Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP
Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber.
I'm your host for this action-packed informative
podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.
(00:21):
All right, let's get started.
SPEAKER_01 (00:25):
Good morning,
everybody.
It's Sean Gerber with CISSP Cyber Training and hope you all
are having a beautifully blessed day today.
Today is, yes, CISSP question Thursday.
And we are going to be going into some deep dive questions
related to domain 1.3.
And again, the question day, the question of the day, the
questions that we talk about on Thursday is usually typically
(00:48):
related to the topic we talk about on Monday, and which was
domain 1.3 of the CISSP exam.
So we're going to get into some deep dive around some questions
that are related to it.
The purpose of this is that there's tons of questions at
CISSP cyber training, but I wanted to focus specifically
around some deep dive or a little bit deeper in questions
versus kind of running through a bunch of list of questions that
(01:09):
you should be paying attention for.
So that when it comes right down to the CISSP, as we all know,
there's lots of different ways for you to learn and grow with
the CISSP exam and get prepared for it.
And one of the typical comments out there is you have to go
through a lot of questions to make this happen.
And I do agree you need to go through a lot of questions to
kind of help understand the mindset.
However, it can be daunting if you're saying you got to go
(01:30):
through about two or three thousand questions.
So the point of this is just to kind of delve a little bit
deeper into some of these questions, why the thought
process is that way, and then reinforce that with the training
you get at CISSP Cyber Training.
Because again, the ultimate point is that you want to have
something that helps you pass the exam the first time.
So before we do that, though, I wanted to go over an article I
(01:51):
saw uh in the news.
And it's one of these things that's related to AI, which I
kind of am going down this path a little bit more as of late.
Two reasons.
One is the company I work with next peak.
Uh, we have a really good AI security assessment program
that's out there for companies.
And two, I do not feel that there's a lot of knowledge
around AI, uh, that it is growing very quickly, and
(02:14):
there's limited knowledge around it specifically.
And I know when you get a large enterprise, you probably have
plenty of people that that understand it well enough that
they can add security controls.
My biggest concern is these middle and small end businesses
or companies that are trying to use AI in a way that can help
them.
I don't know if they truly understand some of the risks
that they're seeing.
And this article kind of talks about they're trying to sell
(02:36):
their products, right, from different types, well, how they
can help secure the world from what their plans are.
But they bring up some good points that I wanted to kind of
highlight as it relates to AI security.
Uh, one of the things they bright they act or they talk
about in the article is AI sprawl.
Now, if you are a company that has some level of artificial
intelligence slash LLMs that are incorporated within your
(02:59):
network, you will start to see more and more of this in place,
especially if you do not have good policies on how to manage
the data and how to manage the technology within your company.
And a lot of people are using this as they they see this as a
way to one uh maximize their capability of enhancing their
people and what they can do.
Also, it's a way to limit employees, right?
So if there's employees that are doing more mundane tasks, uh,
(03:22):
why do I want to have them on the payroll?
And I could use them for more important things than just doing
basic data entry.
So that's part of the issue that that why AI has grown so much.
So one of the things that there's some key risks that
you're seeing out there, right?
So data sprawl is one, vulnerable uh supply chain
vulnerability is another, data exposure risk, these are all big
(03:43):
factors that can potentially affect companies.
But there's the one thing that I think I kind of come back to is
shadow AI.
Um, and this is where unsanctioned employee use of
shadow AI is being accomplished.
Now, if you don't have a good policy, like I mentioned before
earlier, in your environment that is limiting the amount of
AI that can be done at work, the folks are gonna find ways around
(04:03):
it.
And just like they did with websites, they're gonna be the
filters that you have in place to limit AI are going to be
missed, or they're gonna be missing things and are gonna
allow employees to be able to utilize these tools.
So, one, you have to have a really good policy, two, you
have to have tools in place to minimize the effort, and then
three, you have to have some really good training to help
(04:24):
your employees understand they shouldn't do these things.
If they do it, there are consequences that go with that.
Obviously, there's complete uh complex AI supply chain
dependencies, there's data leakage, obviously, of external
AI services, and then legacy controls just don't understand
and they fail against many of these uh fast-moving AI type of
(04:45):
kit capabilities.
