How to think like a Manager for CISSP Exam. Session by Luke Ahmed

Captions
Prabh, thank you, my friend. And even though we've never met and we live tens of thousands and thousands of miles apart, I truly do consider you my friend, bro. You always have my best interest in mind and you never ask me for anything. I truly appreciate that and will not forget it. Thank you.

Thank you. No problem. Thank you to you and your entire team for setting up and hosting this webinar. It is thanks to you taking time out of your busy schedule, and editing your schedule, to schedule this session, and it will definitely be a great session for our future aspirants who are preparing for the CISSP.

I hope so. I hope to do my best, because it is an honor and a privilege, as you said, for me to be here with every one of you who are taking time out of your busy lives studying for the CISSP exam, balancing your job and family life, maybe a little bit of anxiety over our global pandemic that we're all going through together. But if you think about it, this quarantine has brought all of us together. Whenever we get to finally travel and do things again, we will always have this commonality of COVID. Even if we're complete strangers to each other, we will always have something to talk about: how we dealt with our lives, how we managed our lives during COVID. And I bet, no matter how different each of us are, we will all have shared the common situation of being thankful to have our health, our families, and just going through it together, just like we do for the CISSP exam. Thank you for your precious time, and I promise to do my best to try to explain how to think like a manager for this CISSP exam.

That's great. And one small guideline for everyone, participants: if you have any questions, you can basically type your question in the chat box. As you know, it can interrupt the entire session if you basically unmute and speak, so this is a basic hygiene we need in the session. You can just share your questions in the chat box, and then Luke will be happy to help with those answers. Even
I'm there to answer those questions, will it be okay? So I just want a small request from everyone.

Yeah, okay. And by the way, hello Aditya, I see you. I am sure that on the course of your journey to the elusive CISSP certification you have heard, countless numbers of times, that you have to think like a manager. As a former person who was also on his quest to the CISSP, which was filled with sleepless nights, missing time with my family, not being able to watch the World Cup or the newest Netflix series, and just sacrificing all the time I had, all I heard was: you have to think like a manager, you have to think like a manager. I'm like, okay, well, I'm just a network security engineer, a technical person by profession. My mindset is just to fix the problem as fast as possible before my manager yells at me. I mean, I have a manager at work, but how am I supposed to think like him? Am I just supposed to tell people what to do, like my manager does to me, without knowing any of the technical concepts?

Well, Luke, just give me a second, I think you got muted.

Sorry, am I back?

Yeah, yeah, yeah, yeah. Okay.

Okay, okay. So nobody could really give me a clear and concise answer to this question, or even if they did, it was never the same answer, which was frustrating. Nobody gave me the same answer twice about thinking like a manager, because there really isn't a set procedure or set amount of instructions on how to do that. You know, someone would say it's all about preserving human life, and the other would say it's all about saving money. Someone else said it's about making sure there are processes in place, or not fixing the issue but finding a long-term solution, or the very classic one that we all hear about: don't unplug the server if there is an incident. You've all heard it, I'm sure. It was at this time during my own exam studies that I was counting down to my exam date and was desperate to get some sort of edge over the exam, some sort of advantage. The fact that I didn't know
how to think like a manager, which the exam sounded like it was all about, pretty much had me thinking I'm going to fail this thing, right? And I know you've been trying your best to get a grip on this "how to think like a manager" too. I can feel it. I can feel your curiosity and frustration.

Let me start with this: if you keep asking why throughout your CISSP studies and trying to understand how to think like a manager, believe me, you will eventually gain the necessary clairvoyance into understanding this question. Let's take a look at why it is important to ask why when thinking like a manager. Why is it important to ask why for the CISSP exam? Because asking why is much more important than any of the other questions, like how, when, what and where. If you ask why enough times, you will eventually answer all those other questions anyway, and at the same time reach the ultimate reason and the ultimate high-level answer.

Let me just quickly go through an example of asking why continuously. Here is a simple question you can ask yourself during the course of your CISSP studies: why do we have a firewall? To protect our network. That's the technical answer. Okay, why do we have to protect our network? Because of the data, because of the value of the information, because the servers on the network may contain personally identifiable information or have other confidential data. Okay, so you have now reached a mix of technical and high-level answers. PII, confidential data: these are high-level answers. Protecting the network, that's a technical answer. Data on servers is a technical answer, and talking about the confidentiality of data is a high-level answer. Now ask, why do we need to protect private or confidential data? Because it holds value to our organization, and the loss of confidentiality, integrity and availability of that data is going to cost us, both in financial terms and for the company's reputation. So now we're starting to get into the high-level reason. When we're talking about financial numbers
with quantitative analysis, or how the company is going to look to customers and competitors, these are now qualitative answers. Both of these combined are now becoming more high-level answers, from our very simple technical question of why do we have a firewall. Now we're thinking like a manager. Do you see what I'm saying? Asking why do we have a firewall and then saying it is to protect our network is a technical answer, but continuing to ask why even more and seeing that we're protecting the network and servers because they may affect the business objectives of the company all of a sudden brings us to a more high-level answer. Continuously asking why while studying for the CISSP exam will automatically divert you from a technical thinking perspective to one that aligns more with a high-level manager. I mean, try this: ask a network engineer why we have a firewall, and ask a manager why we have a firewall, and I guarantee you 100% you will get two completely different answers.

Why do you have to think like a manager for the CISSP exam? Because thinking like a manager requires a high-level view of the organization. Let's take a look at another visual example of all the points we have to cover as a manager while studying for the CISSP. Thinking like a manager means you have to have a high-level, interconnected understanding. What do we mean by interconnected understanding? Now, as I have been grinding every night for the last two thousand nights of my life as a CISSP instructor, I have found that everything in one CISSP domain relates to everything else in the other CISSP domains. One thing relates to everything else by some small degree. Firewalls relate to database security, database security relates to proper physical security facility design, physical security design relates to defense in depth, defense in depth relates to encryption. It's all interconnected. That's the reason we have eight domains in the CISSP Common Body of Knowledge. The best thing you can do for yourself when trying to think
like a manager is not to think of all of those domains as separate domains, but as a single fluid entity. One domain relates to another. There is overlap; it's swimming with overlap. The policies, procedures, standards, baselines we establish in Domain 1, Security and Risk Management, are exactly what determines the guiding factors of what happens in Domains 2, 3, 4, 5, 6, 7, 8. And it's when you understand how all eight of these domains come together that you truly understand what it is to think like a manager and pass your CISSP exam. And you'll find that in doing so, whether you pass the CISSP exam or not, you will have become a better security professional. I've been saying that since 2015. My goal, Prabh's goal, is not to just help you pass the CISSP exam but to make you a better security professional. Look, two things will happen when you take your CISSP exam: you'll pass it, or you'll have taken the most expensive and most realistic practice exam question set there is. Whatever the result, you will have been a more knowledgeable security professional than you were a few hours ago, a day ago, a week ago or months before that.

