June 23, 2025 34 mins

Ethical leadership lies at the heart of effective cybersecurity practice. In this episode, we dive deep into Domain 1.1 of the CISSP certification, exploring professional ethics and their critical importance for security professionals.

The episode opens with a sobering look at the current landscape of cyber warfare, examining how Israeli-linked hackers are actively targeting Iran's financial systems. This real-world example serves as a stark reminder that cyber conflicts aren't theoretical—they're happening now, with devastating consequences for both government systems and ordinary citizens. For security professionals, this underscores the urgent need for robust resilience planning and strategic preparation for highly targeted attacks.

We then unpack the ISC² Code of Ethics through its four foundational canons: protecting society and the common good, acting with integrity, providing competent service, and advancing the profession. Each canon is explored with practical examples and real-world implications. The message becomes clear—security professionals possess extraordinary power through their knowledge and system access, and with this comes profound responsibility.

Throughout the discussion, we emphasize that ethical considerations extend beyond compliance requirements. They touch everything from handling sensitive data and discovering vulnerabilities to implementing AI systems and creating organizational cultures where ethical concerns can be safely raised. The principle of "do no harm" stands paramount, recognizing that security decisions impact not just organizations but the individuals who rely on these systems for their livelihoods.

Whether you're preparing for your CISSP certification, already working in the field, or leading security teams, this episode provides crucial insights into the ethical framework that must guide cybersecurity practice. Because in information security, ethics isn't just about following rules—it's about protecting people and building trust in the digital systems that increasingly power our world.

Ready to strengthen your ethical leadership in cybersecurity? Visit our website for resources including practice questions, mentorship opportunities, and comprehensive CISSP exam preparation materials.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started. Let's go.

Speaker 2 (00:22):
Hey all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday and what do we do on Mondays? We go over training related to the CISSP, and today is Domain 1, 1.1, and we're getting into professional ethics as related to ISC Squared.

(00:43):
So we're going to be getting into some different aspects around what ISC Squared talks about as well, as we'll be talking in some various aspects around you as a professional working at a business and what are some of the things you should be concerned about as a cybersecurity professional. So this could be pretty good. I think you guys will really, really enjoy it. But before we do, we're going to be talking about an article that I saw in Wired magazine, and the interesting parts about

(01:07):
all of this are the fact that in the past, we have talked about Iran. Uh, in the case that there would be a shooting war between the United States and Iran, and that still may very easily occur, is that the Iranians would launch cyber attacks against the US system, their critical infrastructure, banking, all those aspects. Now, but the interesting part is in this article it's talking the

(01:29):
Israeli-tied Predatory Sparrow hackers are waging a cyber war on Iran's financial system. The tables in this specific situation are turned a little bit, in that Israel is launching attacks against Iran, which obviously they're using kinetic attacks and dropping bombs, but they're also launching a cyber attack against their financial

(01:49):
system. So how does this affect everything? I mean it's changing the whole global dynamic in as it relates to cybersecurity professionals. You no longer could worry about, hey, we're in the United States, we're safe, we're good. This is just craziness in the fact that now you, in this specific situation, this Sparrow, uh, Predatory Sparrow.

(02:12):
They are linked to executed destructive cyber attacks against Iran's financial sector and obviously they're burning, in this case, over 90 million dollars in crypto. They're basically taking it and making it useless, and this was tart. They're also disrupt, disrupting the Sepath, I've probably just totally butchered that name, bank, uh, taking online

(02:33):
banking and ATM services offline. So I say this because I'm working with a very large financial institution right now and I know that they have great cyber security controls in place, but I would say the mindset, and this is not the mindset just of this organization, it's a mindset of many organizations, is that in the event that there's a shooting war, you will become

(02:54):
the primary target. And they go, well, yeah, we know this is going to happen, we have an idea this is going to happen. But no, this is really going to happen and it isn't just going to take down the critical infrastructure within the United States. They're going to come targeting specific banks, financial institutions, anything that can affect people directly. Now this group has explicitly framed the attacks as basically

(03:14):
retaliation for Iran's support of terrorism, and you can put any sort of moniker on it you want. The challenge with this is, does this affect the Iranian regime? Yes, but who else? Does it really affect the common people that really, in most cases, I say most, are not even connected with anything that's going on geopolitically. And the same thing is going to happen here in the United States