So there's some really big risks for organizations if they're not
paying attention to it.
So, what are some things that you can can do that you need to
keep aware of if you are going to be deploying AI within your
environment?
One is disc continuous discovery for any new AI tools.
Do you have software in place that is looking for uh employees
using AI tools?
(05:05):
Now, proxy is a good example of that.
Is your proxy aware to know that if employees are using AI, will
it flag, will it alert on that?
You have real-time monitoring and analytics.
Uh, if you're a medium to small company, you may not be doing
that in-house, which I actually don't even recommend doing it
in-house uh unless you have a specific software company that
you are and you may have that capability already built in.
(05:28):
I would outsource it to somebody who it's in their competitive
advantage, comparative advantage to be able to uh be successful
in that.
They have adaptive context-aware risk assessment.
Are you do you have some sort of risk assessment that you've done
to understand the risks associated with it?
And again, that you need to really understand what is the
problem you're trying to solve here.
(05:48):
And then the big one that I feel is a big aspect is governor
governance controls to enforce compliance and safe use.
If you don't have these governance in place, or that
comes down to policies, it comes down to having some sort of
procedures.
If you don't have these in place related to AI, you're gonna
you're really asking your employees to just figure it out
on their own.
And that's not a good place to be, especially if you are in a
(06:11):
regulated environment where you can't get away with that.
You're if if something bad happens, they're coming after
you.
Even if you're not in a regulated environment, you
what's going to happen is if something does occur within your
organization, you now are set up for litigation just from a civil
standpoint that employee, or not employees, but uh people that
have, you've got their data can come after you as well.
(06:33):
So it's just imperative that you do have some level of governance
around your AI within your organization.
Uh, you just you really have to think about this pretty hard.
Uh so again, safe innovation, employees can adopt AI tools
with confidence.
That's a good thing you want them to do.
You want to reduce your exposure, obviously, to AI or
LLMs, regulatory readiness, you have a strong governance plan in
(06:56):
place, and then they talk about enterprise trust, strengthen the
relationship between customers, partners, and regulators.
Again, being transparent, dealing with all of that out
front, and explaining where you're at with it, all of that
will go a long ways to helping you in your program.
So it's a good article.
I mean, it's really pretty quick, it's about three and a
half minutes of reading, but the ultimate point of it is that if
(07:17):
you are utilizing AI within your enterprise, whether you're big
or small, you truly need to have some level of risk assessment
that is done to understand your overall risks around the AI
infrastructure and AI capabilities.
If you don't, it's really hard for you to protect something you
don't even truly understand yourself.
Again, you may have this all under control.
You may be under this and not a big deal, and good on you,
(07:39):
you've got it.
But this is for the companies that maybe aren't quite there
where you're at.
Uh, it's it's an important part that you need to consider.
So, again, go check it out.
Uh again, evolving enterprise defense to secure modern AI
supply chain, and this is on The Hacker News.
Okay, so let's get started about what we're gonna talk about
today.
Okay, so this is domain one deep dive questions.
(08:01):
We're gonna be talking about domain one dot three.
And as you can go, you can go to CISSP Cyber Training and get
access to all of my questions.
These included, as well as uh my 10-day boot camp that I'm
building and my uh overall questions that are gonna be tied
to that.
So there's a lot of great stuff coming to CISSP Cyber Training,
um, and even more than what I currently have.
(08:23):
I mean, there is so much stuff out there at CI.
One of my um uh mentors made a comment to me and said, You you
have so much content out here.
How in the world can uh is it so reasonable?
And realistically it is.
You all the content you need to pass the CISSP is on my site,
period.
That's it.
Uh, there is so much out there for you that is available, and
just go out to CISSP Cyber Training and check it out.
(08:46):
Uh, it's again, I've got a bunch of free content, a lot of free
stuff, as well as the paid content if you really need some
extra help and you need you want to really get it done in a time
frame that makes it work for you and your busy schedule.
So again, go out to CISSP Cyber Training and check it out.
Okay, domain one, deep dive questions.
Let's get into question number one.
(09:06):
A multinational corporation with a decentralized IT operation is
struggling to implement consistent information security
practices.
