CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 342: US Govt and Mythos - CISSP EOL-EOS (Part 1) - Board Translation (Segment 1)
The next wave of AI in cybersecurity is not a theory project, it’s an operational deadline. I open with a timely look at reporting that the White House wants federal agencies to get access to Anthropic’s Claude Mythos, and why that scramble matters for every security team. If Mythos can help uncover vulnerabilities and accelerate exploit development, the same capability that strengthens defense can also supercharge attackers. We talk about why the government wants guardrails, why supply chain risk becomes a bigger deal, and why the gap between AI leaders may be measured in months, not years.
From there, I shift into practical CISSP Domain 2.5 fundamentals: appropriate asset retention, end of life, and end of support. We walk through what “end of life” really means, why unsupported systems become high-value targets, and how to build a real end-of-life process with asset inventory, sunsetting plans, data migration, continuity planning, and secure disposal. I also share why documentation isn’t busywork, especially when legal hold and chain of custody can block normal modernization efforts, and how retention policies can reduce both compliance exposure and litigation risk.
Finally, I kick off a boardroom cybersecurity series built for senior security professionals and aspiring CISOs. The core idea is simple: boards don’t make decisions in CVSS scores or alert counts, they make decisions in revenue impact, downtime, safety, and recovery time. I explain how to translate technical risk into business language, what boards actually want to know, and how strong executive communication turns a security leader into a strategic advisor. Subscribe, share this with a teammate, and leave a review so more CISSP and cybersecurity leaders can find the show.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And What’s Ahead
SPEAKER_00 Welcome to the CISSP Cyber Training Podcast. We provide you the training and tools you need to pass the CISSP exam. Hi, my name is Shon Gerber. I'm your host. Join me each week as I provide the information you need for the CISSP exam and roll your cyber checker in the light. Alright.
Government Push For Claude Mythos
Predictive Vulnerability Management With AI
CISSP Domain 2.5 Asset End Of Life
Boardroom Cybersecurity Translation Problem
Key Takeaways And Next Steps
SPEAKER_01 Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautiful, blessed day today. Today is Monday, and on Monday we talk about areas related to the CISSP domains. Today we're going to be talking about Domain 2.5, but we're also going to be talking about a couple of different areas. One is an article that involves Anthropic, and the other is board presentations and some things you need to know from a board standpoint. So today's episode is going to be fully packed with stuff around Anthropic, the CISSP, and how you should manage the board. So let's get started with what we're going to get to today. Okay, so this article came out of CSO magazine, and it says "White House moves to give federal agencies access to Anthropic's Claude Mythos." Now, we've talked about Mythos on CISSP Cyber Training a couple of times, and it's basically their new model that's coming out at some point in the near future. One thing the article brings up is that the U.S. government, the Pentagon for example, has said that the overall use of Anthropic's AI, especially Mythos, could be very challenging for the government, especially as it relates to its ability to understand vulnerabilities and to run exploits against them. So Mythos is next generation, right? It's the new piece of this, and it's going to be something that changes a lot of things that happen throughout the U.S. and throughout the world. Now, what the article comes into is that the U.S. government wants to get access to Mythos before the rest of the world. One of the reasons for this is that it wants to be able to create and utilize its capabilities, but on a much more reduced scale. They say they'll put in guardrails to keep it staying inside the lanes.
Now, I will tell you that, like we've all learned and seen in the Terminator, what happens inside the lanes will probably pop out of the lanes. So the goal around all of this is that it's going to have to be released at some point, and governments are going to have to take action with it. I would say the biggest problem the U.S. government is facing right now is that they're worried releasing it is going to give more access to the hackers, but the Pentagon wants it out and released as well, just for their use, because they want to stay ahead of other countries that have the same kind of technology. And if we see that it's moving this quickly, it's something everybody's kind of concerned about. So the point of this article, why it's so controversial, is that they want to use it as a defensive tool and, because of potential offensive operations, they could use it against other countries; that's the U.S. government. But on the flip side, they are really concerned about the supply chain and how this could affect multiple people in multiple countries. Now, I will say from a supply chain standpoint, if any of you are paying attention to CMMC, we know that supply chain is a big factor of that. That's a certification for defense department industry, or I should say, companies that are utilized by the Defense Department. And so, the Department of War, sorry, there have been many years of talking about it in a different way. The point, though, is that they're trying to use that piece where they can use the capability, but in a way that's not at its full capacity and full capabilities. Now, they're looking to put restricted and modified versions out there, they're trying to put access limitations on it, and then some sort of monitoring and oversight. I will say that I think it's a great try.
