
Think like a C-Suite

You may have heard the mantra "think like a manager" numerous times as part of your CISSP preparation, be it from resources like Reddit or YouTube, and it makes perfect sense. But what does that mean? Anyone can be a manager... What strategies do you need, and what do you need to do, to be a CISSP manager?

This chapter provides answers to these questions in a concise and clear manner. We will dissect the crucial elements that need to be internalized for successful navigation through the CISSP exam, supported by real-world examples to enhance your understanding.

Considering the CISSP exam's tendency to stimulate critical thinking, adopting a managerial perspective is a solid method - everyone tells you to think like that for a reason. I'm just going to tell you how to do it.

Due Diligence vs Due Care

Due Diligence involves practicing activities that contribute to the continuous maintenance of Due Care efforts. Conversely, Due Care supports Due Diligence by representing what a reasonable person would do in a specific situation. This principle is often referred to as the "prudent man" rule. Together, these concepts aid in reducing senior management's culpability and potential liability in the event of a loss.

Without Due Diligence and Due Care, the organization could be held responsible not only for their own losses, but also those of other parties such as vendors, business partners, and customers.

| Due Diligence (Pre-Decision) | Due Care (Post-Decision) |
|---|---|
| Research | Implementation |
| Planning | Operation & Maintenance |
| Evaluation | Reasonable |

Look, I'm simplifying to illustrate the point that Due Diligence predominantly occurs before a decision. Sometimes, activities such as evaluation can also occur post-decision to ensure security measures remain effective. Remember:

  • Due Diligence is about thinking before you act. Don't be reckless; make informed decisions.
  • Due Care is about doing – actions speak louder than words. When it comes to liability and culpability, good intentions aren't enough. Actions protect us in due care scenarios.

Examples of Due Diligence & Due Care

| Due Diligence - Knowledge and researching | Due Care - Execution |
|---|---|
| Laws and regulations | Reporting security incidents |
| Industry standards | Security awareness training |
| Best practices | Promptly disabling access |

Auditing & Due Care:

Security audits and effectiveness reviews are crucial components demonstrating due care in information security. An example of due care in practice is maintaining a well-documented audit trail, which showcases responsible actions taken.

Whenever you're unsure, it's a good rule of thumb to act with common sense, prudent management, and responsible action - all of which are alternative ways to describe 'due care'. 

The concept of 'due diligence' goes hand in hand with 'due care'. Due diligence is the process of systematically identifying risks and implementing measures to reduce these risks.

There will be questions on both these concepts in the exam, so try out the practice questions in the official study guide.

Know Your Priorities!

So, now we've got the fundamentals of thinking like a manager. A big part of being a manager is understanding your priorities, knowing your responsibilities, and effectively guiding your team. From a CISSP perspective, you can layer the responsibilities of the organization into three hierarchical categories:

| Planning Level | Time Frame | Primary Responsibility | Examples |
|---|---|---|---|
| Strategic | Long Term (3-5 years) | Top Management / Chief Information Security Officer (CISO) | Setting security goals for the company, deciding on major security initiatives, evaluating long-term risks |
| Tactical | Midrange (about 1 year) | IT Directors / Managers | Creating security policies based on strategic goals, planning training programs, preparing for audits |
| Operational | Short Term (Immediate) | IT Engineers | Implementing security measures, daily system checks, immediate problem-solving, escalating risks |

Risks are escalated upwards from the operational level, flagged for management's attention. Conversely, objectives are handed down from strategic to operational level. In a strategic role, your main concerns are human safety, business continuity, protecting business profits, and reducing liability and risk.

Directors and managers focus on policy development and planning at a more granular level. They also manage the operational staff who implement and operate based on the objectives cascaded down to them.

You're a strategist, not an executor. Your focus should always be on the broader picture: the overarching objectives.

[Figure: flowchart-objective-risk.png - objectives cascading down from the strategic to the operational level, risks escalating upwards]

One helpful mental model is to think of yourself as an external security consultant advising an organization, or as a Chief Financial Officer. In these roles, you would typically provide advice rather than take direct action. Or imagine being out at lunch with a colleague from another company seeking your input on a matter. Your role would be to guide and advise based on your expertise, not to do anything yourself. 

Your attention as a CISSP should be concentrated on processes, roles, due diligence, and due care. This managerial perspective is vital for effective leadership in information security.

Processes, Roles and Responsibilities

Being a manager plays a big role in setting the direction and making critical decisions, so it's important we understand the key processes and frameworks to empower us to do this properly. Refer to the Processes, Roles and Responsibilities chapter to freshen up on each key process and framework. 

Practice Question

At which stage should the team conduct a root cause analysis?

A) Response

The focus during this phase is to limit damage and keep operations running. A root cause analysis comes later.

B) Reporting

This step is about communicating the current situation, not identifying why it occurred.

C) Remediation

Remediation: this phase often involves identifying the root cause of the incident.

D) Lessons Learned

Close, but this phase happens after the root cause analysis.

With an easier question like this, we can eliminate the other options using logic and reasoning, but the best way to answer these types of questions is to understand each step in the process and the objective of each step.

Domain 7 Revision: Incident Response Steps:

  1. Detection
  2. Response (limiting damage)
  3. Mitigation (containing the incident)
  4. Reporting
  5. Recovery
  6. Remediation (root cause analysis)
  7. Lessons Learned (improvements based on the root cause analysis)

Shared Responsibility Model

Have you ever worked with an MSP (Managed Service Provider) or CSP (Cloud Service Provider) and had issues or misunderstandings? A shrug of responsibility, or a ticket closed because "the other party is handling it"?

The shared responsibility model is important because it clearly outlines who is doing what. In addition, in the case of an incident it is clear who is responsible for which area, which helps expedite resolution and minimize the potential damage.

There are four main models: On-Premise, Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service.

| Model | Who manages what | Example |
|---|---|---|
| On-Premise | All hardware and software managed by your company | Your own web server |
| IaaS | You manage applications and data; rest is handled by the CSP. | Amazon EC2/VPS |
| PaaS | You manage only the applications and data; platform is maintained by the CSP. | Google App Engine |
| SaaS | All components managed by the cloud provider; you only use the software. | Dropbox |

Okay, and now let's outline the responsibilities clearly in the table below. The original table shaded the cloud service provider's responsibilities in grey; here "CSP" marks the cloud service provider's responsibility and "You" marks yours:

| Layer | On-premise | IaaS (Infrastructure) | PaaS (Platform) | SaaS (Software) |
|---|---|---|---|---|
| Applications | You | You | You | CSP |
| Data | You | You | You | CSP |
| Runtime | You | You | CSP | CSP |
| Middleware | You | You | CSP | CSP |
| OS | You | You | CSP | CSP |
| Virtualization | You | CSP | CSP | CSP |
| Servers | You | CSP | CSP | CSP |
| Storage | You | CSP | CSP | CSP |
| Networking | You | CSP | CSP | CSP |

Scenario: Imagine you're the CTO of a company that needs to run an application and store customer data.

  1. On-premise:

    • What You Do: You purchase physical servers, set up a local data center, install OS, set up networking, ensure storage is available, manage security at every layer, install middleware, ensure runtime compatibility, deploy your application, and manage backups for your data.
    • Why Choose This: You want complete control over every aspect, have specific compliance needs, or feel this option offers better security. However, it requires a higher upfront cost and more hands-on management.
  2. IaaS (Infrastructure as a Service):

    • What You Do: You rent virtualized hardware resources from a cloud provider. You still choose the OS, install your own middleware, runtime, manage your application, and look after your data, but you don't worry about physical servers, storage, or networking.
    • Why Choose This: You want flexibility without dealing with physical hardware. This is ideal if you have unique OS or middleware needs but don't want the responsibility of managing underlying infrastructure.
  3. PaaS (Platform as a Service):

    • What You Do: You focus on developing your application and managing your data. The cloud provider handles everything from runtime to networking. You're mostly concerned with deploying your code and sometimes configuring scaling options.
    • Why Choose This: You're mainly interested in development and don't want to deal with infrastructure concerns. PaaS offers a quicker time to market, but you're often confined to the tools and configurations offered by the provider.
  4. SaaS (Software as a Service):

    • What You Do: You simply use an application provided by a third party. All you care about is the data you input and the results you get. You have minimal control over how the software functions or its infrastructure.
    • Why Choose This: Your company needs to use software like CRM, email, or collaboration tools. You don't want any development or infrastructure responsibilities and prefer a subscription model. This is ideal for non-core business applications where customization and control are not critical.
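The "ticket closed because the other party is handling it" problem above is really a gap in the responsibility matrix. As an added example (not from the original chapter), the script below encodes the table for the four models and checks what a customer assumes they cover against what the CSP declares it covers, flagging layers nobody owns. The layer names and the You/CSP split come from the table; the function names and the sample IaaS tenant are my own constructions.

```python
# Added example: encode the shared-responsibility matrix and find gaps.
# Layer names and the You/CSP split per model follow the table above;
# function names and sample data are constructed for this example.

LAYERS = ["Applications", "Data", "Runtime", "Middleware", "OS",
          "Virtualization", "Servers", "Storage", "Networking"]

# Index into LAYERS at which the CSP takes over for each service model;
# every layer before that index stays with the customer.
CSP_STARTS_AT = {
    "On-premise": len(LAYERS),                  # customer owns everything
    "IaaS": LAYERS.index("Virtualization"),
    "PaaS": LAYERS.index("Runtime"),
    "SaaS": 0,                                  # CSP owns everything
}


def responsibility_matrix(model: str) -> dict[str, str]:
    """Return {layer: 'You' | 'CSP'} for one service model, as in the table."""
    cut = CSP_STARTS_AT[model]
    return {layer: ("You" if i < cut else "CSP") for i, layer in enumerate(LAYERS)}


def find_gaps(model: str, customer_assumes: set[str], csp_declares: set[str]) -> dict[str, list[str]]:
    """Compare what each party believes it covers against the model.

    Returns layers nobody has taken ("uncovered"), layers both claim
    ("double_claimed"), and layers a party claims that the model assigns
    to the other side ("misassigned").
    """
    expected = responsibility_matrix(model)
    uncovered = [l for l in LAYERS if l not in customer_assumes and l not in csp_declares]
    double_claimed = [l for l in LAYERS if l in customer_assumes and l in csp_declares]
    misassigned = [l for l in LAYERS
                   if (l in customer_assumes and expected[l] != "You")
                   or (l in csp_declares and expected[l] != "CSP")]
    return {"uncovered": uncovered, "double_claimed": double_claimed, "misassigned": misassigned}


# Constructed sample: an IaaS tenant who assumes the CSP patches the OS,
# while the CSP only declares the layers below virtualization.
SAMPLE_CUSTOMER = {"Applications", "Data", "Runtime", "Middleware"}
SAMPLE_CSP = {"Virtualization", "Servers", "Storage", "Networking"}

if __name__ == "__main__":
    print(find_gaps("IaaS", SAMPLE_CUSTOMER, SAMPLE_CSP))
```

Running it reports the OS as uncovered: nobody is patching it, which is exactly the situation an incident would expose.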

Difference Between PaaS and Serverless:

Sally and Bob are both tech entrepreneurs who want to launch a new app.

Sally's Journey with PaaS:

Sally decides to use a Platform as a Service (PaaS) for her app. She chooses a PaaS provider that gives her a ready-made environment where she can directly deploy her app's code. She doesn't worry about the operating system or the server configurations; the PaaS provider takes care of all that.

However, she still needs to think about how her application scales, to some extent. If her app faces a sudden influx of users, she may need to manually adjust resources or set specific rules for scaling.

Responsibility-wise, Sally is in charge of the application and its data, while the PaaS provider handles everything from the runtime environment down to the physical infrastructure.

Bob's Journey with Serverless:

Bob, on the other hand, chooses a serverless architecture for his app. He goes to a cloud provider that offers serverless functions. Instead of deploying his app as a whole, he breaks it down into individual functions that get executed in response to events (like a user clicking a button).

Bob doesn't think about servers at all. When a specific function of his app needs to run, the serverless provider automatically allocates resources for that function and runs it. If a million users suddenly invoke that function, the serverless provider scales it instantly without Bob doing anything.

Responsibility-wise, Bob is mainly concerned with his code and data. The serverless provider takes care of executing the code, scaling, and everything down to the infrastructure layer.

In Conclusion:

  • With PaaS, Sally had an environment where she deployed her app. She didn't manage the underlying OS or servers, but she still thought about the application's structure and scaling to some degree.

  • With Serverless, Bob just focused on individual functions of his app. The infrastructure was entirely abstracted away, and automatic scaling was a fundamental feature.

Serverless takes the abstraction a step further than PaaS. While both abstract the infrastructure, serverless also abstracts the runtime environment, letting developers focus purely on code and data.

Public, Private, and Hybrid Cloud Models

Let's consider "HealthTech Innovations", a company that develops health monitoring apps.

Public Cloud

This is like using a large, public library building in the city center that's owned and operated by a third party.

  • Usage: You rent space to place your books, and the library ensures that there's always enough shelf space. If you suddenly acquire thousands of new books, the library can accommodate.
  • Difference: You don't own the building or the shelves. You just pay for the space you need, and the library handles the cleaning, maintenance, and security.
  • Example: AWS, Azure, and Google Cloud offering you virtual machines or storage, which you can scale up or down based on your needs.
Private Cloud

This is like having a personal library room in your house.

  • Usage: You build the shelves and decide on the room's layout. You control who enters and know exactly where each book is.
  • Difference: You're responsible for all the maintenance, cleaning, and security. The space might be limited to the room's size, but you have total control over its contents and structure.
  • Example: A company having its own data centers, controlling every aspect of the infrastructure from the ground up. They'd invest more upfront, but they have complete control and privacy.
Hybrid Cloud

This is a blend. You have your personal library room at home, but you also rent space in the public library.

  • Usage: Rare books or very valuable ones stay at your home for safety. But newer or less sensitive books can be placed in the public library, where there's more space and where more people might access them.
  • Difference: You maintain your room, but the city library maintains the space you rent there. You decide which books go where based on sensitivity, value, or space requirements.
  • Example: A company might keep critical data on its own private servers (like customer personal data) but utilize the vast scalable resources of a public cloud for hosting their website or app, which doesn't store sensitive data.


Policy, Standards, Guidelines, Procedures

| Aspect | Policy | Standards | Procedures | Guidelines |
|---|---|---|---|---|
| Purpose | Provides a high-level statement of management intentions. It defines what needs to be done and why. | Specifies the use of specific technologies or methods. Defines how to meet policy. | Provides step-by-step instructions to achieve a specific task. | Provides recommendations or best practices, but they are not mandatory. |
| Level of Specificity | Broad and high-level. | More specific than policies but less detailed than procedures. | Very detailed and specific. | General suggestions and recommendations. |
| Mandatory? | Yes, for those within its scope. | Yes, if an organization chooses to adopt them. | Yes, for those performing the task. | No, they are optional. |
| Change Frequency | Low - Policies typically remain stable over time unless there's a significant change in business or law. | Moderate - Standards might change with technology evolution or new business needs. | High - Procedures can change frequently based on operational requirements. | Varies - Can change with evolving best practices, but not as frequently as procedures. |
| Example | "All users must authenticate before accessing company systems." | "Passwords must be at least 12 characters long and contain a mix of characters." | 1. Open authentication page. 2. Enter username. 3. Enter password. 4. Click 'Login'. | "It's a good practice to change passwords every 60 days to enhance security." |

The Most Important Question

To summarize how to think like a true manager/executive:

An effective manager avoids relying solely on their power - "do this because I told you so".

Self-inquiry is a critical part of the decision-making process. This involves asking the following key questions:

  1. Who is involved or affected?
  2. What is the task at hand?
  3. When does the issue need to be addressed?
  4. How should the issue be approached or resolved?

But what is the more important question we should be asking ourselves?

The most important question to ask is why. Asking why makes sure we consider all the essentials, such as cost/value and safety, and gets us thinking. It highlights the importance of focusing on management-level decisions and encourages critical thinking and being proactive.

Accreditation and source material

https://www.youtube.com/watch?v=vfC9OLsCqgk - large inspiration for structure and content