WEBVTT

1
00:00:00.160 --> 00:00:02.680
<v Speaker 1>Welcome to our latest deep dive. I want you to

2
00:00:02.720 --> 00:00:07.400
<v Speaker 1>imagine an employee at a rapidly growing logistics company, right,

3
00:00:08.039 --> 00:00:10.640
<v Speaker 1>and they just happen to type an extra zero into

4
00:00:10.679 --> 00:00:11.599
<v Speaker 1>a shipping database.

5
00:00:11.720 --> 00:00:13.199
<v Speaker 2>Oh, happens all the time, right.

6
00:00:13.080 --> 00:00:17.160
<v Speaker 1>So suddenly a routine three hundred dollar vendor payment just

7
00:00:17.280 --> 00:00:21.640
<v Speaker 1>magically becomes a three thousand dollar hemorrhage. Or picture a

8
00:00:21.640 --> 00:00:25.120
<v Speaker 1>startup that just landed this massive enterprise client, only to

9
00:00:25.160 --> 00:00:28.559
<v Speaker 1>lose the entire contract because their lead developers stored the

10
00:00:28.600 --> 00:00:33.439
<v Speaker 1>client's proprietary data on you know, a public cloud server

11
00:00:34.000 --> 00:00:36.560
<v Speaker 1>open to anyone on the Internet. Exactly, anyone could access it.

12
00:00:36.759 --> 00:00:38.880
<v Speaker 1>So when you hear the word cybersecurity, your mind probably

13
00:00:38.960 --> 00:00:41.799
<v Speaker 1>jumps straight to, I don't know, hooded hackers in dark

14
00:00:41.840 --> 00:00:43.640
<v Speaker 1>basements breaking into mainframes.

15
00:00:43.719 --> 00:00:45.799
<v Speaker 2>You have a classic movie trope, right.

16
00:00:45.679 --> 00:00:49.240
<v Speaker 1>But the reality of actual organizational survival is well, it's

17
00:00:49.320 --> 00:00:52.119
<v Speaker 1>far less theatrical and infinitely more structural.

18
00:00:52.200 --> 00:00:53.600
<v Speaker 2>It really is. To actually

19
00:00:53.240 --> 00:00:55.880
<v Speaker 1>protect a business in the modern world, we have to

20
00:00:55.920 --> 00:00:59.280
<v Speaker 1>look past the firewalls and the malware. So your mission

21
00:00:59.280 --> 00:01:02.679
<v Speaker 1>for today's deep dive is to master the fundamental language

22
00:01:02.679 --> 00:01:06.680
<v Speaker 1>and architecture of cybersecurity, which is so crucial,

23
00:01:06.920 --> 00:01:09.319
<v Speaker 1>whether you are stepping up to lead an IT department

24
00:01:09.799 --> 00:01:13.000
<v Speaker 1>or you just want to understand why your company's, you know,

25
00:01:13.120 --> 00:01:17.640
<v Speaker 1>seemingly frustrating security policies, operate the way they do. We

26
00:01:17.680 --> 00:01:20.120
<v Speaker 1>are going to cut through the noise and give you

27
00:01:20.159 --> 00:01:22.760
<v Speaker 1>the ultimate shortcut to being well informed.

28
00:01:23.159 --> 00:01:26.840
<v Speaker 2>And our roadmap for this comes from a truly authoritative text.

29
00:01:27.319 --> 00:01:30.239
<v Speaker 2>We're pulling insights today from the CISSP All in

30
00:01:30.280 --> 00:01:34.319
<v Speaker 2>One Exam Guide, eighth edition, by Shon Harris and Fernando Maymí.

31
00:01:34.239 --> 00:01:35.920
<v Speaker 1>A massive book, by the way. Oh, it's

32
00:01:35.840 --> 00:01:38.760
<v Speaker 2>huge. And within the industry, this isn't just some exam

33
00:01:38.799 --> 00:01:41.760
<v Speaker 2>prep manual, you know. It is often referred to as

34
00:01:41.760 --> 00:01:42.719
<v Speaker 2>a golden Bible.

35
00:01:42.959 --> 00:01:45.239
<v Speaker 1>Wow, a golden Bible.

36
00:01:45.319 --> 00:01:47.560
<v Speaker 2>Yeah, because the frameworks and the concepts laid out in

37
00:01:47.560 --> 00:01:51.519
<v Speaker 2>this book they provide the strategic, operational, and tactical blueprint

38
00:01:51.920 --> 00:01:55.000
<v Speaker 2>used to secure vital corporate and government networks globally.

39
00:01:55.159 --> 00:01:58.359
<v Speaker 1>I mean, reviewers literally credit the methodologies in this book

40
00:01:58.439 --> 00:02:02.000
<v Speaker 1>with preventing tens of thousands of catastrophic breaches. So okay,

41
00:02:02.079 --> 00:02:05.319
<v Speaker 1>let's unpack this. Because to defend any system, whether it's

42
00:02:05.359 --> 00:02:07.680
<v Speaker 1>a global bank or just a mid sized tech startup.