(03:35):
or any place around the globe. If a shooting war, a kinetic shooting war, occurs, you are going to be having strong cyber warfare aspects that are going to be happening on a daily basis. So I'm telling you this, not to say, oh, the sky is falling and you need to be afraid, but you do need to be aware and you need to communicate this to your boards, using this as a perfect

(03:58):
example of how this could happen to your organization, and it really just truly comes down to this. You got to have resiliency, you got to understand cyber operations, you've got to understand it from a tactical and a strategic point of view and you have to have a resilient organization that can operate in the event that you are

(04:19):
directly attacked by these types of individuals. Right now, I would say, a lot of the attacks going against various institutions are, and I'm using this loosely, there are some very talented people, but they're doing the hit and run, right. They're trying to do smash and grab and they're just getting whatever they can. If you have a targeted attack against you, we all say this is going to be, well, be very painful, it'd be hard to do,

(04:39):
it'd be hard to manage. No, it's going to be really, really, really hard to manage. So the point of it is, have a plan, start thinking about it now. I just can't stress it enough that you need to have a consideration and even when, to take a Mike Tyson quote, you have a great plan until you get hit in the face, and then, after you get hit in the face, your plan changes. But at least at a minimum, you have a plan so that, in the

(05:03):
event something does happen, which it's highly likely. If it doesn't happen soon, it will happen in the near future. You're gonna have to deal with it and so, as a cyber security professional, it's up to you. They're relying on you to be prepared for these types of events. Okay, so I gave you enough doom and gloom. I'm just trying to highlight this situation. That, go to Wired, check it, check it out.

(05:24):
It's actually a really good article that talks about how important it is for you to understand your adversary, cyber resilience, and then also have a good plan for yourself going forward. Okay, that's enough on that. Let's move into what we're going to talk about today. Okay, so today is over Domain 1, 1.1, understanding, adhering to and promoting professional ethics.

(05:46):
So, again, a big factor is understanding ethics. Again, do no harm. We're going to talk about that. I like to use the comment, when I was working for the government as a red teamer, use your powers for good, not evil. And yes, you do have a lot of powers. Whether it's intellectual that you got in your cranium or whether it's the fact that you're using your intellectual aspects on a keyboard, you can make life extremely painful for

(06:09):
a lot of people and you can actually potentially even hurt people, depending upon the situation and what you're doing. So you need to understand ethics, and I know a lot of us do. I got it, yawn. Oh, I don't want to deal with this, but you will have to know it and you will deal with it on your daily basis as a security professional. So we're going to go into ISC Squared's Code of Ethics, Professional Ethics, and this is their preamble.

(06:31):
It's that safety and welfare of society and the common good, duty to your professionals and each other requires that we adhere, and that we be seen to adhere, to the highest ethical standards of behavior. Okay, I read that to you but you're like going, okay, I'm reading it. Why is this in third grade? But the point of it is is that they want to make this point

(06:52):
known. As a cybersecurity professional, you have principles. You have to take care of the common good. It requires you to adhere and to be seen to adhere to the highest ethical standards. This is an important factor because, as a security professional, you are entrusted with a lot of stuff. You've got people's data, you know what the CEO is doing, you

(07:14):
know the financials for this organization. You have access to all the data in many ways and since you have access to this data, you could do very bad things with it. You could actually use it for profit. You could do a lot of different things that could cause a lot of damage to people's lives and to physical property, and so, therefore, you must have some of the highest principles related

(07:35):
to your ethics and understanding what could happen in the event something bad, that you do something bad or somebody else does something bad. That's the other part. You need to understand individuals within your organization, individual people. If they're doing things that are unethical, how do you handle that? Okay, so they have the code of ethics canons, and we're going to go into each of these canons just a little bit.

(07:56):
The goal is to protect society from the common good, necessary public trust, confidence and the infrastructure. You want to protect it all. You need to act honorably. That means you need to understand what honor is, and unfortunately, in today's world, not everybody does. I mean to be honest, just and responsible and, above all, legal in what you do.

(08:16):
The moment you go illegal, things go really bad, and it doesn't just affect you. It can affect your entire company, and this is the part you also got to think about as you move up in the organization, you become an officer within a company or you become a vice president or whatever. You have some level of leadership. Anything that you do that would be construed as illegal. Now I say this in the fact that the illegal part is going,

(08:37):
yeah, I'm going out and stealing candy from a baby, that's illegal. But if you do something that may be pushing the legality compliance aspects of it, it's that gray area. What ends up happening is it can affect not just you, it can affect your company job, that they have to pay their bills to feed their families. You can have a direct, immediate impact on so many

(09:08):
people by not acting honorably and not doing the right thing. Now you need to provide diligent and competent service to your principals, the people that own the business, and you need to advance and protect the profession. Again, as a CISSP, you have worked very hard to get here. You need to advance the profession and one of the things I'm doing just right now is advancing the profession.