Let's take a quick look at what it means to have a high-level, interconnected understanding as a manager. Let's look at the central, um, vector right there: what does a manager think about when handling confidential information? If you were to look at Domain 1, they would first need a classification policy from management, right? Everything needs policy in the CISSP. You've heard it all before: nothing gets done without policy. And as you shift to Domain 2, now that confidential information needs a classification level, a metadata tag, which is "confidential." A manager then has to think about Domain 3: what encryption type to use if this is data at rest. Are you going to use AES-256, the strongest symmetric encryption algorithm there is today, or are you going to use Triple DES? You have to understand the encryption type is reflective of the value of the information,
and in Domain 4, managers think about, well, we have this data at rest, and even though it's encrypted we still need a firewall to protect the outer perimeter of the network. So now you've traversed from Domain 1, 2, 3, 4, and then you go on to Domain 5: if the data is in the cloud, you need to learn about cloud identity management. Managers think about identity and access management, which is what Domain 5 is all about. As you go around the circle, now you come on to Domain 6, vulnerability assessment. You're going to do a vulnerability assessment of the environment where that confidential data is, so in doing so you can transfer that knowledge to Domain 7, in case of an incident, so you're prepared for incident response. Again, it's not just about labeling data as confidential and then saying we're done. You have to think about everything else in these domains, which includes the most important: incident response. A manager has to think about that as well: what to do in case there's a breach of this data. Unplugging your server isn't it; there's a whole process to know about that. And then Domain 8, you're going to have to know about database security. The database on which this data is, how secure is that? Was there a proper software development lifecycle model followed to protect that data, to design the database? What is our CMMI level, Capability Maturity Model Integration level, are we part of that? Imagine, just think about all of them.

Thanks so much, I'm really sorry. So in that box right there with the orange circle, you can put in anything. What does a manager think about when handling confidential information? What does a network engineer think about when, or what does a manager think about when a network engineer implements a security policy on the firewall? If you're a technical person and I asked you how do you handle confidential information: firewall, encryption, that's it. But if you're a manager, you've got to think about all these things. Okay,
that's a high-level view of why you have to think like a manager in order to successfully answer the questions on the CISSP exam: a security exam, a business exam, an exam that tests not just your understanding of keeping a business running but also an understanding of the security industry's lexicon.

There is one question I would like to present, because this is one of the questions from the participants. When it comes to Domain 3, there is a, you know, topic called cryptography we have, right?

Yep.

So when we say "think like a manager," right, you know, when it comes to the encryption usage, you know, AES is better than this, or DES is better than AES, or ECC versus RSA, whatever it is, okay. So do you think we need to understand something in very detailed, like, you know, how a particular algorithm works? You know, I believe this is the normal question from all the participants when it comes to Domain 3, because cryptography is something, it's like, you know, a very complex topic, and the person who is not a technical person always struggles with cryptography. And in Domain 4, which is called security protocols, correct me if I'm wrong, team, those were part of this session today. So what are your thoughts, what is your input for those particular sections, which is normally what we receive as feedback and questions from participants?

Yeah, what do you... like, if it's in our CISSP, people, I support you as well.

I'm sorry, you support what? I'm sorry to interrupt.

Okay, I'm sorry. I support what he just said. You look at DES: this has got five operating modes. Do you need to go into detail to understand all those modes, how they operate, from the perspective of a manager? Look, Shon Harris and Mike Chapple (I think that's the name) didn't write these books for nothing. There's a reason they included the details of cryptography. Do you have to know them in exact detail? Do you have to know how many CPU cycles AES-256 goes through per clock cycle? No. As a manager, you have to know that
AES-256 uses more processing power than Triple DES. You have to know that AES-256 is unbreakable right now and Triple DES has been broken, or, you know, is a weaker function, and you have to know why it's a weaker function and why AES is stronger. Dependent on that information, then you can apply those to the type of protection you're going to do. If you're on a call with your customers and they ask you, should we use AES-256 or Triple DES, and you're the manager, you're going to have to answer that. And that's why it's in our CISSP books, so you can answer it in detail and talk about the advantages and disadvantages. Okay, I'm going to go into that in the technical knowledge folder. So the answer to your question, Prabh, is yeah, you've got to know that.

Thank you.

Don't, don't, don't skip on anything, because the one thing that you're going to skip on is exactly what the CAT exam is going to figure out that you don't know, and you'll get nothing but those questions. Don't let it overpower you like that, okay?

Sure.

So we've answered why it is important to think like a manager, and we've answered why it is important to keep asking why. Now let's take a look at some primary concepts of thinking like a manager, as in, let's take a look at the concepts that will align your thought process with that of an information security manager. Everyone's still with me? You guys awake?

Yes, yes, yes. Go ahead.

Okay, I'm just kidding.

I mean, sometimes I feel that, you know, now this will be one-sided, so they can just share the, you know, the questions in the chat box. So I'm consolidating all the questions here.

My biggest fear is boring everybody. I don't want to bore.

Yeah, so one of the participants has raised the point: "can't sleep when Luke is here." So it's good feedback, right?

Okay, sounds good. Good, all right. And thank you to everyone who's staying up late at night, in the evening as well. Okay, let's quickly look at some primary concepts of thinking like a manager, and just general things to remember
while taking the CISSP exam. Hey, a lot of people ask me, what do we need to memorize for the CISSP exam, or what do we need to write down on that piece of paper during the exam? Back when I took the exam, I pretty much wrote down things like the OSI model layers, or port numbers, or the different symmetric encryption types, or those annoying little DES details to remember, you know, like, oh, it uses 56 usable bits but it actually has 64 bits. For some reason that just screamed out like, hey, make sure you know this, this is definitely going to be on the exam. Yeah, everyone thinks that. For some reason that's like the one encryption fact that everyone tries to remember. And, uh, but none of that really mattered, you know, initialization vectors or cipher block chaining. Um, you know what I should have written down was the following, which we're about to go over. And thanks to, uh, Randy Nguyen for insight into these topics as well, and Randy, thank you for your service.

Okay, the first one should be no surprise: human safety is the top priority. There is a simple reason we protect the lives of humans, and the famous astronomer Carl Sagan said it best: out of 100 billion galaxies, you will not find another human. The billions of years of complex evolution that took place for us humans to be here are at astronomical odds to occur anywhere else in the galaxy. Protect and save your fellow human beings at all costs. And we're going to go more into human safety right after all this.

