CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 343: Microsoft Defender - CISSP EOL-EOS (Part 2) - Board Translation (Segment 2)
Three Microsoft Defender zero-days are reportedly being exploited, and that is the kind of headline that tests whether our security program is real or just optimistic. I break down what we know, including BlueHammer (CVE-2026-33825) landing in Patch Tuesday while Red Sun and Undefend were described as still unpatched at the time, and the practical response: update fast, verify coverage, and keep your eyes on threat intel so local privilege escalation does not become a bigger incident.
From there, I keep the CISSP momentum going with Domain 2.5 retention requirements, because retention is one of those “boring” topics that turns you into a hero the day something goes wrong. We walk through why retention exists (regulatory compliance, legal mandates, litigation holds, audits, and business continuity), what you should actually retain (security logs, audit trails, backups, PCAP where it makes sense, and especially configuration files and system documentation), and how to test backup and recovery so it works when you need it. We also hit the real-world trade-offs: cost vs risk, over-retention vs under-retention, GDPR-style data minimisation, and secure disposal with documentation you can show an auditor.
Then I shift into security leadership with segment two of the boardroom cybersecurity series: five business translations that convert security speak into language boards can act on. Vulnerabilities become business exposure, alert volume becomes risk prevented, budget requests become ROI, AI threats become operational risk, and compliance becomes business continuity. If you want clearer retention policies, stronger audit readiness, and better executive buy-in, subscribe, share the show, and leave a review so more security pros can find it.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And Domain 2.5 Setup
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast. We provide you the training and tools you need for the CISSP exam. Hi, my name is Shon Gerber. I'm your host of this podcast. Join me each week as I provide the information you need for the CISSP exam and to grow your cyber career. Alright.
SPEAKER_01: Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be continuing our discussion around Domain 2.5 of the CISSP. This is from last week. We kind of continued on that because it's a little bit long, and we also added into that conversation. This will be segment two of the cybersecurity board recommendations. And so I think it's going to be great. There are actually four videos, I believe, if I'm not mistaken, that are coming out, specifically around the board and the training related to that. But today we're going to talk about Microsoft. There are three Microsoft Defender zero-days that are actively being exploited. This comes out of Hacker News, and I've seen this in a couple of other different areas as well today. It involves BlueHammer, Red Sun, and Undefend. Now, if you're running Microsoft Defender, you want to make sure that you are taking care of your systems to ensure that they are actively updated. So what it basically comes down to is Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Defender, and with those, you can gain elevated privileges on a compromised system. We talked about their code names: BlueHammer, Red Sun, and Undefend. These were basically found by a researcher known as Chaotic Eclipse, also known as Nightmare Eclipse. They're just interesting names. I mean, yeah, these guys think very highly of themselves: I am a Nightmare Eclipse or a Chaotic Eclipse. They are basically local privilege escalations, and they're impacting Defender. Now, the one thing they're saying is that one of them has been updated. So BlueHammer is in the Patch Tuesday updates that were done. This is CVE-2026-33825. The others, though, are unpatched at this moment. Now, that's when this article came out, on April 17th. That's when it was the case.
Maybe by the time you're actually listening to this, it's patched. But if you have Microsoft Defender in your organization, one of the things you need to keep in mind is to ensure that the one update has been done, that the BlueHammer patch has been completed, and that you are watching out for Red Sun and Undefend. That's about all you can do: just keep an eye on what's actually going on. Now, this is a local privilege escalation, so it's something that would occur within your organization locally, but you just need to watch what's actually happening within your area and your organization specifically. So again, Microsoft Defender: there are three zero-days actively being exploited, and two are still unpatched.

Okay, so let's roll into what we're going to talk about today. This is part two of Domain 2. Now, the purpose and importance of retention requirements are, as we mentioned, compliance and legal mandates. So as an organization you need to adhere to industry-specific laws and regulations such as HIPAA for healthcare, SOX, Sarbanes-Oxley, for public companies, and GDPR for data protection. You also need to have, as we talked about, legal hold, potentially keeping data for legal investigations or litigation. Now you have business continuity and operational needs. You need to ensure your critical data and records are accessible for ongoing operations and recovery. This is a big factor. And don't go with the defaults. I'm beating on this because I've seen it and it's bitten me. You need to work with your operations teams to ensure that your backup and recovery setup meets their needs, and you need to do a test to ensure that it is going to meet your expectations. So operational needs are important. It's not just IT doing this, and I can't stress this enough: you have to work in conjunction with your operations teams. So this is a management slash CISSP slash CISO big nugget.
