Welcome to another Study Notes and Theory CISSP video. This is actually a director's cut version: I did a webinar a few weeks ago with Prabh Nair from InfosecTrain. He is a fellow CISSP instructor based out of India, and I've known Prabh for a long time, since I started this CISSP website thing. He is legit, he is a professional. I know he's a professional because the webinar I did was handled so dang professionally, and I don't really like doing those things, you know: webinars, live courses, group chats, or whatever the hell a watch party is. What is a watch party? What is that? All Prabh did was ask me to join and talk about my new book and how to think like a manager. Since I don't really market myself, because I really don't have any time, Prabh said, "Hey, do this webinar and I'll handle the rest." Now this was a relief for me, because I didn't have to do anything but prepare for the webinar. That's it. The marketing, the user registration, the banner, and even the moderating of the webinar: Prabh did all that, and he managed it like an expert too. I just logged on, noticed there were a lot of participants, and he had removed all chat, audio, private messages, anything like that; he eliminated those from my vision. I had no distractions. Very professional. Thank you again, Prabh, it was a great time, it really was. Again, Prabh Nair, InfosecTrain CISSP instructor, good guy.

So what I talked about on that webinar, I just kind of wanted to do here as a director's cut, because of so much other information that I did not get to mention. And as with all my other CISSP videos, I always start out by saying this was supposed to be just a 30 minute video. I promise it'll be just a 20 minute video, and it winds up being like an hour, because you're never really done talking about the CISSP. There's always something to add. But before all that: how are you doing? How are you, yes you, right now doing? If you're
watching this video, you're probably taking the CISSP exam in like, what, a month? Maybe two months? Maybe a week away from the exam. Boy, that's a stressful time, huh? A week away. Oh, you probably don't even feel ready. You feel like you've got your entire life and career on the line with this exam, because that's kind of how it felt for me. And if you're one of those who has to take the exam because of your boss, because your boss said you had to, oh man, that's some high pressure. That is not a preferable place to be for the CISSP exam. You need a clear mind for this thing, void of all distractions. If this is an exam you have to pass for your job, it's a little different for you; you have stress upon stress for this one. That's a tough place to be. I won't even pretend to understand what that's like, but you'll do it. You'll pass. You will. I've seen people do it multiple times. If they can do it, you can do it. You're no different than anybody else, especially if you're taking the CISSP exam. You know, no one's heard about this exam; just the fact that you're attempting this is a big thing. I always say that and I'll stick with that. You will pass this thing through your own steely determination.

Or are you two days away? Or are you one day away from the exam? Or are you sitting in your car outside the testing center right now, fidgeting with your COVID mask and watching this video? Right now I ask you: are you ready? Are you ready for this thing? Because it's happening, you're about to take it, there's no going back. You paid the exam fee. This is either going to make you or, if you let it, it'll break you. But you know, just chill out. Chill out. Just take a deep breath, like that. You've prepared, or you are preparing. You've been reading your Sybex, your Shon Harris, your 11th Hour, taken thousands of tedious CISSP practice exam questions, participated in countless online group discussions, to the extent that you can just leave a paper trail of all your hard work spewed all over the
internet. Thousands of years from now, when people engage in an internet called the Unisphere across the galaxy, they're gonna look back on the legacy of what was our internet, and they'll see your name in various comments and posts and forums and chat groups, and you will have left a trail of your own CISSP legacy. Not to mention you've also spent a good chunk of money on online video courses or thousand dollar boot camps, or were even tempted to google the words "real CISSP exam questions, where can I get them," because you just wanted to see if they're around. Just because you were curious. But then you quickly changed your mind, because it is unbecoming of a security professional to do such things, and you don't feel too good about it either, because if you cheated with exam dumps you'd truly never be a CISSP. When people congratulate you and look at you as an inspiration for their own exam, you will feel like a total fraud, because you know deep down inside you cheated. And after all this hard work, that's just not a risk you want to take. You want to earn this thing. Not to mention CISSP exam dumps do not exist; they're a myth. The CISSP is awesome like that, it's unlike any other exam. There are no cheat codes. Up, up, down, down, left, right, left, right, B, A, start is not going to work here. All right.

Okay, I am sure that over the course of your journey to the elusive CISSP certification you have heard countless times that you have to think like a manager. As a former person who was also on his quest to the CISSP, a quest filled with sleepless nights, missing time with my family, not being able to watch the World Cup or the newest Netflix series, and just sacrificing nearly all the time I had, all I heard was "you have to think like a manager, you have to think like a manager." I'm like, okay, but I'm just a network security engineer, a technical person. I have a manager, but how am I supposed to think like him? Am I just supposed to tell people what to do like my manager
does, without knowing any technical concepts at all? Kind of, but, you know, not really. Nobody could really give me a clear and concise answer, or even if they did, it was never the same answer. Someone said it's all about human life; another said it's all about saving money; someone else said it's about making sure there are processes in place, or not fixing the issue, or not picking the technical answer. I'm like, well, which one is it? Which one is it? Is there no one who can give me a clear answer on this? And at this point I was counting down to my exam and I was desperate to get some sort of edge, and the fact that I didn't know how to think like a manager, which the exam was pretty much all about, had me thinking I'm going to fail this thing. Right? And I know you've been trying your best to get a grip on this how-to-think-like-a-manager thing too. I can feel it. I can feel your curiosity and puzzlement through this monitor or phone screen or tablet that you're looking through. I can see through this portal as if there was a distortion in space-time and we have just connected through cyberspace. I can feel that. We're always being told the CISSP is a high level exam in which you have to think like a manager, but what does that mean exactly, to think like a manager? Let's go over it in this video.

First, let's talk about why. Why is it important to ask why for the CISSP exam? Let's answer this: because asking why is much more important than any of the other questions like how, when, what and where. If you ask why enough times, you will eventually answer all those other questions anyway, and at the same time reach the ultimate reason and the ultimate high level answer. Let me just quickly go through an example of asking why continuously. Here is a simple question you can ask yourself during the course of your CISSP studies, and this is just an example; you can substitute
in any other topic. Why do we have SAML tokens? We have SAML tokens to pass authentication information between an identity provider and a service provider. Right? A SAML token, otherwise known as a SAML assertion, is XML based, and it doesn't contain your authentication information, just information about your authentication, going from the identity provider, which resides within your organization, to the service provider. I've got a whole bunch of videos on that in the members portal. So continuing on: why do we use SAML tokens? We use SAML tokens to pass authentication information back and forth. Okay, why do we want to use SAML for this type of client to service provider exchange? There are a few reasons, but one of those reasons is single sign-on. Why do we want to use single sign-on? Again, a few reasons, but one of which is that users don't have to manage a lot of usernames and passwords to different online service providers. So far, by asking why, we have answered why we use SAML tokens, and the answers we have come up with are technical answers, right? Authentication stuff, single sign-on; these are technical answers. But let's continue on. Why don't we want company employees having to manage a lot of usernames and passwords? Because users are going to either forget all the passwords, or they're going to misplace some passwords, or they're going to have so many passwords that it may inadvertently create some more security risks. So right here, right now, by asking why, we've reached some high level answers, some thinking-like-a-manager type answers. Stating that we use SAML tokens for single sign-on, that's a technical answer. By continuing to ask why and really drilling down, and going higher and higher in the management echelon, we have reached some how-to-think-like-a-manager type answers. Sure, I mean, managers care about single sign-on, but they don't like single sign-on because of its technological abilities. They like it because of what it does for the money: the potential
to reduce administrative overhead and reduce security vulnerabilities. Just by asking why, we've gone from a technical answer to higher level types of thinking. That's how you start to think like a manager. And try this: ask a software developer why we have SAML tokens, and then ask a manager why we have SAML tokens, and I guarantee you 100 percent you will get two completely different answers.

