I've just done the cisa with a very good score and I can say one thing for sure: the mindset you're developing is the same as that for auditing. I started preparing for the CISSP a few days ago and I find it very similar to auditing. I hope to give you some good news in a few months' time.
I passed CCSP this week on my first attempt! You were absolutely right, this test is really technical but it also has a lot of managerial questions. There were numerous examples of where I clicked the technical answer "Implement DLP/other tooling" but then saw the "Employee background check" or some other people answer. Ended up switching answers on a lot of questions and passed :).
That is terrific news! Congratulations!! I believe you have to spot those manager answers when they do show up, otherwise it is very hard to pass this test. Beyond that you really need to understand cloud technology to get through this one!
Hi Gwen. I want to thank you for this, and all your videos on the CISSP. I passed my test today. Your insights, tips, tricks on techniques on how to approach questions and answers were invaluable. I found you to be correct, the vast majority of the questions could be answered from a management perspective ( a business & security management perspective). Thanks again!!
Thanks Gwen, I just passed CISSP provisionally yesterday and I appreciate your Video . Exam was totally different from the practice test but it helped 😂
I felt like I bombed CISSP last year and walked out with a pass! Today, I took CCSP and didn’t even get close…and didn’t feel like I did when I completed CISSP, which is to say Dread! Oh well, bought peace of mind and test again in September. Your classes taught me a lot though, so this is clearly my problem!
37:19 Indeed. Treat them with respect, support them, and make them loyal to your enterprise. If you want to be cynical about it, it’s safer and cheaper in the long run.
12:24 I don’t know much about it, but the MFA systems are not infallible. I was reading yesterday about Kerberos, and even I (not being particularly smart and definitely not knowledgeable) could see it’s vulnerable. What good is it to rely so much on an authentication server that checks credentials with a database that has had a SQL injection? The SSO that embodies the accessibility principle at the detriment of integrity and confidentiality (since when putting all your eggs in one basket is safe practice?). As I said, I don’t know all the terminology, but I hope you will understand the idea.
17:34 It is a genuinely good idea to make everyone (and I mean everyone) in an organisation more aware of risks, safety, and being money wise, BUT not at the detriment of other things. Money and technicalities of any safety system are contingent on threats, business landscape, how good you are at playing the money making game. Other things are not contingent on externalities. It’s like a human body- if its immunity is good, it can fend off all sorts of infections. Whereas your security paradigm is mostly reactive, for what I could gather, that’s why Zero Days happen. A virus in your system causes a devastating pandemic because your employees don’t know how to cyber wash their hands properly etc.
10:36 I wholeheartedly agree. But my definition of ‘wisely’ doesn’t fit with the common nonsense. What do you invest in? Expensive software, pentesting services, fancy physical security devices? How much less money would you have spent had you invested in people’s training and attitudes? That’s why I’m saying your paradigm is myopic.
26:20 That’s where the risks assessments are flawed. Take Mitre Att&ck which is a superb endeavour. It cannot help you assess unknown risks and prepare properly (maybe against script kiddies attacks and other small hacker fish). All you can reliably assess is your defences. What do all successful attacks have in common? Or, better put, why are they successful? (*Hint* the first and most important layer of the answer is non- technical).
13:37 Get your priorities right! First and foremost the human wellbeing which includes the lives of people in a hospital, so if you’re a boss who makes money off the backs of ill people, at least you could pay due diligence and part with a part of your profit to ensure that you don’t put their lives in danger by allowing a ransomware attack. Those money greedy CEOs should face criminal prosecution and not be allowed to settle in court by paying their weekly coffee budget.
27:33 There are sectors that should not be left at their own devices, at the whim of irresponsible corporate managers. Take the energy sector, transport, water supply, healthcare, telecommunications- they should be recognised for what they are i.e. critical infrastructure. Imagine a big water supply company being hacked into. Or a biolab database being compromised (modifying data would be worse than stealing it for corporate espionage purposes).
24:42 Yeah, video streaming. I was thinking about that, actually, when I read yesterday about UDP which I understand is much less safe than TCP. In all fairness, ensuring integrity via using HTTPS and TCP is kinda obsolete in the age of deepfakes. Maybe Communication science should not be divorced from the Information Technology. PS- I am not referring to your video. I don’t know who you really are, but I think that you are a highly intelligent lady with loads of experience. My criticism pertains to this damned test.
14:15 What is the average amount paid for a ransomware attack? I don’t know, let’s say $500,000. Spending $499,999 on developing your immunity to attacks by training and checking your staff’s attitudes and safety- related behaviour, sacking a few bad apples, and continuously helping the individuals to attain maturity and good posture is still cheaper.