Audit and accountability: retaining system logs and records to support audits and demonstrate adherence to policies. This is an important part of the audit and assessment process. You need to make sure that you keep the logs and keep the data to ensure that you're managing that as well. Historical and reference use: your data analysis, keeping historical data to analyze trends. And then you need to retain system documentation and configurations for future projects or migrations. Now I'll tell you, this is an example of how knowledge preservation is important. Working with systems that are end of service, end of life, they run on software that is probably no longer around. You need to have the documentation and keep the documentation, because if you come up with another program, and now we have Claude and all these things that you can use for this, you need to have the requirements: what it does, how it works, what does it integrate with? If it's all documented, you could feed that into the AI and ML, and it could come up with a piece of code that could potentially help you with that. So knowledge preservation is an important part, especially as we move with these new AI systems. You potentially, I'm saying potentially, could utilize Claude or these other types of AIs to provide you that capability in an AWS micro environment. So just keep that in the back of your head. There are opportunities there, but you need to have the documentation. If the documentation doesn't exist because it's been lost, now you need to figure out how you can recreate it in a way that could potentially help you.

Now, there are types of data and systems that are subject to retention. User and system logs, security logs: retain these logs for access control, authentication, and security incidents. These would be retained for a defined period to support investigations and forensic analysis. How much are you going to keep?
PCAP data is an important part of many sorts of investigations. However, your packet capture data can be very voluminous and very large, and because of that, it can add a lot of cost and a lot of configuration challenges you've got to work through. So you need to understand what you need to keep. You need to keep just enough, but not too much. All right. So good luck on that one. Yeah, that's a hard one. But I would start off small and build your way up, and just always keep that in the back of your mind. Audit trails: maintain comprehensive audit trails to track changes in system configuration and administrative actions. And then application and database data: you need to have operational records of your customer data, financial records, and other critical data. All of this, again, is through your backup and recovery solutions. You need to make sure you test these. Now, I will tell you that depending upon how you plan your DR and your BC plans, you will want to do some level of testing at least annually. I would recommend that you do it maybe quarterly in different sections, but that can get very overbearing at times and can be a bit much. But at a minimum, you need to be doing annual testing on your backup and recovery solutions. System documentation: this is where you have configuration files and system documentation for these things. Configuration files are a big factor, right? So let's say, for example, you have a firewall and you went through all this work to make it secure. You now have the configuration files in place, right? How are you backing those up? Because let's just say that this thing burps all over itself and ends up being a mess and you've got to put a new firewall in. Well, wouldn't it be nice to have the configurations already there that you could just import? So often people back up the data, but they forget about the configuration files that are associated with all this equipment. Retain those as well.
Those are very supportive, especially the ones that are supporting very critical systems and functions. Technical manuals and change logs, we talked about that a little bit already, but documentation around these systems is important. So, types of assets that are subject to retention. You have data assets, which are your data, your user data, system logs, and backup data. You also have your physical and virtual assets. These are your servers, hardware, and your storage media. All of this information should be kept for retention. You need to work with your operations team to do this, and you need to work with your development team to ensure they understand what the operations team wants. So this is where you wear the influential hat. You as a cybersecurity professional, CISO, director of IT, director of security, are now in a position where you are working with your DevOps team, your senior leaders, and your operations team to make sure that they're merging well together. I will tell you, having worked with many DevOps teams, they are very good at what they do, but they don't see the bigger picture in many cases. And so you need to consider how you work with them on that specific area. Documentation and records, configuration and change management: these detail system configurations and changes. And then you also need to have operational security procedures defined and backed up as well. That means any sort of procedure you make for your SIEM, your firewalls, your incident response process, any of your vulnerability scanning pieces, all of those need to be backed up and stored in a location that'll provide you business continuity and disaster recovery. So, some factors influencing retention requirements. You have regulatory and legal requirements. These are specific regulations that are focused on what you need to do around retention.