I think they're going to have to do something. But unfortunately, like many of these things, I feel, having worked in the government for as many years as I have, that this will probably fail, and it may fail badly. But they're at least attempting to do something like this. The problem is, once Mythos gets released, and let's just say Mythos right now, because we know Mythos, we don't know this, we're assuming based on information we've received from the Anthropic people, is that it has the capability to be a red teamer on steroids. And so that is a concern. But Mythos is not the only one out there. We have the Chinese, you have ChatGPT, you have all these other types of AI-driven models that are right at the heels of what's going on with Mythos. So they're all hanging in there at pretty much the same pace. Mythos is the one that's probably a little bit of a generational leap ahead, but let's be realistic: we're talking maybe six months to a year at the most difference between them. So this is all going to be coming out, I consider, within the next 12 to 18 months. We're going to be seeing a lot of changes in this space. So where the article comes in is that vulnerability management needs to move from reactive, where it's "hey, I'm running a scan, what do I do," to more of a predictive, AI-driven discovery. And that's something I've been preaching about and harping on at CISSP Cyber Training for many years, just because of that specific fact. It's also going to impact traditional SAST, your static application security testing, as well as your dynamic application security testing. All these pieces are a huge part of what Mythos is going to do. So, again, it's all changing. There's no release date on when it's going to happen.
Nobody really knows what they're doing. I'm bringing this to your attention because I feel very strongly that what's going to happen is it's going to hit, and it's going to start changing things extremely rapidly. Within probably three to six months, we will see game-changer changes. And I'm seeing this right now. If you haven't looked at Anthropic's design capability, and I'm looking at this from a CISSP standpoint, they just released something back on the 17th of this month, April, and it is now able to do design capabilities for you. You can put in your information, you can create presentations, you can create animation that goes with it. That is incredible. And it's going to impact designers and developers substantially, but you can see just the change in that within the past six months. So everything's moving at a breakneck speed. I would just say hang on for the ride, because we're only going to see more and more changes in this space. You, as a security professional, get smart on AI GRC. Get smart on AI, start understanding it. It's going to be a game changer. I can't express this enough. If you had time to focus on one thing or another, I would start taking any extra time you have and start focusing on AI, how you can incorporate security, and, I would say, the GRC piece behind it, the people side. The coding piece of this, I'm sorry, is going to get taken over by AI itself. You need to have the GRC piece; that's the part that will not be able to be taken over by AI. That's the interaction, that's the human connection that is an important part of this overall ecosystem. Okay, so that's all I've got about this article. Again, CSO magazine, and it's talking about why the White House moves to give federal agencies access to Anthropic's Claude Mythos.
Okay, so let's roll into what we're going to talk about related to the CISSP today. This is Domain 2, 2.5: ensuring appropriate asset retention, end of life, and end of support. This is part of CISSP Cyber Training's content that's available to you at CISSP Cyber Training. Please head on over there and check out what we've got available. I've got a ton of free stuff, including a 250-question CISSP exam, as well as free content that relates to my rapid review. All that stuff is available to you at CISSP Cyber Training. A lot of the stuff, if you're doing self-study, is a good way to get you started, and really, if you just follow it, you'll be successful in your CISSP. I would say the part that will really be helpful is if you gain access to my paid products; that's going to walk you through all this content in a video format, step by step. My blueprint is incredible and walks you through how to prepare, how to study, and then what to do to take the test. All of these things are designed to help you pass the CISSP exam the first time. Okay, so 2.5: asset retention, end of life, and end of support. So, end of life. The definition of end of life is the stage when a product is no longer produced, sold, or supported by the vendor, indicating that it should be phased out of use. We talk about end of life in a lot of different aspects related to Microsoft and the various products it puts out there. These are all situations where you want to keep tabs on end of life, because the last thing you want is stuff that should be put away and decommissioned running within your network. Now, the end-of-life process is an important piece of all of this. As you're looking at different types of security frameworks and controls that you put in place, an end-of-life process is something that is called out specifically.