Local business units resist corporate mandates, claiming
conflicts with the regional regulations and business needs.
From a governance perspective, what is the most effective
mechanism to address this challenge?
So you have a lot going on here.
(09:28):
You have multinationals, you have decentralized IT, they have
security practices, and you have local business units.
So there's a lot of people.
And we talk about in the CISSP, well, we talk about it from a
CISO standpoint, is it's all about influence.
And you're gonna have to figure out how to influence these
people.
But it's asking what is the most effective mechanism to address
this specific challenge?
(09:50):
A enforce in centralized corporate control with mandatory
compliance audits.
B delegate full control responsibilities to local
business units.
C.
Adopt only the strictest regional regulations and apply
it globally, or D apply a federated governance model that
balances global and local requirements.
Okay, so let's break each of these down.
You enforce a centralized corporate control with mandatory
(10:11):
compliance audits.
That will work, but it will not be it's it's if you're using
basically a mallet for a very small job, right?
Uh it's it's you're you're getting a hammer out and you're
beating on people.
Don't I wouldn't recommend that.
Delegate full governance responsibilities to local
business units.
Okay, so now you are having instead of one governance plan,
you have many governance plans and they're in different
(10:33):
jurisdictions, and therefore they have different regional
issues that they have to work through.
So that is going to be make it extremely complex and painful.
So I would not do B.
C is adopt only the strictest regional regulations and apply
it globally.
Okay, so this I have seen happen.
Uh I used to do this when I worked at my my multinational
(10:55):
that out at Cook Industries.
And we would do this, we would look at the most strict
regulation and we would try to apply it as much as possible
globally.
Because again, if it's the most strict, it would affect
everyone.
That may or may not be the right call for you.
It is possible, right?
Depending upon the size of your enterprise and also how much
power foot or uh uh leadership powers behind it, but it can be
(11:16):
very onerous and it can add a lot of additional compliance
requirements that you may not necessarily need.
Some people may need it, maybe it may be good for some
organizations, but it's it's probably maybe not the most
effective mechanism.
D is apply a federated governance model that balances
global and local requirements.
Okay, so now you are blending in the local and the global
(11:36):
requirements.
It's kind of an in-between of the C where it's the strictest
regional regulation, uh, but you're now balancing out trying
to be as best you possibly can with the local requirements.
You may end up at C when you start doing this, but the point
of it is that you're trying to figure out a balance between
what's happening locally as well as what's happening globally,
(11:56):
and then trying to come to a happy medium in between.
Now, this is not something as a security professional you would
do on your own by any stretch of the imagination.
You would have your legal, compliance, and HR folks all
involved in this discussion because it would affect many,
many people from many different areas.
Because again, a multinational, so you're dealing with lots of
different geographic locations.
(12:17):
It is not just the CISO can make this call.
It's going to take a village to make that happen.
Okay, so let's move on to question two.
An international financial organization is developing a
security governance framework.
The board of directors has mandated that a framework must
be aligned with the business objectives, demonstrate
accountability, and provide measurable outcomes.
Sounds familiar.
(12:38):
Big thing.
Which of the following is the most critical first step in this
process?
Okay, you have an international financial organization that's
developing a governance framework.
So that's big, right?
Financial, big money, international, big scope, big
scale.
The board of directors are mandating something.
Okay, so that means that the CISO along with the CIO and the
(12:59):
CEO all have agreed that this is what we need to do.
So you've got top level leadership approval.
The framework must align with the business objectives,
demonstrate accountability, and provide measurable outcomes.
Again, metrics, important, imperative.
Which of the following is the most critical first step in this
process?
A let's just do the questions.
I'll read through them first.
A.
Define the organization's risk appetite and tolerance levels.
(13:21):
B establish a formal security steering committee with business
leaders.
C.
Conduct the business impact assessment across all functional
areas, or D.
Implement a control framework such as ISO/IEC 27001.
Okay, so what's the most critical first step?
If you go back to the paragraph, what is the one that you really
must accomplish first?
(13:42):
So let's start with ones we know are wrong.
Implement a control framework such as ISO uh 27001.