So, as an example, patient health records must be retained for at least six years, while financial records may require retention of up to seven years. Now, that is dependent, right? It just depends on the situation. There are international laws. GDPR does have data minimization, so you need to make sure that you keep the data at a limited level. They have the anonymization aspects of GDPR as well. So you need to really, truly understand where you're operating and what are some of these restrictions you may run into. Business and operational needs: you have historical reference, retaining data and system information for future reference and trend analysis. And then as well, you need compliance audits and reviews, retaining data to support internal and external audits. I've had plenty of external audits done, and I've had to provide the auditors with information from various scans and various documentation we have done from an internal assessment. All of that needs to be kept in a central location and available to people. Risk management considerations, risk of data loss: that means you assess the risk of not retaining specific types of data, the potential impact on operations, and/or legal compliance. And then the cost of management: balance the cost of retaining assets against potential fines and operational challenges posed by inadequate data retention. So you do have the risk, if you don't pay attention to it, of data loss, which can bite you very painfully, and then cost management. The problem of maintaining too much: you could have data storage issues. But also, not maintaining enough: you could have fines and then operational challenges. One example, and this bit me pretty hard one time, was we had operational folks who ended up having all their data stored within one location. And what did they do? They decided to start cleaning house and deleting it. But thank goodness we had actually archived it and put it in Glacier storage.
But so when they started deleting things, things were still being archived. The operational teams came back and said, hey, we need to make a change to this box, this system, and we're going to be doing it in the next six months. Where's the data? And the engineers are like, uh, it was deleted. But we came in, saved the day, and brought in this archived data. So again, a good plan around the management of it is incredibly important. I can't stress it enough. It's one of those things that's an unsung hero. But if you do it right and it comes out, you will be the hero. Retention policies and schedules. Retention policy development: you need to have a comprehensive policy that outlines the types of assets, the duration, the storage methods, and the access controls. All of that needs to be defined within your policies. Boilerplate policies will not define this at a level that is best for you. They may call out just certain best practices, but you need to go in and make sure that what is defined in your policies meets what your company wants. There need to be clear guidelines to ensure policies include details on how and when the data should be securely disposed of after the retention period itself. Schedules should be categorized. There should be defined schedules based on data types: your security logs for one year, backup data for five years. Do you have that? Is that defined within your policy setups? Review and update: you want to regularly review retention schedules to ensure alignment with evolving legal and business requirements. And then exceptions and overrides: there need to be legal holds and policy exceptions as well. You need to have the ability to override your retention periods when needed for legal cases or ongoing investigations. So, what does that mean? Let's say your normal policy is I keep it for one year.
But legal comes up to you and says, hey, these devices need to be kept for a minimum of seven years. You need to have the ability to override and maintain that. Now, you also need to come back, though, when you're dealing with policy exceptions, to the next bullet, and that is document and approve exceptions to the retention policy when necessary. So if you're being asked by legal to do this, you need to make sure you document it. Not just, hey, I got a phone call from my legal guy, and he said I want to do this, and you just say, okay, no problem, and you do it. No, bad idea. Do not do that. You need to make sure that you have this documented and well understood by everybody involved. I cannot stress this enough. If you play with legal and you don't document things, you will get burned. You will get burned. So keep it. Okay, I hope I've beaten that horse enough. So, some of the challenges and risks in asset retention. Over-retention, right? You have security and privacy risks, keeping data longer than you should, and also legal risks that come with that. Increased cost: large storage volumes can lead to significant storage and maintenance costs that you don't plan for. Under-retention: compliance risks, again, we talked about that, and operational impact. All of those things are some of the risks that you can deal with in asset retention. And then balancing retention versus privacy. Data minimization is an important part, especially for personal and sensitive information. And you need to ensure that you have data protection measures in place with strong access controls and encryption. Now, with this, you need to make sure that if you have these and you put these in place, and your legal team is good, and your DevOps team says, yeah, we've employed it, and your IT team says yes, that's all in place, you need to test it. And you need to make sure that what they say is true. Not to say that anybody's lying to you. I would not infer that.