43
00:02:07.879 --> 00:02:10.439
<v Speaker 1>You have to know exactly what you are protecting, right.

44
00:02:10.479 --> 00:02:12.240
<v Speaker 2>You need a baseline.

45
00:02:11.759 --> 00:02:16.360
<v Speaker 1>Exactly, and more importantly, you need a precise, agreed upon language.

46
00:02:16.800 --> 00:02:19.639
<v Speaker 1>Without that, I mean a business is just throwing money

47
00:02:19.639 --> 00:02:22.000
<v Speaker 1>at software while leaving the back door wide open.

48
00:02:22.159 --> 00:02:25.080
<v Speaker 2>And the bedrock of that shared language is something called

49
00:02:25.120 --> 00:02:26.479
<v Speaker 2>the AIC triad.

50
00:02:26.719 --> 00:02:29.560
<v Speaker 1>The AIC triad. Right, every

51
00:02:29.319 --> 00:02:32.680
<v Speaker 2>single security control a company implements is ultimately trying to

52
00:02:32.719 --> 00:02:38.159
<v Speaker 2>provide one or more of these three core protections, availability, integrity,

53
00:02:38.280 --> 00:02:39.400
<v Speaker 2>and confidentiality.

54
00:02:39.680 --> 00:02:42.039
<v Speaker 1>So let's break those down. Availability is the one people

55
00:02:42.039 --> 00:02:45.439
<v Speaker 1>often forget about until, well, until it's completely

56
00:02:45.080 --> 00:02:46.840
<v Speaker 2>gone, usually when the service crashes. Right.

57
00:02:46.960 --> 00:02:50.879
<v Speaker 1>This is all about reliable, timely access to data and resources.

58
00:02:50.960 --> 00:02:53.879
<v Speaker 1>So if an e commerce platform goes down on Black

59
00:02:53.919 --> 00:02:56.479
<v Speaker 1>Friday because of a server crash and they had no backup,

60
00:02:56.800 --> 00:02:58.639
<v Speaker 1>that is a massive availability failure.

61
00:02:58.759 --> 00:03:01.759
<v Speaker 2>The business might be technically secure from theft, but they

62
00:03:01.800 --> 00:03:03.879
<v Speaker 2>are bleeding money by the second. Exactly.

63
00:03:04.000 --> 00:03:06.719
<v Speaker 1>Then you have integrity, which ties directly back to that

64
00:03:06.759 --> 00:03:08.080
<v Speaker 1>opening scenario I mentioned.

65
00:03:08.080 --> 00:03:11.080
<v Speaker 2>With the extra zero, you have the logistics company. Integrity

66
00:03:11.120 --> 00:03:15.479
<v Speaker 2>ensures the accuracy and reliability of information. It prevents unauthorized

67
00:03:15.560 --> 00:03:19.080
<v Speaker 2>or even just accidental changes. So stopping the typo? Precisely,

68
00:03:19.960 --> 00:03:22.639
<v Speaker 2>it's the assurance that the data hasn't been tampered with

69
00:03:22.719 --> 00:03:26.520
<v Speaker 2>in transit or altered by an untrained employee. If your

70
00:03:26.560 --> 00:03:29.800
<v Speaker 2>financial database lacks integrity, I mean the entire company is

71
00:03:29.800 --> 00:03:30.520
<v Speaker 2>flying blind.

72
00:03:30.919 --> 00:03:34.599
<v Speaker 1>That makes total sense. And finally, confidentiality. This is the

73
00:03:34.639 --> 00:03:38.639
<v Speaker 1>secrecy aspect, right? Preventing unauthorized disclosure.

74
00:03:38.759 --> 00:03:41.080
<v Speaker 2>It's what most people think of when they hear cybersecurity.

75
00:03:41.280 --> 00:03:44.879
<v Speaker 1>Right, keeping the secret secret. It's ensuring that an automated

76
00:03:44.879 --> 00:03:48.199
<v Speaker 1>bot can't just scrape your customer list. But it also

77
00:03:48.240 --> 00:03:51.240
<v Speaker 1>applies to the physical world, which I found super interesting

78
00:03:51.240 --> 00:03:53.719
<v Speaker 1>in the text. A classic example the book brings up

79
00:03:53.759 --> 00:03:54.759
<v Speaker 1>is shoulder surfing.

80
00:03:54.919 --> 00:03:56.879
<v Speaker 2>Oh yeah, the coffee shop scenario.

81
00:03:56.560 --> 00:03:59.960
<v Speaker 1>Exactly where someone literally stands behind an executive at a coffee

82
00:04:00.039 --> 00:04:03.560
<v Speaker 1>shop and just reads sensitive emails right off their laptop screen.