Okay, that is something you'll want to do.
However, it will not be the first step because that's
usually about step five or six down the road, maybe more like
three or four.
But you that's not the first step.
Conduct a business impact assessment across all functional
(14:03):
areas.
Okay, so that could be something you would want to do.
Um now, you may not do it against against all functional
areas.
You may want to do it against the highest risk functional
areas, but you have to figure out what your risk is first
before you do that.
B or yeah, B, next not B.
The next one, establish a formal security steering committee with
business leaders.
(14:23):
Okay, that is an important step as well.
So understanding getting business leaders involved in the
conversation, having them understand what's going on, that
is an important step as well.
So all of these are good, right?
They're not bad, they're just different.
But it's not the first step in this process.
The first step in this process is define the organization's
risk appetite and tolerance levels because this will feed
(14:45):
many of the other areas to include your BIA, uh steering
committees, and so forth.
If you have areas that are really low risk, then you don't
necessarily need to pull on those business leaders maybe as
much.
I would still have them involved in the conversation, but you may
be having more detailed, more routine meetings with the folks
that have risk in higher risk areas than folks that are not in
(15:06):
the high risk areas.
But again, the number one, the first, most critical step is to
define the organization's risk appetite and their tolerance
levels.
Question three The CISO of the healthcare organization is
tasked with reporting on the effectiveness of its security
governance to the board.
Makes sense.
Which of the following is the best indicator of governance
effectiveness?
(15:27):
Okay, so the CISO has to go to the board and they have to
report on the governance effectiveness.
A number of security incidents detected by monitoring tools.
B a percentage of staff completing mandatory security
awareness training.
C, degree of alignment between security investments and the
business objectives, or D, the number of audit findings
resolved within the required time frame.
(15:47):
Okay, so this is going to the board, and the board is the
money people.
The board are the ones that release the money.
They're the ones that say, yes, go spend this cash.
So that's an important thing for you to know from a contextual
standpoint.
So which of the following is the best indicator of governance
effectiveness?
Well, let's let's start with the ones that are not correct.
Number of audit findings resolved within the required
time frame.
(16:08):
Okay, so having audit findings uh and that have been resolved
is an important part, and your board may want that.
Depending upon the situation.
Some boards will want that information, some boards will
not.
If you're just getting started and you're working with your
board, that might be a good metric for you to track.
Again, it gives them, shows them progress, shows that you're
moving forward.
(16:28):
However, it is not the best indicator of governance
effectiveness.
It's it's saying that you can check box, you can go through
things, but it's not telling you how effective you might be.
Number of security incidents detected by monitoring tools.
So this is not something that it's it gives you a good idea of
that your tools are actually doing something.
However, it's not truly finding out what is going on within your
(16:50):
organization and it's not remediating any of this.
So is it a bit an indicator of the effectiveness?
Um, yeah, maybe not so much.
Uh it gives you an idea that again your tools are in place
and they've paid for that and then they're actually working,
but it's not an indicator of governance effectiveness.
B percentage of staff completing mandatory security awareness
training.
Okay, so this is another part that it could say that your
(17:13):
governance is important, that you're doing things with
governance.
Maybe part of your training is tied to that.
However, it doesn't really go into the effectiveness of it.
One thing that would be probably more effective is how many
events after training did your employees report when they did a
phishing exam or phishing test.
That would be a good metric on how their governance might be
being effective.
(17:34):
However, in this case, that's not the question they're asking.
The next with the most correct answer is DRSC, degree of
alignment between security investments and business
objectives.
Okay, so this is based on the overall strategic alignment of
what the board of directors wanted.
And this helps to ensure that if they're what they're planning,
what their investments are doing, are meeting the business
(17:54):
objectives and they're a one-for-one.
Now, in there, you're gonna have to unpack that a bit and to
figure out, explain to them why it's meeting those objectives.
But again, think about it this way if it's the board of
directors, it's strategic.
If you're dealing with something that comes up very tactical,
that is probably not a board of directors question.
So all three of those were all tactical.
(18:14):
The ones that were incorrect were tactical.
The one that was correct was more strategic.
So if you don't know, think about it that way.