But what I'm saying is that sometimes people will put things in place, and in today's world where everything is set up with a configuration, they forgot to check the box. And if you forget to check a certain box, you could actually say, yeah, we're good, but then realize, oh wait, I screwed that up. I've seen it happen over and over again. So, important part: trust, but verify. Secure disposal procedures, data sanitization. Again, all of these methods of data wiping, degaussing, or physical destruction ensure the data is irrecoverable. You need to maintain records of data disposal for audit purposes and to verify compliance. Asset lifecycle management: you need to track assets through their life cycle, and then you need to have end-of-life planning. You need to plan for secure decommissioning of systems and their devices as well. So tracking it, end-of-life planning, all of these things need to be in place when you're disposing of this equipment. You need to document this. And I can't stress this enough as well: documentation on these systems that you're disposing of. If you pay for Shred R Us to come out and shred your documents and/or your hard drives, they need to sign something. They need to have a document, an itemized list of what they took, and you need to be able to put this in a location so that when someone comes up and says, what happened to my hard drive? Well, it was destroyed. Why was it destroyed? Well, because XYZ said it was destroyed and needed to be destroyed. Then they go look at Mr. Person XYZ and they're off your back. Again, you need to make sure there's documentation related to that. So, best practices for asset retention. Automated retention tools: utilize software to help you in this process as much as you possibly can. Employee training: I can't stress this enough as well.
I stress a lot of stuff in these, but the point comes into employee training by educating your staff on retention policies and the importance of compliance with the asset retention requirements. A big deal. Big, big, big deal. Audit monitoring: regularly audit retention practices to ensure compliance and identify areas of improvement. Again, come back and also ensure that you're trusting but verifying. And then your retention policy documentation: keeping documentation specifically set for what you have done, who the contact points are, the questions, and/or exceptions. All in one specific location. So those are some key best practices: automated retention, employee training, audit monitoring, and retention policy documentation. Key considerations for security professionals. Ensure your policies are up to date. This means if you sit in a situation where you take over as a CISO, the first thing you should do is review all the policies there and determine which ones need to be updated. Maybe they don't, maybe they're good, maybe everything's happy, or you keep them the way they are because, you know what, I don't want to rock the boat right now and I just want to figure out what's going on. That's fine too. But you need to make sure you understand the policies that are there. Compliance monitoring: implement monitoring mechanisms to ensure retention practices align with defined policies. And now this could be something as simple as, you know, you're taking all the logs from what's happening right now and putting them into a big bucket. Or you could pay for something specifically that will be looking at all of this for you. Cross-functional coordination: work closely with legal, compliance, and IT teams to create retention strategies that align with both regulatory requirements and your overall business objectives. So all of those are some key considerations that you as a professional need to be aware of. Okay, so that's all I have for the CISSP.
Now let's move into some training related to security leadership. Okay, this is segment two of the boardroom cybersecurity series: the five business translations, converting security speak into language boards can act on. Why do translations matter? Boards do not need less cyber, they need it explained differently. The same risk framed in business terms gets funded, whereas if it's framed technically, it will get dismissed. And I've seen this time and again. You have to make sure that the words you're communicating with them are the words they understand. A real example around this would be citing a high CVSS score, which will get dismissed or ignored. But a vulnerability that could halt one of your lines for 72 hours and could cost you $14 million will get immediate action. I'll give you an example of how this happened to me specifically. I had a facility that I worked with, and they said that, well, if the site is down for even three days, I'm okay with that. It's, you know, we understand that it's a big deal, but you know what, it's costing me $7 million a day, but I'm willing to accept a $21 million loss because of X, Y, and Z. And I said to him, okay, so you're willing to accept a $21 million loss. But let's just be clear. You will not be down for three days. Expect it to be down in a degraded state for at least probably close to three weeks. Once I said that, he went, oh, yeah, that's not good. We don't need that. Now, $21 million is a lot of money. And I would say that even then, when they say that it would be okay, it probably wouldn't be. But let's just say three weeks, and now we're talking multiple millions of dollars. It changes the conversation dramatically. Now, I had to come to that table with that conversation with the details and the metrics that could support it. You can't just arbitrarily say this out of the blue, but those conversations go a lot further than saying I have a high CVSS score.
