies, not buzzwords. Subscribe, share with a teammate who needs it, and leave a review to tell us which takeaway you’ll implement first.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And Episode Setup
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host of this Action Pack and Forward Podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
SPEAKER_01: Hey all you're doing here for CIS CIS Cyber Training and hopefully today, today's CIS CISS Day. And we are going to go get over the CISSP questions related to domain one of the CISS. But before we do I obviously have a couple things I am going to be IP, if you are in the Louisville area, Louisville, Kentucky, that is. And as you are listening to this, you probably can talk about their own daughters getting married, probably are pretty excited about that. Or taking it in some way or another. And this article, if you're aware of it, the leaping drive. And this is where it comes down to the street. It's awesome. But yeah. So that's not what you need to listen to is about driving to Louisville, Kentucky. You want to learn about stuff on Skype.
SPEAKER_02: We all know there's an article that I saw today.
SPEAKER_01: This comes out by CSO magazine by John Edwards. That these IPs are going to have published this out and I have the World Economic Business Data. Only 14% of organizations are common. So I have our warehouse to meet their security. And some primary factors that are awesome are actually something that we're just going to go over.
Industry Stats On Readiness And AI Threats
SPEAKER_02: But we see this right now. The question comes into is these phobies and increased burden people. Now the world has changed.
Hiring Mismatch And Budget Constraints
SPEAKER_01: There's an issue right there. The budget cuts on those cameras. And this is a rapid evolution of AI-driven threats, obviously, and how threats are actually used now. And understanding how to be challenged as well. Now there is a mismatch between what employers want and they would post it on websites that would be a very important thing. And so this is a situation that came up in Korea. I've been doing cybersecurity for many years and I've been interviewing a lot of people and leave Canada. They basically offer suspects who are alleged roles for people that 20,000 meeting, well, I got to try to talk about South Korea. This would include cameras in homes, commercial facilities, they also though are having this state looking for that. And they basically have a person with senior experience but offer only entry-level compensation. While some of the new graduates are private foundational experiences, you have a camera in those areas because of the washed and monitoring expectations. And this is a big factory. That's a lot of sitting at home and just scanning through the thousand dollars.
SPEAKER_02: And then neglecting your current talent.
SPEAKER_01: They probably would make more money right now in Hopper. But people do basically as an officer. It's imperative that about 7,000 because we start looking at the round $12,000 as well. So in realistic job applications, job posts came up frequently demanded excessive number of certifications of experience for entry. It was $63,000 for effectively screening out qualified or high potential candidates. So you see this a lot. This isn't something new. But you need to understand what you're trying to find. And so they decided to go. You need to have a really good strategic view around this.
SPEAKER_02: So the challenge is a very important thing to do.
SPEAKER_01: The gap is particularly acute in the public sector due to rigid hiring freezes, lower budget. One, dealing a lot with grants that were trauma available, and now all the changes in financial aspects going away. And then we've got children that are potentially being seen as private inappropriate. So how are the CISOs? And then you run down the responding to now because you did this. Well, one is outsourcing attorney to manage services to handle the operation tasks. They don't have to really tell you to be their problem. And that's a great option. It really truly is. I would say some of the MSPs that I've worked on may not have drama levels. But you know what? They may find that. So when you pay them enough money, comes down to them. Internal mobility, identifying employees and type of other departments like software engineers. I see this as a hack to any sort of software development piece of this. You can train them into secure roles. There's no question about it. This isn't that you have to have a unit. But there would be a lot more soft access points there. Prioritizing problem solving credentials. Assuming that you are going to get changed, I hit this and I beat this drum all the time. You can run changing default admin credentials. And the soft skills are the communication pieces once they get one, the actual building. And it does give me access to what's actually great article. I think that was awesome here. And again, factors are the same that you don't change the phone. You may roll back five years from now and say, hey, what are the factors affecting on them? These will probably come back issues. It may not be AI, maybe something different. Disable robot access will not guarantee that this is the biggest issue camera firmware, technology. This is something that failure to frame the gap don't do as well. Neglecting current talent, set them in forgetting. Those are really simple things that you can put in place that protect you and your family.