Now, this is maintaining an updated list of assets and their life cycle status. Where are they in relation to being maintained within your network? You need to keep that list there and updated. You also need to have a sunsetting plan: develop a structured plan to decommission assets, including data migration and continuity plans. And data retention during your end of life: you need to really understand how to export the data that is on these systems and ensure the data stored on end-of-life assets is properly transferred to new systems or archived securely. You need to have a plan for that. I'll use an example where I was dealing with some legal hold aspects, and there was a time when the lawyers were saying we need to do something with these systems. They had been holding on to them forever, and I came up to them and said, hey, these things are end of life, we need to do something with them. And they're like, no, you can't touch them, these are on legal hold. So we had to come up with an entire process for how we would move data from one system to another system and document it, so that if there was a problem and we were ever sued, they had the ability to go back and look at these systems and know what actually occurred. But a lot of times, especially in legal hold cases, they will not want to touch these systems, because they're afraid that anything could happen to the data, or it could deal with chain of custody aspects. So data migration and export is important, and it's really something you need to consider. It may seem not fun, but it's something you're going to have to do. Retention policies post end of life: determine how long the data associated with the end-of-life assets must be retained, based on your needs and your regulatory requirements. You need to have all of this defined and documented within your policies and procedures.
Now, there are some security considerations and asset disposal aspects you need to keep in mind. Security considerations: you have vulnerable systems. Systems that are end of life are particularly vulnerable if kept in production, due to the lack of vendor updates. I'll call out the OT environment. In your operational technology environment, many of those are kept in production because they don't have updates or they don't want to break things. So those are vulnerable systems you really need to keep tabs on. One thing you may watch out for is that if you have an R&D facility, sometimes these R&D facilities are sitting within your business network, hidden behind a firewall, and you have very little understanding of what's actually occurring on those systems. These are great targets for hackers, and they can go after these systems, especially if you don't know that they're even there. So a lot of that shadow IT can come back and bite you big time in the future. Isolation techniques: you need to implement network segmentation and strict access controls for those end-of-life systems that continue to stay in use. This is a plan. If for some reason your business comes up to you and says we have to keep these in place, you need to have a plan for how to deal with that specifically. So that's an important part, and working with your business leaders will help you do that. Asset disposal: you need to have a secure disposal method by which you are disposing of these systems. Are you degaussing them? Are you shredding them? Are you sending them off to some location far, far away on a planet unknown? How are you dealing with that? That's an important part of your secure disposal methods. And then you need to document what you did. I can't stress this enough. From an IT standpoint, most technical folks go, yep, did it, check. Move that device, put in this code, do that, whatever it might be.
It's the documentation piece that is an important part. And the reason is, when I was flying airplanes, we had to go through so much documentation just to do one sortie in the B-1. Tons of documentation. The purpose, though, is not that I have to do the documentation in order to fly. No, you get in the airplane, you pull back, you push forward, you go left, you go right. That's flying. But the documentation piece is that any time you are spending resources, any time you're dropping bombs, and most people hopefully aren't dropping bombs, but if you were, you're destroying things, you have to keep tabs on all these things and all the paperwork that goes with it, because it has to be documented. If something were to go sideways, you have a plan for how to deal with it. So again, documentation is important. Do not forget that. This is one of the biggest areas a security professional screws up on: they don't keep this information long term. Now, some various considerations for you to keep in mind. At what point does the vendor or the manufacturer no longer provide updates or patches? How are you going to deal with that? You also need to understand the security risks associated with this. One, increased vulnerabilities. As you now have, especially with Claude, and we talked about Mythos, more of these vulnerability-finding capabilities within these AI environments, you're going to find that you have risks you didn't even know you had. So you're going to have increased vulnerabilities. Compliance violations: this is a factor. Again, the paperwork is a big part of this. The technical piece is one aspect, but compliance and the regulatory and legal aspects are another. On the legal aspect, you can be the best organization in the world technically, but you can get sued and then go out of business because you didn't do the compliance piece of this.