(09:29):
Obviously, you're listening to this podcast and you're going, okay, that's cool, and I also offer things you can buy. That's great. But at the end of it, I'm advancing the profession because I bring in more than just saying, hey, study for this test. These are some of the things I've learned over the years that can help you in your profession as a CISSP, as a security professional.

(09:49):
So, again, important, important part for you to go into as we're getting into the preamble and understanding the overall professional code of ethics related to the CISSP. Okay, canon one. Now, this is canon one of four specific canons. So again, we're 25% done. You need to protect society and the common good. Okay, so what does this mean? Protecting the society, common good and the necessary public

(10:12):
trust and confidence and the infrastructure. Okay, that's a lot of big $10 words put into one sentence. But the ultimate goal, this should be your highest priority and this is, they consider, the highest priority canon of ISC Squared. It requires security professionals to consider the broader impact of their actions and inactions. If you don't act, how does that impact you?

(10:33):
How does that impact others? You need to really think through that. This is a. These kinds of roles are strategic thinking type roles. You have the ability to make changes within your organization. The other part that's important with this is, and I can't stress this enough, as a cybersecurity professional, you understand the aspects that are going on within your organization to the

(10:55):
level that your senior leaders probably do not, and because they don't, they are relying on you to basically give them the direction they need to be successful, to understand the issues that are going on with all of this. So, again, this is an area that you need to really consider. Now. Examples of how this canon applies to real world situations: responsible disclosure of vulnerabilities.

(11:16):
We've talked about vulnerabilities all the time. How are you disclosing these in a way that minimizes harm to the public? Working with vendors to ensure that the vulnerabilities are patched in a timely manner? Right, you're getting those done. You have reports that are setting out, telling people this. You also are designing secure systems that protect the critical infrastructure. We just talk about this numerous ways in manufacturing,

(11:39):
critical infrastructure, banking, all of those things that are in place. You've helped design secure systems that protect these areas, and this comes down to essential services such as power grids, transportation networks and so forth. You need to understand it so that you can help protect it. Now, implementing these security measures. They do help prevent disruptions.

(11:59):
They also prevent attacks, and I would say that in many cases, they help prevent the attacks. But even if attacks occur, it needs to be resilient, to be able to thwart or be able to handle an attack by an adversary. Now preventing the spread of misinformation and malicious software. You need to take steps that you don't become an active

(12:23):
participant or an inactive participant in spreading out misinformation or malicious software. Is your sites, are your external resources patched? Are they able to be? Have people uploading data to them that would be malicious and then now it's being passed on to other people? So you need to prevent this from happening. And again, these are obviously common sense things that you're going, yeah, I get it, I understand I need to do this, but they put this on paper so that you truly understand and

(12:46):
they hold you accountable to it, that if you're not doing what you're supposed to be doing, you, as a professional person in this role, you are being held to a higher standard. You are being held to a higher standard. Canon two, act honorably, honestly and justly, responsibly and legally. Again, we're emphasizing the importance of integrity and

(13:07):
trustworthiness in this canon. It requires adherence to both ethical principles and legal obligations. We've talked about this numerous times within our training that you have to maintain these ethical principles and you need to involve yourself with legal at all times. I deal with individuals that they haven't really thought about. They go, yeah, yeah, we'll deal with legal when we need to.

(13:28):
Or if something comes up, we've got them on the bat phone, we'll give them a call. Legal will show up. They'll swoop in and take over. No, don't do that. You need to have really active relationships with your legal people, anybody that's in that level of business. You need to have those relationships now, before something bad happens. So to make examples around this is, again, maintain integrity

(13:50):
in all professional dealings. This avoids conflict of interest. I had to do this when I was working with my company before. I had to tell them, hey, I'm doing a podcast, I'm doing these aspects. Does this affect you? Anything I talk about? What can I talk about? What can I talk about? Again, avoiding conflicts of interest. Being totally truthful and transparent in all your

