Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
Alright, let's get started. Let's go. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you all are having a beautiful day today. Today is the wonderful Thursday and Thursday is CISSP Question Thursday. So we are going to be getting into some really great questions
(00:43):
as it relates to domain 1.5. And this comes on to breach notification, it comes into data transfer and so forth. So it is going to be amazing. But before we do get started, one thing I want to kind of go over was there was an article out just recently from
(01:03):
Security Intelligence and it's about the cybersecurity workforce that can be expected in 2024. We talk about on this program, the CISSP Cyber Training, a lot about the cybersecurity workforce and how important it is for the various companies out there. They need folks. But an interesting concept was this article talks about the
(01:25):
change that's been happening in the cybersecurity space itself, a lot of it due to layoffs and downsizing, and I've seen this as well with the individuals that have been wanting to get full-time roles. Out there in the world there's actually, it appears to be, maybe a little bit less of a full-time opportunity and maybe
(01:45):
more of a contractor type opportunity, so that's kind of looking, that's floating out there in the ether. But one of the things about this article that's kind of interesting is that they're saying that there's going to be about 5.5 million jobs that are going to go unfilled, and though we have talked about this before in the past, that I said it was like around three and a half million, well, they're saying 5.5
(02:07):
million. This is off the 2023 ISC Squared Global Workforce Study, and they're saying that the workforce will need to grow at a rate of 12.6% per year just to keep up, and they're saying that it basically grew at only 8.7%. So the interesting thing is, this is why getting your CISSP is important, because we obviously need you.
(02:27):
One of the parts that they're saying that employees are looking for, what they're looking for with employees to get hired, what various companies are looking for: scripting, intrusion, threat protection, threat analysis. I thought the one that was really good at the bottom, it's really interesting, is communication and critical thinking skills. I will tell you that you can give me the smartest guy in the
(02:50):
world that understands security, and if he or she does not have the critical communication, the critical thinking skills and the communication skills, it makes it extremely challenging for me to be able to put them in front of somebody and try to explain what exactly is going on. The other part that they stressed is around, obviously, the CISSP, Security Plus and the security auditor
(03:13):
certifications are a key factor. So if you're listening to this podcast, you definitely are in the right place. We here at CISSP Cyber Training are going to teach you what you need to know to be successful. But beyond just passing the test, we are here to help you with your cybersecurity journey, because it really is a big thing that we need to do to protect our country and to
(03:34):
protect our various countries out there from this existential threat, as they would say. The one other thing they talk about is upskilling workers. That basically means, I've done this multiple times, where you have an individual who shows that they have the aptitude for security, then what can you do to put them in a position to win,
(03:55):
in that you give them the training and education they need to be successful in security and upskill them into their position. That's a really good opportunity there. I know CISA, the Cybersecurity and Infrastructure Security Agency, they mentioned, and ISC Squared offer training options. They are both very good. Some of them are free that you get. I don't know, ISC Squared.
(04:16):
They do have some free options available. I think CISA definitely does, and they're trying to get people that are understanding the security space and getting them out there in this world. But bottom line, the last bullet on this is, again, don't forget the soft skills. I will tell you that that is, like I mentioned earlier, that is probably one of the hardest things to teach and it's
(04:36):
probably one of the most valuable to a person and to an organization. So if you have all the IT stuff, then there's probably some other really good books to read, like How to Influence Friends and Influence People by Dale Carnegie. Old book, but very, very valuable. And then there's also another one called Skill with People by
(04:57):
Les Giblin. Very good book on how to deal with individuals. So the soft skills are valuable and they will make you money. I highly recommend that you focus on some of that too while you're studying for your CISSP. Okay, so let's get started into the overall training today and let's talk about some CISSP questions. Okay, so this is going to be over group seven.
(05:19):
If you go to my CISSP Cyber Training there is, we have this broken down into CISSP questions and they're based on domain, domain one through eight, and with those different domains, what I do is I put these podcasts in there with many of the questions that I have, and so you can be able to listen to it and you can actually be able to go and take the test themselves.
(05:39):
So they're designed there to help you kind of get both levels of training when you're trying to understand and pass the CISSP exam. Question one: a multinational corporation with offices in the United States and the EU transfers customer data between two locations. Which is the most significant legal constraint they need to consider? A, HIPAA regulations due to the presence
(06:01):
of healthcare data. B, PCI DSS requirements, as some customers use credit cards. C, GDPR compliance because it involves EU citizens' data. Or D, Sarbanes-Oxley, as financial transactions are involved. And the answer. Let me come back to it real quick before I answer it. When it comes down to US and EU transfers, which is the most
(06:23):
significant legal constraint they need to consider? And the answer is C. Obviously, you guys are all probably connected with GDPR. This does hold the highest potential for penalties, even though all of them may be impacted, and therefore it does concern EU citizens' data. Question number two: your company uses anonymization techniques
(06:44):
to protect sensitive data during trans-border data flows. However, a recent security audit revealed that attackers managed to re-identify individuals from the anonymized data. What most likely went wrong? Again, a company anonymizes your data, which is called out with GDPR, during this trans-border data flow.