Why do you have to think like a manager for the CISSP exam? Because thinking like a manager requires a high level view of the organization. Let's take a look at another visual example of all the points we have to cover as a manager when studying our CISSP. Thinking like a manager means you have to have a high level, interconnected understanding. What do we mean by interconnected understanding? As I've been grinding every night for the last 2,000 nights of my life as a CISSP instructor, I have found that everything in one CISSP domain relates to everything else in another CISSP domain. Firewalls relate to database security, database security relates to proper physical security facility design, facility or physical security design can relate to defense in depth, and defense in depth relates to encryption. It's all interconnected. That's the reason we have eight domains in the CISSP Common Body of Knowledge. The best thing you can do for yourself when trying to think like a manager is not to think of all those domains as separate, but as a single fluid entity, as in, all these eight domains are just trying to maintain tranquility with all the other domains. One domain relates to another; there is overlap, it's swimming with overlap. The policies, procedures, standards and baselines we establish in domain one, Security and Risk Management, are exactly what determines the guiding factors of what happens in domains two, three, four, five, six, seven and eight. Okay? And it is when you understand how all eight of these domains come together that you truly understand what it is to think like a manager and pass your CISSP
exam. And you'll find that in doing so, whether you pass the CISSP exam or not, you will have become a better security professional. I've been saying that since 2014. My goal, or Prabh's goal, is not to just help you pass the CISSP exam but to make you a better security professional. Two things will happen. Look, here's one of the realest things you'll ever hear: two things will happen when you take your CISSP exam. Either you'll pass it, or you'll have taken the most expensive and most realistic practice exam question set there is. Whatever the result, you will have become a more knowledgeable security professional than you were a day, a week, or months before that. Okay.

Let's take a look at what it means to have a high level and interconnected understanding as a manager. So if we take a look at this diagram here, right in the center of it, it says "What does a manager think about when handling confidential information?" and that center text is surrounded by our eight domains of the CISSP Common Body of Knowledge. So as a manager you're in the center of it all. You're in the center, and you have to look at and consider all eight different vectors of the CISSP domains when dealing with just one topic. The text in the orange box could say anything: What does a manager think about when handling a router? What does a manager think about when implementing two-factor authentication? For this one it says: What does a manager think about when handling confidential information? Well, if we were to go in order starting with domain one, you're going to need support from senior management to implement a classification program. So for that to happen you need a classification policy; you need senior management to give you permission to spend the amount of money and use the amount of resources to start a classification program. So a classification policy would come first, and really, for anything in the CISSP, a policy has to come first before anyone does anything. I
don't know if I said this already, but I think at the beginning of the video I said everything that happens in domain one, the policies, procedures, baselines, standards, all that, determines everything else that goes on in the rest of the domains. So with domain one, a manager gets his or her policy, their permission from senior management. Moving on to domain two, Asset Security: now what do we do with this information? Now you're thinking like a manager, not a systems administrator, not a network security engineer. You're thinking like a manager. So to secure this asset, as a manager, you're going to classify it. If you're thinking like a technical person you might say, oh, to secure this asset, this confidential information, we need to encrypt it. Yeah, that's right, but that's in domain three, or domain four with the firewall if you're using IPsec or VPNs; that comes later. So as a manager dealing with the concept of asset security, you're going to want to classify this information first so people know how to handle it, right? You're not going to handle confidential information the same way you're going to handle information that's public; there are two different complexities to them. So with domain two, you're going to assign it a classification level of confidential if you're working in an organization; if you're in the military or in a government agency it would probably be something like top secret. Okay, then you shift to domain three. Remember, you're looking at this as a manager, not as a technical person. You're shifting to domain three, and then you have to choose the encryption type. As a manager, you can't just say okay, use AES-256, that's the strongest thing we have, make sure everyone uses AES-256. That actually probably is the best course of action, but as a manager you have to consider: is AES going to take up too many resources? Do we have the ability to implement AES-256? Why can't we
use Triple DES? Why can't we use some other symmetric encryption algorithm? So this is why you have to know domain three and cryptography: as a manager, if you know about it, you know which method to best implement. Now, you can't just pick one; you have to know about it. And people ask me, it's not a technical exam, do I have to know a lot of network security? You don't have to know it like that, but yeah, you do have to know about it, because what you understand for domain four, network security, is what's going to help you as a manager to make the best decisions that you can. Like domain four: a manager is going to want to implement a firewall depending on where this information is. If it's on a server, and if it's on the network, you're going to want a firewall to protect that server on the network. So halfway through the domains: we looked at domain one, a manager has to consider the policy from domain one; the classification level, domain two; an encryption type in domain three; a technical perimeter protection like a firewall in domain four. And if this data just happens to be in the cloud or somewhere else, a manager has to consider that cloud identity management system; has to think about what kind of cloud it's in. Is it in the public cloud? Is it in a private cloud? Is it being hosted in a software as a service or a platform as a service? Or is there a database in the cloud itself, and only people internal to the organization have to be part of a federated identity management using single sign-on? You know, all of that. Domain six: the data, the confidential information, is it on a server that's high risk, or should there be vulnerability assessments on it? Should we always have an annual or quarterly vulnerability assessment to make sure no new vulnerabilities have come up? The answer to that is yes. For the CISSP exam, you're never just done with one vulnerability assessment or risk assessment or business impact assessment or analysis;
it's never just a one-time thing. As our security environment becomes more complex, it introduces more risk, so we have to keep up with our assessments. Everything's always changing, right? I mean, even the CISSP exam is changing; it changes in May 2021. This is because it is keeping up with the changes in the security industry. You can't avoid it, it's just how it's going to happen. And in lieu of vulnerability assessment, a manager allows us to think about what happens if there's an incident on the data. If there's a breach, how will the company respond to it? How can the company put processes in place, incident steps in place, so it can deal with it and contain it as fast as possible? What is their incident response plan? That's why, you know, sometimes you hear about how do you think like a manager, and a lot of people say you don't want to unplug the server when there's an incident, you want to contact the manager. And this is why a manager will say, hey, forget about the confidential information for a second. Just say that a server has data on it and the server has been shown to have a virus on it, a very low impact virus. A manager might not say, oh, unplug that from the network immediately. The manager might say, hey, let the server run, because it's generating money for us now and it's a low risk virus; let's wait till after business hours to pull that plug. But if it's like a worm, which propagates throughout the network, then a manager might say yeah, disconnect that web server immediately. We'll take the loss from disconnecting it from the network, which might be less than the loss if that worm propagated throughout the network and took over other servers. Okay, so you're about to do a 360 degree turn. As a manager you have to look in all directions. It's like a battlefield, you've got to look at all different aspects of it, including domain eight. A manager may never be a developer, he or she may never be a network engineer, but they have to consider all eight
domains. And you, as a person who is studying for the CISSP exam, this is why you're studying it. You're not studying it to pass an exam; you're studying to understand all these areas of security so you can better serve your employer, or, if you own your own business, which you might one day as a CISSP, you can set a direction. You might be senior management one day, and armed with the knowledge that the CISSP exam has given you, you will be able to make better decisions. So with domain eight, the data might be on a database. You want to know what kind of database security is on that server or on that database, what kind of access control is on that database, was the database created with a good software development life cycle plan, that kind of stuff. Remember, you could put anything in that square box, but as a manager you have to think about all eight domains. Okay, that's a high level view of why you have to think like a manager in order to successfully answer the questions on the CISSP exam: a security exam, a business exam, an exam that tests not just your understanding of keeping a business running but also an understanding of the security industry's lexicon.