0:53 I do, but I don’t like it. Which makes me doubt I will ever work for such managers. Is this test an empathy test? It should test knowledge, attitudes, and cognitive resilience. But not like that- not telling the candidates what they’re tested for. It’s patronising, disrespectful, and dishonest- are these qualities that are part of a manager’s job description? Now I know what job descriptions I will weed out.
5:45 I want to help them, but they don’t want to be helped because their big egos get in the way. Very well, then, suit yourselves. And talking about being rude- isn’t it rude to test people in a covert manner? Isn’t permission based on transparency the thing that makes the difference between pentesting and hacking? Why is psychological hacking, then, allowed? What are the candidates- criminals interrogated by FBI?
8:15 Lady, that’s nonsense. Had you discussed something confidential in this call you would have not allowed just everyone to join in, uploaded it on UA-cam, etc.
4:02 No. If you care about people, you care about your colleagues, your clients, and about your dumbarse CEO who has no clue about anything but the bank accounts and ‘networking’ whilst playing golf with other muppets in high positions. If you do care about people, you will do the technical bits related to security. If you don’t, you won’t. Even worse, not cultivating this attitude leads to inside threats. It’s an idiotic and myopic management strategy.
I've just done the cisa with a very good score and I can say one thing for sure: the mindset you're developing is the same as that for auditing. I started preparing for the CISSP a few days ago and I find it very similar to auditing. I hope to give you some good news in a few months' time.
There is definitely a common thread through these certs! Best of luck!
I passed CCSP this week on my first attempt! You were absolutely right, this test is really technical but it also has a lot of managerial questions. There were numerous examples of where I clicked the technical answer "Implement DLP/other tooling" but then saw the "Employee background check" or some other people answer. Ended up switching answers on a lot of questions and passed :).
That is terrific news! Congratulations!! I believe you have to spot those manager answers when they do show up, otherwise it is very hard to pass this test. Beyond that you really need to understand cloud technology to get through this one!
Thank you for the amazing content Gwen. These really helped get hang of the mindset. I have provisionally passed CISSP today.
Congratulations!!! So happy to have helped. 20 years of teaching CISSP I have found a few tricks that sure do help!
Hi Gwen. I want to thank you for this, and all your videos on the CISSP. I passed my test today. Your insights, tips, tricks on techniques on how to approach questions and answers were invaluable. I found you to be correct, the vast majority of the questions could be answered from a management perspective ( a business & security management perspective). Thanks again!!
Congratulations!!!! So glad you found my video before the test!
Thanks Gwen, I just passed CISSP provisionally yesterday and I appreciate your Video . Exam was totally different from the practice test but it helped 😂
Nice collection of tips! Also, Luke Ahmed has a book called How To Think Like a Manager which aspiring CISSPs might be interested in.
I do have a think like a manager video here on youtube as well
Great content. Watched your video yesterday and today I passed cissp. Thank you
Congratulations!!!!
Bookmarking 34:52 for remembering the order! Great video!!!
Thanks for that!
GREAT video on CISSP, CCSP test taking tips. It helps get my head on focused on how to approach the exam day
Awesome!
This video was the last one I watched and I passed today. Thanks Gwen
Congratulations!!!!
I felt like I bombed CISSP last year and walked out with a pass! Today, I took CCSP and didn’t even get close…and didn’t feel like I did when I completed CISSP, which is to say Dread! Oh well, bought peace of mind and test again in September. Your classes taught me a lot though, so this is clearly my problem!
Consider one of my live classes so that I can help you figure out where your thinking/logic/learning needs to go.
Great job as always, thank you for sharing.
Thank you! Cheers!
I came across this video. Im planning on taking the CISSP in 2 weeks. thanks for this. Hopefully it will help me.
Best of luck!
@@GwenBettwyTSI thank you.
I failed the CISSP test a year ago, and now have another year of studying. Will try for Jan-Feb again. Appreciate your videos.
Thank you and best wishes.
Did you pass ?
@@frob530 Hi, I am taking the exam April . Spending 2 years on this LOL. I want to know this material like there is no tomorrow 🙏
@@Dogrescuerules You pass? lol
Thanks Gwen, I passed my CISSP yesterday.
Congratulations!!!!
This is what I was told “put on your CEO hat” answer the question as CEO. Should the answer that down at make sense.
44:50 Two framed photos on the wall behind you caught my eye, maybe because I am a cocky lone wolf 😄
😊😊
appreciate ..,great it is helpings me lot
..,
You are most welcome.
This is GOLD!
Thanks for leaving a comment! I am glad it was helpful!
Excellent !
Glad you like it!
37:19 Indeed. Treat them with respect, support them, and make them loyal to your enterprise. If you want to be cynical about it, it’s safer and cheaper in the long run.
12:24 I don’t know much about it, but the MFA systems are not infallible.
