Thinking Like a Manager: In Practice
If you’ve looked into earning your CISSP® certification, you have probably heard that one of the keys to success on the exam is “thinking like a manager.” It’s sage advice, but what does it actually mean, and how can a managerial perspective help you on test day?
Thinking like a manager involves three main considerations: senior management, financials, and personnel.
1. Senior Management
In a traditional organizational structure, CISSPs are the link between senior managers and front-line security practitioners. CISSPs communicate security progress, issues, and other updates up to management, which means they need to understand the perspective of the people they report to. That perspective is a high-level concern with how security controls support and improve business operations. Senior leaders care about security most when it is directly tied to business outcomes: revenue, cost, and risk to the mission.
With that in mind, let’s take a look at a sample CISSP question:
You are creating a Business Continuity Plan and presenting it to the Chief Technology Officer (CTO) for approval and endorsement. Which of the following is the most important element to be included in the plan?
A. Business Impact Analysis (BIA)
B. Business case
C. Regulatory and legal concerns
D. Threat analysis
We’ll give you an unhelpful hint: all four answers are reasonable. But there is one best answer, which is answer B, business case. A business case is the justification for a project or plan. It typically includes a cost/benefit analysis that articulates the business benefits of developing and executing the plan, which is exactly what a CTO needs in order to approve and endorse it. Senior leadership is also concerned with the BIA (Business Impact Analysis), which details the specific impact of threats on assets, but the BIA is a step in BCP (Business Continuity Plan) development that is carried out after management has approved the effort. Regulatory and legal concerns are important, but they are usually folded into the business case. When two answer choices overlap, pick the encompassing or “umbrella” answer. A threat analysis is also of interest to management, but management will eventually ask what plan you have in place to deal with an incident, and how much it will cost.
2. Financials
As we learned from the previous question, finance is the language of executives, so it should also be the language of CISSPs. If financial considerations (cost, benefit, and proportionality to the asset at risk) are built into security proposals from the start, the approval process moves faster and the resulting controls are easier to justify. With that in mind, try the question below:
What physical security implementation would you choose to secure a wiring closet?
A. Fingerprint scanner
B. Smart card reader
C. Chip and pin system
D. Combination padlock
Here’s a helpful hint: the right answer is the least expensive and least technical one. That is answer D, combination padlock. This isn’t to imply that wiring closets aren’t important; they are, since they give physical access to network cabling and switching gear. But in a properly layered defense, a padlock on the closet door is not your only control: the building perimeter, badge access to the floor, and monitoring all sit in front of it. When answering questions, think about justifying the cost to a senior manager. Only pick an expensive solution when it is necessary and proportional to the assets you are protecting.
3. Personnel
Personnel are the only asset that supersedes financial considerations, and every other consideration for that matter. Personnel safety is woven into several important CISSP exam topics, including risk assessments, BIAs, Disaster Recovery Plans, and physical security.
Check out the question below:
You are designing a server room that will host electrical equipment and security personnel. Which of the following types of glass should you implement in the room?
A. Bullet-proof glass
B. Tempered glass
C. Laminated glass
D. Wired glass
Your hobbies may not include glass blowing, but the answer is B, tempered glass. You may be grumbling that in this scenario you’d need to know specific glass types, but the point is that you need to understand these details so you can prioritize personnel safety. Tempered glass is the heat-treated glass used for car side and rear windows: when it breaks, it doesn’t shatter into large, sharp shards but crumbles into small, relatively harmless pieces. All of the other options are more secure against intrusion (laminated glass, the kind used in car windshields and ground-level storefronts, is extremely hard to break through because a plastic interlayer holds the pane together). But, remember, think about the safety of personnel over the security of equipment. In an emergency that requires evacuation, or when someone is thrown against a pane, tempered glass is the choice that best preserves human life.
4. A Managerial Exam
The CISSP® exam is challenging. A big part of what makes it hard is not the sheer volume of material you need to memorize (although there is plenty of that, too). Instead, it requires a shift in perspective: resisting the temptation to choose the most technical solution, and instead thinking like a senior manager who prioritizes business concerns, financials, and, above all, personnel safety.