The next one: you may be faced with decisions... sorry, I'm drinking water here, just to propel myself here. Behave ethically: laws versus boss. You may be faced with decisions in your security career where ethics will play a strong role. It is at this point where you have to decide whether to follow your ethics or that of the organization. It's not an easy choice. Nothing in security is always an easy choice. As we saw from that diagram, as a manager you have multiple things to think about, which is why in
security you get paid the big bucks, okay? And remember, the CISSP Code of Ethics is very testable on the exam. As a security professional and as a manager, your knowledge will only increase if you know the Code of Ethics and how to apply them. I'll just say what Dr. King has said: the arc of the moral universe is long, but it bends towards justice. Behave the way you know deep down is the right way, and if you have doubts, then refer to the (ISC)² Code of Ethics. Remember, they are testable, and it doesn't just apply to being a security manager, but security professionals from all realms.

The third one is business continuity. Business will not fail. Do not let the business fail. Have a BCP...

I want to interrupt here on one point. As you said about ethically, law versus the boss, there is a small advice to everyone. There is a CBK fourth edition, which is Adam's book. In that they have explained much in detail about this Code of Ethics, which is basically missing in the Sybex and others. So it is my suggestion, for those who are referring to the CISSP fourth edition, they have discussed about each and every canon in detail, and that is very important for you to prepare, okay, which is missing in Sybex and other books. So it is my suggestion, please do check the CBK fourth edition for all the four canons, okay, PAPA, P-A-P-A. Sorry, Luke, I was just adding that point, I'm really sorry.

Yeah, please go ahead, Prabh, you can interrupt me anytime you want, it's not a problem. Okay, again, do not let the business fail. Have a BCP/DRP plan in place. This means that if there is a virus on a server, unplugging it isn't going to save the business. We don't know what that's going to do. But having a proper incident response plan is going to save the business.

Maximize corporate profits. Don't get it twisted, guys: next to human life, the most important thing for a business is to make money. Businesses love the smell of money, they love making it. The only thing they don't like is wasting or spending it. Maximize your corporate profits. Help your
company make money, which also means implement policies, procedures and other processes to save money, make money and not waste money.

Avoid or minimize threats. To understand this, you have to understand the management decisions in your CISSP study guides, such as accepting, avoiding, rejecting or transferring risk. Make sure to know those. Learning about those will align with topic number five. And I can go on about all these in greater detail; on topic number five I could just spend six hours talking about that, but we don't have six hours, so I'm just kind of flying through these. Any elaboration, talk to Prabh.

Topic six: all controls must be cost-justified. Don't spend more money than you have to, and don't spend too little money on a valuable asset. Like, don't spend $15 on a shelf from eBay to put your Rolex watch on. You want a shelf that's going to last and going to give you the confidence your expensive watch isn't going to fall to the floor and break. Or an example is, don't spend too much on a countermeasure that costs more than an asset. Don't spend five thousand dollars on a firewall to protect an asset that is valued at a thousand dollars, okay?

Senior management must drive the security program. Look at this webinar right now: I am just a participant. Who's the senior management in this webinar? Prabh. He is driving this webinar. He's telling me...

Again, I want to hijack. Please don't misinterpret the information here. You are the senior management. I'm a custodian, I'm just managing the access and everything, so I'm just managing the access to make sure everyone should be in the same channel. Yeah, please don't misinterpret.

Prabh, you are the board of directors to me, okay? This is your show. I'm just providing here.

So this is our show, not yours or mine. This is our show. This is our show for our students, our clients, aspirants.

Yeah, that point, senior management drives the security program, is one of the most important things you can learn. As in, you know,
your co-worker doesn't get to tell you to start an information security program, or your supervisor or manager. They don't just get to tell you that. It must come from senior management. That is part of thinking like a manager. And even then, even your manager doesn't get to tell you to do something or start a new project unless it's been signed off by management. Your manager just can't say, hey dude, make sure you have a clean desk policy, and if you ask why, they don't get to say "because I said so." No, that's not a good manager. A good manager will say that it is good practice in order to prepare for our ISO 27001 certification. That's a good reason to have a clean desk policy. Luckily I had some great managers in my lifetime, and I looked up to them, and they were instrumental in helping me pass the CISSP exam just by being who they are.

Okay, number eight: a security professional has no decision-making authority unless assigned by management. Just because you're getting paid so much money doesn't mean you get to do stuff without asking. When taking the CISSP exam, act like you are a hired consultant in the company. You don't want to touch anything. Pretend you got hired, this is what you should pretend: pretend you got hired, then turned on your Zoom conference meeting, because we're under lockdown, right, and you're attending a meeting with an organization's security management and security team to go over their assets. You then just advise them, because you physically don't get to touch anything, because you're behind a monitor. That's actually pretty good advice, now that I think about it. When you're taking the CISSP exam, pretend you are a security consultant in a Zoom meeting, only you are not at the company's site and you can't touch anything. You can just advise over Zoom, that's it. You know what, yeah, do that actually. Now that I think about it, that's a solid way of looking at it. When you're in the testing center and looking at the computer monitor
of questions, just pretend you are being asked these questions by an actual organization, and respond that way. Don't touch, because you can't; just advise.

The last one is use automated tools where appropriate. Some things a machine can just do better and faster than humans, right? A manager will use automated tools so they don't tie up a systems administrator to add accounts manually, or have a security team manually scan devices for vulnerabilities. A vulnerability scanner can do a much better and faster job, because it was created and built for that. Okay, just another way to save time and money, thinking like a manager. Those are my top nine recommended ways to think like a manager. Let's check out this folder on safety.

Uh, again, I want to hijack your session here. Just a small example: can you share with the participants in which conditions we can go with the automations and in which conditions we can go for the manual efforts? I believe it is also another question which is raised by one of the participants, adding seven to eight participants, about, you know, in which conditions we can go for automation or in which conditions we can go for the, uh, you know, manual case, or, you know, the manual process. If you can basically highlight.

Say you have a security incident and event management, SIEM, and you have two security engineers assigned to a SIEM environment, and they're supposed to take care of everything, an environment of 60 devices. They are not going to go to all 60 devices and check the logs. You need to write a Python script, or some kind of script, to run those scripts and retrieve those logs. The most important part of automated tools, to answer your question, Prabh, is checking logs. You don't want that to be manual, because it's time-consuming, just taking all that raw data, right? You want vulnerability... there are plenty of vulnerability scanners like Nessus or GFI LanGuard that were built to look for vulnerabilities. You don't need to assign precious
resources and personnel to do that. So basically, to answer your question, anything that can be automated, do that, make it automated.