Depending on the CSO maybe have cameras within your home, you may want to come up with the case. Okay, let's roll into the questions for cyber training. You can have all of these questions. These are just a small subset of the questions that are available to you. This is not cyber training. Head on over, check it out. If you just want to try out my 363 questions, along with all the cameras, these are the basics. It doesn't cost you a dime. But if you really want to have more capability, then you really need to look at some of the other options I have to do. Head on over to CIST. And this is part of CICP question training. And these are all part of the deep dive. Well, guess what? What a better one. An organization is transitioning from a traditional risk. So I've got a bunch of free things that are out there. Which of the following best describes the primary program. However, if you really truly want to get this thing knocked out, A, to ensure that IT risk management have your best isolation path from operational risk. B to align risk management activities with the organization's strategic goals.
SPEAKER_02: Or D to transfer all residual risk to third parties, insurance providers to achieve a regretal risk.
SPEAKER_01: And five minutes, you really need the content to help you do that. But head on over to ensure that I trained all of that information in isolation from operational risk training to prevent cross-contamination and available to the same thing. Especially operational risk. Unfortunately, so many people may think that IT is in its own side. So I want to get a little bit deeper into the operational side than in its own side. So you need to ensure that one right there. This content most likely possible. It most likely will not automate the risk assessment process using quantitative direction to eliminate answer questions when you go to take these. Okay, so let's go back to the traditional risk management approach. So your automating risk assessment process requirement isn't bad. Bringing quantitative external body. But when you basically want to make it a lot of things, exclusively to eliminate subjective buy control and actually doing what you're supposed to be doing before somebody exclusive to highlights, you want to use qualitative and quantitative specifically with this external certification. Then D, to transfer all residual risk to a third-party insurance provider, set up to residual risk to third-party insurance providers facing as C for achieved zero risk systems. Or D is not a one-time automated vulnerability standard. Even if you do transfer this residual risk to them, there is still a level of risk with the problem. So the correct answer is to align risk management activities with organizational strategic goals. But let's kind of walk through decision questions. So we talked about you want to make sure you have a good main point. Some of the needs are one time. It hasn't been something you've been building on. So that one implementing a new security governance framework count if I'm not going to be able to do that. Which document is considered to be a good idea. Conduct a setup at high level and must be approved by senior management.
Now you probably need one penetration before bringing some certification authority in to security policy environment. B, however, at standard operating procedures, basically you've got to do them on IWIM. It's possible, but I don't think we're talking high-level, right? So that's the CEO performing. And it has to be going all the way aligned with the board. So why is this? Well, it's designed to verify both control design and operational is not correct. So they're going to look at guidelines are typically used to line up you with a job. It has the price property, processes and place to more or less gives you direction. Baselines is the baseline configuration piece of this. They're going to expect you to have done this at some point in time. Then standard operating form before SOPs. These are very tactical types of activities. Standard operating procedures, baselines and guidelines. Security policies are an imperative part because any organization and they are the piece that's going to help you as an organization. So we want to make sure that we are in a good idea. And your procedures, your SOPs are the most granular step-by-step instructions. So general kind of keep that in mind is going to help you a lot in the future as you are developing that for you. Your team does it design, a control and implements them, and during a quantitative risk analysis, you determine that. Which of the files is valid. A exposure factor for a function reports outside water rolling through your data center is 25%. So your board wants to have an independent rate of a current gives all their information from 10%. What is the annualized loss because the security staff understands control and your overall value effective exposure factor 25% and the ARO is point one? You agree, but the label of the activity of self-assessment is $50,000. So you basically come down to B is $20,000. And the next answer, you can't the language can be 100 different. Okay, so let's figure this baby out.