(07:05):
However, a recent security audit reveals attackers managed to re-identify individuals from anonymized data. Which most likely went wrong? A, insufficient level of anonymization. Basically, use k-anonymity instead of l-diversity. B is a lack of encryption for the data at rest. C, inadequate access controls for receiving the data.
(07:26):
Or D, failure to monitor for unauthorized data access attempts. Okay, so what basically happened? How did they re-identify the data? And it basically came down to A. That's what most likely went wrong: insufficient level of anonymization. So when they didn't do that, they basically, when you don't
(07:53):
have enough level of anonymity, they can reattach the anonymized data and then be able to connect the two. So you need to choose a stronger anonymization technique that improves the indistinguishable points between the individuals and is crucial to prevent re-identification attacks. Question three: you must implement a data loss prevention solution to control trans-border data flows. Which DLP feature would be most effective in preventing
(08:15):
unauthorized data transfers of intellectual property documents? Again, you have a data loss prevention solution and it needs to control the trans-border data flows. Which would be most effective in preventing an unauthorized data transfer of intellectual property documents? It's 4:30 in the morning, I'm struggling to speak, sorry.
(08:39):
A, content filtering based on keywords and patterns. B, the activity monitoring and anomaly detection. C, network traffic inspection and data fingerprinting. Or D, endpoint encryption and data classification. Again, for DLP, which DLP feature would be most effective in preventing unauthorized data transfers? And that would be D, endpoint encryption and data
(09:03):
classification. So you're probably going, hmm, how is that the case? While other features help detect these activities, encryption and obviously classification will help it from being leaked. If it is leaked, it helps it from being exposed even more. So classifying your documents as confidential and then encrypting them would be a great way to move forward and to
(09:24):
ensure that the data is not discoverable when it is transferred. Question four: your company faces pressure from the Chinese government to store all data generated within China on local servers. However, your organization also operates under GDPR compliance requirements. How would you respond to this pressure? Again, your company faces pressure from the Chinese
(09:45):
government to store all data within the China local servers. However, your organization operates under GDPR. And then how would you respond to this pressure from the Chinese government? A, agree to store all data locally to avoid legal trouble with China. B, explain GDPR compliance issues and propose alternate solutions like data anonymization before transfer.
(10:06):
C, refuse the request outright, citing potential GDPR violations. That probably won't work. And then D, negotiate a data residency agreement with specific privacy and security safeguards. Okay, so if you think about it, there's probably really only two that would stand out to you, and you'd need to really narrow it down. And the answer is D, negotiate a data residency agreement with
(10:28):
specific privacy and security standards. Basically, you can't refuse business operations, right, that's just not going to happen, and full compliance would conflict, because that would conflict with the GDPR requirements as well. You can agree with a negotiation around data storage in China while ensuring GDPR compliance. The other thing you can think of, as well as data localization,
(10:48):
is if you have individuals that are not EU citizens and you know that and they live in China, then you would separate the data and just keep the EU data in one location and keep the China data in another. So there's multiple options, but the bottom line of that question, what it's trying to get from you, is yeah, you can't say no and your business has to operate, but you have to come up with alternative solutions.
(11:09):
That's basically what it comes down to. Question five: a cyber attack compromises your organization's network, potentially exposing customer data stored in a cloud server located in another country. Which action should you take first? If you have a cyber attack and it's potentially exposing customer data stored in a cloud server in another country, what do you do? A, notify the subjects affected.
(11:31):
B, investigate the extent of the breach and identify the compromised data. C, disable network access in the cloud server to prevent further data loss. Or D, contact the cloud service provider and report the incident. And the answer, the best answer, because all those are probably, not all those are good, but they're all relatively decent. They all follow the same path.
(11:51):
You want to contact the cloud service provider and report the incident. Again, you don't know exactly what has. It just appears to be. So contacting the cloud service provider is the best option so they can work with you to help mitigate the issue if it's ongoing. And then what are the remediation steps going forward? Question six: your organization implements a multi-factor
(12:12):
authentication for remote access to internal systems across borders. However, some users complain about the inconvenience of using hardware tokens. Okay, they got a little fob. Which alternative MFA method would be most secure while retaining some of the user convenience? Again, convenience versus security, sometimes that comes up. A, SMS one-time passwords. B, email verification codes.
(12:35):
C, mobile app push notifications. Or D, security questions and answers. Okay, so when we talk about hardware tokens, they are the most secure, right? So we really want to have something like that. But which one of these would be the best next alternative? Now it would be C, mobile app push notifications.