Okay, so we've answered why it is important to think like a manager, and we've answered why it is important to keep asking why. Let's now take a look at some primary concepts of thinking like a manager, as in, let's take a look at the concepts that will align your thought process with that of an information security manager. Is everybody awake? It's probably a long video already, I think it's like 30 minutes already. This is the good part. All right, if you learn nothing else, then just focus on this folder of primary concepts. Let's take a really quick look at the primary concepts, because a lot of people ask me what do we need to memorize for the CISSP exam, or what do we need to write down on that piece of paper during the exam. Back when I took the exam, I pretty
much wrote down things like OSI model layers, or port numbers, or the different symmetric encryption types, or those annoying little DES mode things to remember. You know, one of the DES modes uses 56 usable bits, 56 bits usable, but it has 64 bits total. Everybody asks me if we need to remember that, and even I was like, you know what, I should really remember this, it seems like something I should know. No. Things like cipher block chaining, initialization vectors, that's good to know, but do you really need to specifically memorize that? No, you need to understand that, because writing that down on that piece of paper, none of that really mattered. What I should have written down were the following, which we're about to go over.

There is a simple reason we protect the lives of humans, and the famous astronomer Carl Sagan said it best: out of 100 billion galaxies you will not find another, you will not find another human being. Stretch from one end of this galaxy a hundred thousand light years to the other side; the billions of years of complex evolution that took place for us humans to be here are at astronomical odds to occur anywhere else. You're not going to find another one of us. Protect and save your fellow human beings at all costs, please. And we'll go more into human safety right after this. All these domains, domain one through eight, access policies, security management, even software development, they are at the core to help save human life, then the business. But always human life first.

Second is behaving ethically. You may be faced with decisions in your security career where ethics will play a strong role. It is at this point where you have to decide whether to follow your ethics or that of the organization. It's not an easy choice; nothing in security is always an easy choice. And remember, the CISSP Code of Ethics is very testable on the exam. (ISC)² wants you to know that Code of Ethics for the exam, and as a CISSP in real life,
as a security professional and as a manager, your knowledge will only increase if you know the Code of Ethics and how to apply it. I'll just say what Dr. Martin Luther King Jr. has said before: the arc of the moral universe is long, but it bends towards justice. Behave justly. Behave the way you know deep down inside is the right way, and then if you have doubts, refer to the (ISC)² Code of Ethics. Right? Remember, they are testable. It doesn't just apply to being a security manager, but to security professionals from all realms.

Third is business continuity. Do not let the business fail. Have a BCP/DRP plan in place. This means, as stated earlier, if there is a virus on a server, unplugging it isn't going to save the business. What's going to save the business is having a proper incident response plan. That's what's going to save it. And for the BCP/DRP planning phases, step one, two, three, four, I think the first one is initiation, then business impact analysis, recovery strategies, and then implementation. Out of all those steps, if you don't know about BCP/DRP, you know, that's bad, but if you specifically don't know about the business impact analysis phase of BCP/DRP, you will fail the exam. You will fail the exam like the business will have failed if you don't know about business continuity and disaster recovery. Okay? Know your BCP/DRP for the CISSP exam.

Next is to maximize corporate profits. Guys, do not get it twisted: next to human life, the next most important thing for a business is to make money. Maximize your corporate profits; help your company make money. Even if you're a Chief Information Security Officer and you think your whole focus is just the security of the business, no, your whole job is to make sure everything stays secure so there are no incidents to take care of and waste money on. Right? You're trying to prevent incidents from happening, which will cost money. No business, no security; no security, we don't have a job. So make sure
the business makes money, which also means implement policies, procedures and other processes to save money, to make money, and not to waste money. Okay.

Number five is to understand how to avoid or minimize threats. You have to understand the management decisions in your CISSP study guide, such as accepting, avoiding, rejecting or transferring risk. This also goes in line with BCP/DRP and knowing things like a cold site, a warm site, a hot site, and when to use each one. That's the thing with the CISSP exam: you can't just know a topic and memorize it and say okay, I memorized the definition, that's it. No, you have to know when to use them and when it's not appropriate to use them. If your company has a very small budget, you're not going to get a hot site; that's like the most expensive business disaster recovery plan there is. You're gonna maybe negotiate a cold site or a warm site, things like that.

Number six is all controls must be cost justified. Don't spend more money than you have to, and don't spend too little money on a valuable asset. Like, don't spend 15 dollars on a shelf from eBay so you can put your Rolex watch on it. You want a shelf that's going to last and is going to give you the confidence that your expensive watch isn't going to fall to the floor and break. Or a CISSP example: don't spend too much on a countermeasure that costs more than the asset. Don't spend five thousand dollars on a firewall to protect an asset that is valued at one thousand dollars. Right? Logical stuff.

Number seven is senior management must drive the security program. It's a top to bottom approach; everything comes from the top. Your co-worker doesn't get to tell you to start an information security program, and your supervisor doesn't just get to tell you to start a project. There must be a reason, and that reason comes from senior management. That is part of thinking like a manager. And even then, even your manager doesn't get to tell you to do something or start a new project unless it's
been signed off by management, or told to your manager by management. Your manager can't say, hey, make sure you have a clean desk policy, and if you ask why, they don't get to say "because I said so." No, that's not a good manager. A good manager will say that we are implementing clean desk policies per senior management because we are preparing for upcoming ISO 27001 certification. That's a great reason to have a clean desk policy. Okay.

Number eight is: a security professional has no decision making authority unless assigned by management. When taking the CISSP exam, act like you are a hired consultant in the company. You don't want to touch anything. Pretend you got hired, and then you turned on your Zoom conference meeting, and you're attending a meeting with an organization's security management team and their security team to go over their assets and recovery strategies. Then, over Zoom, you're not at the company site, right? You're over Zoom. Now you're screen sharing, or you have your camera on, and you just advise them. You physically don't get to touch anything. I said this on Prabh's webinar: that's actually a pretty good idea for the real exam. When you're taking the CISSP exam, pretend you are a security consultant in a Zoom meeting, only you are not at the company site and you can't touch anything. You can just advise over Zoom, that's it. Yeah, actually do that. Now that I think about it, that's a solid way of looking at it. When you're in the testing center for your CISSP exam, looking at the computer monitor of questions, just pretend you are being asked these questions by an actual organization and respond that way. Don't touch, just advise.

And the last one is use automated tools where appropriate. Some things a machine can just do better and faster than humans, and this gets more and more true as the years progress along. A manager will use automated tools so they don't tie up a systems administrator to add accounts
manually, or have a security team manually scan devices for vulnerabilities, because a vulnerability scanner can do a much better and faster job, because it was created and built for that purpose. Okay? It's like those password resets in your company: if every time a user forgot their password they had to call the IT administrator, that's a waste of time; it's best to just have a self reset function within your organization instead of having to call the IT administrator every single time. It's a waste of time and money, really. That's thinking like a manager. All right, these are my top nine recommended ways to think like a manager.