Question four Which of the following best demonstrates a
principle of due care in an organization security governance
framework?
Okay, so we're talking about due care, right?
Remember, we talked about that in the training of 1.3 on
Monday.
(18:35):
So due care in an organization security governance framework.
Okay, so let's start off with the questions.
A ensuring a senior management accepts accountability for
implementing controls.
B documented security policies that reflect organizational
goals and legal obligations.
C conduct regular vulnerability scans and penetration tests on
critical systems.
(18:55):
Or D.
Purchasing cybersecurity insurance to offset potential
financial losses.
Okay, so question four, which of the following best demonstrates
the principle of due care in an organization's security
governance framework.
So let's talk about the questions that are not correct.
Okay, purchasing cybersecurity insurance to offset potential
final financial losses.
(19:16):
Okay, so that doesn't really get into due care because the due
care is what you want to do is you're looking at ways to help
take reasonable steps to protect the assets and the stakeholders.
Now, this purchasing cybersecurity insurance is more
of a way for you to transfer risk to another organization.
It's not necessarily doing due care to figure out what's going
on within your organization.
So that would not be a due care type of activity.
(19:38):
Conducting regular vulnerability scans and penetration tests on
critical systems.
So this is not a due care type of activity.
This is a due diligence type of activity where you're basically
taking what you should be doing, such as doing security audits,
threat intelligence, you're doing penetration scans.
That is where you're taking the diligence.
(19:58):
You're doing the activities to make sure that your systems are
protected.
It's not a due care aspect.
Ensuring senior management accepts accountability for
implementing controls, that is not something that really falls
into any of this.
This is one of those aspects where you just have to work with
senior management to ensure that they're aligned with your plan.
At the end of the day, if they're aligned with your goals,
(20:19):
they will accept the responsibility and
accountability for it.
If they don't aren't aligned with your controls, they will
not accept accountability and responsibility.
So you got to make sure, again, this is the influence piece that
you need to make sure they're aligned with all of that.
And then the correct answer documenting security policies
that reflect organizational goals and legal obligations.
This is the due care piece of this where you're taking
reasonable steps to protect the assets and the stakeholders.
(20:43):
So by creating documents and security policies for your
organization, this will help with any sort of organizational
goals and legal obligations you may have.
So again, those are important parts of your overall due care
for your organization.
Question five, a newly appointed CEO wants assurance that the
company's information security program supports the business
(21:03):
strategy.
The CISO explains that the security governance framework is
designed to achieve this.
Which of the following elements is least likely to demonstrate
the effective security governance to the CEO?
Again, newly appointed CEO wants to assurance that the company's
information program supports the business strategy.
Does it meet the strategy of what he's outlined?
The CISO explains that the governance framework is designed
(21:25):
to achieve this.
Which following elements is least likely to demonstrate,
least likely to demonstrate the effective security governance to
the CEO.
So again, watch the question.
Which of the elements is least likely to demonstrate this?
So that could get you.
You could be thinking, oh, what's likely?
What's the likelihood way?
And then you're gonna bite off and you'll get confused.
Least likely.
(21:46):
Okay, a mapping of security objectives to corporate
strategic objectives.
B clear assignment of accountability for information
security and the executive level.
C.
Regular operational reports showing patching timelines and
incident response metrics, or D established risk management
processes that incorporate business priorities.
Okay, so let's go through the questions that are not correct,
(22:06):
that are not least likely to demonstrate effective security
governance.
A mapping security objectives to corporate strategic objectives.
Okay, that is something that would definitely be something
that your security governance program and your CEO would be
very interested in.
If the objectives and the corporate strategic objectives
meet, then life is good.
We have Nirvana.
(22:26):
And yes, the CEO's happy and the CISO still has his job.
B clear assignment of accountability for information
security at the executive level.
Yes, that is something the CEO would want.
He would definitely want that.
That would not be a least likely kind of thing.
So you would go, well, of course that makes sense.
If you're reading through this quick, you go, click, I've got
that.
Yes, and then you got it wrong.
(22:48):
Next question is establish a risk management process that
incorporates business priorities.
Again, sounds wonderful.
It is wonderful if you have a good security program in place
and the CEO is happy.