(12:56):
Now, when you get your email verification codes, those are not nearly as secure. Your SMS one-time passwords? They can be, but they're in SMS, which is open text. The mobile app push notifications, they are a bit more secure just in the fact that you have to have the mobile app, and by having the mobile app it's the same concept as the
(13:16):
SMS, but you actually have to have the app itself. So it's a better solution than just the overall hardware token. Question seven: you discover a potential data breach involving unauthorized access to customer records from a vendor located in another country. What is your best course of action as a CISSP professional? Again, you discover a potential data breach involving
unauthorized access to yourcustomer records from a vendor
located in another country.
What is your best course ofaction as a professional in the
CISSP certification?
A immediately terminate thecontract with the vendor.
C independently investigate thebreach without notifying the
vendor.
C contact the vendor andcollaborate on investigating the
incident.
Or D report the breach directlyto legal authorities in both
(13:59):
countries. Okay, so some of those have longer ramifications, and some of them are good, some of them maybe not so good. And the answer is C, contact the vendor and collaborate on investigating the incident. If you can work with the vendor, it's a whole lot easier to deal with this challenge than trying to just go and say, well, I'm going to throw you under the bus and tell the legal authorities about the issue.
(14:20):
That's just usually not the best option. It is an option, but it's not the best option. Now, if the vendor isn't responding to what you've said, well then that's a different story. But work with the vendor to try to figure out the problem. I've done that multiple, multiple times. Question eight: your company uses a cloud service hosted in a country with weaker data privacy laws than your own.
(14:40):
How can you mitigate the risks associated with this arrangement? So your company uses cloud services hosted in a country with weaker data privacy laws than your own. How can you mitigate the risk associated with this arrangement? A, encrypt all the data before uploading it to the cloud
(15:00):
platform. B, implement contractual data residency agreements with the cloud provider. C, conduct regular penetration testing of the cloud environment. So encrypt all data, implement contracts and conduct penetration tests, or D, all of the above? And the answer is all of the above, right? All of those are really good things to mitigate the risk
(15:21):
associated with this type of arrangement. It's always good to do these things. Now you just have to weigh out, is it worth spending the money? That's the question, and opportunity costs. Question nine: an employee working remotely, and in a different country, reports receiving phishing emails targeting company credentials. What should be your immediate action as a security
(15:41):
professional? Okay, so you have employees working remotely and they're receiving phishing emails targeting them with company credentials, targeting their company credentials. A, block the phishing domain. B, reset the employee's account credentials immediately. C, educate the employees on phishing awareness and best practices. And then D, investigate the email source and immediately
(16:02):
determine the attack's nature. Okay, so A is the domain, B is reset the employee's account, C, educate the employee on phishing awareness, or D, investigate the email source and determine the attack's nature. So all of those are good, right, they all have a place in this overall process, but the immediate action would be investigate the email source and determine the attack's nature.
(16:24):
By doing that, you get a better understanding of what exactly is going on. It also can allow you to determine what are the best mechanisms to put in place to stop this attack. However, all those are good, they all are valuable, but which one is the most immediate? And those are the kind of questions you will see on the CISSP. Question 10: a government agency demands access to your company's customer data stored in a foreign country cloud
(16:47):
server. What should you do before complying with this request? A, provide the agency with full access to your data without delay. B, consult legal counsel and assess the compliance obligations. C, negotiate limitations on the agency's access and data types. Or D, deny the request outright and cite data privacy regulations. All those are good, right, they all have issues, but yeah, the
(17:09):
one that's a big issue. Obviously, when you start doing these things, you want to really make sure you focus on getting legal counsel and assessing the compliance obligations. We've talked about this numerous times. Especially when it comes to this stuff, you really got to have legal and compliance involved. Again, I'm not giving you legal counsel.
(17:30):
I got in trouble from a lawyer friend of mine that made a comment, that thought I was telling too much information on a podcast, and I'm like, no, I'm not, because I'm not a lawyer, and nor should you take any advice that I give you as legal advice. That would be really bad. If you did that, then you might be getting yourself in some serious trouble, and I don't want to be in trouble.
(17:50):
So don't use my advice as legal advice. Question 11: your organization operates in multiple countries with varying cybersecurity maturity levels. How can you implement a consistent security posture across these diverse environments? A, enforce rigid, centralized security policies for all locations. B, develop a risk-based approach, tailoring security controls to each region's needs.
(18:11):
C, implement the highest security standards across all locations, regardless of local vulnerabilities. Or D, focus on security awareness training and improve the users' security behavior in all regions. Okay, what do you want to do? There's a lot of words in this one, but you really, bottom line, when you're dealing with multiple countries, you want to develop a risk-based approach, tailoring security controls to each region's needs.