Great, thanks. Thanks, Luke.

Yep. Let's look at work safety. Um, you know, with this pandemic I'm too scared to even touch a doorknob, much less go into an office, so work safety is very important. The very first thing you see on here is "safety first." Then you see someone wearing protective headgear: protection, physical security. You have regulations. We don't follow regulations just to follow regulations; you do it to save a human life, like the fire regulations, fire standards, the hazard signs, the actual sign of the hazards. Health insurance provided by your company: they don't want you to get sick, or if you do get sick, you have a plan, a backup plan. So in your CISSP studies, when you see something like BCP/DRP, first try to relate it to human life. Human life is the number one priority for BCP/DRP. Only after that is it availability, and then after that is the more technical answer of recovery and restoration.

As far as physical environment, there is CPTED, one of my favorite things: Crime Prevention Through Environmental Design. There aren't a lot of data centers in Florida here, but there are. I do see, like, this is nice and sunny and good, lots of weather for growing trees. Trees will be built around the facility to hide people from looking in, or anything like that. So that's facility security. You're securing, you're stopping intruders from coming in, to save human life. Consider the physical environment in parallel to saving human life. Same with awareness signs, like, you know, electrical signs, "please be aware," or "if you see something, say something." These are all to preserve human life. Even in the enterprise, system resilience: I'm not talking about, you know, server systems, I'm talking about electrical systems, electrical grids, water, power dams, or, what's that called, SCADA. You keep these up because these are critical national infrastructures, of national security.
In the U.S., it's the Department of Homeland Security that oversees that, so they're trying to make sure all this is running, so our heart keeps beating. Same with energy. Intrusion detection: I'm not talking about a technical thing, I'm talking about those, um, you know, like turnstiles, or, like a... it's not a firewall, a closed-circuit camera to look for intrusions. Uh, what's that thing called in a data center? Mantraps, going in and out. You need to learn about piggybacking, or following someone in. Same with power and lighting. You're learning about lighting and candlepower and fire extinguishers and the types of glass, not because you're going to be tested on them, but you have to keep those in mind when you're taking the CISSP exam: what they're for and, most importantly, which situation you're going to use them in, okay? Just one more example on this: if there's a door, an electronically gauged door, and there's a fire, how do you want that door to act in case of a fire? The CISSP term is fail-safe, fail-open. If there's a fire, you don't want that door to lock automatically. You want that to open so people can get out, okay?

Value and cost. There's a difference between value and cost. I don't think the CISSP books go into this. An asset is a straight fixed cost. Purchasing a $5,000 firewall is a cost. Sorry, I took a drink of water. The fact that the same firewall protects multiple web servers, which if compromised would cost the company hundreds of thousands of dollars, that's the value. Value and cost are two different things. I don't think the CISSP study guides go into value and cost, maybe the Shon Harris, because that book goes into everything. It's important to know the difference. Let's take a look at an example using GDPR. What is the cost of GDPR compliance? Say your company is a brand new company, they're dealing with European Union citizens, and it's found out that your company would need to spend ten thousand dollars to be GDPR
compliant. And to be compliant means you have to know the principles of GDPR, the workings of it, the articles, you know, Article 50, Article 51, and the roles and responsibilities. What are those? Data processor, data... one of those. That's the cost. It's just going to cost you ten thousand dollars to get compliant. Whether your management does that or not is the real decision. Suppose you don't do GDPR compliance. He says, yeah, I'm not going to do it. I deal with European Union citizens, but, you know what, I'm just not going to do it. Well, that can cost you a potential revenue of $100,000 lost from non-compliance. If I live in, like, Sweden or France and I see that your company is not going to take the steps to protect my personal data, I'm going to say I'm not going to do business with you. The impact from this: six-figure revenue loss. Suppose you do have EU citizen data and you're not GDPR compliant and there's a breach. Oh, that's a million-dollar fine, and I think that's on the low end. Millions. Companies have been fined millions. So by just not spending the cost of ten thousand dollars, you've lost a value of a hundred thousand dollars, and you've been fined a million dollars, okay? Cost, value: very important to know for the CISSP exam. Yep, cost-benefit analysis, have to do that, thinking like a manager.

Again, here, Luke, sorry for hijacking your session. So, I thought we are talking about GDPR, so a small piece of information I would like to share with everyone. In GDPR, when you're preparing for the exam, in GDPR principles you need to have a good understanding of all the six principles, and along with that the security breach reporting and the role of a Data Protection Officer. So when you're preparing for this, make sure you should have a good understanding of the GDPR six principles and OECD principles too, because we got a lot of questions in the chat box: is privacy important? Yes, privacy is important. So GDPR, OECD, both are quite important for the exam, okay? Over to you, Luke.

Thank you, bro. The
interruptions are welcome it gives me a time to drink my water and uh kind of get hydrated again what prop said is correct and oh it is drinks drinks uh it's it's not water just water no no beer this time yes um yeah i'm sure prob and i get a lot of questions about is do we have to do we have to memorize the u.s laws look we can't really say what you have to and not have to do for the cisp exam because that is against the nda u.s law this is an international why would you need to know u.s laws i'm going to say you don't really pub you probably don't have to know this gdpr is an international uh regulation so that's why you have to know that but should you just skip over the u.s law section no don't do that the u.s sometimes serves as a guiding line for laws for the rest of the world like an example so understand sarbanes-oxley why it was created understand graham leech bailey why it was created okay okay process roles and responsibilities prob how am i doing on time it's okay you can it's it's your it's your it's your stage so okay i'm enjoying okay if everyone okay with that thinking like a manager needs to know the processes that you study in your cisp books you have to know the processes you have to know the roles involved in those processes and you have to know the responsibility of those roles in those processes let's take a look at a few important examples and we'll just run through this thing do not skip on your software development life cycle very important process never skip your pcb drp process you gotta know that if there's nothing if you don't study your bcpdrp specifically the business impact analysis you will fail the cisp exam study your bcp drp process incident response your whole security life is going to be reactionary it's going to be nothing but reacting to incidents know your incident response process remember these aren't topics or subjects these are all processes there's multiple steps involved in those pki public key infrastructure right 
have to know that process. Cloud vendor: it's not just about opening an AWS account and creating, you know, VMs. There's a whole process to that. Before engaging AWS or Azure you have to check out their risk: what risks do they present, can they provide the right coverage for you? These are all done through a service level agreement, a CISSP topic. Data handling, like we talked about earlier with the manager and confidential information: is it just about labeling the confidential data and being done? No, there is a handling process. Information security program: big process. You can probably say the information security program drives all the other processes.