Transition planning. This is where you have inventory management: you maintain a comprehensive inventory, you make sure you identify your assets that are end of service, and then your upgrade path: you develop an upgrade and replacement plan to transition before going end of service. CISOs, as an example, will be in a position for maybe two, maybe three years in most cases. I was there for eight years; I enjoyed it, I loved it. But in most cases they're there for just a few years and they move on. In this case, if you don't have a succession plan set up, especially with these systems, a new guy or gal comes in, and what ends up happening is this gets dropped; they don't come back and deal with it. You maybe have a window of, let's say, six months, maybe a year, before they get their feet underneath them and these end-of-service systems are finally addressed and talked about. So you could potentially be vulnerable during that six months to a year. It's imperative that you have these plans in place. It's helping you as well as helping the people you're working with, your future people. You need to have an upgrade path, which we talked about, and a risk assessment: evaluate the risks associated with running assets past end of service. Again, your business comes up to you. I had a friend of mine who owns an MSP, and he came out and said, you know what, I want security there, but in reality, operations must happen. Security is kind of secondary. And I challenged him on that and said, no, that's not the case. You need to work with your business, and the business needs to tell you what kind of risks they are willing to accept. It isn't just a fact that if I put the security tool in, it's going to impact revenue. It could impact revenue. And it could be something that is realistically a burden.
But the business has to make the decision of going, I am willing to accept that burden and willing to accept some of that risk and that loss of revenue, because I want to overcome the risk that's there. So again, you have to ensure that you work with your business on any of these activities. And that's where the risk assessment will come in. It gives you paperwork on how to use it. It's a great, important tool. Support extensions: extending support contracts. This is an option where you can have vendors support you past the original end-of-service date. Microsoft will do this. It does come at a price. It costs you money, and it's something you're going to have to plan for. And it doesn't go on indefinitely. You will have to at some point say, yeah, we've got to fix this problem. Third-party patches: this is where you're using patches and updates provided by third-party vendors to support your end-of-service systems as well. Maybe a third party will use the same kind of concepts and provide that to you. So those are just different types of extensions and capabilities that are available to you. Asset retention strategies. Now, the purpose of retaining assets is a couple of things. Business continuity: you want to ensure that important data remains available to support your business operations, so you've got to keep these. Regulatory compliance: retaining data for specific durations to comply with legal and regulatory requirements. And then historical and legal needs: preserving records for auditing, litigation, and historical reference. I talked about legal hold. A big factor in many companies is that if there's any sort of litigation, you have to be able to keep this data for a set period of time, and that is defined by whomever is suing you and the legal teams. So you need to make sure you understand the retention of these assets, especially when you're dealing with end of life and end of service.
Now, these retention periods are policy-based retention. So you establish periods based on data classification, business needs, and the potential legal requirements that are there. And then there needs to be, back to what we mentioned before, some level of documentation of your schedule. You need to maintain detailed records outlining the duration for each of these that you're keeping. Now, again, there are some risks of retention that you need to be aware of. Over-retention: storing data longer than is necessary increases costs, management overhead, and security risk. It also increases litigation risk, legal risk. Why is that? Well, let's say, for example, you have a manufacturing facility, and I'll just use chemical manufacturing. And you have kept records for the past 30 years of all the potential chemical releases you've had, yada, yada, yada. All this stuff has been kept, but no one really knows about it. And you've been safe, but you have all this data sitting in a box somewhere or on a hard drive. You now get sued. And as you get sued, the company comes to you and says, we want all this data that you have related to chemical manufacturing. So now you have 20 years of all this stuff you have to release. Well, there might be stuff in there where, you know what, you made some mistakes early, but you corrected them, you're doing great, you're moving up, but that's 20 years ago. That is all legal discovery. And they can use that, and they can turn around and spin it against you. So those are important pieces that you need to make sure you keep, or get rid of, I should say. Now, the part that's going to come into it: that doesn't mean you go out and burn records. You don't do that. You don't try to hide anything. Heck no, that'll make even bigger legal problems. But you need to make sure that you work with legal counsel on understanding how long you keep this data and these records.
