
Think like a C-Suite

You may have heard the mantra "think like a manager" numerous times as part of your CISSP preparation, be it on Reddit, on YouTube or in your study guide, and it makes perfect sense. But what does it actually mean? Anyone can be a manager... What does it take to think like a CISSP manager?

This chapter provides answers to these questions in a concise and clear manner. We will dissect the crucial elements that need to be internalized for successful navigation through the CISSP exam, supported by real-world examples to enhance your understanding.

Considering the CISSP exam's tendency to test critical thinking rather than recall, adopting a managerial perspective is a solid method - everyone tells you to think like that for a reason. I'm just going to tell you how to do it.

Due Diligence vs Due Care

Due Care is what a reasonable, prudent person would do in a specific situation: implementing and operating the controls the risk calls for. This principle is often referred to as the "prudent man" rule. Due Diligence is the research, planning and ongoing evaluation that makes those Due Care efforts possible and keeps them effective. Together, these concepts reduce senior management's culpability and potential liability in the event of a loss.

Without Due Diligence and Due Care, the organization could be held liable not only for its own losses, but also for those of other parties such as vendors, business partners and customers.

Due Diligence (Pre-Decision) | Due Care (Post-Decision)
Research                     | Implementation
Planning                     | Operation & Maintenance
Evaluation                   | Reasonable action

Look, I'm simplifying to illustrate the point that Due Diligence predominantly occurs before a decision. Some activities, such as evaluation, also occur after the decision to confirm that the security measures remain effective. Remember:

  • Due Diligence is about thinking before you act. Don't be reckless; make informed decisions.
  • Due Care is about doing – actions speak louder than words. When it comes to liability and culpability, good intentions aren't enough. Actions protect us in due care scenarios.

Examples of Due Diligence & Due Care

Due Diligence - Knowledge and research | Due Care - Execution
Laws and regulations                   | Reporting security incidents
Industry standards                     | Security awareness training
Best practices                         | Promptly disabling access

Auditing & Due Care:

Security audits and effectiveness reviews are the evaluation side of this pairing: they verify that the controls you put in place still work. Due care is shown by acting on what they find and by maintaining a well-documented audit trail, which evidences the responsible actions actually taken.

Whenever you're unsure, it's a good rule of thumb to act with common sense, prudent management, and responsible action - all of which are alternative ways to describe 'due care'. 

The concept of 'due diligence' goes hand in hand with 'due care'. Due diligence is the systematic identification and assessment of risk; due care is acting on that assessment by implementing and maintaining measures that reduce it.

There will be questions on both these concepts in the exam, so try out the practice questions in the official study guide.

Know Your Priorities!

So now we have the fundamentals of thinking like a manager. A big part of being a manager is understanding your priorities, knowing your responsibilities, and effectively guiding your team. From a CISSP perspective, you can layer the responsibilities of the organization into three hierarchical categories:

Planning Level | Time Frame            | Primary Responsibility                                | Examples
Strategic      | Long term (3-5 years) | Top management / Chief Information Security Officer   | Setting security goals for the company, deciding on major security initiatives, evaluating long-term risks
Tactical       | Midrange (about 1 year) | IT directors / managers                             | Creating security policies based on strategic goals, planning training programs, preparing for audits
Operational    | Short term (immediate) | IT engineers                                         | Implementing security measures, daily system checks, immediate problem-solving, escalating risks

Risks are escalated upwards from the operational level and flagged for management's attention. Conversely, objectives are handed down from the strategic level to the operational level. In a strategic role, your main concerns are, in order, human safety, business continuity, protecting business profits, and reducing liability and risk.

Directors and managers focus on policy development and planning at a more granular level. They also manage the operational staff who implement and operate based on the objectives cascaded down to them.

You're a strategist, not an executor. Your focus should always be on the broader picture: the overarching objectives.

[Figure: flowchart-objective-risk.png - objectives flow down from strategic to operational; risks are escalated upwards]

One helpful mental model is to think of yourself as an external security consultant advising an organization, or as a Chief Financial Officer. In these roles you typically provide advice rather than take direct action. Or imagine being out at lunch with a colleague from another company who is seeking your input on a matter: your role would be to guide and advise based on your expertise, not to do anything yourself.

Your attention as a CISSP should be concentrated on processes, roles, due diligence, and due care. This managerial perspective is vital for effective leadership in information security.

Processes, Roles and Responsibilities

A manager plays a big role in setting direction and making critical decisions, so it's important to understand the key processes and frameworks that let us do this properly. Refer to the Processes, Roles and Responsibilities chapter to freshen up on each key process and framework.

Practice Question

At which stage of the incident response process should the team conduct a root cause analysis?

A) Response

The focus during this phase is to limit damage and keep operations running. A root cause analysis comes later.

B) Reporting

This step is about communicating the current situation, not identifying why it occurred.

C) Remediation

Correct. Remediation is the phase in which the root cause of the incident is identified and fixed.

D) Lessons Learned

Close, but this phase happens after the root cause analysis.

With an easier question like this you can eliminate the other options by reasoning about what each phase is for, but the reliable way to answer this type of question is to know each step of the process and the objective of each step.

Domain 7 Revision: Incident Response Steps:

  1. Detection
  2. Response (limiting damage)
  3. Mitigation (containing the incident)
  4. Reporting
  5. Recovery
  6. Remediation (root cause analysis)
  7. Lessons Learned (improvements based on the root cause analysis)

Shared Responsibility Model

Have you ever worked with an MSP (Managed Service Provider) or CSP (Cloud Service Provider) and had issues or misunderstandings? A shrug of responsibility, or a ticket closed because "the other party is handling it"?

The shared responsibility model is important because it clearly outlines who is doing what. In the case of an incident, it is then clear which party is responsible for which area, which speeds up the response and minimizes the potential damage.

There are four main models: On-Premise, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

On-Premise | All hardware and software managed by your company                                                                                  | Your own web server
IaaS       | You manage the OS, middleware, runtime, applications and data; the CSP manages virtualization, servers, storage and networking | Amazon EC2 / a VPS
PaaS       | You manage only the applications and data; the platform is maintained by the CSP                                               | Google App Engine
SaaS       | All components managed by the cloud provider; you only use the software                                                        | Dropbox

Okay, and now let's outline the responsibilities clearly in the table below, showing who manages each layer under each model (the original page marks the CSP's layers in grey):

Layer          | On-premise | IaaS (Infrastructure) | PaaS (Platform) | SaaS (Software)
Applications   | Customer   | Customer              | Customer        | CSP
Data           | Customer   | Customer              | Customer        | CSP
Runtime        | Customer   | Customer              | CSP             | CSP
Middleware     | Customer   | Customer              | CSP             | CSP
OS             | Customer   | Customer              | CSP             | CSP
Virtualization | Customer   | CSP                   | CSP             | CSP
Servers        | Customer   | CSP                   | CSP             | CSP
Storage        | Customer   | CSP                   | CSP             | CSP
Networking     | Customer   | CSP                   | CSP             | CSP

One caveat worth remembering for the exam: even where the provider operates the data layer, the customer remains the data owner and stays accountable for classification, access decisions and regulatory obligations. Responsibility can be outsourced; accountability cannot.
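The "ticket closed because the other party is handling it" problem above is, in practice, a layer that nobody claims. As an added example (not code from the original page), the script below takes what each party says it manages, compares it with the standard model for the chosen service model, and reports layers that are unowned or double-owned. The layer names follow the table above; the sample claims are constructed for illustration.

```python
"""Shared-responsibility gap check.

Added example, not code from the original page. Each party (the customer
and the CSP/MSP) states which layers it believes it manages; the functions
below compare those claims with the standard model for the chosen service
model. A layer nobody claims is a gap; a layer both claim needs a contract
clarification. Layer names and the sample claims are constructed.
"""

LAYERS = (
    "applications", "data", "runtime", "middleware", "os",
    "virtualization", "servers", "storage", "networking",
)

# Layers the customer manages under each service model; every other layer
# belongs to the cloud service provider. Matches the table above.
CUSTOMER_LAYERS = {
    "on-premise": set(LAYERS),
    "iaas": {"applications", "data", "runtime", "middleware", "os"},
    "paas": {"applications", "data"},
    "saas": set(),
}


def expected_owner(model, layer):
    """Who the standard model says manages `layer` under `model`."""
    if layer not in LAYERS:
        raise ValueError(f"unknown layer: {layer}")
    return "customer" if layer in CUSTOMER_LAYERS[model] else "csp"


def actual_owner(layer, customer_claims, csp_claims):
    """Who actually claims `layer`, given what each party says it covers."""
    claimed_by_customer = layer in customer_claims
    claimed_by_csp = layer in csp_claims
    if claimed_by_customer and claimed_by_csp:
        return "both"
    if claimed_by_customer:
        return "customer"
    if claimed_by_csp:
        return "csp"
    return "nobody"


def responsibility_gaps(customer_claims, csp_claims):
    """Return (unowned, double_owned): layers nobody claims, layers both claim."""
    customer_claims, csp_claims = set(customer_claims), set(csp_claims)
    unknown = (customer_claims | csp_claims) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    unowned = [l for l in LAYERS if l not in customer_claims and l not in csp_claims]
    double_owned = [l for l in LAYERS if l in customer_claims and l in csp_claims]
    return unowned, double_owned


def deviations_from_model(model, customer_claims, csp_claims):
    """Layers where the parties' claims differ from the standard model.

    Each entry is (layer, expected_owner, actual_owner), in layer order.
    """
    customer_claims, csp_claims = set(customer_claims), set(csp_claims)
    result = []
    for layer in LAYERS:
        expected = expected_owner(model, layer)
        actual = actual_owner(layer, customer_claims, csp_claims)
        if expected != actual:
            result.append((layer, expected, actual))
    return result


# Constructed sample: an IaaS contract where the customer assumes the CSP
# patches the operating system, and the CSP assumes the customer does.
SAMPLE_MODEL = "iaas"
SAMPLE_CUSTOMER_CLAIMS = {"applications", "data", "runtime", "middleware"}
SAMPLE_CSP_CLAIMS = {"virtualization", "servers", "storage", "networking"}

if __name__ == "__main__":
    unowned, double_owned = responsibility_gaps(SAMPLE_CUSTOMER_CLAIMS, SAMPLE_CSP_CLAIMS)
    print("unowned layers:", unowned)            # ['os']
    print("double-owned layers:", double_owned)  # []
    for layer, expected, actual in deviations_from_model(
        SAMPLE_MODEL, SAMPLE_CUSTOMER_CLAIMS, SAMPLE_CSP_CLAIMS
    ):
        print(f"{layer}: model says {expected}, contract says {actual}")
```

Run it as-is to see the unpatched OS fall through the gap; swap in the layer lists from your own contract and service model to find the shrugs before an incident does.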

The Most Important Question

To summarize how to think like a true manager/executive:

An effective manager avoids relying solely on their authority - "do this because I told you so".

Self-inquiry is a critical part of the decision-making process. This involves asking the following key questions:

  1. Who is involved or affected?
  2. What is the task at hand?
  3. When does the issue need to be addressed?
  4. How should the issue be approached or resolved?

But what is the more important question we should be asking ourselves?

The most important question to ask is why. Asking why forces you to consider the essentials, such as cost versus value and safety. It keeps the focus on management-level decisions and encourages critical, proactive thinking.

Accreditation and source material

https://www.youtube.com/watch?v=vfC9OLsCqgk - large inspiration for structure and content