Let's check out this folder on safety real quick, shall we? I'm kind of losing my place here, because I guess I didn't write this section in the script that I'm following here. I don't have a section for safety here. I guess when I did Prabh's webinar I kind of did this, you know what, forget the script, I'll just do this off the cuff. You know, during this pandemic, I'm too scared to even touch a doorknob, much less go into the office or travel anywhere, but human safety is especially true these days. You know, before the pandemic I really wanted to get this full sleeve tattoo, right on my right or left arm, I couldn't figure out which, or maybe both, sometime around March or April, right as the quarantine started. Just as the quarantine hit. Now I don't even know when that's even going to happen. I mean, I guess after the vaccine I'll probably be able to get that. And yeah, I know these are first world problems, but I'm at a position in my life where I don't have to answer to anyone, so it's the best time for me to get a tattoo without worrying about what it's gonna do to my career or whatever. You know, I bet Joe Barnes and I are going to be the only CISSP instructors in this world with full sleeve
tattoos. Joe Barnes is a CISSP instructor with Training Camp. Consider yourself lucky if you happen to get him as your instructor; you're as good as gold. Joe will show you the way. He's a good guy, straight shooter.

All right, well, what's first here? Work safety. Okay, human safety: the number one priority, always, in the CISSP exam and in everything in real life, is human safety. Several things within your organization may drive the preservation of human life without you even knowing it, but it's doing it in the background. All those signs that say safety first, or wear hard hats in construction sites, or following safety regulations, those hazard signs, health monitors, or even health insurance: these are all here to keep the human heart beating. That comes above everything else. It's good and key to think that a sound BCP/DRP program in an organization, and within the pages of our CISSP books, is for making sure of the availability of our most critical systems, right, and for the proper recovery and restoration of an organization after a disaster. But the real reason is to make sure that during a serious, or even a non-serious, disaster there are properly tested procedures and processes in place to make sure people can survive the disaster. That's really it. Same with our physical environments: physical environment security controls, things like CPTED, crime prevention through environmental design, or facility security, and just general awareness, awareness of what's going on around you. It's all about safety first. You've got to keep that in mind. And then within the enterprise, things like system resilience, and I don't mean servers or that kind of system, I mean systems like electricity, the HVAC systems, water suppression systems, and in some cases even the oxygen levels, like in a laboratory or something. That's the system resilience I'm talking about. And intrusion detection, again, we mean
physical intrusion detection systems things like uh electromechanical or volumetric heat sensors wave patterns disturbances in light or pressure mats man traps piggybacking tailgating uh what else what else uh those emergency fire doors that fail safe or fail open in case there's a fire right in case of a fire you want those doors to open you don't want them to automatically lock that that's all about human life uh having the right power supply in case of blackouts or or brownouts and the right candle power needed for visibility in dark areas it's to make sure that people don't die all right don't let people die that's your number one job as a cssp don't let people die otherwise not only are you going to go to prison but worse that's going to be on your conscience for the rest of your life and that's almost as bad as going to jail sometimes you know what i'm saying do your thing don't let someone son daughter mother father die on your watch all right uh hey let's let's get out of this grim slide um let's take a look at happier things like money everybody loves money right yeah you do don't deny it i love money i love earning it i love spending it and i especially love it when i hear my homies are making it with me but uh but we're gonna talk about money as it relates to the cisp in the form of cost and value an asset is a straight fixed cost purchasing a five thousand five thousand dollar firewall is a cost the fact that the same firewall protects multiple web servers which if compromised would cost the company hundreds of thousands of dollars that's the value value and cost are two different things i i don't think the csv study guys go into value and cost maybe the sean harris does but but it's important know the difference let's take a look at an example using gdpr okay gdpr what does it mean to be gdpr ready gdpr ready means to know the gdpr the principles of it the workings of it the articles and the roles and responsibilities and i'm talking about gdp already 
for you, for the CISSP exam, not a company. But when in this slide it says the cost of GDPR compliance, I'm talking about what it would cost your company to be GDPR ready. And as a CISSP, they're going to look at you and say, hey, we need to be GDPR ready. Well, frankly, you should already be that, because it's already here, but if they look to you to say they need to be GDPR compliant, you need to know what that entails. So take for example the cost of getting your organization ready for GDPR. It costs your company ten thousand dollars. Okay, that's a lot of money, ten thousand dollars. When we talk about the potential revenue lost from non-compliance, think about it: if you don't spend that ten thousand dollars to get your company ready for GDPR, your potential customers or clients might not want to do business with a non-GDPR-compliant company, even if it's a USA-based company with European Union citizens, right? That's what the GDPR is, it's a way for European Union citizens to have more control over their data, and there's a lot more regulations with what companies can do with that data. Even if you're a company in the United States, if you handle EU customers, if you do international business, which is like a lot of businesses, your company needs to be GDPR ready. Or any customers from Europe, if they find out that you're not doing all you can to protect their private data per the GDPR, you could lose up to a hundred thousand dollars just for not spending ten thousand dollars. So the cost of not being GDPR ready may save you ten thousand dollars, but in the end you may lose a hundred thousand dollars, right? And if there happens to be a breach within your organization and it looks like you're not GDPR compliant, and if you do have EU citizen data, the fine can be in the hundreds of millions. The slide says a million dollars, that's actually on the cheap end.
I think some company just got slapped with like a quarter billion dollar fine for GDPR. I could be reading that wrong, it either says 250 million or 25 million, I can't tell which one. So as far as value and cost, I just want you to think about that: do you want to save ten thousand dollars by not being GDPR compliant, with the potential of losing a hundred thousand dollars in revenue, with an even greater potential of being fined a million dollars? So by trying to save ten thousand dollars you've just lost a million dollars and a hundred thousand. Now if you paid that ten thousand dollars, you would have gained a hundred thousand and would not have had to pay the one million dollar fine, right? The cost is ten thousand, but the value of that reaches above a million. That's value and cost. Just wanted to touch on that real quick.

Let's check out some other important points about thinking like a manager, and that's the processes, roles and responsibilities for the CISSP exam. Very important. Oh, why did I not bother to write a script for this part? I'm going to have to do this completely from my mind, and I feel like I'm going to miss out telling you guys something. If that happens I'll make sure to put in captions and stuff in the final edits. Thinking like a manager means to know the processes that you study in your CISSP books. Okay, that's a solid definition, you just have to know the processes that are in the books. But not a lot of people might put an emphasis on the fact that you also have to know the roles involved in those processes, otherwise how are you going to know who's going to do what? And you have to know the responsibilities of those roles in those processes. Let's take a few important examples and we'll just run right through this thing. What are some important processes for the CISSP? Ones that come to mind are, of course, the software development life cycle. You've got to know that, there's an entire domain dedicated to that. Everyone always asks me
what are the proper steps to the software development life cycle. Or, no, what they ask me is, what are the official steps that we have to know for the CISSP exam? The answer is there are no official steps. There are no official steps to anything in the CISSP. The best way to understand what steps are involved in the software development life cycle is to do this, here's a nice little tactic: you read about the steps in the Sybex book, read about the steps in the Shon Harris book, and then you read about the steps in, say, the NIST document. Then you take all three documents and... I feel like I've already said this in this video beforehand, did I already say that? See, I should have written the script for this. So in case I didn't say it before, I'll say it again. You take what each of the two books and some other source says about the steps of the SDLC, and then you just go through the general steps. If you look at all three documents you'll see that the first step is initiation, bar none. All three sources agree that the first step of the software development life cycle is initiation. Okay, so in your mind you know that initiation is the first step of the software development life cycle. You can do this with any of the processes in the CISSP study guides. What's another important process? BCP/DRP. You've got to know BCP/DRP, and I know I said this at the beginning of the video: if you don't know BCP/DRP you will fail the CISSP exam, it's as simple as that. What's another good process? Incident response, how you respond to an incident. Most of the CISSPs I help around the world are responding to incidents in some capacity, right? They always say, hey, I'm a network engineer, I'm a CCIE, I don't really know a lot of high level stuff, my job is security, I work on the firewall or the router, or I'm a BGP engineer, and I usually respond to something, I react to something. I'm not a manager who creates policies for others to do, I'm more reactive
than proactive. So that's incident response. There are steps to incident response and you do the same thing: you look at your Sybex book, you look at your Shon Harris book, and I believe there is a NIST document specifically for just incident response. It may be for just malware handling, but you'd get the general idea. So I highly recommend looking at those NIST documents, I think it's called incident handling for malware response, or malware response incident handling, something like that.