I was reading yesterday about Kerberos, and even I (not being particularly smart and definitely not knowledgeable) could see it’s vulnerable. What good is it to rely so much on an authentication server that checks credentials with a database that has had a SQL injection? The SSO that embodies the accessibility principle at the detriment of integrity and confidentiality (since when putting all your eggs in one basket is safe practice?).
As I said, I don’t know all the terminology, but I hope you will understand the idea.
Thanks for the video! I passed CISSP 1st try on 140 questions
Congratulations!!!!!
17:34 It is a genuinely good idea to make everyone (and I mean everyone) in an organisation more aware of risks, safety, and being money wise, BUT not at the detriment of other things. Money and technicalities of any safety system are contingent on threats, business landscape, how good you are at playing the money making game. Other things are not contingent on externalities. It’s like a human body- if its immunity is good, it can fend off all sorts of infections. Whereas your security paradigm is mostly reactive, for what I could gather, that’s why Zero Days happen. A virus in your system causes a devastating pandemic because your employees don’t know how to cyber wash their hands properly etc.
Is it just me or it goes blank after 51:00?
Yes it does.
Can we get some CRISC videos from you? thanks
Maybe someday. I have never done anything with CRISC. I do have a risk book in the works... so maybe someday.
10:36 I wholeheartedly agree. But my definition of ‘wisely’ doesn’t fit with the common nonsense. What do you invest in? Expensive software, pentesting services, fancy physical security devices? How much less money would you have spent had you invested in people’s training and attitudes? That’s why I’m saying your paradigm is myopic.
26:20 That’s where the risks assessments are flawed. Take Mitre Att&ck which is a superb endeavour. It cannot help you assess unknown risks and prepare properly (maybe against script kiddies attacks and other small hacker fish).
All you can reliably assess is your defences. What do all successful attacks have in common? Or, better put, why are they successful? (*Hint* the first and most important layer of the answer is non- technical).
39:20 😃 I like your style.
13:37 Get your priorities right! First and foremost the human wellbeing which includes the lives of people in a hospital, so if you’re a boss who makes money off the backs of ill people, at least you could pay due diligence and part with a part of your profit to ensure that you don’t put their lives in danger by allowing a ransomware attack. Those money greedy CEOs should face criminal prosecution and not be allowed to settle in court by paying their weekly coffee budget.
27:33 There are sectors that should not be left at their own devices, at the whim of irresponsible corporate managers. Take the energy sector, transport, water supply, healthcare, telecommunications- they should be recognised for what they are i.e. critical infrastructure. Imagine a big water supply company being hacked into. Or a biolab database being compromised (modifying data would be worse than stealing it for corporate espionage purposes).
35:27 What for?
Just to pass this test or the GRC bit of an audit?…
4:41 Accessibility principle.
50:39 I wish. Unfortunately, small people like me are at the mercy of idiots, so it becomes personal.
9:43 Oh, so it is about people. Allegedly.
24:42 Yeah, video streaming. I was thinking about that, actually, when I read yesterday about UDP which I understand is much less safe than TCP. In all fairness, ensuring integrity via using HTTPS and TCP is kinda obsolete in the age of deepfakes. Maybe Communication science should not be divorced from the Information Technology.
PS- I am not referring to your video. I don’t know who you really are, but I think that you are a highly intelligent lady with loads of experience. My criticism pertains to this damned test.
14:15 What is the average amount paid for a ransomware attack? I don’t know, let’s say $500,000. Spending $499,999 on developing your immunity to attacks by training and checking your staff’s attitudes and safety- related behaviour, sacking a few bad apples, and continuously helping the individuals to attain maturity and good posture is still cheaper.
0:53 I do, but I don’t like it. Which makes me doubt I will ever work for such managers. Is this test an empathy test? It should test knowledge, attitudes, and cognitive resilience. But not like that- not telling the candidates what they’re tested for. It’s patronising, disrespectful, and dishonest- are these qualities that are part of a manager’s job description? Now I know what job descriptions I will weed out.
5:45 I want to help them, but they don’t want to be helped because their big egos get in the way. Very well, then, suit yourselves.
And talking about being rude- isn’t it rude to test people in a covert manner? Isn’t permission based on transparency the thing that makes the difference between pentesting and hacking? Why is psychological hacking, then, allowed? What are the candidates- criminals interrogated by FBI?
23:05 Accessibility or marketing? 😏 Up to this point you haven’t said anything confidential.
8:15 Lady, that’s nonsense. Had you discussed something confidential in this call you would have not allowed just everyone to join in, uploaded it on UA-cam,
etc.
4:02 No. If you care about people, you care about your colleagues, your clients, and about your dumbarse CEO who has no clue about anything but the bank accounts and ‘networking’ whilst playing golf with other muppets in high positions. If you do care about people, you will do the technical bits related to security. If you don’t, you won’t. Even worse, not cultivating this attitude leads to inside threats. It’s an idiotic and myopic management strategy.