So now I want to focus on what roles are involved in each of these processes. I'm not going to talk about every single role, otherwise you'll be here for six hours and I truly will be boring. So for the software development life cycle, what role is involved in that? Instinctively, I think you think programmer, developer, software tester. The more important role to focus on is management. Why? Because it is their responsibility in the first step to approve the funding and acknowledge the security controls, and to make sure that you do have developers and software testers and software engineers available who are going to get paid to do this, who are being told to do this. And you, as a security professional, have to tell them in that first stage of the SDLC about security. If they had it their way, they would never incorporate security. You as a security professional have to tell them, because the first step of the SDLC is the most management-facing step. They're only going to get involved in the first step; they're not going to be there when people ask what kind of code we have to use, they don't care about that. So take this time and opportunity to make sure they know about security. BCP/DRP: departmental leaders. Why do we need departmental leaders in the BCP/DRP? Because they need to provide input during the business impact analysis. A business impact analysis is an analysis of the critical business functions throughout each department. Who knows each department best? The leader of that department. You need them in the BIA. Incident response: why do you need a manager during an incident response? I mean, it's always the technical guys, the CCIEs, the CISSPs, the CEHs, who are like, "Incident! We're the blue team, let's go, we're going to get this covered." Because the manager has to make the decision on what to do. Unless there's a set process, nobody's going to know what to do. Everyone's going to be like, "Well, I want to shut down the server," "Well, I want to keep the server going," "Well, I want to black-hole the traffic this way," and all these other fancy technical terms. Doesn't matter. You do what the manager tells you to do. You look to that person for the decision in an incident response, because a manager knows if the incident is just a virus on a computer and it's not that big of a deal, maybe shut down the server at 5 p.m. after business hours; but if it's a worm that propagates throughout the network, maybe immediately shut that down so more damage can't be done. Okay. PKI: certificate authority. Why is a certificate authority an important role in PKI? Simple reason: it provides trust. It provides a third-party trust for a client and server to trust each other. Cloud vendor, cloud service provider: what role do they play? Security of infrastructure. If you're going to get SaaS (software as a service) or PaaS (platform as a service), it's not your responsibility to secure that software; that's the cloud service provider's responsibility. Okay, that's their role. The data, that's your responsibility. Data handling, as we have said, is an important term. If you don't know the term data owner, you will fail the CISSP exam. Why do we need a data owner? For data classification. Why do we need a data classification? So we know how to assign the proper protections to that asset. Again, that word "why" floats everywhere. Information security program: why do we need a CSO for the information security program? Because of tip number six or seven from the previous slide: senior management must drive the information security program, or any other business-driven decisions, right?

Yeah, they are the driving factor.

So these are by no means the total list of process roles and responsibilities, but think of this list as you go through your studies.

I want to hijack the session here, just to add one point. Luke shared this point about the data owner and the CSO. In Luke's book, which is called How to Think Like a Manager for the CISSP Exam, he has discussed this question and he has given a very good explanation. So those who always get confused regarding the management aspects, you can check his book, and that book has a well-written explanation about these roles. Over to you, Luke.

Thank you. Thanks, Prabh. Okay, process, roles, responsibilities, and we're done with primary concepts and on to the fun stuff: technical knowledge. This picture will either welcome you into knowledge that you already have or make you cringe. Do you need to have technical knowledge for the CISSP exam? I'll answer it this way, simple question: do you understand this network architecture? Do you understand what's going on here? Do you know what a switch is? Do you know what a fiber optic cable is, UTP, a hub? Do you know what kinds of symmetric and asymmetric encryption ciphers there are: AES, PKI, IPsec, Blowfish? Do you know when and why to use them? Do you know what a digital signature is? Do you know what's the difference between signing with a private key and encrypting with a public key? You've got to know that kind of stuff. This is technical stuff you need to know. Look, the CISSP is going to ask you technical questions, okay? Everyone says think like a manager; it doesn't mean there's no technical questions.
It's just not like that. You're going to get technical questions. Do you know where to put an IDS/IPS? Do you know the difference between IDS and IPS? You have to know that. Do you know what IPsec is? Do you know that it runs on the firewall? Once you understand how IPsec works, you will understand that it upholds confidentiality, integrity, authentication, right? These are things you have to know. It's technical stuff, it's very technical. And if you don't have technical knowledge of these things, do what I do: hack the knowledge. Go to YouTube, type in "how to configure IPsec VPN on firewalls," and look at how those people do it, look at how the CCIEs and CCNAs are doing it, and pretend you're at your job and you're watching your technical guy do that. You've now gotten your technical knowledge.

But we also have a shortcut here. Luke, you have a very good blog on IPsec for the CISSP; why are you hiding that?

Yeah, I don't know what I did five minutes ago or yesterday, let alone what I did years ago, but thank you.

Yeah, I shared the link with everyone regarding the IPsec.

Awesome. Yeah, thank you for that. I approve, as data owner, I approve. Thank you for that. Do you know what federated identity management is? Do you know the cloud technologies, private cloud, public cloud? You've got to know that. It's the technical stuff. You have to have the technical knowledge in order to understand the high-level choices you're presented with on the exam. Do you know what 802.1X is? If there's nothing about 802.1X that you know, know at least that it is a layer 2 functionality of the switch. RDP, remote access security: do you understand why RDP exists? What are the security concerns with RDP? How do we secure it? Guess what, you can use IPsec, you can use federated identity management with single sign-on for RDP remote access. Everything correlates to everything else. Kerberos, everyone's favorite topic. You know, you spend hours and hours learning about ticket granting tickets and the ticket granting server, the three-headed dog, printer access, and at the end people are like, "I studied so much, I can memorize it and ace that on the exam. I know for sure that exam is going to ask about a three-headed dog." No. For Kerberos, understand the weaknesses and disadvantages, which is, I guess, the same thing; understand the strengths and disadvantages. The KDC is a single point of failure; have redundancy for that, right? You know, I mean, know about the tickets and everything, and why: the mechanism of Kerberos simply is that it's a mechanism so passwords are not exchanged for access. VLANs: do you know VLANs? You don't have to know VLANs, but it's good to know VLANs; same with everything in the CISSP, it's good to know things. Virtual LANs, broadcast domain, collision domain. Do you know the difference between TCP and UDP? I strongly suggest you know the difference between TCP and UDP: which one requires a connection, which one doesn't require a connection, which one is connectionless. When would you use something that is UDP and when would you use something that requires TCP? Yeah, DNS, port 53. Speaking of ports, OSI model: DNS is port 53 UDP for the exchange of queries, but we use DNS port 53 with TCP for zone transfers. Why do we need TCP for zone transfers and UDP for just DNS queries? You've got to know that, because at a high level, for the manager, they have to decide that, hey, if we're going to do zone transfers using TCP, it's going to take a little bit more effort, it's going to take the engineer a little bit more time to configure that instead of just automatically configuring DNS over UDP and letting it take its course. Okay. Do you need to have technical knowledge for the CISSP exam? As much as you might not want to hear it, yeah, you do.