PKI, public key infrastructure: certificate authority, registration authority, client, server, digital certificates. You've got to know this process for the CISSP exam. It helps greatly to reinforce your knowledge of cryptography if you know public key infrastructure, because it involves almost all the elements, things like digital certificates, Transport Layer Security, 802.1X, what's that called, EAP, Extensible Authentication Protocol. All that derives from public key infrastructure certificates. Important to know that process, not only for the exam but in real life. If your manager at work asks your opinion on how we can get a public key infrastructure for the office, what are you going to say, right? You've got to know that. At least know what a public and private key pair is, and what happens when you encrypt with a public key versus signing with a private key, right? What services do they provide? They provide confidentiality, integrity, authentication, non-repudiation. Just know those high level concepts.

Cloud vendor is not exactly a process, but there is a process to obtain a cloud vendor, right? Before your company engages with Azure or AWS and decides to get a virtual firewall, virtual server, or user storage for data, you want to research that cloud vendor. I think this is just specifically for the CISSP exam, I don't think in real life anybody even does this, but for the CISSP exam, before choosing not just a cloud vendor,
think of a cloud vendor as a third party. Before engaging a third party, make sure to do your due diligence in the form of a risk assessment. Check out that third party, make sure they're doing business well. Do their systems follow Common Criteria? Do they have assurance levels? Are they following the steps of the Capability Maturity Model Integration, CMMI? Do your research before engaging a third party, because whoever you're doing business with, their risk becomes your risk. Okay, especially with cloud vendors, because you don't know what's going on in their infrastructure, they don't give you complete visibility. You only own what you own. If you engage a software as a service, you just get access to the software, you don't know how they're securing all that. In real life, odds are Amazon or Microsoft is doing a superb job securing their infrastructure, better than we can even dream of, but as far as the CISSP exam is concerned, you've got to do your due diligence, you've got to trust but verify.

And then there is, oops, sorry, and then there is, what's the next one, data handling. There is a process to data handling in your CISSP study guides: marking, labeling, classification, meta tags. If someone hands you some confidential data, or any data really, you've got to know what to do with that, starting from the beginning. For one thing, data you don't enhance. Maybe you as a security professional get handed data, but when you need that data to be given to senior management for analysis, that's when the data becomes information. Information is useful, data is not. So you have to know how to handle that, how to transform that data into information.

The other process is an information security program itself. Now we're veering away from being a technical person to taking more of the role of a chief information security officer, a CISO. If you're a CISO of a company, maybe after getting the CISSP you will become one down the line, they're going to say, hey, you're
now the new CISO, we just had a breach last year, we want to make sure that doesn't happen again, or at least reduce the effects of it. What are you going to do to start an information security program? You have to kind of know that process. The processes I picked in this slide, these one, two, three, four, five, six, seven processes, they're not the most critical. These are just random processes that I picked, except for software development life cycle and BCP/DRP, those are important, and incident response. At least know the top three, that's why I put those in the top three. Okay, so those are some processes. You studied them, you know about them, you know the steps, you're familiar with them, and you think you can brush it off and be like, I'm ready for the CISSP exam. You've got to know the roles contained within them as well as the roles' responsibilities.

So for software development life cycle, when I think of SDLC, or someone may think of SDLC, you may think, oh, software development, one of the roles is an engineer, a software developer, a database engineer, or anything like that. What I think is management, and their responsibility is approval, funding, and addressing security concerns. It's not that you have to know just the processes of software development life cycle, but this is a security exam, so you have to know where in the process you're going to put security. For me, security, well, not for me, this is for the CISSP exam, you always got to start with security at the beginning. So for the role of management, as far as the software development life cycle, they get involved in the very first step, initiation. That's the first step they're going to be in, and probably the only step. This is your only chance to interface with management and ask them, hey, I know you're approving this, you're approving the funding, you're giving us the money, you're allocating the resources, but as a CISSP I must also ask you that, hey, you must look at these security concerns with this new software
that you're going to develop, with this new system that you're going to buy. Okay, so management's role in the software development life cycle is to approve the actual SDLC, to provide funding, and to address any security concerns. And all you're looking for from them as a security concern approval is just to say, yeah, listen to the CISSP, we've heard him, he gave us some interesting points about what the security concerns are, and we would like them to be addressed moving forward. So they've given you approval to address security moving forward, right? Because nobody wants to address security unless they have to. You as a CISSP have to push for that.

The next one, for the BCP/DRP, one of my most important roles for that is departmental leaders: the business functional leaders, the VP of sales, the VP of marketing, the head developer, the IT director. All these higher level roles are needed for their input during the business impact analysis. That's the most important part. We can test the BCP/DRP, we can come up with recovery strategies, but all that doesn't matter if we don't know from the departmental leaders, during the business impact analysis, what the most critical assets are. They are the ones during the BIA that tell us that, hey, this server, it cannot go down for even a second, for even a minute. If this server goes down for a minute we're going to lose hundreds of thousands of dollars. Okay, they're the ones who tell us that, because they know what's the most important thing in the department, because they're responsible for it, and they don't want anything to go wrong with it. So that's where they act, during the business impact analysis, to let the BCP team know that, hey, put in recovery strategies to make sure this is made available during a disaster, otherwise this company is going to be obliterated. Okay, important role during the BCP/DRP is departmental leaders, who provide input during the BIA.

And during incident response, I just have a
manager around. As stated before, if there's an incident, you as a network engineer, as a technical person, don't get to make any decisions. You don't get to decide to unplug that server, you don't get to decide to reboot that firewall, you don't get to decide any of that. You need to find a manager who's responsible for making that decision and coming to the conclusion of the decision making process. I think earlier we talked about, you know, if the virus on a server is low impact, there's no point in unplugging the web server, you're going to lose too much money for what it's worth. You want to wait until something more serious happens. Okay, incident response: don't make any decisions, wait for your manager, who's going to take up the role of the decision making process.

For PKI, an important role is the certificate authority. The certificate authority is the trusted third party, like in Extensible Authentication Protocol that uses certificates, right, client and server. I forget if EAP uses and requires both client and server. EAP-TLS, I think only the server needs the certificate, while in EAP-TTLS both the client and server need to authenticate themselves. Either way, in order for the client to trust the server, or the server to trust the client, they're just not going to trust each other. They need someone in the middle to vouch for both of them at the same time, which is the certificate authority, the CA. They provide the trust. Okay, the certificate authority is an important role in public key infrastructure, with the responsibility of providing trust. This is why it's important to know the process, the roles involved, and their responsibilities.