(14:11):
communications. Don't do the little drama thing. Avoid at all costs. Be truthful and transparent in everything. Provide accurate information to clients and employers and colleagues. Don't hide anything. You have the ability in your profession, being a security professional, to know information that most people do not. Don't play,

(14:32):
I know something you don't know, don't do that and don't even try to act around that. All right, the ultimate goal is be transparent with everything you're doing, everything you know, and especially with your senior leaders. You want to be totally transparent with them. Don't think, well, I'm getting this problem fixed by myself right now and then I'll tell them. No, tell them now. That's the key point. Disclosing any relevant facts or potential

(14:54):
risks. If you don't do that and something bad happens, well, you're going to be hung out to dry. Two is that it can affect the guy on the line, like we talked about before. You need to disclose anything you know about risks so that way they can either be addressed or, at least at a minimum, the risks can be accepted. So they have to understand. Complying with laws and regulations. It goes without saying.

(15:14):
You don't comply with the law, you're going to have nice little handcuffs and you'll be going to prison, and I mean that truly. You may not go to a blue or white collar prison, which I don't know if they do handcuffs for them, I assume they do, but you will have to deal with that. There's laws and regulations that are out there specifically so you don't break them. And if you do break them, there are consequences for that.

(15:35):
You can begin to ask more and more security professionals. They're seeing the writing on the wall here. So you need to truly kind of understand all the legal ramifications with your role. Even if you don't understand it, go out and try to understand it and then meet with legal, have them help you. It's imperative that you know this information because so many people are relying on you because they're thinking you

(15:58):
know it and you're thinking they know it. Well then, at the end of the day, nobody knows it. That's bad, not a good place to be. So you understand the legal and regulatory landscape for your organization and for your role and also for your space, your vertical that you're in. Avoid conflicts of interest, we kind of talked about that already, and don't use your professional position for personal gain. Again, don't say, figure out ways to use it so that you can

(16:21):
make money on it. Hey, you know what, I'm about ready to sign this contract with XYZ security company, you give me a little kickback, I'll sign with you. Yeah, that's bad. Don't do that. That'd be really, really bad. So avoid those kinds of conflicts of interest. Again, disclosing any potential conflicts of interest is extremely important. Canon three, provide diligent and competent service to the

(16:44):
principals. That's the point, right. So you need to focus on the relationship between your security professional and those who they serve, the employers, the clients, your board, whoever. You need to make sure that you provide them diligent and competent service and they're paying you very well for this. In some cases, some people very, very well. They're paying you a lot of money, and so if they're doing

(17:07):
that, then what should you do? You need to provide them a service that is equivalent or exceeds, I would recommend exceeds, what they're paying you for. Here are some examples of this. Providing services for your area of expertise. When it comes down to it, if you do offer up services that are not in your area of expertise, say, for example, you don't know

(17:28):
development very well and you say, well, I can do it. Well, okay, if you don't really understand it, you need to seek assistance in trying to do it. Now, if there's a case where you don't understand it and you're still stuck doing it, then you do to the point of having the second bullet, seeking assistance and get further training as necessary to do that. Or if you're a contractor like me and they say, well, I want

(17:49):
you to do secure development, I go, I really don't know how to do that very well, I can do this part of it, but I can't do that part. That's being truthful and transparent on what you can and cannot do, and then from there the engagement may or may not happen. Keeping up to date with the latest security trends and technologies. As we talk about this in CISSP Cyber Training, I usually give a security topic at the beginning.

(18:09):
That's a great way for you to stay connected with security trends and technologies, and this also is important by engaging with professional development, attending ISC Squared meetings, which I remind myself as I say that I've missed the last one. I need to attend the next one. It's important for you to go and do these for professional development. Stay informed about new threats, vulnerabilities and security

(18:32):
best practices. Be involved with the team, spread your knowledge around, act in the best interest of your employer or client within ethical and legal boundaries, and then providing objective advice and recommendations. Again, they're looking for you to give them the recommendations and knowledge that you have. It's imperative that you provide them things that they can use and that it's balanced and well orchestrated and it's

(18:56):
something that they can take, digest and pass it on, balancing your needs of the principal with the ethical considerations of legal requirements. Something I've run into in the past is that your principals may say, well, we're not going to worry about that. I'm like, well, you may say you're not going to worry about that, but this legal requirement says you need to worry about it. Well, I'm like, hey, that's on you, I'm documenting it, this is