Now, each translation maps a security concept to the three things boards govern: money, operations, and reputation. So these things come to that. You need to make sure that whatever conversation you're having with them is on those points. Now, vulnerability equals business exposure. This is translation number one. What does this mean? Like we mentioned before: you have 47 unpatched CVEs with a score of eight and above. Right. What you really have is 47 doors, and the most critical could shut the company down or cost the company from four to 14 million dollars. Don't say the remediation of critical findings is 60 days behind schedule. Now, okay, what does that mean? I mean, that's a so-what factor. Our exposure window has doubled. So here's what this means from a revenue continuity standpoint. Okay, so if your critical findings are 60 days behind, what kind of fines do you have? What kind of activity is halted for you? What have been some potential supply chain challenges? All of those are important parts that the board wants to know. Here are some key points around this and some key concepts that you've probably seen in the news. So Jaguar Land Rover, we talked about this before. A cyber attack halted production for six weeks, costing them millions per week. That hit their bottom line, and that is an important part. Now let's look at margins. If your margins, again, are let's say 10%, and you have lost six weeks, you have lost millions and millions of dollars. That is dramatically impacting their margin and their overall revenue stream. Boards respond to operational and financial scenarios, not severity scores. Now, you need to build a loss case library specifically for your business model. Again, this is not generic threat matrices, but a specific loss case. So, what do I mean by that?
You go out and you actually find different losses that have occurred at different companies that are in your sectors and have those in your decks, because I'm old, but have them in your repertoire so that you can pull them out and use them in different types of presentations. That also is not for you to use them and just say, look, the sky is falling. No, but it's for you to put in a little context. When that Georgia-Pacific, or I should say that other company that was affected by their corrugated plant going down, that affected Georgia-Pacific from a Koch Industries standpoint. Then they saw this and went, oh, okay, there are revenue streams, and we are willing to invest money in things because we see how this is happening to some of our other competitors. Those are important parts for you to think about. And having that and understanding the strategic view is an important piece. Always answer: if this is exploited, what stops running and for how long? Again, if you've done tabletops and you understand critical systems within your organization, if this system goes down and it goes down for a period of time, this is how much it's going to cost you. And it's based on conversations you've had with X leader. Again, understanding, talking about how if it's exploited, how it could go down, how it could impact the bottom line. One real-world scenario lands harder than a spreadsheet of 500 CVEs. Again, it's communicating to them in the language they understand and they know. Translation number two: alert volume equals risk prevented. So, one of the things we talked about earlier: our SIEM generated 1.2 million alerts last month. But when we said we stopped 14 attacks targeting executive accounts, each with a potential of, let's say, $2 million in fraud, you are now creating these metrics that make sense to them. Now, is there some squishiness in this? Yeah, there's squishiness in it.
But you caveat that conversation with: these are subjective answers, right? We're coming out to you with quantitative numbers that we feel are consistent based on X, based on Y. So they know it's squishy, and they know you've got a little bit of finger in the wind when you're trying to figure this out. But that drives home more of a finite number. Let's just say it came out to be $1 million in fraud. Okay, I would beg to differ that they would be going, well, it's only one, so we're okay with that. The point is, you don't want to exaggerate the numbers, but at the same time you want to give them a number that they can actually anchor on. Another one is mean time to detect decreased by 18%. And we talked about this as well. We're now stopping attacks before damage occurs, not just finding them faster afterward. Or maybe you determined them, and because we were able to determine them, we found the situation and were able to mitigate them before much damage. We only had opportunity costs of $250 per incident. And there were 20 incidents, so now it's roughly, what is that, math in public, $5,000 or more. I don't know. I'm doing math in public, so it's probably not right, but it's an amount. It's an amount that's there. The ultimate point is that you have now come down and said there was a situation, we've mitigated it, we have opportunity costs involved, and this is what it cost the company. That is much more palatable than just saying we decreased our time to respond or time to detect by 18%. Translation three: budget request equals an ROI, or return on investment, argument. So, we need more money to monitor anomalous behavior. Okay, that's extremely vague. And what does that mean? Now, that's what a lot of IT people say. We have anomalous behavior, we need to monitor it, and I need two million dollars. Okay, what does that do? Well, here's the breakdown.