Okay, let's talk about the book now. I just wanted to get all that out of the way before we talk about the book. Everything I just talked about is new stuff; not all of that is found in the book. Everything I just laid out isn't also in the book, otherwise what's the point of this session? I'm going to give you new information, not stuff that's already out there. Hey, do you like that cover?

So, one thing about that. You just need to understand something about the book that Luke is talking about here, the How to Think Like a Manager book. Only recently, just two days back, two of my clients cleared the exam, two of my gladiators cleared the exam, and it is a well-written book. So I also requested Luke to give a high-level overview of this book in this session, because this book is really worth it. To be frank, I have seen my gladiators who were literally struggling with answering the questions and all that; they referred to this book and they cleared the exam. So I requested Luke to give a high-level overview of this book, how to read this book and when to read this book. So Luke, over to you.

Thank you. Hey, congratulations to those gladiators for passing, that's wonderful news. Do you guys like this cover? My wife actually came up with the idea. When she kept hearing me talking about IPsec VPN tunnels, I always used to talk about encryption and decryption, she was just like, why don't you put something like a lock unlocking, unlocking meaning decryption. So that was her idea. It's got nice little icons on it, like little keys and USB keys and computers and all that kind of stuff. I love that cover.

A management decision, right?

Absolutely not, absolutely not. She is senior management, and she's the most important thing to me, very, very important, and she gave a good suggestion and I really like that cover. So with the cover, the lock is unlocking: I am unlocking your knowledge of how to
think like a manager, or something like that. This is how the book's laid out. There is a page that has a practice CISSP-related question. It's set up just like any other practice question: you have a question and four choices. Right underneath the question is the suggested mentality and strategy that should be running through your mind at this time. What this is doing is making you understand: don't just rush into answering the question right away. You have too much riding on this, in your life and in your job, to do that. You spent all this time studying, so don't just rush. Try to hyper-analyze every single choice. All the choices may seem like the right answer, but you have to choose the best answer. You will always hear me say that it is not only important to find the right answer, but it is, say it with me, more important to know why the other choices are wrong. This book emphasizes that no stone should be left unturned when it comes to answering CISSP practice and real questions, because the more work you put in while you're studying, the faster, the better, and the more confidently you will be able to handle the real exam questions; the better prepared you'll be to take them on, because you went through this arduous process of hyper-analysis beforehand. Yeah, everyone tells you how to take the CISSP exam, but nobody tells you how to think during the course of the exam. They think you can do that by yourself, but sometimes you just need a little bit of help. The questions in the book are here to help you establish the patience, discipline and stamina to build the endurance required to sit through the CISSP CAT exam. This particular question asks: expenses, extra responsibilities and reduced profits are a result of what? And the choices are security, efficiency, convenience and operability. Classic thinking like a manager. And in the exam strategy section, information is provided about each of the choices, arguing whether it could or could not be the answer. Within these pages of questions and answers you will find quick notes and graphics that identify when to think like a manager and what to think given the situation. Right, so this is how it's laid out. I'm not going to read over it, because frankly you can just read over it. I mean, I know this is copyrighted material, but right now nothing is stopping you from screenshotting this and reading it later, so for those who want to screenshot it, I'll let you screenshot it right now. You know, after writing this book, I guess I'm a very approachable guy. I must be the only CISSP author in the world where people come to me and comfortably ask me, in a very warm regard, "How can I get a PDF or a non-copyright version of this book? Can you help me with that?" I'm like, dude, I wrote this book. I can't possibly give you an illegal copy; it's unbecoming of a security professional. But I am complimented that you can come to me in a very personal manner, or on social media, and ask for illegal copies. For some reason I like that, I don't know why. I can't give you an illegal copy because, one, I wrote the book, and two, I can't stop you from looking for one, but you know, I advise getting it the right way, like we all are.

Now, in the explanation section, the correct answer is identified in orange, but really the answer is the least important part. What the explanation provides is a thorough understanding of why security is the answer to this question and why the other choices are not the answer. Remember, it asked about what reduces profits, creates more work, and whatever the other one was. Security. Security is always an afterthought. Management isn't going to come out and be like, "Hey, I really want to spend some money on the security program, what do you guys got for me?" It's more like the security professional going, "Hey, you desperately need to spend some money to secure this thing." Provided is a thorough understanding of why security is the answer, and much like the practice questions section, throughout the whole book various tips on how to think like a manager or core CISSP concepts are provided. That's what this entire book is like. It's 25 questions of just this kind of layout: you get a question with an analysis of the choices, and then the answer with a complete explanation. It tells you why it is important to get approval from management instead of just jumping in and fixing problems. It tells you why it's important to perform a risk analysis after a major change or acquisition in an organization. It tells you how to handle questions with the words best, least or most, or why security should be embedded not just at the beginning but at every step of the software development life cycle. And that's how it should be too, right? What's the point of CISSP practice questions if a full explanation isn't provided, or at least some kind of explanation? I bet my entire reputation on that. That's all we want.

I agree with that. That's right, Luke, I haven't seen any book which gives this kind of explanation about how to think like a manager, or which concepts you need to think about technically, and all that, the way you have laid out this kind of content in this book. So that is also one of my reasons I was pushing you to give a small, brief overview of your book to everyone, so they get high-level visibility into what kind of a book it is, because I believe it's the first time you are presenting the internal framework of your book in a session. Correct me if I'm wrong.

This is not only the first time for a book presentation, this is the first time I'm doing a public presentation at all. I'm a very private
person. I don't like to engage anybody, I don't like to do anything like that. I just do my videos and sit in my basement and enjoy time with my family, that's all.

We're going to see more videos from you, we'll have more sessions from you.

