The CISSP Mindset: Part 1
Video Transcript
Our next section, I want to talk to you a little bit about the CISSP mindset. I have so much to talk about it. We've had to divide it into Part 1 and Part 2. But quite honestly, in my mind, this is the absolute most important thing I can tell you about this exam. Certainly, we're going to cover the material and make it make sense but you've got to go into this exam with the proper mindset. We're going to break this up into two sections just to go ahead and get started. The first thing I want to tell you is your role is a risk adviser, do not fix problems on this exam. That is the hardest thing in the world for a technical person is to see a problem and not fix it.
Most of us are hired because we can fix problems. But remember your role is a risk adviser. Let me give you a tricky question. Let's say I ask you or I give you a scenario. Kelly has been with the company for six months and she's been a difficult employee. It's been determined that Kelly should be terminated Friday at AM. What should you do Friday at AM? Now, guaranteed the vast majority of people are going to say disable Kelly's accounts, revoke her credentials, recover company property. But the thing is, is that's not what your risk adviser does? That's what your security team does or your security admin revoking credentials and so on. As a risk adviser, you make sure the appropriate parties are notified, so your role would be to contact the appropriate parties. Your role would be to make sure the proper policies and procedures are in place.
When is the last time you've had a risk of so come down to the basement, disable an account? That doesn't happen. It shouldn't happen because that's a violation of separation of duties. If you remember, this is a hands-off test. Your job, collect information, make an assessment of the risks, advise senior management, influence policy, those are fine. But you will not touch things. Anytime on this exam you find yourself tempted to go hack the registry, or you're going to disable an account, or block a port on a firewall or disable a user's access to a website, those are all incorrect. The focus on this exam is process, not problems. I don't know if any of you have ever worked for a company where you feel like you're just running around putting out fire after fire.
That's not a long-term focus. If you can't do your job for putting out fires, that's no good to anybody. On this exam, what we do is we go back and look at the process. If you fix the process, the problems will take care of themselves. I'm not worried that John has a malware on his system. I'll re-image that system and bring it back to normal in no time. What I'm worried about is how did that system get malware in the first place. Do we have a lapse in our change management or configuration management processes? Where is our vulnerability? That is your focus and that's the piece that I think messes a lot of very good technical people up. We want to fix things, hands-off, backup, collect information, advise senior management.
Don't forget it. Now the second bullet point, who is accountable for security? We have to address the fact that we have a word accountable and another similar word, responsible. Sometimes those words get used interchangeably. But on this exam, as it should be, accountable means the buck stops here. Usually, when we talk about accountable, we're talking about senior leadership. We're talking about the folks that have liability associated with the loss of assets. Now, something tricky is they may also say accountable or ultimately responsible or who has the ultimate responsibility. Anytime you see that word, ultimate, senior management, accountable, senior management. But who is responsible? Not ultimately responsible, but responsible. All of us have a responsibility with information security. But senior leadership is accountable, also known as ultimately responsible.
Next question. I love this question. How much security is enough? I think we've all heard, you can never have enough security. Or you absolutely can have enough security and you can absolutely have too much security. For instance, if I were to ask you all, how many of you have a retina scan in order to walk into your home? My guess is not many of you. Well, why not? Well, they're expensive. I would have to purchase the device, I would have to reconfigure the entranceway, not to mention the money is one thing but think about the effort. Think about the fact that, I've got 17 bags of groceries in my hand because God forbid, I make two trips from the car and I've got these 17 bags of groceries in my hand and the biometrics scan of my retina isn't working properly.
When we talk about how much security is enough, what we have to do is find that delicate balance of protecting our assets without having costs so high that they exceed the value of our assets. Now the tricky part there is that it can be hard to determine the exact value of your assets. But we can also have a difficulty in quantitatively defining costs of controls. Of course, I can give you the dollar amount for a retina scanner to get into your home, but we also have to factor in performance. We have to factor in ease of use and backwards compatibility. You will always pay for security. The question is, how much I'm willing to pay? Because there's always a limit where if I cross over, I'm spending more than the asset is warranted.
That's where risk management and the fourth bullet point comes in. Risk management starts with identifying your assets and figuring out what they're worth. Always start there with every decision you make and you can't go wrong. What I'm protecting? What's it worth? From there I look at threats and vulnerabilities relevant to the asset. I think about the potential for loss, which means basically I take probability and the impact of the risk event, and then I compare that to the cost of the countermeasure. What I'm looking for is a positive return on investment. I want to save more than I put out. We'll get much deeper in debt when we look at the risk management section. Then my last bullet point here with Part 1, if all the answers seem good, stop staring at the answers, go back to the question. Let me give you an example.
Let's say you see a question that says, what is the purpose of classification? A says to indicate harm if the file is compromised, B says to indicate harm if the file is not available, C says to describe the value of the data, and D says to determine how to protect the data. Now if you look at that question, many people will say, but all of those are correct because data does tell me harm if that asset is compromised. It can tell me the harm if the asset is not available and classification does give me an indication that the data is valued. But I know I can't choose all four answers so let me go back to the question and the question starts with the word why. Why means, what's the ultimate purpose.
When I ask myself what the ultimate purpose is, the ultimate purpose of classifying data is so that we can secure it. Rarely is the ultimate purpose to identify, to document. Those happen, but the ultimate purpose is they mandate a certain degree of security, which is really why we classify data. Go back and stare at the question if you feel like all the answers are the same. Find that key word that makes answer D better than A, B, and C. That was my first part of the CISSP mindset. The next section is going to cover the second elements.