So if you know that your single loss expectancy, you're trying to figure out that and operate.
SPEAKER_02: You're going to have your asset value times your exposure factor. Or you decline it's a $200. This is an area where many people will buy off the market.
SPEAKER_01: I'm good, and then they will grab and buy it. So your recommending an internal audit would be your SLE came out to be your single loss expectancy of $50,000 times 0.1 or 10%. That's the same thing. So the ALE is your most critical number for management because it tells you how much you should expect to be expensive per year. Which helps you justify the budget of the government. And your annual loss expectancy is five. You may go, you know what, I'm not going to do that. Your security staff will cost maybe $1,000. And then if you agree to it, they'll want to do a self-assessment versus an audit. You may go to the point of saying, yeah, it's worth spending the money right now. So the ultimate goal is you're going to want to do that. This is just one factor that you're trying to use when you take the leaders of the account of the budget for the other thing. Question three: a recent vulnerability assessment identifies several issues. Which of the following actions is a company vulnerability to tear the scanner. That is the same thing. But it does it has to be a good thing. Well, it's not a good thing. A developing a multi-year strategy roadmap for security architecture. Okay, vulnerability into a background. You're not actually doing something on this piece here. You are I mean you are, but you are developing vulnerability and require emergency patches. So the mediums are along the line of due diligence. How should you authentic handle that? Or D. Perform a risk analysis. Now that is taking a level of due care of found that's not really focused on specifically payment systems, not a critical vulnerability. One finding has a million pieces of this for the scanner. That's not really something that fits into this question. It could buy the C or D performing a gap analysis against an ISO 27001 standard. It's really not more of a due diligence kind of action. It's not really a due career. Backlog might be a good option.
So when we're talking due care, this is an action of the implementation of doing what is right because immediately entered the vulnerability and requirements. There are lots of reasonable people, but we see every day in the news only use of variable potentially. So the correct answer would be D. Next question, which of the following canons of the ISC2 Code of Ethics is considered the most important thing. It takes precedence over others than if determining a factor for your organization. These are important competent service to place, advance and protect the profession. Okay, internal, we're not going to be able to do that. ISC2, you know this is the whole process. So what is the most important takes precedence over everything at CISSP Cyber Training many times is provide diligent and competent service to principles ongoing. Yes, you want to do that, but that's the same thing. The provider already performs annual external SOC. Advance and protect the profession. So this wanted SaaS provider is that must comply with regulatory expectations. Act honorably, honestly, justly, responsibly, and legally, which of the following best satisfies the expectation ongoing right under this optimizing one that is correct. It's an important thing. Protect society, the common good, necessary public trust, confidence, increase the external stock audit. If we don't protect the stuff that's there, then it allows B, implement a risk-based honorably comes right out of combining with self-assessments. But when it comes right down to it, protecting society and the common good is the number one. Or D rely on real-time security control. Okay, that is all I have for you today. Head on over to CISSP Cyber Training. Go check it out. There's really good stuff there. CRPSSPhous Cybertraining.com, and you can check out everything that's when it comes back to the lots and free stuff. Go check out my videos on YouTube. Go check out the videos that are there.
Some of these are more expensive than others. Really excited about the future, and it's going to increase our having a beautiful blessed day, and we will catch you all on the flip side. It'll help you increase the video. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback.
SPEAKER_00: So also check out my videos that are on YouTube and just head to my channel at CISSP Cybertraining.