And with the cloud vendor, it is the role of the cloud service provider to give you the service that you're looking for, and to make sure that they are giving you the service you're looking for, you need to have service level agreements or non-disclosure agreements prepared before engaging them, because you're trusting them with
the security of your infrastructure. Well, it's really their infrastructure, but you're renting it and you're the one who's paying for it, so you want to make sure everything's right. You want to make sure that CSP is giving all the tenants like you the proper security of the infrastructure, to meet your business requirements, to meet your level of risk acceptance. Okay, another role in cloud vendor could be the tenant, or, well, that's it really, right? When it comes to the cloud, all I can think about is the cloud service provider or the tenant. I don't know, maybe if you're watching a CCSP video, Cloud Certified Security Professional video, they can go into more detail. Or check out Prashant Mohan's new free PDF document called Cirrus that talks all about CCSP. He'll tell you everything you need to know.

As far as data handling, come on, these are terms you already know: data owner, data custodian. What's the data owner responsible for? What's the number one thing the data owner is responsible for? Data classification. They're the one who gets data in and says, that's confidential, that's top secret, or that's private, that's sensitive, or that's sensitive but unclassified, whatever that means. I don't know what that means, I've never seen "sensitive but unclassified" in real life. I think that's in the Sybex, I have no idea what they mean by that. So data handling, remember, next to human life, money and data are probably the next most important thing, so you have to know how to handle that, and one of the roles of that is data owner. So know your data owner, data custodian. That's all I can think of. The end.

For information security program, who did we say is the most important role? The CISO, chief information security officer. And why are they an important role? Because they are the driving factor. Remember in the last slide of those nine points I said something like, the senior management has to drive priorities,
they have to drive the security program, they have to drive the business initiatives. For the information security program, the CISO is the driving factor, it all starts with him. Now the CISO might get orders from the CEO, but it's not the CEO's job to be the driving factor of the information security program, that's the CISO. The CEO might be ultimately responsible if that fails, but you know the CEO's going to blame the CISO, just in case, he's going to do that, or she's going to do that. No one wants to take responsibility when security goes down, that's why they get the CISO. I mean, the whole point of a CISO, why it was invented, was to take the blame. I remember when Target had their breach, they didn't have a CISO. I think the CEO took the brunt of the blame for that one, and immediately later they created a CISO position, just so when things hit the fan again they can blame the CISO, just in case everything went wrong: hey, don't blame me, the CISO is in charge of the information security program, he or she is the driving factor. Okay, so in your company, if they suddenly, enthusiastically, come to you as the new CISSP and they offer you the CISO position, be careful what you're getting into. You better know your stuff, and you better know what happens if something goes wrong. Okay, I think I spent way too much time on processes, roles and responsibilities.

Let's move on to something else, and a burning question that everybody always has, and that's how much technical knowledge do I need to have for the CISSP exam? Do I need to be technical? Do I need to be technical for the CISSP exam? I get asked this question so much, always with a tinge of fear, or almost with a little bit of hope that I'll say, oh, not that much. Guess what? You don't need to be a CCIE, you don't even need to be a CCNA for the CISSP exam, but it really helps. Domain four has the most pages in any CISSP book, I guarantee you that. Shon Harris, it's got the thickest chapter,
Sybex, it's the thickest chapter. And the truth about domain four, network security, is if you don't work in network security in real life, it's not going to come easy to you. It's just not. But there are ways to counter that. So take a look at this picture. If you can answer some of these questions, if you can get a good grasp of what I'm asking, you should be okay. So one of the first things I just want to simply ask is, do you understand this network architecture? Do you understand what happens at the internet, why there's a router that close to the internet, why there's a firewall after the router, why there's a switch, the difference between fiber optic cable or unshielded twisted pair, why there's another switch, why there's five different servers, why there is a hub in between the printers, why there is that weird looking device with two antennas giving off wireless signals to those other three wireless clients? Do you know what's going on here? If someone were to ask you, draw me a network diagram, would you draw something like this? Or if someone were to ask you, like, if I give you a server, how would we connect to the internet, what devices would we need? You need a router. You don't need one, but it's highly advised that you get a firewall. The firewall is probably the strongest network security device you can have in your organization. Basically, look at these servers. This is why you need to know your cryptography. Do you know how to use symmetric or asymmetric encryption to secure these servers? Are you going to encrypt the data on those drives with AES, or are you going to encrypt it with non-repudiation? That was a trick question. You don't encrypt anything with non-repudiation. If you know your cryptography you would have caught that. So that's why we learn cryptography, so we know how to encrypt the mail server, we know how to encrypt the web, FTP, proxy, DNS server. And I mean, why are we using an FTP server? That's not secure, we'd rather use FTPS. Why are we using that web
server? It's probably internet facing. Is it using TLS, Transport Layer Security? Are all these servers using Transport Layer Security if they're being connected to from the web? Yeah, that's why you have to know that. That's why you have to know encryption, symmetric encryption algorithms, and why they're strong, and when to use which one, or what encryption complements another hashing algorithm, right? Encryption and hashing are two different things. You have to use them in combination, because encryption provides confidentiality and hashing provides integrity. You've got to have both, right? Then if I were to ask you, where would you put an IDS, intrusion detection system, or intrusion prevention system? Do you know where to put that on the network? Do you know why you'd put that on the network? Do you know how an IPS differs from an IDS in case of an incoming threat? Say a malicious virus signature, a malicious signature just comes into your network, how would an IPS react versus an IDS, right? You need to know that. Just FYI, an intrusion prevention system would try to block it immediately, in real time. An intrusion detection system would just probably send an alert to the administrator that, hey, this is happening, you need to do something, whereas the IPS would take the responsibility on itself. Do you know what IPsec is, IP security? Do you know why it's handled on the firewall? IPsec is probably a big part of being the CISSP. It secures data in motion. It's probably the strongest thing there is to secure data in motion, right? That's again part of domain four, a big part of domain four actually, Internet Protocol Security. Do you know what federated identity management is? Cloud stuff, single sign-on, SAML, identity provider, OAuth, all those cloud terms. Do you know how that fits into the entire network here? That's why you study those cloud terms, cloud computing terms, public cloud, private cloud, just everything in a federated identity management system. How does a
single sign-on to the mail server work? How would federated identity help doing single sign-on to those wireless clients? That kind of stuff, you have to know that. Do you know what 802.1X is? If you at least don't know the details of 802.1X, at least do you know that it's on layer 2? It's a layer 2 technology, it's not layer 3. It works at the data link layer. Do you know how to secure those remote clients getting RDP, remote access security? That kind of goes hand in hand with IPsec. IPsec is like site-to-site VPNs, while RDP remote access security is like using Transport Layer Security, SSL or TLS. You want to use TLS because SSL is obsolete due to the POODLE attack. You know Kerberos. Everyone wants to know about Kerberos, and everyone thinks that memorizing the fact that it's a three-headed dog, or what port number it uses, and they're good for the exam. No. If I'm putting that word Kerberos there over the printer, what can you tell me about that, looking at this video? If I were to ask you, explain how that printer would use Kerberos, you should be able to explain it to me: that a ticket granting server issues tickets to a client using ticket granting tickets and session keys, and all the passwords for all the clients and authentication mechanisms are stored on the KDC, and the KDC is a single point of failure, and they issue all these tickets that allow the client to access the printer through the trust of the KDC. You should know all that. That's why we study all that. That's part of knowing domain four, network security. Do you have to be technical? No, you don't have to be technical, but you kind of have to have a high level view of something like this in the diagram. This is just one of thousands of different scenarios that there could be for network security. Do you know anything about WEP or WPA2 wireless technologies? If nothing, at least know never to use WEP
because the passwords can be seen in clear text, and to use a stronger one like WPA2. Do you know how they secure wireless signals across the wire, I guess across the air? You've got to know that. VLANs, do you know the advantages of VLANs? What is a VLAN? And knowing the fact that a VLAN stands for virtual local area network is not enough. You have to know things like broadcast domain, or what's the other one, collision domain. You have to know the differences between that. You have to know about, what's that called, CSMA, you know, the collision detection and collision avoidance. Read up on that, they'll help you to understand VLANs. If nothing, at least know if a protocol uses TCP or UDP. What are the advantages of TCP versus UDP? Do you know about the three-way handshake? Look, you're not going to be tested on the CISSP exam on what is the second step of the three-way TCP handshake, you're not going to have to say, oh, that's SYN-ACK. You have to know why TCP would work over UDP and for what reason, which one is better for security, which one doesn't need security but has an accompanying security protocol, like DNS. DNS uses UDP 453 but it uses TCP for zone transfers. Just differences like that, which is really difficult to know if you don't work in the sector. I know it's hard. I work in network security and it's hard for me, it's just too much information, that's too much. Do you know the OSI model? I'll tell you a secret: if you really get to know the OSI model, everything else in this diagram will make sense. Everything, the internet, the web servers, the firewall, TCP, UDP, 802.1X, Kerberos, all of those fall into one of the layers of the OSI model. If you know the OSI model, I don't want to say you're set, but it'll give you a base to better understand the network security domain. So do you have to be technical for the CISSP exam? After what I've said, you decide. It's not that you're going to get technical questions on the exam, it's
that there's going to be technical terminology, probably, used that you're going to need to know in order to just understand the question or the choices. That's how it works. Same with security in real life. People are going to be using all sorts of technical information, you better be on point and be ready to answer that, and not be like, oh, I don't know what that means, I never studied it because I'm not a network security engineer. Yeah, well, you're a project manager who's handling network security engineers, so you've got to keep up with how they talk. Okay, do you need to be technical? You tell me.