Two analysts improve uptime from 92 to 97%, saving roughly $2 million a year and adding $4 million a quarter in e-commerce revenue. So you're an e-commerce company, and because you have more uptime, oh, okay, I have $4 million in revenue that's coming in. I'm willing to spend X on this. Another one you shouldn't say is the AI tool will cost us $500,000 to deploy enterprise-wide. Okay, what does that mean? Well, this investment, deploying this AI tool, will reduce production delays, avoid costly patches, and improve customer trust. So those are some soft aspects of it. But again, you have to build it out rather than leave them asking what they are getting for the $500,000. Communicate to them what is important to them. Translation four: AI threat equals operational risk. Does it? Does it not? Well, okay, so don't say this: we're seeing increased use of LLMs in adversarial attack tool chains. And they're going, okay, I get LLMs, because I know about that because I talked about it on Fox News. But what is an adversarial attack tool chain? I have no clue what that is. So what you can say is: AI can now clone an executive's voice in real time and trigger a fraudulent wire transfer. Here is our control for that. And if you did have that and you showed the board how that occurs in their meeting, ooh, that is impact, significant impact. Don't say agentic AI creates new vulnerabilities in our attack surface. Okay, again, I know what agentic is, but what is attack surface? So you can say this: an AI-driven attack can now move 10 times faster than our response team, and here's how we're adapting. Oh, okay, cool. Now I guarantee you, especially when it comes to AI, they are hearing about it in the news and they're paying attention to it. So you'd better pay attention to it and ensure that you are ready to talk to your board about this, because they're going to ask you questions on it. Guaranteed. Translation five: compliance equals business continuity.
So, compliance equals business continuity. What does this mean? So we have 14 open findings from an annual compliance audit. That's what you should not say. What does that mean? Because I don't know what these open findings stand for. How are they even any useful to me? But you can say three of these 14 findings represent regulatory fines up to $5 million and a potential loss of our payment processing license. Okay, now that will get them to pay attention, right? So they're going, you gotta do whatever you got to do to fix these problems, right? Again, important pieces. 14 open findings don't do anything, but you've done the research to find out what do they represent to the organization and what is important to the business. We need to achieve CMMC level two compliance. Okay, they may have heard of CMMC, but realistically, they don't even know what that acronym means. So what should I do as it relates to cyber maturity? Now, if you come pull it out and don't use an acronym and say, what is the cyber maturity? What does that mean? That will make more sense to them. Or you can say this: without this, we lose eligibility for a $40 million Department of War contract. Here is our timeline and budget. So that would make more sense. And they would actually go, yeah, let's do that. What do we need to do? Again, these are all important pieces that you have to communicate with your board so they understand what is exactly at stake. So some key takeaways around this segment. Vulnerability equals business exposure. What stops for how long and at what cost? Second one is alert volume equals risk prevention. Show what is stopped, not how much noise you have processed. They don't care about the noise. They don't, that isn't what's important. It's what has stopped. Budget request equals your ROI argument: tying every ask to revenue, project, or operational continuity should be part of your vernacular and of your lexicon. It's just an important piece.
AI threat equals operational risk. Translate capability into business disruption scenarios. Why should they care? How is it going to impact them from a reputation standpoint? How's it going to impact them from a financial standpoint? And how's it going to impact their people? How do all of these things come into play? That is what's important to the board. And then compliance and business continuity. Frame regulatory work as your license to operate, right? Your regulatory work is just for being able to do work or operate in a certain building or a certain area, certain whatever; you're going to have to make sure that you have some sort of compliance aspects involved and you need to follow through with those. So again, it's imperative that you understand the details behind this so that you can be better at producing this for your company. Okay, that's the last we have for this segment. The next segment in the coming week is going to be the board briefing framework, something you should be concerned about and you should be knowing. But again, if you're ready to level up, you're ready to make this happen, go to CISSP Cyber Training. If you're looking for your CISSP, we're there for you. If you're looking for something beyond that, where we have got some great things, reach out to me at CISSP Cyber Training. I'm in the process, in the throes of creating a coaching and mentoring program for senior executives because I feel it's an important part that is missing at this moment. But again, go check it out. You can check me out at my podcast. You can check me out on YouTube. All of those places are available. Go to CISSP Cyber Training and get all the content that's available to you. All right, have a great day and we'll catch you on the flip side.
unknown: See ya.
SPEAKER_01: Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.