(19:19):
what I'm saying, this is what I recommend, it's on you and you do that. That's imperative, that you have that kind of candor with these principals and you understand the threat, you understand the legal and regulatory requirements, and then they can make decisions. And I will just be very transparent on that. When they first said, well, the response is, oh, okay, yep,

(19:41):
we'll do it. So the point I'm trying to make is that if you bring it to them in a level that they don't quite understand it and they kind of go, well, we don't really see it this way, but yet you come in and say, no, this is what it says and from a security professional standpoint, this is what you should do, it then changes the dynamic and the tone a lot. So again, that is why you, as a security professional, are so

(20:04):
important with these different companies and you're so important with the different aspects of these companies, such as legal compliance and so forth. Canon four, advance and protect the profession. That's the ultimate goal here. This addresses responsibilities of security professionals to contribute to the growth and integrity of the field. You focus on enhancing the reputation and the standing of the

(20:25):
information security profession, and this comes down to a lot of different ways. Mentoring and educating others in the field, like we talk about sharing knowledge. Supporting professional development, promoting ethical conduct amongst colleagues, ensuring them they meet the ISC Squared code of ethics. If something comes up and you see somebody doing it going, ah, that's not right.

(20:45):
You need to hold them accountable to that. Again, also addressing any unethical behavior you may see within the profession, because it affects all of us, not just you, not just this person, but we all get to deal with this. If someone's a security professional that does a very poor job, well, the way the social media stuff is set up with LinkedIn, Facebook, all these other, Twitter, you name it,

(21:06):
what ends up happening is it just spreads like wildfire and it'll affect all of us in various forms. Contributing to the development of security standards and best practices. Help with the industry groups. Help them grow, give them best knowledge. Use what your lessons learned to help increase the overall knowledge for all companies. Sharing insights and lessons learned.

(21:27):
Done that, we do that on CISSP Cyber Training. You get a lot of that, right, lessons learned. What did I do? That affected things. You can take that and then pass that on to other organizations as well and you can learn from that. Avoiding actions that could damage the reputation of the profession. Again, coming down to maintaining a high standard of professional conduct, addressing any misconduct or incompetence,

(21:51):
that's another part. I see this in security. I see people that say, hey, if you just do this, you can become a super, super duper professional security person making gazillions of dollars. That is incompetence. I'm sorry, they're just wrong, and so you need to understand that and address it as it comes out. There's some aspects of it that I can see is valuable, but then

(22:12):
most of it is charlatans trying to just promote and make money. So you need to address this misconduct and the incompetence, potentially, if you see it. So, when you deal with the ISC Squared code of professional ethics, this is a reference, RFC 1087, ethics on the internet. This is the main thing to kind of boil this down to, and this kind of helped feed the overall ethics piece of ISC Squared.

(22:33):
One, do not seek to gain unauthorized access. Two, do not disrupt intended use of the internet. Another one is do not waste resources through actions, and I would say also inactions. Do not destroy integrity of the computer information and do not compromise privacy of users. Now, this was the first one that fronted came out. This is RFC 1087.

(22:53):
This was around ethics and the internet and this, like I mentioned just a minute ago, this helped spawn on a lot of the information that's in ISC Squared's ethics. Professional ethics aspects came from this and this was the first one that was out there when it came to computer systems and you can see they're very basic and very to the point. But the ultimate goal is that you do not want to. You have so much power in your hands.

(23:14):
You do not want to use this poorly. Now, as we get dealing with the organizational code of ethics, there's an individual company, something to add to some key concepts for you to keep in mind. You need to review and understand your organization's ethical approach. If they don't have ethics, you need to leave the organization. I'm just being honest. If they don't have ethics, if there's people there showing

(23:35):
that there's no ethical backbone at all, you need to start looking and updating your LinkedIn profile and get your resume ready and get the heck out of Dodge. Even if they're paying you a lot of money, you don't want to be around that. Avoid it. Avoid it at all costs. Integrate cybersecurity into your organization's ethical documents. Right? You need to make sure that, as they have ethical documents,

(23:57):
they've thought about this from data privacy. All those aspects are there. Don't disclose your HIPAA data, blah, blah, blah, blah. Right, they have that all there. But they need to also incorporate your acceptable use policies. How do you use your cyber stuff? How do you use it in a way that's acceptable? What's the ethical way of using it? Right, don't take the information you get and use it

(24:17):
in ways that gratify or to make more money for yourself. Ethical issues are core to cybersecurity. Again, manipulation, theft, coercion, all those aspects can be involved in security and you need to be aware of that and you need to take the higher road. Determine how cybersecurity is integrated in your organizational privacy. Another aspect. Privacy needs to be embedded within that.