Because every little bit that you keep beyond a certain point of expectation increases your legal and potential risks. So you need to have a plan for that. I'm beating on that drum specifically because, if I don't, there is a chance that something could happen that you have to deal with. So again, I'm not a lawyer, I don't provide legal advice. I'm just giving you some examples of what I've dealt with in the past. Now, under-retention, premature deletion of data, is the flip side of this. You have compliance aspects that you need to keep. Well, what do you do if you don't keep those records? Now you could potentially be out of compliance. So retention risk is an important part of this. Then there are some retention technologies: archiving solutions, and versioning and backup. Your archiving solutions provide automation in the movement of data to long-term storage. So you need to have a backup solution, and then you need to have an archiving solution. Depending upon the size of your company, you may want an archiving solution such as, let's just say, AWS Glacier. It's a great archiving tool that's there for you. You could pay for a different type of solution, but you need to consider, if there's any sort of versioning and backup, then what do I keep beyond my versioning and backup dates? Now, your versioning and backup obviously is ensuring data is available in multiple states and formats for retention and compliance. How fast can you get the data if something were to happen? Those are all key pieces in your retention strategy for backup and recovery. So, what are some key best practices for end of service, end of life, and asset retention? Proactive monitoring: continuously monitor vendor announcements around end of service and end of life. Microsoft publishes that; it's well known where they're at.
Other vendors, maybe not so much. I would say in the OT space, they do that a lot. They post all of that information out there, and in many cases they do it because at some point they could be held legally liable. So, proactive monitoring. Life cycle management: integrate life cycle management into the asset procurement and maintenance process. So you've got assets, you're purchasing them, you buy them, and then you want to put them in the queue to know when they're going to turn into a pumpkin. They start out as a baby, and then when are they going to die? You have to have that entire management process figured out. If you do it at the front end, you now have a whole lot of capability to ensure that you have the best control on the back end. Compliance checklist: use checklists to ensure retention practices meet your organizational and regulatory needs. Periodic reviews: you need to review your retention and asset statuses as well as policies to keep them up to date. And then finally, you need to have an incident response plan that is set up for potential breaches involving end-of-service and end-of-life systems. How do you handle those situations specifically for incident response? Do you have a plan in place for them? All of those are some key best practices for end of life, end of support, and asset retention. Okay, so that's all I have for the CISSP. Now let's move into some training related to security leadership. Okay, so this is a training that I've brought up related to the board, and how you deal with talking to and translating what is going on to the board. This is designed specifically to help security professionals, senior security professionals who may have to deal with board conversations, as well as the different aspects that go along with talking to a senior executive.
