I saw this post by Prabnair1 on Reddit, and just had to share it with my CISSP students.
- P – Policy & Strategy Level
- R – Risk-Based Decisions
- O – Operational Impact
- T – Technical Details (Last consideration)
For example:
A global organization experiences frequent system outages during patch deployments. The CISO needs to improve the patching process while minimizing business disruption. Which of the following approaches would BEST address this issue?
A. Implement automated patch deployment tools across all systems
B. Develop a risk-based patch management strategy with defined maintenance windows
C. Increase the frequency of patch deployments
D. Deploy redundant systems for failover during patching
ELIMINATION PROCESS:
Step 1: Apply Business-First Thinking
- Identify business impact (system outages, disruption)
- Consider strategic objectives (stability, availability)
Step 2: Eliminate Tactical/Technical-Only Solutions
- Eliminate A: Pure technical solution, no business consideration
- Eliminate C: Increases problem frequency, no strategic value
Step 3: Compare Remaining Options Through Risk Lens
- Option B: Strategic, risk-based, considers business impact
- Option D: Technical redundancy, costly, doesn't address the root cause
Step 4: Select Best Management-Level Solution
- Choose B: Provides strategic framework, considers business needs, manages risk
WHY B IS CORRECT:
- Strategic approach
- Risk-based decision making
- Considers business operations
- Provides management framework
- Balances security with business needs
Remember:
- Always choose strategic over tactical
- Risk-based over technical-only
- Business impact over technical capability
- Long-term solution over quick fix
My own guidance on thinking like a manager includes looking for answers that involve:
- Planning
- Policy
- Documentation
- Reporting
Also look for answers that are part of the Lifecycle Model:
- Planning
- Information gathering
- Design
- Implementation and testing
- Operation and maintenance (except perhaps this step – too technical and hands-on!)
- Review and update or end of life
Also look for answers that involve the Business Continuity Planning process:
NIST SP 800-34 Contingency Planning
- (Plan) Develop the contingency planning policy statement
- (Info Gathering) Conduct the Business Impact Analysis
- (Design) Identify and deploy preventive controls
- (Design) Create contingency strategies
- (Design) Develop an information system contingency plan
- (Implement and Test/Operation and Maintenance) Ensure plan testing, training, and exercises
- (Operation and Maintenance/Review and update) Ensure plan maintenance
Also recommended: Luke Ahmed’s book “How to Think Like a Manager for the CISSP”
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com