Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
All right, let's get started. Good morning everyone. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, and we are planning to discuss a deep dive related to the questions on the CISSP
(00:41):
domain 5. So we're pretty excited about that. But before we do, we are going to be talking about an article that I just saw in CSO magazine. I've been actually sitting in my camper, I'm on my mobile command post recording this podcast as we speak, just having a little bit of extra time as I'm out seeing my grandbabies.
(01:01):
So I saw this article while I was just kind of looking around and thought, oh, this is pretty interesting. And wow, it actually relates. So the question, or I should say the article, asks: Is the CISO chair becoming a revolving door? And this is by Aimee Chanthadavong. I can't say her name very well, but she's a contributing writer to CSO magazine.
(01:21):
Go check it out. It's pretty good, actually. But here are the basic nuts and bolts of it. And you know what? I will pretty much attest to it because it fit me like a glove. So they're saying now the typical CISO is lasting about 18 to 26 months, and it's far lower than the broader C-suite for most organizations. I was with my company much longer than that, but I would
(01:44):
say most of the people I talk to in this world from a CISO standpoint, they are relatively short timelines. They are pretty much 18 to 26 months. Some are a little bit longer than that, but for the most part, they seem to kind of rotate in and rotate out, especially if they've been brought in from an outside entity. If they've grown up from inside the organization and the culture, they tend to last a bit longer.
(02:05):
That's kind of what happened with me. I'd say the ultimate point of all that, though, is a lot of things we're going to go into here real quick. And the reason I'm telling you all this is because most of the folks that listen to this podcast are senior IT folks that are working on their CISSP, or there are folks that have a good enough experience that they're maybe aspiring to be a CISO at one point in the future.
(02:29):
So a lot of things have to change for the CISO area for it to become a little bit better for much more tenure. And realistically, 18 to 26 months is not a long time for any CISO to be in the seat. It usually takes about six months just to get your feet underneath you for any organization. But some of the driving factors that the article brings up is
(02:49):
the high-stakes pressure and the blame environment. Yeah, one single situation and the CISO is basically all the fingers are pointing at him or her. So they're held responsible when things go wrong. And in some cases, they should be held responsible. But in other cases, as we'll talk about here in just a minute, a lot of it comes down to the culture of the organization as well. So they have to deal with very complex cyber environments,
(03:14):
and trying to make these secured and protected can be very challenging. The startup versus the dynamic of the enterprise: one thing, the CISOs are often stretched into multiple roles at the startup. I'm dealing with a startup right now that I'm working with, and there are lots of different aspects tied to it. So it can be a very daunting task.
(03:34):
But larger organizations tend to retain their CISOs longer given they have a broader scope and more teams and ongoing complexity. But that is not necessarily true either. A couple very large organizations I've been working with here in the not too distant past, both of their CISOs have moved on. And one was because they wanted to, the other one was
(03:54):
you don't really know. But could be one that they were not happy with him. Motivations and career path evolution. Some CISOs say they move on because they reach the business-as-usual mindset, and their role stops challenging them, and they also don't have opportunities outside of what that role is for them. So they basically kind of shift towards more of a fractional or
(04:15):
consulting roles, mentoring or vendor leadership, basically seeking the balance and the issues that go along with that. Hence that is what happened to me. Just to kind of put it in perspective, I was told, well, before Christmas, about this time last year, or not last year, a few years ago, when I talked to my senior leadership, I asked if I could work from home based on my kids' schedule, and they were doing a
(04:39):
big push for, well, basically a coming-back-to-work kind of thought process. They were back to work for a while from the office standpoint, but there was a big push to not do any work from home, and I just asked the question, hey, do you mind if I work from home for a couple weeks while my grandkids are in town? And that was all I needed for the dear Lord to push me in the direction of going, no, you need to leave, because they came back
(05:02):
and said, No, I'm sorry, but you need to work in the office. And I was like, Are you kidding me? We just went through COVID and all I'm asking for is two weeks to work from home. And so after that, that was all it took for me. But bottom line is that you need to kind of figure out what is going to be best for you. Liability versus compensation imbalance. CISOs often have to deal with a lot of risk and exposure, and
(05:26):
lack that which is commensurate with the authority, resources, and the rewards. That is very true. My income was not that of many of my peers, and not that that was a huge factor, but it does play into all of this because you start going, well, is the grass greener on the other side of the fence? I will warn you, it's never greener on the other side of the fence.