And the point of it is to give you that knowledge and experience that you then can one, take it for the CISSP exam, as well as how do you utilize the knowledge that I have to be able to help you in your future career. So, segment one, this is the first segment of a four-piece segment that we'll be doing over the coming weeks related to the board. Now, this is the translation problem. What is it? Why CISOs lose board support and how to fix it. So it's a boardroom cybersecurity series that is through CISSP Cyber Training. So where's the disconnect, right? You walk in with these critical findings, right? You're dealing with the with the board. Understand, let's pick, let me take a step back. When you're dealing with the board, these folks are people that are throughout business. Uh, they may be financial people, they may be operational people, they may be uh who knows. You don't know where they're coming from. A lot of finance folks that have a good financial background are typically part of a board. And this, they come in there and yeah, they want a security briefing. You are going to give them that security briefing and you're gonna try to talk to them about this stuff. The problem is, as I've seen it time and again, where the folks that come in, they are the IT professionals and they start talking in big fancy words that the board doesn't understand. And I kind of use this analogy as you have a dolphin and you have a shark. Okay, they both swim in the ocean, but they don't speak the same language. Maybe they do. I don't speak either one, so I don't know. But let's just assume they don't speak the same language. How does that work, right? So the disconnect is that you the IT person and the board don't speak the same language. What are you gonna do? So you walk in with these critical findings. Say the board calls you in, you're a security professional. Hey, there's some security, we hear there's critical findings. Tell me what's going on. 
They say you come in and you say firewall, and they go yon and they fall asleep, and their heads all hit the table, and then you kind of go, What happened? You're using terms that they don't or may not know. Now, firewall is pretty ubiquitous. People use this a lot, so I can anticipate there would be, they would get that, but when you start using a lot of IT lingo, they get lost in the translation. Boards discuss cyber risk alongside liquidity ratio, supplier risk, and operational downtime. So you need to come in with the attitude of how do I convert my language into theirs? So the boardroom does not dismiss cyber, they dismiss leaders who can't speak their language. And you see this time and again. If you can understand their language, you have taken the time to learn this. Good example, my CIO gave me a book when I was a CISO, said you need to read this. And this was on financial terms and understandings. Liquidity, capitalization, all of these key terms were parts that I had to understand what they were talking about. One, they would come in and I would actually, in the conversation in the board, I would make, I would know what they're saying, so I understand the language, or at least have an understanding of what they're saying. And then when I translate our capital expense of spending$1 million on a product, they understand where that's coming from. This is not a technical problem, it's a communication problem. And I've talked about this on CISSP cyber training. You all are very good technical people that are probably listening to this. You have a good grasp and understanding. However, sometimes your communication aspects are maybe a little challenged. I will tell you, I'll point fingers at myself specifically. I would be happy to eat pizza and sit in a closet and hack on computers all day long. I would be super happy doing that. That'd be great. It'd be wonderful. Unfortunately, yeah, that's not gonna work. 
And you see these folks that are online saying you can be in cybersecurity and make half a million dollars a year. Yeah, you can, but you have to change yourself to be able to do that. You can't just show up as the IT guy saying, where's my half a million? You have to understand communication and how that all plays together. So the data is clear. The gap is getting worse, not better. Communication skills are a problem. 41% of boards deal with cyber on a monthly basis. That's pretty substantial, right? So you're talking, out of all the boards out there, 40% of them deal with that. That's huge. And you know the remaining 60% will at some point in time. But however, CISO-board alignment, basically understanding each other, is down in 2025. It went down from 84% in 2024. Now, could those numbers be skewed a bit? They are, but the trend is going down, not up. 85% of CISOs report pressure to strengthen their executive communication skills. Knock, knock, knock. You need to improve your understanding of the key terms you need to be understanding and communicating with your board. And then 62% of CIOs say their business spends more on responding to attacks than preventing them. That is the strategic thought process. And this comes into your risk communication with your board. If you can communicate this well with your board, what are the tools that are going to help you? In many cases, the board is willing to spend the money if you can prove it to them and provide information on how to drop and reduce or mitigate the risk. So this is a quote from Dergesh Kalayal. I can't say his name, but he's a network security expert out of Cavestro. And I would say this is an important part, right: when cyber risk is explained in terms of lost production, safety, and recovery time, leadership will pay attention. They will. And recovery time is a big factor, and safety. Safety is the non-negotiable.