(24:41):
And then it comes down to the doctor's creed, do no harm. Primum naca non naccura. See, I can't even say English and that's not even English. I think that's Latin. So just basically don't do any harm. Use your powers for good, not evil. That's bottom line. So now, when you're dealing with code for fair information practices, this outlines five principles for handling personal

(25:03):
information in an ethical and responsible manner. Again, no personal data record keeping existence is secret, so, no matter how much you have, it isn't a secret, right. Individuals must be able to find out what information is being recorded. So this comes down to that. You, as an individual, need to ensure that your employees know what is being recorded on them, and this is why you get within a

(25:24):
Zoom call and you say this Zoom call is being recorded. They're trying to teach you that, right, the ability for individual to prevent personal information being used or made available without consent. You need to make sure that that is not done, that you, that everybody knows that it's being used and that there's consent around the personal data that's being used. You have the ability to correct or amend identical identifiable

(25:45):
records. If there's an identifiable record on you and it isn't correct, like it says Sean is Shauna, you need to be able to fix Sean from Shauna and if you can't do that, that's not good. So, because I don't even really like my name, Sean, but I really would not like Shauna, no offense to any Shaunas out there. I get it, you're good. I just would not like that because it's not my name.

(26:08):
Enrique is a better name, Enrique, that's my name, that's what I tell my kids and like anybody asks what's your name and I say, well, it's Sean, I go by Sean, well, Sean, but I go by Enrique because Enrique's cooler, way cooler name. If you're an Enrique out there, listen to this, you've got a cool name. Uh, organizations storing that data must take steps to ensure data is not misused.

(26:29):
Also, again, if you get the data, you have the
responsibility to hold that data.
You need to make sure that it is not misused and it is
properly taken care of in various different ways.
Okay, so I'm coming back to the individual.
This is the CISSP and the security professional.
We've talked about this.
We've kind of alluded to this as we've gone on in this

(26:49):
discussion.
One is a professional integrity and accountability.
You need to have that.
You need to, above all, with the CISSP.
You need to operate in unethical, in ethical behavior
and avoid any sort of aspects around mistakes, unethical
aspects or conflict of interest.
Due care and due diligence.
You need to consistently apply knowledge, skills and best
practices to protect the assets and manage the risks.

(27:11):
This implies continuous learning and also having
competence when understanding the evolving threats in that
landscape.
That's out there.
Confidentiality and privacy, again, upholding the privacy of
individuals and the confidentiality of the
organization, even when you're not legally compelled to do so.
You just might be recommended, but you should also go to the

(27:32):
higher level, even if it's not required legally.
I'd say that's.
One thing with my previous organization they did is that,
even if it was not a legal requirement, they looked around
the country to see where it might be a legal requirement and
they went to the higher standard, which I think is
important.
It costs them a lot of money and it also hurts your bottom
line a little bit, but they're taking the higher level, the

(27:59):
higher road, which is much better to place.
It's a much more defensible position to take.
Objective impartiality, making security decisions based on
facts and risk assessments, free from personal bias, prejudice
or undue influence.
You need to be impartial about stuff.
You need to really say if you don't see it right, you need to
say it.
You don't see it right in a loving and caring way.
You don't tell people they're idiots.
That's bad.
But you can do it in ways that are like I don't necessarily
agree with what you're saying.
This is what I see. Again.

(28:20):
No offense to that individual, but this is what I see. Again.
You do it better than saying hey, yeah, you're stupid, you're
an idiot.
Don't do that.
That's bad.
Responsible disclosure, ethical handling, discovered
vulnerabilities, balancing the need for secure systems with
potential harm and premature public disclosure.
Disclosure.
You just make sure you have a responsible disclosure.
You don't go and post it on Twitter going, yeah, we just got

(28:41):
pwned.
You don't do that.
That's bad.
Um, there's a lot of legal issues with that and it's also
could affect the guy on the line.
I always come back to this: whatever you do, don't affect
the guy or gal on the line.
They're working hard.
They have no clue about what they're doing with the
cybersecurity stuff.
Do not impact them.
I stress this: they're working really hard.
I know you're working hard, but not as hard as them, and then

(29:04):
they have more at risk in many cases than you.
As a security professional.
You can go get another role.
Some of these people this is what they got.
You need to protect them, period, bottom line.
That's all I can say.
Whistleblower protection, understanding ethical
obligations that report serious misconduct or illegal activities.
You need to obviously approve that.
You need to allow that to occur.

