Cert Week – Think Like a Manager

By Madura Malwatte

Posted on LinkedIn and Reddit

“Think like a manager” – a phrase synonymous with the CISSP

For those who come from a technical background, cultivating the appropriate mindset is crucial when tackling the CISSP. Answering the exam questions solely from a technical standpoint, delving too deeply into problem-solving specifics, may lead to an unsuccessful outcome.

I’ve curated a list of ESSENTIAL TIPS to consider from valuable content accessible on YouTube and other sources.

1. Human safety comes first
2. Order of choice: People > Process > Technology
3. All decisions start with risk management, which begins with evaluating assets
4. There is no security department without the business
5. Pick the most broad/high-level answer
6. Which choice would senior management/CISO choose?
7. Separate the answer choices into:
– the manager answer
– the technical answer
8. You are an advisor, not a technician. Don’t fix problems.
9. Don’t spend $10 to save $5. Look for the cost-justified / cost-benefit answer (is it value for money?).
10. Security should meet business goals, which means “just enough” security
11. Does one choice do some or all of the other choices?
12. If you pick one choice, you can’t do the other choices
13. The better answer is the one that is:
– more general
– more attuned to risk
– better on cost-impact/cost-benefit
14. Of the CIA triad, Availability (criticality) is the better choice
15. If the question asks for a “goal”, eliminate the answer choices that are activities
16. “Prevent” means stop something from even getting a chance to happen
17. Incorporate security into the design – early in the SDLC, not an add-on for later
18. Think high-level and end-game – risk, policy, governance, the business, etc.
19. Justify your answer
20. Don’t add more info to the question

I had this note posted on the wall between my desk and surfboard for a constant reminder (includes a special unicorn smiley my daughter made to go with it).

Luke Ahmed, Andrew Ramdayal, Kelly Handerhan, Guenevere (Gwen) Bettwy, Larry Greenblatt, Prabh Nair

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
