Cert Week – Think Like Manager Elimination Process Might Help

I saw this post by Prabnair1 on Reddit, and just had to share it with my CISSP students.


MANAGERIAL MINDSET FRAMEWORK that I follow for the ISC2 exam only
  1. P – Policy & Strategy Level
  2. R – Risk-Based Decisions
  3. O – Operational Impact
  4. T – Technical Details (Last consideration)

For Example

A global organization experiences frequent system outages during patch deployments. The CISO needs to improve the patching process while minimizing business disruption. Which of the following approaches would BEST address this issue?

A. Implement automated patch deployment tools across all systems

B. Develop a risk-based patch management strategy with defined maintenance windows

C. Increase the frequency of patch deployments

D. Deploy redundant systems for failover during patching

ELIMINATION PROCESS:

Step 1: Apply Business-First Thinking

  • Identify business impact (system outages, disruption)
  • Consider strategic objectives (stability, availability)

Step 2: Eliminate Tactical/Technical-Only Solutions

  • Eliminate A: Pure technical solution, no business consideration
  • Eliminate C: Increases problem frequency, no strategic value

Step 3: Compare Remaining Options Through Risk Lens

  • Option B: Strategic, risk-based, considers business impact
  • Option D: Technical redundancy, costly, doesn’t address root cause

Step 4: Select Best Management-Level Solution

  • Choose B: Provides strategic framework, considers business needs, manages risk

WHY B IS CORRECT:

  • Strategic approach
  • Risk-based decision making
  • Considers business operations
  • Provides management framework
  • Balances security with business needs

Remember:

  • Always choose strategic over tactical
  • Risk-based over technical-only
  • Business impact over technical capability
  • Long-term solution over quick fix

My own guidance on thinking like a manager includes looking for answers that involve:

  • Planning
  • Policy
  • Documentation
  • Reporting

Also look for answers that are part of the Lifecycle Model:

  • Planning
  • Information gathering
  • Design
  • Implementation and testing
  • Operation and maintenance (except perhaps this step – too technical and hands on!)
  • Review and update or end of life

Also look for answers that involve the Business Continuity Planning process:

NIST SP 800-34 Contingency Planning

  • (Plan) Develop the contingency planning policy statement
  • (Info Gathering) Conduct the Business Impact Analysis
  • (Design) Identify and deploy preventive controls
  • (Design) Create contingency strategies
  • (Design) Develop an information system contingency plan
  • (Implement and Test/Operation and Maintenance) Ensure plan testing, training, and exercises
  • (Operation and Maintenance/Review and update) Ensure plan maintenance

Also recommended: Luke Ahmed’s book “How to Think Like a Manager for the CISSP”


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