(18:33):
Each region has its own separate needs and you have various legal requirements in those regions, so you better make sure that you meet those needs specifically. Obviously, GDPR and China, two good examples of that. Question 12: you discover a vulnerability in a critical server software used by your global operations. However, patching the software immediately would most likely
(18:54):
disrupt essential business functions in some of the regions. What is your most strategic course of action? Okay, you got security flaws and you need to patch them immediately, and you are in a global business. But what should you do first? A, deploy the patch immediately on all systems, regardless of disruption. B, inform the affected regions and postpone patching until a
(19:15):
convenient time for all. C, develop a mitigation strategy to temporarily address the vulnerability until patching is feasible. Or D, prioritize patching high-risk regions and implement temporary controls for others. Okay again, what is the most strategic course of action? You got a critical vulnerability.
(19:37):
Prioritize the high-risk regions, right. You want to make sure you do that as best you can and you want to have a sense of urgency around doing that. You can't do it all, and you definitely don't want to put it off, and you don't want to make sure it's convenient for everyone, because it's never going to be convenient for everyone. You just have to go do it. Question 13: a new international treaty imposes stricter data privacy
(19:57):
regulations on your organization's cross-border data flows. How should you adapt your existing security framework to comply with these new regulations? Okay, so stricter data privacy regulations on cross-border data flows. What should you do? A, modify the data classification schema to align with the treaty's data categories.
(20:17):
That would be not the best option. You could do it, but it wouldn't be best. B, update incident response procedures to include notification requirements under the treaty. Or C, conduct privacy assessments for data processing and activities involving cross-border data flows. Okay, so I said the first one wouldn't be the best. Why? Well, because your treaties may change. They may not have that level of detail, but when you listen to
(20:41):
all three of those, you're going, hmm, they all are kind of good. What should I do? Oh wait, there's one more answer: D, all of the above. That's when you would pick up on all of the above. So I don't automatically just go out and cross one off because it doesn't make a lot of sense or it may not be the best option, but all of the above would be valuable. Now, when you try to tie something to a legal document
(21:02):
or to a treaty, there's nothing wrong with that. But things tend to change, especially legislation. So you'd want to try to understand the overall breadth of what the legislation is trying to accomplish, and if you can tie it to that legislation, that would be good. But if it gets really ambiguous, you may have to make a judgment call. If you do make a judgment call, you're going to want to make sure you document why you made that decision, because you will
(21:26):
someday get on to a new job as a CISO of a large multinational that makes gazillions of dollars every day, and some poor person will come up behind you and go, what was this person thinking? So, yes, make sure you document it all. Question 14: your organization plans to launch a new cloud-based service accessible from different countries. Which aspects of the CISSP domains should you prioritize
(21:46):
during your security design phase? A, cryptography and access controls. B, security architecture and risk management. C, application security and business continuity, to ensure that they're resilient. Or D, all of the above? Okay, which aspects of the CISSP domains should you prioritize during your security design phase? And when you're doing security design, you need to look at all
(22:09):
of them. Yes, all of the above. You need to consider a holistic approach when you're dealing with this, from cryptography to security architecture down to application security. It needs to be a holistic approach to this process. Last question, the last melon, the last melon. Question 15: you face criticism from colleagues claiming your focus on international legal and regulatory compliance slows
(22:31):
down business expansion. Yeah, I hear that a lot. How would you defend your security approach and explain its long-term benefits? Okay, so you're claiming that international legal and regulatory compliance slows everything down. What should you do? A, emphasize the financial penalties and reputational damage from compliance. That's true. B, highlight the improved security posture and reduced
(22:54):
attack surfaces by adhering to regulations. That is true too. C, showcase how proactive compliance can build trust with customers and regulatory agencies. Most definitely. And the answer, and then there's D, is all of the above. Yeah, imagine that, it's all of the above. So, yes, the all-of-the-above ones are nice. They're not always that way, okay, on the test, but in this situation for CISSP Cyber
(23:16):
training, they are all of theabove, at least in this specific
situation.
Again, that's the one thing isthere are multifaceted benefits.
When you're dealing withcompliance, obviously you want
to avoid the penalties, you wantto highlight the posture and
you want to build trust.
Your job as a securityprofessional is around
influencing others to help youdo your job, and you build trust
(23:38):
by helping others get what they want, and you get what you want. So it works out well together. All right, that's all I've got for today. It is a lot of great questions. Go to cisspcybertraining.com. You can check it out. There's some really good stuff out there. I mean, these questions are just part of that. It's just one little aspect of what you can have at CISSP Cyber Training. I'm here to help you with this whole process as we are moving
(24:00):
forward, and I want to help you with the CISSP, because the world needs you. They need you out there and they need you being successful as a security professional. More and more, you see it all the time, so let's get this done. All right, thanks so much for joining me today. You all have a wonderful, wonderful day and we will catch you on the flip side. See ya.