I'm only doing this for Prabh, because he's a good guy. I wrote this book in the same form as what I would have wanted in a book about thinking like a manager. Okay, how to use this book. After you've completed the book, I hope you can still take the same tips, strategies and thinking-like-a-manager concepts and apply them to other CISSP questions. Once you keep doing this, you will retain the same mindset when taking the real exam; instead of having to force yourself to think like a manager, it will come naturally. That's why you will find sprinkled throughout the book general tips on how to think like a manager given a situation, core CISSP concepts, and exam essentials. The think-like-a-manager icons are there to remind you to think about value, cost, processes, roles, responsibilities, and to keep yourself in the realm of high-level thinking. And once you start reading how to think like a manager, and once you can come up with your own ways of thinking like a manager, the CISSP exam is yours. Once you think of your own topics of thinking like a manager, you can walk into that testing center and own that exam, and walk out with that congratulations. Okay. The core CISSP concept icons are there to provide just some basic concepts of information security that are paramount to know. The CISSP is a test of concepts, because concepts do not change. Whether you're studying for the CISSP exam or hired as the chief information security officer for a global organization, the concepts are the same. Whether your kid has the flu at home or you're trying to contain a global pandemic, the concepts are the same. Whether you're trying to send a space shuttle to the moon for the first time or sending supply rockets to a base on the moon which will eventually be the relay point for the voyage to Mars, the same concepts can be applied. It's the same concepts. The rocket theory: you need to jettison jet fuel exponentially and reach a maximum speed of 25,000 miles per hour to get out of this orbit. That's been the same for the space shuttle, for the Apollo missions, it's the same for whatever Elon Musk is doing: 25,000 miles per hour to get out of this orbit. That doesn't change. This is why the CISSP is a vendor-neutral exam, the constants of which can be applied to organizations that have anywhere from 10 users to 100,000. Okay. And the exam essentials icon will just add on a good bit of study habits, just good general housekeeping exam habits. They go into saying that you should go beyond your suggested CISSP books and venture into the realm of other sources; they talk about how to study, what to study. They will sharpen your sword for the exam itself.

Okay, when to use it. This is all dependent on experience. Six months before the exam, it's going to be overwhelming, my book or any other book. It's overwhelming, especially if you've never taken the exam before or have any idea about it. At this point you might find yourself trying to read to memorize, but the book is trying to help you to read to understand, right from the beginning: security, right from the beginning. And it can serve as a warning that if you've picked the CISSP exam as a thing that you're going to do, all the information in the book, not just mine but anywhere else, is a warning to you that, hey, you'd better be ready for this thing. This is not just, you know, a simple exam; this is a real thing. You're going to have to dedicate hours of your life to this and you've got to be serious. You know, it's not seven hundred dollars for nothing. Although yesterday I did find out that the Certified Ethical Hacker exam is like eleven hundred dollars or something like that. That is crazy. Twelve hundred dollars for the CEH exam. Wow. Manage your mind. Three months before the exam, if you start reading it, it's going to put you into that manager mindset, right? It's going to give you exam strategies, and they might start to click, especially if you're studying your other CISSP books as well, and it's going to give you those core concepts. Concepts just can't be taught; you either know it or you don't, you either experience it or you don't. So this book outlines some general concepts that you may need to know as you progress through your studies. One month before the exam: two very important things that will serve you as a security professional, patience and, what's the other one? Discipline. You've got to have patience and discipline for this thing. One month before the exam, the book, because the questions are explained in such painstaking detail, will instill discipline for you to respect the real exam and the real questions and read every single word, not to skip anything or take it for granted. And also time management, although this is a fairly new concept. If you're taking the exam for the first time, time management may be your biggest enemy, right? If you take the exam a second time, you have a better idea of how to manage time. So when you're taking CISSP practice questions, think about your time. And I will say this: try to take your time for the first few questions to set a pace for yourself, and take a lot of breaks. You're given breaks; take them. They're like vacation hours at work: you use it or you lose it. I also like to say that, you know, my book alone is not enough to pass the CISSP exam. I even put it in the book as a disclaimer that I am not responsible for the failure or the passing of your exam. I'm not responsible for your pass or your fail, because it's just you in that testing center. I'm not there. Prabh and I are here.

Luke, I want to
interrupt at this point, about when to use this book. There is a practical example I can give you about this book. Luke, what happened is, the two participants who wrote this exam this week only referred to this book a week before the exam. Actually, you know why: they had referred to all the books, they had practiced all the questions, now they wanted to know the thought process. Okay? So when they wanted to know the thought process, they purchased this book, and that gave them visibility: okay, we know this firewall, now what Luke is addressing is how to think like a manager for that firewall. Is it clear, team? So this book will not be a book that you can refer to at the starting point, where you have not read any other book; this book will be more effective when you have completed all the books, questions and everything. So you just need to have a high-level understanding: okay, I learned this concept, now I need to understand how to think like a manager, which is covered in the blue book. So this is how this book can be most effective, if you're taking this a week before the exam. And the SNT questions are already there, which, if English is not your primary language, the SNT questions, which are paragraph-based, narrative-based questions, can improve your reading skills, can improve your thought process. So with Luke Ahmed's book, which is called How to Think Like a Manager, together with the SNT questions, it's a deadly combination for exam preparation. I personally believe that, more than Boson or any of the sets, Luke Ahmed's exam engine with this Think Like a Manager book is the best combination for preparing for the certification. That will give you a great head start, you know; it can improve your time management, it can improve your thought process, it can improve your reading skills if you are not a primary English reader. Sorry, Luke, I'm not doing advertising, but I'm telling you the facts which were shared by my participants.

Yeah, this is why you're senior management, that's why.

No, no, no, Luke. And the second-to-last point which I would like to add, on the time management of the CISSP: don't go with this mindset, "okay, I need to complete my exam in 100 questions." Don't ever try that. Go with the mindset, "I have 150 questions that I need to answer in 180 minutes." That is the most important thing you have to consider. Don't go with this mindset that I have to finish this exam in a hundred questions, which is the mistake people make; they panic after 100 questions and then they lose their concentration during the exam. It is my suggestion: keep your 180 minutes for the 150 questions. Okay? It is a tried and tested method which I'm sharing. Yeah, over to you.

Thank you. And don't rush through your CISSP books or this book. This book isn't like, "Oh, if I read this book I'm going to pass." No, not at all. The thing about the CISSP exam is that not my book, not other CISSP books, not my website, not any other website, no test engine, nothing else available is even close to the questions found in the real exam. This is why the CISSP is the CISSP. What you are doing by reading and studying is to learn the concepts, the basic security practices found to be the best practice in the security field. The real exam doesn't care if you memorize any of the material. What it does is test if you can apply the concepts you learned to their questions. It's not a memorization exam. You have to first learn the concepts and then apply them by choosing the correct choice. The CISSP is not for those who need constant motivation. By studying, doing practice questions and spending a massive number of hours toward this thing, you are cultivating a discipline that will carry on with you for the rest of your life. Right now, if you are sacrificing, struggling and staying up late nights on your journey to the CISSP, I wrote this book for you. Good luck, and thanks for watching. Prabh, I'm ready for Q&A whenever you are.