Yes, that is what you want.
However, the least likely to demonstrate effectiveness of
your security governance to the CEO is regular operational
(23:08):
reports showing patching timelines and incident response
metrics.
So the CEO is interested with governance, right?
Does he want to know metrics around patching, incident
response, and all those things?
Highly unlikely that he or she is going to be care too much
about that whatsoever.
Now, unless they're asking you questions around it, yes, that's
fine.
But that is not something that would show the effectiveness of
(23:31):
his security governance to the CEO.
It just wouldn't do it.
So the CEO is going to want to know more around strategic
aspects, accountability, enterprise risk management.
That's what the CEO, he or she will want.
So you're going to want to make sure that you don't give them
the metrics.
And I've seen this time and again, and they have metrics
everywhere.
They're showing metrics of stuff saying, you look at your product
(23:52):
is working so well.
That's not what they want.
They don't want that.
Now they I I say that.
Now the one person's going to email me saying, Yes, they do.
They want that.
My CEO wanted it.
Yeah, I get it.
I mean, some cases they're going to want it.
But in most cases, they're going to go yawn, you're the geek,
figure it out.
I cannot tell you how many times I've been in a meeting with a
CEO and he's thinking about financial aspects.
(24:14):
And when one of the guys previous to me had a slide up
there with patching metrics, and it was like he just looked at me
like, what is this?
And I'm like, that was a cringe moment.
It was not good.
Um, now, that being said, there was a time when I did have the
metrics up there about where we were patched, because there was
a situation that required us to address it immediately.
(24:37):
And he wanted to know, okay, what how big of a risk do I have
to my organization?
That was a one-time slide that basically said, here's what we
have, here's what we don't have, here's the gap, and this is what
we're doing to affix it.
And then he was happy.
The point of that is that you may have this, but it's more of
a strategic kind of thought process.
It isn't tactical around what are your specific metrics on
(25:00):
each specific tool, on what sort of patching, etc., etc.
So again, be very careful with that.
Do not read these questions too fast.
Take your time, go one question at a time, do it.
A newly appointed CEO wants assurance that their program and
business strategy meets what it should be.
Period.
The CISO explains, blah, blah,blah.
Period.
(25:20):
Read it that slow and that methodical.
If you do it that way, you have a much better chance of at least
if you don't know the question or know the answer, you can
guess more appropriately.
Okay, that is all I have for you today on CISSP Cyber Training.
Go to CISSP Cybertraining.com, check out my free stuff.
Lots of great stuff, lots of free stuff, amazing amount of
(25:42):
paid stuff.
And the paid stuff, again, like I said before, you can, I mean
it, you cannot go out there and find what you got at CISSP Cyber
Training.
You're gonna pay thousands and thousands of dollars for the
content that you have at CISSP Cyber Training, and I'm making
it better all the time.
So if you're studying for the CISSP, it's the best money you
would ever spend is going out there to the CISSP Cyber
(26:03):
Training and purchasing some of my paid products.
I again, I I highly stress that to you.
It's it's it it's inexpensive.
I purposely made it inexpensive for people to be able to go out
and do this.
And there's new content added all the time.
I mean it.
These podcasts, I routinely would may be making new podcasts
each and every week.
And so the content that a podcast, the content that I put
(26:24):
out there, the different blueprints, all of that is
available to you at CISSP Cyber Training.
Go check it out.
If you don't want to pay for anything, that's fine.
I've got free stuff that will help you along as well.
It puts you in a much better position than I was when I
studied for it.
And so again, it's there for you for your taking at CISSP Cyber
Training.
And this is coming from someone who's been there, done that, got
(26:45):
that t-shirt, and the CISSP.
You've got 20-some years as a CISO at working in security, and
as a CISO, this stuff is there.
It's available for you.
I can't I'm again, I can't rant on it enough just because of the
fact that it is very inexpensive for you.
All right, go ahead, check it out.
Have a wonderful day.
We will talk to you.
We'll catch you all on the flip side.
(27:05):
See ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes.
I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training, and you will find a
plethora or a cornucopia of content to help you pass the
CISSP exam the first time.
(27:26):
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.