All right, I guess now we'll talk about the book. This whole video, this whole webinar for Prabh, was to kind of talk about think like a manager, but not specifically about the book. We're not trying to just make this a whole promotional type of deal, but I will talk about it. Most importantly, the most important thing I want to ask you right now is, do you guys like that cover? I love that cover. I love that cover because my wife came up with it. She saw that I always talk about VPNs at home. I talk about encryption, I talk about decryption, I talk about why a customer's phase 2 VPN tunnel wasn't coming up, and then first thing tomorrow morning we're going to run some IKE debugs on it and figure it out, it's most likely an encryption domain problem. You know, I tell her all this stuff, and she doesn't know all this, but she likes the fact that I'm enjoying my job and that I like it. That's why she's so great, I love her for that. She listens to all my BS, she listens to all my technical stuff with a smile, and she knows that since I'm enjoying it, she's happy that I'm happy. So she says, why don't you do something with all that unlocking you're talking about? And by unlocking she meant decryption. So that's why the symbol is a big lock, with little bits of symbols flying away, and the book is supposed
to be me unlocking your brain to think like a manager or something like that it's got the little icons of like usbs and a key and all sorts of i.t related related stuff i thought i thought it was neat um you know this this whole book thing it's it's been a it's been an amazing journey i i i thought just a few people would would buy it but it seems to be a lot of people seems to okay so this is how the book is laid out there is a page that has a practice cisp related question just like you know any other practice question book it's you know it's set up just like any other practice questions you take a a question and four choices right underneath the question is the suggested mentality and strategy that should be running through your mind at this time what this part is doing is making you understand that don't just rush into answering the question right away try to hyper analyze every single choice all the choices may seem like the right answer but you have to choose the best answer you will always hear me say that it is not only important to find the right answer but it is more important to know why the other choices are wrong the book emphasizes that no stone should be unturned when it comes to answering csp practice questions because because the more work you put in while you're studying the faster the better and more confidently you will be able to handle the real exam questions the better you'll be prepared to take take them on because you went through this arduous process of hyper analysis beforehand you know you know everyone tells you how to take the csp exam but nobody tells you how to think during the course of the exam like the actual thinking like how your brain should operate the questions in the book are here to help you establish the patience discipline and stamina to build the endurance required to sit through the csb cad exam this uh this particular question asks expenses extra responsibilities and reduced profits are a result of what and the choices 
are security, efficiency, convenience, and operability. Classic think-like-a-manager type question. In the exam strategy section, information is provided about each of the choices, arguing whether it could or could not be the answer. Within these pages of questions and answers you will find quick notes and graphics, both of which identify when to think like a manager and what to think given the situation.

Now, in the explanation section, if you're holding the paperback, it's laid out with the question on the left side and the answer and explanation on the right side of the book. It took like two weeks to work with the publisher to get that idea across. Man, writing a book is not easy. I mean, you've got to work with a publisher and just kind of get your ideas across with them; they have one set of ideas. Most publishers didn't even know what the CISSP was or what kind of book this is. They're like, "What kind of a book is this? It's just questions and answers." They were asking me, "Why are you explaining each question and answer, and how is this going to help readers who read regular books?" I was like, "Well, this isn't for regular book readers; this is for elite cyber security professionals." It's hard to talk to someone who's not really in our sector and explain to them what my vision kind of was with this.

Anyway, with the explanation section, the correct answer is identified in orange. Orange is like the whole theme of this book for some reason; I don't know, I like the vibrancy of that color. But really, the answer is the least important part. The explanation provided is a thorough understanding of why security is the answer to this question and why the other choices are not the answer. And much like the practice questions section, various tips on how to think like a manager are on display, like the one on the top right, as well as a core CISSP concept, which is at the bottom left. So you'll see
things like core CISSP concepts to know and how-to-think-like-a-manager icons peppered throughout the book. That's the entire book: it's 25 questions of just this kind of layout. You get a question with an analysis of the choices, and then the answer on the next page with a complete explanation. It tells why it is important to get approval from management instead of just jumping in and fixing problems. The book tells you why it's important to perform a risk analysis after a major change or acquisition in an organization, and the book tells you how to handle questions with the words "best," "least," and "most," or the book can tell you why security should be embedded not just at the beginning but at every step of the software development life cycle. I tried to take some core concepts and tips from each of the CISSP domains in the common body of knowledge. Obviously this book can't address every single core concept, tip, and thinking method that you have to know, because they are endless, but I just accumulated what I've come to know over six years of being a CISSP instructor. And that's how it should be too, right? I mean, what's the point of CISSP practice questions if a full explanation isn't provided, or at least some kind of explanation? That's all we want, right? Someone to explain something to us. Look, the CISSP is confusing enough. I wrote this book in the same form as what I would have wanted in a book about thinking like a manager.