(05:46):
There's other organizations, basically, the implications for ideas around this: one of the things you want to have to help fix this problem is that you really need to support your CISOs from a well-defined role standpoint and executive alignment. I've seen this and lived it where the executives are not fully aligned with the cybersecurity plan for the organization, and therefore you become relegated as just kind
(06:08):
of, yeah, go sit in the corner and don't worry about it. And then when something bad happens, guess what? Your neck is on the line. I had a situation that occurred where I was treated very much like that, where you just go sit in the corner, you do your cyber stuff, we'll call you, don't call us, kind of thing. And they're very good. And I'm not saying this is a bad thing on any of the
(06:28):
organizations I've been with. That is just kind of the mindset, and it's understandably why, because they want to make money. Cyber is a cost center, and it just kind of ends up being more and more money. However, until the hack occurs, and then they look at you and they go, What did you do? How did you fix this? And yeah, I felt a lot of pressure to the fact that if I hadn't had a good plan in place, I definitely would no longer
(06:50):
be with the organization. So, again, that's one of those things where you really got to plan for it. Emphasizing communication, stakeholder management, and board-level risk literacy, an important part of that. You also need to recognize when the CISO's mission has matured or when new challenges are needed. If they've matured, what do you do beyond that? How do you help this person when they're in a cybersecurity
(07:11):
standpoint? What is their next step in their next role? So it's a big factor there. And then the rise of the fractional or hybrid CISO models. This is partly responsible for the intense demand as well, because if you know, I personally look at myself, I do not want a full-time CISO role. I do not want that. My quality of life is much better with what I have now. Do I make as much money?
(07:32):
No. Do I need as much money? No. And what I've learned is that the more money you make, the more you pay in taxes, and you really just end up working for the tax man. So you gotta kind of weigh out what does it work for you. If the compensation was substantially higher, well, then you would think twice about it. But when the compensation is that of probably some high managers, then you start questioning, is it really worth
(07:54):
the effort?
So, something to kind ofconsider.
Again, great article from CSOmagazine.
Is the CISO chair becoming arevolving door?
Okay, so let's move into ourdeep dive questions.
Okay, so you can get all of thisat CISSP Cyber Training.
You just sign up for my freecontent.
You can get all kinds of freestuff that's available.
(08:15):
I've got about 360 freequestions.
They're all available at you foryou at CISSP Cyber Training.
This questions, the deep divequestions, and I'm actually in
the process of building out atest, a 250 question test that
you will be able to test yourknowledge at the end of going
through my content.
Uh, that's all gonna beavailable through you some
through my paid products.
(08:36):
I have three different paidproducts that are available for
you to check out.
Go check those out at CISSPCyber Training.
I'll tell you bluntly, it's thecheapest you'll ever spend on
the CISSP training, and it's allthere laid out for you.
If you go through this training,you will pass the CISSP exam.
But you gotta go through thetraining, you gotta follow the
blueprints, and you've got to beable to do all that.
But these questions are allthere for you at CISSP Cyber
(08:59):
Training.
It's great, great products thatare out there, if I do say so
myself.
So this is domain five, deepdive questions.
Let's go into these questions togive you an idea of what you
need to kind of expect for theCISSP exam.
Again, disclaimer, these are notquestions you will see verbatim
on the test.
They're just not.
These are ones that were createdby myself.
(09:19):
But the point of this is is justto kind of give you an idea of
what is out there and how youshould start thinking about the
different test questions.
Question one.
A multinational organization isintegrating with several cloud
service providers usingfederated identity models.
During testing, users are ableto authenticate but cannot
access specific cloudapplications even though
(09:40):
authorization tokens are successfully issued. What is the most likely cause of this issue? A, identity providers are not signing SAML assertions properly. B, the service provider is not mapping SAML attributes to the local roles correctly. C, OAuth 2.0 tokens have expired due to the short token lifespan
(10:02):
or lifetime configurations. Or D, the IDP clock is out of sync with the SP, causing the assertions and validation failures. Okay, so let's walk through each of these. So when it comes down to it, with A, the identity provider is not signing SAML assertions properly. Incorrect signatures would prevent login entirely.
(10:23):
So if you didn't have that, if you didn't have the right signatures in place or the assertions in place, then you wouldn't even be able to log in at all. We'll skip it. C, OAuth 2.0 tokens have expired due to short token lifetime configurations. Okay, the token lifetime issues would cause session timeouts and not immediate access denial. So that wouldn't be the issue as well.