Team, if you have any questions you can post them in the chat box. We are already running a bit, 10 minutes late. So Luke, we have one question: do we need to remember everything from the book, and do we need to remember all the laws? Is it important to remember those? Luke, there's another question: how to prepare for Domain 4? What are your thoughts on how to prepare for Domain 4, because it is very technical?

If you don't have experience in Domain 4, it is difficult to understand. There is a reason Domain 4 is the biggest chapter in every single one of your CISSP books; it's got the most pages. If you don't have experience in Domain 4, then you're going to find it really difficult, and it's not just you, it's everybody. Even I had difficulty. You have to go through that. Remember the diagram I just showed. If I were to tell you in a job interview, "I have a router, I have a firewall, I have a server, I have a load balancer and I have the internet. Take these and put them in order and draw them on the board, and tell me what layers of the OSI model they belong in, what protocols they use, and how would you troubleshoot an issue in between there if the power is down?" Layer one. Here's the thing about Domain 4 and the OSI model, and this is for people who don't have experience: learn the OSI model. Then, as you peruse through Domain 4, if you see a router, say, okay, a router, it's only IP-based, it belongs in layer 3. Okay. A browser, Google Chrome, Internet Explorer: these are applications on my computer, so they're browsers and they use HTTPS, 443; that means they're in the application layer. If you look at your books, that's exactly where they are: the application layer is HTTPS, things like DNS. If you're in front of your computer and you're interacting with a program, that's in the application layer there. So the best way to understand Domain 4 is to understand the OSI model, and also the hack I mentioned earlier: if you don't know a technology, go straight to YouTube and
type in "how to configure WEP," "how to configure WPA2," the benefits of, where to put the router or a firewall, stateful versus packet-filtering firewall. You have to know that, there's no way around it. Three-way handshake, TCP, UDP, you have to know that. What are the advantages? Why have we gotten rid of collision domains, and what creates broadcast domains? A switch. You have to know things like that.

There is one question, Luke, regarding the SDLC: "I don't have sufficient experience in coding, so as an infosec manager, where should I focus when learning the SDLC? What are your thoughts on this?"

Who asks that? What's that person's name?

His name is Akshay.

Akshay, I also don't have any coding experience; I am allergic to it. So I studied the software development life cycle and Domain 8 the least. I was like, you know what, there are seven other domains, I'm not going to get tested that much on Domain 8. Guess what, I got a big surprise. You have to know it. You don't need to code; I mean, if you've never coded anything, go to YouTube, type in "how to code a simple program" and look at what they do. But if you really want to know about the software development life cycle and Domain 8, read the sections in your CISSP study guides, but the best resource for you is the National Institute of Standards and Technology document. Read that; it's a free document. It goes over the steps of the SDLC, the security considerations of the SDLC, and what to look for in the processes in the SDLC. Don't skip the systems development life cycle; that is one of the most important things to know for the CISSP exam, which is why it was on the slide.

Is there a standard which you can refer to for this particular thing? NIST 800-137?

NIST 800-137, yeah. So just get a high-level view of the processes and the individual functions of each process and you should be okay. I understand the database stuff, that you don't have to really know coding, but it helps if you put your hands to the keyboard a few times. But I get it, it's intimidating, and if that domain is your weakest domain, then you just have to spend a little bit more time with it.

Hi Prabh, hi Luke. I have a quick question for Luke: at what point in our study plan should we sequence the SNT questions? So we are going through our primary study material, which includes going through the books and recordings, etc. Should we attempt the SNT questions at that point in time, or should we first finish up the primary reading or study material and then take the questions? What is your suggestion? Thank you.

The latter, definitely. Thank you for the question. Definitely read your study guide books, take some other practice questions, and then go for the Study Notes and Theory questions, because they are incredibly difficult and they will destroy your confidence if you start them at the beginning. Because remember, I said at the beginning
csu materials serve as a warning so if you start with studies and theory practice questions right at the beginning you're going to be slammed with just high level questions slam with difficult topics and you're just going to not want to do it if you want to you can but i best suggest about three to four months before your exam so not after you've done everything but make it three to three months before your actual exam and in those three months you will have probably already read your books and practice questions anyway and the thing about the settings and theory questions is no one's ever gotten over 80 not even me and i made this question i barely get 100 what they do is strengthen you to take the other questions like boson or cybex you take studies and theory questions and you get 56 and you got you got 70 percent in your cybex questions if you get 70 on the studios and theory questions you will see that your score and the other test questions are actually going up because you're reading more and you're understanding it so the point of studying those in theory questions is to make the other practice questions easier okay and another follow-up question uh how do we actually uh when we do smt and sorry we didn't we running already shorter than that because it's already 20 minutes later you can just share your question in the chat box because i also interrupt others too to have a query in the chat box okay sorry yeah so this is uh so luke any any any last minute note you would like to share you would like to share with everyone the last minute note just the fact that you are even taking the cisp exam is an incredible thing to do nobody in your family and friends i bet know what the csp is or information security or know what you're talking about so don't worry about failing or passing just the fact that you're taking it or have attempted it is is a is a is a testament to you yourself in this in this elite industry so wish you good luck in all that probably not here 
at all times good luck thank you for attending as well thank you team thank you so much and whatever the questions you have you can just share with luke and we together can help you to solve all those questions every time permits i'm just saying the cybex will be the the better book that you can prefer initially and really looking forward for this kind of sessions and will ensure that okay we have this kind of a quality sessions later also and i'm requesting luke for another sessions also i'm sure luke will do that so we'll try our best prashanth is also planning to give so we have more and more speakers who coming uh to discuss about cssp will keep the same momentum to make sure more and more people clear the cssp exam thanks luke thank you so much for your time thank you so much you're looking forward for the decision with the same parameter thanks
Info
Channel: Prabh Nair
Views: 9,616
Rating: 4.9052134 out of 5
Keywords: think like a manager for cissp, cissp exam, luke ahmed, luke ahmed cissp, cissp preparation plan, cissp, cyber security, cissp exam tips 2020, cissp exam questions, cissp preparation tips
Id: DXYcXOPz1Fo
Length: 80min 7sec (4807 seconds)
Published: Sun Dec 13 2020