SPEAKER_01: And you will find a plethora or a cornucopia of content to help us back to the CISSP full-time audit. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening. So maybe the coverage may not be as valuable. C, or I should say D, rely on real-time security monitoring tools as they are continuously monitoring security events. You should have this in place anyway if you're dealing with a software two. That's probably not your best choice. I would say that's probably the least desirable choice of all the four. Then the answer, the correct answer would be B, implement a risk-based internal assessment program combining both security assessments and targeted internal audits and continuous monitoring. All of the three are in place. And yeah, so now you're looking at everything. So you're not just looking at one or two, or you're just looking at every six months, you're now looking at it on a continuous and optimized basis. So again, this will definitely balance out regulatory expectations, operational practicality, practicality words, and then cost control versus assurance. So all of those pieces are last question for this. Your company is moving a critical application to a public cloud provider using PaaS as a model. The provider does not allow customer penetration tests again. And also ISO 27001. So what is the best approach to obtaining assurance is that the provider's controls are effective? So again, they won't allow it to hit it because it's a platform as a service model. But they do talk to type two, they do ISO 27001 and the dependent test. And this is all available to you, the reports are under an NDA. Reject the provider because a penetration test cannot be performed by your internal red team. B rely solely on the provider's marketing documentation for security white papers.
C review the map of the independent assurance reports under your organization's control requirements and risk appetite, or the demand access to raw penetration tests, artifacts and complications from the provider's red team. Okay, so how do you do you want it to be? So the key question on this is that you need to understand I've run into this review multiple times. As a CISO and in different other aspects, you're gonna want to know it's all about the risk, right? It's all about the risk. It's all about the risk. It's all about the risk, right? Well, if it's all about the risk, the key thing around this, then is you want to focus on what have they done. And if they are actually truly have certifications, type two, type two, and ISO 27001, as well as a pen test, if they've done this, then that would really be a good thing. So let's talk about that. That is no no. You can't necessarily say that. Now, I say that if you have multi-gazillion dollars in IP-based information with these people, then you may want to talk to them and say, Well, I can't do it against your platform, so maybe I'm willing to stand up my own platform that you guys manage. Those are options, right? Now, I they they totally have legit concerns about having you do it against their stuff, but then maybe you need to look at other options architecturally. B, rely solely on the provider's marketing documentation and security white papers. Well, okay, anybody can put what they want in papers. Now they could get sued, but you definitely don't want to rely on that. That that's great. It might be the first hack of going, okay, cool, there's SOC 2 type 2. Awesome. Yeah, that might be great at the beginning, but when it comes right down to it, you're gonna want to see their documentation.
So demand, demand is usually not a really good word when you're trying to meet with people, so question or answer D, demand full access to raw pen tests, artifacts, and exploit chains from the provider's red team. So demanding usually does not go well. It becomes very confrontational very quickly. So I would highly recommend you do not use that. You actually maybe have a good discussion and dialogue with them, and maybe they'll be happy enough to give that information to you. That being said, the right answer is C. Review and map the independent assurance reports to your organization's control requirements and risk appetite. Comes right down to put them under NDA, get the NDA, sign the NDA. Then they will give you all this information, and then you can start looking at it and gleaning over it and determining if it will meet your needs. Again, you need a correct response is you want to get the access to the reports, but you gotta get them under NDA. You want to scope it and determine the coverage to ensure that it covers your own network, and then you want to identify gaps where your organization must implement compensating and complementary controls. So, again, that is the answer. Again, that's on question five. Review and map independent assurance reports to your organization's control requirements and risk appetite. Okay, so if you go to CISSP Cyber Training, I actually have more questions that are tied into my deep dive. I just don't have time to go over all of them right now. Head on over to CISSP Cyber Training. You can get access to those. Those are all available to you. Again, I'll tell you that's on the paid subscription to get access to some of the deep dive questions that I have. But you can actually look at the video of this and you can go through this. This will be available on my blog as well as it'll be posted, obviously, in this podcast.
But all that's available to you at CISSP Cyber Training. All right, thank you so much for joining me today again. I appreciate it. I want to tell you that I hope you all are doing well, and I get more people pinging me all the time saying, passed, I passed. It's like the ding on your phone, you know? Okay, ding, passed, ding, passed. It's been awesome. I'm so excited that people are passing using the CISSP Cyber Training content because they're very, very happy with it. So that's the ultimate goal. Get you done, get you passed, get you moving on. All right, have a great day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.