(10:44):
And then let's look at D. The IDP clock is out of sync with the service provider, causing assertion time validation failures. So clock skew basically causes failed assertions, not partial access failures. So this is a partial access failure, and so what could that possibly be? So it really comes down to authentication, basically users that are being logged in, they're able to be logged in,
(11:06):
but the authorization fails. This is the point where the role or the attribute mapping issue is between the IDP and the SP, the service provider. So this is between your identity provider and this is also between your service provider. The service provider must translate identity attributes into local permissions, and then if this fails, the users are authenticated but denied access.
(11:28):
So in this situation, the service provider is not mapping SAML attributes to the local roles correctly.
Question two (11:35):
a financial institution implements role-based access controls or RBAC. However, the auditors find that users in multiple departments share the same role, but have different access needs. What security principle has the organization most likely violated? Okay, so they have roles, but they are all basically
(11:55):
everybody's lumped into a bunch of roles. Okay, A. Separation of duties. B, least privilege. C, need to know. Or D, accountability. Okay, so let's talk about this a little bit. A, separation of duties. Separation of duties ensures that no single user will have the ability to have a specific information, and it's not really
(12:18):
based around role structure. So therefore, it really wouldn't be something that would be tied to a role. Need to know is a focus on access for specific information, not general role structure. So you just need to know that information. That doesn't really match with our RBAC, which is your role-based access controls. Or D, accountability, it basically deals with the
(12:39):
traceability of actions, not a specific role assignment. So again, A doesn't sound right, C doesn't sound right, D doesn't sound right, B is right. Of course, B, least privilege, right? So least privilege is what you'd be looking at from an RBAC standpoint. These roles grant only the minimum permissions necessary for users to perform the specific job duties.
(13:01):
So you want them to have the least amount of privileges for the specific role. Now, if people are all thrown into a bucket, what ends up happening? Well, now everybody has the same level of privileges. So you're not breaking people's roles out, you're just making everybody have the same level of access. And so what would end up happening is, ideally, that role that is there probably has a significant amount of capability
(13:23):
within it. So interesting part about question two, but the correct answer is least privilege. Question three. An organization handling classified data needs to prevent users with lower clearance levels from accessing higher classification data and also prevent high-level users from writing to lower levels.
(13:44):
Which access control model should be implemented? Okay, so we've got A, discretionary access controls or DAC. B, role-based access controls or RBAC. C, mandatory access controls, MAC, or D, attribute-based access controls, ABAC. Okay, so let's walk through these.
(14:06):
A, let's look at that one. DAC allows owners to modify permissions, unsuitable for classified data. So that's your discretionary piece of this. And that would probably be incorrect because you're looking for some level of mandatory access controls. So let's look at why role-based access is not the proper one.
(14:26):
It's role driven, it's not classification driven. So again, you're dealing with classification, so it would focus on mandatory access controls because those are the classification levels in which you're going to be mandatory requiring them. ABAC, attribute-based, is more dynamic and policy-based, but not used for strict government classifications.
(14:47):
I say that it can be used for government aspects, but it's when you're dealing with it in a more dynamic environment, attribute-based makes it a little bit more challenging. When you're dealing with just only a couple tiers, such as classified, top secret, secret, and so forth, mandatory access controls based on your specific capability is really what you'd
(15:09):
want to focus on. This implements when you're dealing with that, so MAC will enforce the security labels such as confidential, secret, top secret, and so forth, as well as the various clearance levels that are associated to it. It implements the Bell-LaPadula model, which prevents read up and write down, maintaining confidentiality in the area that you have access to. So again, you can't, when you're in that bucket, you're in the
(15:30):
classified bucket, you cannot read up and you cannot write down. So now I will say that if you are in a top secret, you can read down if you're a top secret into the various aspects of the secret environment. But if you're in secret, you can't read up, but you can read down into the unclassified environment. So again, when you're dealing with classification
(15:52):
levels, the answer would be C, mandatory access controls. Question four. A global enterprise recently developed an identity governance solution to automate provisioning and deprovisioning. During the review, security discovers several terminated users still have access to third-party SaaS platforms. That's software as a service.
(16:13):
Which is the most likely reason for this specific issue? Okay, so let's walk through each of these. A, privileged accounts were excluded from periodic certification reviews. B. The deprovisioning process is not integrated with the external identity stores. C, multi-factor authentication was not enforced on SaaS
(16:34):
platforms, or D. Federation metadata between IDP and the SP has expired. Okay, so let's break this down. A, privileged accounts were excluded from the periodic certification reviews. Now, privileged accounts are a risk, but the issue affects all terminated users.