All right, let's look at how to use the book. After you've completed the book, I hope you can still take the same tips, strategies, and think-like-a-manager concepts and apply them to other CISSP practice questions. Once you keep doing this, you will retain the same mindset when taking the real exam. Instead of having to force yourself to think like a manager, it will come naturally. That's why you will find sprinkled throughout the book graphical tips on how to think like a manager given a situation, core CISSP concepts, and
exam essentials. The think-like-a-manager icons are there to remind you about thinking of value, cost, and... and I lost my place. Where am I? It is the worst to lose your place when you're trying to talk about a book that you wrote, and you just kind of lost your place. You know what, I'm going to leave this edit in just to show that not everything always goes perfectly when making these videos. I'm not even going to edit this out. Where was I? Oh, the think-like-a-manager icons, yeah, that's right. I had to write a script for this last part because I couldn't wing it anymore; I just had to write the script for this last section. So the think-like-a-manager icons are there to remind you about thinking of value, cost, processes, roles, responsibilities, and to keep yourself in the realm of high-level thinking. The core CISSP concept icons are there to provide just some basic concepts of information security that are paramount to know. The CISSP is a test of concepts, because concepts do not change. Whether you're studying for the CISSP exam or hired as the chief information security officer for a global organization, the concepts are the same. Whether your kid has the flu at home or you're trying to contain a global pandemic, the concepts are the same. Whether you're trying to send a space shuttle to the moon for the first time or sending supply rockets to a base on the moon which will eventually be the relay point for the voyage to Mars, the concepts can still be applied; they all use the same concepts. That is why the CISSP is a vendor-neutral exam, the concepts of which can be applied to organizations that have anywhere from 10 users to 100,000 users. Okay, and the exam essentials icon will just add on a little bit of good study habits, just some good general test-taking tips and steps. They go into saying that you should go beyond your suggested CISSP books and venture into the realm of other sources,
because you just can't use one source or two resources to study for the CISSP exam. You've got to go beyond that; you've got to really push yourself, right? These exam essentials will talk about how to study and what to study, and they will sharpen your sword for the exam itself.

Okay, and when to use it? Well, that all really depends on experience. Say you're six months before your exam. If you were to get the book at this time, look, even I'll tell you it's probably not worth it six months before the exam. Did I say a disclosure to this book? Yeah, as with all books, this book is not enough by itself to help you pass the exam. I would never flatter myself by ever saying something like that, right? No single resource is enough. So if you get this book six months before the exam, it's going to be overwhelming. Most people who take the CISSP exam, or start studying six months ahead, think this is like a CCNA exam or a technical exam, so when they start reading stuff about business and management they might not even think it's the right book for the CISSP. But you know it's about value and cost, so things can be a little bit more overwhelming at this point. When you're studying for your CISSP exam, just try to read to understand; don't try to memorize. Everyone goes in thinking, "I've got to memorize this, I've got to memorize that." Yeah, you've got to memorize some things, but you only memorize to make sure you understand. That's why reading is paramount: read to understand, not to memorize. There's nothing in this book that you need to memorize, nothing, not even those tips or goals or CISSP concepts. That shouldn't be something you're like, "All right, make sure you remember that Luke Ahmed's book said to remember cost or value." That's not something you should remember; that's something you should just know. And the book, and the entire set of CISSP documents and books, can also be a warning at this time, six months before your exam, to let you know
like, hey, this is no joke. You better get ready. You better get ready to devote quite a bit of time of your life and sacrifice quite a bit of time of your life to pass this thing. This isn't the most prestigious security certification for nothing. Yeah, it takes a lot to get this done. This isn't just, "Oh, I read this book that they said is the official study guide. I'm just going to read this and take the exam, and that's all it should be. I'll join this elite club of security professionals after doing that." No.

Three months before the exam, now you've read your book, you've done a bunch of practice questions, you've watched videos, you've paid for all sorts of things, and if you haven't gotten it yet, now is when the book will start to frame your manager mindset. You've absorbed everything in the Sybex, everything in the CBK book, 11th Hour, the Shon Harris seventh edition, eighth edition, practice question engines. You've read all that, and now you're starting to hear, if you haven't figured it out yourself, others telling you this is a manager-level exam. You're probably reading study experiences. The Study Notes and Theory website has, I think, hundreds of CISSP study experiences; just google "crack the CISSP" and you'll find everything on my website about how others cracked their CISSP exam, and they always talk about thinking like a manager. At this point you should also start reading about exam strategies: time management, how many breaks you should take, how many questions you will face, what time is left, where your testing center is. Don't leave things like where the testing center is and their protocols to a month before the exam; you need to know beforehand so you're not worrying about that six days before test day. At this point, try to understand the core concepts, because three months may seem like a long time until your exam date, but take it from me, this is when you should be basically
ready to take the exam, and the additional three months is to finalize and understand all other concepts that may seem unfamiliar. That's a hard truth to take in, that you should be completely ready at the three-month mark and the rest of that time, for the next three months, is just complete review. I don't know how to explain that, but that's what should happen, especially with this book. You get it three months beforehand. This book isn't meant to be read once and then you're done. If you've got the paperback of the book, it's very bendable; I wanted it to be rolled up like a newspaper so it can be stuck in your book bag or stuck between the pages of your thick CISSP books. It's supposed to go with you wherever, just so you can quickly browse through it for any kind of things you want to understand further, or apply whatever tips are in the book to other practice question engines.

And a month before the exam, this book will teach you patience, this book will teach you discipline, and you will learn time management. All right, I'll be honest, maybe not so much the time management, because everybody thinks differently, but the length and the explanations and analysis of each question in this book will build your patience; it will build your discipline. There are only 25 questions in this book, okay? I'll say that now so there's no confusion, so later you're not like, "Wow, this was a short book, I didn't expect such a short book," or "I expected more for all the hype that I'm hearing about it." It's just 25 questions, okay? I'm telling you that right now. I didn't write this book for the money. I've got a professional job; I don't need the money from this book. I just know that the question of how to think like a manager went unanswered for years, and it had to be answered. Okay, that's it. As I've said before, my book is not enough to pass the CISSP exam. I even put it inside the cover of the book; I said this book is not enough for, or responsible for, the
pass or failure of your exam, right? If you fail the exam, it's not my responsibility, although I will feel very bad and I will do whatever I can to help you ace it next time. And even if you pass, I'm still not responsible for that. Whether you pass or fail, that's on you, because the thing about the CISSP exam is that not my book, not other CISSP books, my website, any other website or test engine, and nothing else available is even close to the questions found on the real exam. This is why the CISSP is the CISSP. What you are doing by reading and studying is learning the concepts, the best security practices to be found in the security field. The real exam doesn't care if you memorize any of the material. What it does is test whether you can apply the concepts you learned to their questions. It's not a memorization exam. You have to first learn the concepts and then apply them by choosing the correct choice. Everybody would have a CISSP if it were that easy. The CISSP is not for those who need constant motivation. By studying, doing practice questions, and spending a massive number of hours toward this thing, you are cultivating a discipline that will carry on with you for the rest of your life. Right now, if you're struggling, sacrificing, and staying up late nights on your journey to the CISSP, I wrote this book for you. You want to know how to think like a manager? I just poured my heart out and told you. I hope it was worth the time.

When I started the CISSP thing, my goal was to be the number one CISSP instructor in the entire world, without allowing anybody to even come close to what I was doing, without allowing anybody to even come close to matching the vision that I had. But looking back, that was a superficial goal: unrealistic, selfish. The real prize was the difference that Study Notes and Theory has been making on people's journeys to the CISSP. The journey is the prize. Good luck on the exam, and I thank you for watching. [Music]