If anything deals with safety, if you don't do these things with your system, people will die. Everybody pays attention to it. One, you don't want people to die. And two, it increases all kinds of additional risk to an organization that you don't want. So if it's framed only as a technical issue, any sort of production priority will usually win. It's important. You've got to focus on this. So, two languages, one meeting. Tech language, you lose the room, right? "We have 47 unpatched CVEs with a CVSS score above 8.0." They're going, what in gosh darn it is that? Makes no sense. "Our SIEM generated 1.2 million alerts last month." Okay, so what? "Mean time to detect improved by 18%." So what? These are all "so what," right? If you can't answer these, they're going to go, what does this mean? So in business language: "We have 47 open doors. The most critical could cost $4 million and three days of downtime." Aha. That makes more sense. Well, explain these open doors. Well, these are the unpatched, we call them CVEs, and they're high risk, they're at 8.0. Okay, so explain what we should do about that. Again, more conversation. "We stopped 14 attacks targeting executive accounts last quarter." Okay, that's more digestible. 14 attacks against our execs, big, big deal. 1.2 million alerts, I have no clue what you're talking about. "We prevented potentially $6 million in fraud in Q3," right? And then they'll come back and say, well, how did you do that? Well, we have the ability to detect this information, these things that are happening, and our mean time to detect, okay, that's the time from when something happens to when we detect it, so we can eventually start to act on it, was improved by 18%. And that in turn allowed us to prevent $6 million in fraud in Q3. Oh, that sounds great. Good job, CISO. We are proud of you. Again, two languages, one meeting. You need to have a good plan. I've seen it.
I'm just explaining to you. This is stuff that will help you in your career immensely. What do boards actually want to know? What is our risk profile in dollars and operational terms? How are we set up? Now, they come to you and say, what is our risk profile? Well, you in turn, because you've worked with your operational staff that are on the board, or that maybe work for the board in different places, you can say, well, based on working with our operational teams, this is our overall risk profile, and this is what it's going to cost. This is our expense, blah, blah, blah. You can get into all of those pieces. What risks are you tracking that could disrupt us in the next 12 months? So we've got a situation: we have a risk of an unplanned outage, or we have a planned outage that could cause vulnerabilities. We have a web server that's going to be going down that could cause issues as well. You have end-of-life systems, end-of-service systems that could cause issues. All of those pieces you would bring up to your board. When something goes wrong, how did the attacker get in and why didn't we stop it? They want to know how they got in and why we didn't stop it. Now, we all know this, and this is something you can set with the board: it's not a matter of if, it's a matter of when. That being said, if you have plans in place so that when they get in, you mitigate it quickly, that's what the board wants to know. Setting the expectation with the board that they're going to get in, and setting the expectation with the board that we have plans in place to deal with it when they do get in, they're happy with that. They understand they don't live in a perfect world. But you have to, as a security professional, set that expectation. And that doesn't just happen overnight. It happens with the influence that you provide. Are you a strategic advisor or just a person managing a firewall?
If you're a person managing a firewall, you get paid firewall pay, 80 to 100 grand, great, you're awesome. If you are a strategic advisor, yeah, you're making $300,000 with stock options and you're now looking at half a million dollars a year or more in income. Again, that's a big difference, but it's true. It's totally true. Board members know the stakes. They need you to make those stakes real, actionable, and understandable. They need you to understand that, and they need you to convey it. Why is this getting harder in 2026? Boards now meet on cybersecurity monthly, the same frequency as financial performance reviews. They do. So you get more exposure. They want to know. AI threats are moving faster. Aha, and that's a big deal. Mythos is good. That's why all the CFOs and all the senior leaders for the banking industry got together last month to talk about Mythos. You get it? I hope you're getting it. Regulatory pressure: SEC, GDPR, CMMC, all of these make the boards legally accountable. Nobody wants to be legally accountable. We just don't. They understand the risk. So they need to understand what the security is behind it. The CISO role is splitting. It's strategic governance versus technical delivery. Two different career tracks. You need to understand this. I'm working as a consultant with multiple companies. I have CISOs that are extremely technical, very good. Their governance piece, maybe not so much. You've got to be able to do both. Or maybe you have two people that are working in the space. I don't know. It depends on the company and how they want to do it. CISOs who thrive earn genuine authority before the next incident forces the question. You have to be the person they come to. If you are the expert, you're the person they believe, and they're going to come talk to you when something occurs. I've had it happen where I have an incident, hackers get in, I deal with the issue. As soon as I roll it up the chain of what's going on, the board wants to meet.