(16:54):
It does not affect the privileged ones. So therefore, this is not something that would be the correct answer. When you deal with C, MFA doesn't handle access removal. So your multi-factor is basically focused specifically around their additional access control. Now, D is your expired metadata, which would break authentication, not
(17:16):
cause excessive access retention. Question four. A global enterprise recently implemented an identity governance solution to automate provisioning and deprovisioning. During the review, security discovers several terminated users still have access to third-party SaaS platforms. What is the most likely reason for the issue? A, privileged accounts were excluded from periodic
(17:37):
certification reviews. B. The deprovisioning process is not integrated with external identity stores. C. Multifactor authentication, or MFA, was not enforced on the SaaS platforms, and then D, the federated metadata between the IDP and the service provider has expired. Okay, so let's look at some of these and which are the correct
(17:59):
answers. Okay, so A, let's look at that. Privileged accounts were excluded from periodic certification reviews. Now, privileged accounts are a risk, but this issue only affects terminated users. It isn't affecting privileged accounts. So you could throw that one out. C, which is dealing with multi-factor authentication, okay, this multi-factor doesn't handle access removal.
(18:22):
Now you may pull their multi-factor once they have terminated, but multi-factor is not involved with access removal. So think about that in the chain of when MFA is used. If you're not real sure, going, well, MFA isn't tied to terminations. Now D, the federation metadata between the IDP and the service provider has expired. Metadata would break authentication.
(18:43):
So that's an important part. Not cause excessive access retention. So one of the things to consider is that if you have the expired metadata, it would break your authentication piece of this. But if you look at the question it's asking about, they discovered that several terminated users still have access to third-party SaaS platforms, that wouldn't be a problem because,
(19:04):
right, if your metadata would break your access, it wouldn't allow you, it wouldn't give you more access. So then the right answer is B. The deprovisioning process is not integrated with external identity stores. So how does this all play out? Well, access lingering on third-party SaaS apps will indicate a lack of integration between the enterprise IDP and
(19:25):
the external service providers. So again, if it's not connecting between them, then you're gonna have a problem. I've seen this happen many times with products that are like the ones that you sign, or what do you call it? I can't think of the name of it, but you actually will sign it for any sort of signatures, DocuSign, that's it. Like DocuSign has in the past, and I think they've fixed that
(19:48):
since then, they've had integration challenges. So if you don't have a good integration between your IDP and your service provider, you can end up having a lot of challenges. So that can end up having access that you don't want people to have. If it connects through APIs and they don't propagate the deprovisioning commands, the users also can retain their access post-termination.
(20:09):
So APIs are very useful, but they also can be very challenging. Alright, last question. During a red team exercise, testers successfully escalated privileges using stored administrative credentials found in a script within a production server. Not good. Which control would most effectively prevent this in the
(20:30):
future? A, implement session recording for privileged users. B, require dual approval for privileged account creation. C. Rotate administrative passwords every 30 days, or D. Enforce just-in-time privilege elevation through a PAM solution. So let's talk about this. A, implement session recording for privileged users.
(20:50):
Session recording aids in forensics, not prevention, right? This would not stop this from occurring. Okay, B, require dual approval for privileged account creation. So dual approval will prevent misuse of creation, but not the overall credential exposure. The credentials are already there. They're already in the open, they're in the wild, but this would not stop that.
(21:11):
They're already doing their thing. Password rotation, right? So if we deal with C, rotate administrative passwords every 30 days, so password rotation will help, obviously, but it does not eliminate credential storage issues. So what ends up happening in many cases is these credentials will not be moved from where they're at. So therefore, what ends up happening is they just get
(21:34):
stored there forever and they never get changed. So again, not good. Okay, that is all I have for you today. I hope you enjoyed this. Go check me out at CISSP Cyber Training. We're excited to work with you guys at CISSP Cyber Training. All the CISSP questions you need, all the training is there for you. I've got a plethora of free content.
(21:56):
Go check it out. And if you just really want to study for your CISSP and really feel confident that you are gonna pass, go check out my paid products. They are there, they are so inexpensive for what you get in related to passing the CISSP exam. I guarantee you, I do. There's some great, great content. And the amount of money that you spend, just save yourself a few Starbucks lattes, and you will pay for it.
(22:18):
It's not that terribly expensive, and it's there for you to be successful in the CISSP. Okay, thank you so very much, and hope you have a wonderful, wonderful day, and we will catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to
(22:40):
my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.