(29:25):
You need to make sure that you do not stifle, that you do not
hold back information.
It will burn you and it could affect the guy and gal on the
line.
Don't affect the guy and gal on the line. Business
organizations, employers and stakeholders and establish
ethical culture again.
You want an ethical culture.
If your board, or from the board level down, doesn't have
it again, get your resume ready.

(29:46):
Get on LinkedIn.
Go find a new job, there's plenty of them out there.
Do you want?
No matter how much money they're thrown at you, you do
not want to work there.
This includes clear policies against unethical behavior.
You need to have that.
Compliance with laws and regulations. Again, you need to
understand the laws and regulations within your
organization, within your space, within your vertical, and you
need to then comply with them: FFIEC, NYDFS, HIPAA and so on

(30:10):
and so forth.
You got to know them, got to use them, got to follow them.
Transparency with stakeholders. Again, coming forward with
everything you see that's legally permissible.
You need to show them, you need to tell them, you need to be
upfront with them and understand this, and they look to you as a
leader to do that.
Data stewards, you need to make sure that you have privacy by
design.

(30:30):
You, as a security professional, might be an architect and
you're therefore you're dealing with.
How do you collect, store, use or dispose the data?
You need to have privacy by design built into this from the
beginning.
Resource allocation and ethically allocating a
sufficient resources includes personal budget technology.
All of those things need to be done ethically.
You don't keep a little bit of money left over for mom, dad and

(30:52):
the grandkids.
Fairness and bias in AI and ML. Okay, as this becomes more
prevalent, we talk a lot about AI on CISSP Cyber Training, is
that you ensure these systems are developed and deployed
ethically.
This includes, you know, as far as perpetual or perpetuating
any sort of biases that they may have unfair, discriminatory
outcomes.

(31:12):
All of those pieces you need to be aware of. Because, again,
people are utilizing this for their information.
It needs to be above reproach and any biases that are there,
you need to weed those out right away because people are taking
this information and they're calling it, air quotes, gospel.
Responsible tools, use of security tools. Again, this deals
with monitoring and surveillance.
The tools you have in the cybersecurity space can do all

(31:35):
of those things.
You can be going.
Hey look, I got an email.
I saw what Joe just did this weekend.
Oh my gosh, that's terrible.
No, that's bad, don't do that, right.
But you could have access to that and you can hear
conversations that people say, whether it's intentional or
unintentional.
You have responsibility for that.
Ethical employees, again, creating an environment where
employees feel safe and empowered to raise ethical

(31:57):
concerns without the fear of retaliation.
Don't do that again.
I keep, I keep straining, stressing this and I know I beat
that drum on this a lot, but the point of it is these are
really foundational cornerstone aspects you need to be aware of
as a CISSP and as a cybersecurity professional
within your company and your overall profession and future.

(32:18):
Okay, that's all I have for you today.
Go to CISSP Cyber Training.
You can gain access to all of my content, all of my
information.
It's all there and available for you.
You can get a lot of it for free.
It's in my blog.
It's being posted on YouTube.
There's different pieces that are there.
But if you're truly interested in getting your CISSP completed
and get it done in a timely, fast manner, go in, buy one of

(32:39):
my programs and we can help you with that, get it done.
I've got a whole blueprint that will help you, walk you through,
step by step, by step by step, on what you need to do to get
studied and get ready for the CISSP exam.
Also, if you need some mentorship, I've got that
available to you as well.
I can mentor you, walk you through.

(32:59):
What kind of job do you want to look for, what kind of
professional aspects, do you just need someone as a sounding
board for some of your security professional stuff.
I can do that for you as well.
You can be acting as a CISO for you.
All that's available for you at CISSP Cyber Training.
And, lastly, if you need any sort of consulting work outside
of that, just let me know.
Reach out to me.
I've got a whole laundry list of people that I can work with.
If I can't help you, I've got lots of people within my network

(33:21):
that can provide the level of security you need for your
organization.
So that's all I've got.
Have a wonderful, wonderful day, and we will catch you all on
the flip side, see ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to

(33:41):
my channel at CISSP Cyber Training and you will find a
plethora, or a cornucopia, of content to help you pass the
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.