All I Really Need To Know About Cybersecurity I Learned in First Grade

Jung Lee, Head of Certification Preparation

After a 20 year career in different areas of education,  I enjoy the learning process and studying the latest developments in learning science. So, you could understand that when I had the opportunity to audit my son’s first grade class, I took it. I sat cross-legged next to my son and his classmates and listened the teacher explain the basic principles of first grade. As the instructor relayed the principles, I couldn’t help but notice that most all of the principles related to cybersecurity. So, if you’re studying for your CISSP right now, put down the CBK for a moment and get back to first grade basics.

Think of People First = Protect Your Greatest Asset

Several domains of the CISSP exam teach security practitioners about the importance of protecting critical assets. And CISSPs learn early and often that no technology or data is as critical as human life. Indeed, the priority of nearly every emergency response plan is to ensure employee safety.
The teacher’s admonishment to the class, “safety first,” is the same lesson that CISSP exam content stresses when it discusses Disaster Recovery Plans and Business Continuity Plans.

Two Wrongs Don’t Make a Right = Don’t Hack Back

We’ve all been there: You’re on the playground, minding your own business, when the class bully comes over to incite a scuffle. You wonder if you should fight back one of these days. Maybe then the bully will finally leave you alone.
To translate this analogy into CISSP terms: The school bully isn’t a fellow 6-year-old trying to steal your lunch money – it’s Russia, and they’re coming for your organization’s intellectual property. Believe it or not, the same rules from first grade apply to this situation: two wrongs don’t make a right. As a security practitioner, it’s not your job to “hack back” against attackers. In fact, the course of action you should pursue is pretty similar to grade school, too: alert the proper authorities.

Follow the Class Rules = Have Established Policies and Procedures

CISSP exam content is full of circular diagrams and process lists. These cycles are crucial, because they are used by cybersecurity professionals to codify security protocols and help make order out of chaos. For example, the software development lifecycle provides clear and logical steps for creating and reviewing code. When the process is closely followed by a development team, it leads to a product that’s functional and meets security standards.
Same goes for class rules. There are rules for everything: How to line up for the bathroom, where to put backpacks, and how to get the teacher’s attention during class. These rules ensure there is order and there is a process to accomplish things. This makes for a more efficient and less chaotic classroom, two goals shared by security professionals.

Get the Teacher’s Permission = Get Explicit Approval from Senior Management

Speaking of rules, there is one school rule that is perhaps more important than all the others: Before doing anything, notify and get permission from the teacher. Want to play a board game? Ask the teacher. Want to use the bathroom? Ask the teacher.
Security professionals know the feeling. Since security should enable, not hinder, business objectives, security professional need to check with senior business leaders before implementing any security control. Senior management buy-in gives security measures credibility, authority, accountability, and legitimacy. For example, if you are conducting a pen test on your company’s new web server, the first, more important step is to get explicit approval. Approval usually comes in the form of an SLA or other formal documentation. Without documentation, your pen test is illegal. Indeed, the only difference between a pen tester and a hacker is permission.

1 + 1 is 2 = Defense in Depth

If you take two amounts and combine them, then you have more than you did before. This basic math teaches first graders that there is strength in numbers and that combination is a way to improve upon the individual things you do have.
The concept of defense in depth – also known as layered security – also involves combining solutions to create an environment that was more secure than before. Think about an office building, for example. To improve security, you could post a guard by the main entrance, require a badge to call an elevator, log footage using CCTV, lock the server room door, and require a biometric palm reader to open it. These security solutions work together to improve the organization’s overall security posture and provide back-up security controls in case one control goes down or is bypassed by an attacker.

Cleanliness = Security

In the classroom, it’s important to be tidy. This keeps things clean, organized, and teaches the important life skill of not being a slob.
Tidiness is also a friend of security. The Clean Desk Policy, in the security world, removes the amount of clutter and items on employees’ desks. This is important because some clutter, such as access cards, sensitive papers, and file cabinet keys, is of value to attackers. Clearing your desk of these items helps keeps information protected because it reduces the likelihood of theft and information disclosure.
This theme of cleanliness is why the phrase “cyber hygiene” has come to mean good online security behavior. Indeed, the health of an organization and classroom’s assets depends on user responsibility, accountability, awareness, training, and direction from senior management.

Be a CISSP, Not a Script Kiddie

I want you to come away from my blog post realizing that CISSP content can be linked to other, more familiar parts of your life. Making the content relatable is a great strategy to make it more digestible and easier to remember, one of the many learning science lessons we teach in our CISSP Prep Course. To learn more or enroll in one of our upcoming courses, click here.