And I'm chatting with the board about what actually occurred. Again, these are the folks that make decisions for the company. These are roles that, if you want to be a CISO or you want to be at some sort of strategic level within the company, you need to be aware of and you need to be able to handle. So, root cause: three communication failures. Jargon overload. Like we kind of mentioned: CVE, CVSS, firewalls, AWS. You're dealing with a Kubernetes cluster. Yeah, stuff like that. They aren't going to have any clue. Technical metrics that boards can't act on. They want metrics. They need metrics; that's what gives them something to deal with. No business connection: failing to tie your security posture to revenue, operations, and competitive risk. It's just an expense, right? That's all it is. But you can tie it to resiliency for your business, which includes your revenue and your operations. Imperative. We worked with a company out of Georgia-Pacific when I was at Koch Industries, and their competitor got hacked. And it put a competitive risk against the competitor, because when they were down for weeks on end, Georgia-Pacific in turn was able to pick up the different types of business, they deal with corrugated cardboard, and they were able to then take on the market share that this other company lost. So all of those are competitive aspects behind it. Now, if you end up having a cybersecurity incident, you could have been on the receiving end and then you lose all that revenue. So again, you've got to make the business connection. Reporting and not leading: showing up with status updates instead of strategic recommendations. If it's just status updates, they can have anybody come in and do that. I did that in the military, where I came in, I was a lieutenant colonel sitting in the corner, and when the generals wanted me, you would just give them a head nod.
You'd give them what they wanted, then they would walk on to somebody else. So the point of it is, do you want to do that, or do you want to be a strategic leader in the room? This came from the Truusona Boardroom Reality Report for 2026: "CISOs who cannot clearly explain how risk was evaluated before an incident often find themselves defending gaps rather than demonstrating foresight." You've got to think strategically. You cannot think tactically. When you're a CISO, that's not your role. Tactical actions are for your security architects or potentially your director of security. Your role as a CISO is strategic. Now, the opportunity: become the translator. The board needs a CISO who speaks both languages fluently. If you don't know it, find some good books on understanding overall business acumen. I run small businesses and I've learned a lot from some folks that are helping me with my books. You've got to learn the language. Security is now classified as a business control function, not as an IT subdomain. It is a business operational aspect that you've got to have. It just truly is. It is imperative to your business running. Forward-thinking organizations pair CISO leadership with technical VP delivery. You need to make sure they have someone that can provide this from a technical standpoint. And then executive communication is the defining career skill for security leaders in 2026. And I would say it's the defining skill for leaders going forward long term. Every practitioner in the field deserves to learn this skill. Again, it's almost never taught. You must understand it. You must take the time to learn it and grow on your own. So here are some key takeaways. One, the gap between security and the boardroom is a communication problem, not a knowledge problem. Boards are paying more attention to cyber risk than ever, but CISO alignment is declining.
And again, it's not about the money, but if you want the money, then you need to do these things to be successful in that space. Speaking business language, risk, revenue, operations, is now a core CISO competency. If anybody tells you different, run away. Right? I'm trying to tell you, with CISSP Cyber Training and the training that I provide here, it's more than just the fact that you're learning how to pass the exam. You need to look at it from the long-term play. And what do you need from a mentorship and growth and coaching standpoint? Okay, so then the last statement is: the next three segments I have, which will be coming in the subsequent months, or I should say weeks, will give you the exact translations and the frameworks on how to make this happen. So the ultimate goal was, this is the first one to get this in your face, to understand what you need to do to deal with the board as a CISO and how you manage that. So if you're ready to level up, get a hold of us at CISSPcybertraining.com. I can help you with all of these things. Business translations and the CISO are the next aspects you'll see next week. But again, awesome aspects. I hope you enjoy this. And you know what? We'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.