83
00:04:03.800 --> 00:04:07.319
<v Speaker 2>It's so low tech but highly effective. And once an

84
00:04:07.400 --> 00:04:14.080
<v Speaker 2>organization understands that they are protecting those three pillars availability, integrity, confidentiality,

85
00:04:14.680 --> 00:04:17.040
<v Speaker 2>they have to define what actually threatens them.

86
00:04:17.079 --> 00:04:20.240
<v Speaker 1>And this is where corporate communication usually completely breaks down,

87
00:04:20.279 --> 00:04:20.680
<v Speaker 1>doesn't it?

88
00:04:20.959 --> 00:04:24.959
<v Speaker 2>Oh, entirely. People throw around words like risk and threat

89
00:04:25.319 --> 00:04:27.879
<v Speaker 2>as if they mean the exact same thing, but they're

90
00:04:28.000 --> 00:04:30.319
<v Speaker 2>entirely different stages of a disaster.

91
00:04:30.600 --> 00:04:32.879
<v Speaker 1>So what's the actual vocabulary we need to use?

92
00:04:33.079 --> 00:04:38.199
<v Speaker 2>The core terms we need to isolate are vulnerability, threat, risk, exposure,

93
00:04:38.360 --> 00:04:39.000
<v Speaker 2>and control.

94
00:04:39.120 --> 00:04:41.959
<v Speaker 1>Okay, let's apply these to a modern business scenario to

95
00:04:41.959 --> 00:04:46.040
<v Speaker 1>see how they actually interact. So imagine a rapidly growing

96
00:04:46.079 --> 00:04:49.839
<v Speaker 1>software company that uses cloud storage buckets for their client data.

97
00:04:49.920 --> 00:04:53.399
<v Speaker 1>Good example. A vulnerability is just a flaw or weakness,

98
00:04:53.480 --> 00:04:57.439
<v Speaker 1>right in this case, maybe an engineer accidentally leaves a

99
00:04:57.480 --> 00:05:00.839
<v Speaker 1>storage bucket misconfigured, no password protection.

100
00:05:00.639 --> 00:05:03.879
<v Speaker 2>Just sitting there open, and the threat is the entity

101
00:05:03.920 --> 00:05:06.720
<v Speaker 2>that could exploit that weakness. So say an automated web

102
00:05:06.759 --> 00:05:10.199
<v Speaker 2>scraping bot constantly scouring the Internet for open data buckets.

103
00:05:10.240 --> 00:05:12.720
<v Speaker 1>But notice that the vulnerability the open bucket, and the

104
00:05:12.720 --> 00:05:16.319
<v Speaker 1>threat the bot. They exist completely independently of the actual

105
00:05:16.360 --> 00:05:17.639
<v Speaker 1>business impact.

106
00:05:17.519 --> 00:05:21.240
<v Speaker 2>Exactly, And that is where risk comes into play. Risk

107
00:05:21.519 --> 00:05:26.199
<v Speaker 2>is the mathematical probability that the scraping bot actually finds

108
00:05:26.360 --> 00:05:31.319
<v Speaker 2>your specific misconfigured bucket, combined with the financial and reputational

109
00:05:31.399 --> 00:05:34.439
<v Speaker 2>damage of losing that specific client data.

110
00:05:34.519 --> 00:05:38.560
<v Speaker 1>So if the bucket only contains like public press releases,

111
00:05:38.600 --> 00:05:41.680
<v Speaker 1>that are already on your website. The vulnerability is the same,

112
00:05:41.959 --> 00:05:43.680
<v Speaker 1>but the risk is virtually

113
00:05:43.319 --> 00:05:45.839
<v Speaker 2>zero, because the impact is zero. Who cares if they

114
00:05:45.839 --> 00:05:47.000
<v Speaker 2>steal a public press

115
00:05:46.720 --> 00:05:50.600
<v Speaker 1>release, right. But if that bucket contains proprietary source code,

116
00:05:50.639 --> 00:05:51.879
<v Speaker 1>the risk is catastrophic.

117
00:05:51.959 --> 00:05:55.160
<v Speaker 2>And then exposure is the actual instance of loss. It's

118
00:05:55.160 --> 00:05:58.079
<v Speaker 2>the moment the bot downloads the code and the damage

119
00:05:58.079 --> 00:05:58.959
<v Speaker 2>is officially

120
00:05:58.600 --> 00:05:59.759
<v Speaker 1>done. Game over, right.

121
00:06:00.120 --> 00:06:03.160
<v Speaker 2>To prevent that exposure, the organization has to implement a

122
00:06:03.160 --> 00:06:06.800
<v Speaker 2>control or a countermeasure. Like what? Well, this could be

123
00:06:06.800 --> 00:06:10.160
<v Speaker 2>an automated script that constantly scans the company's cloud infrastructure

124
00:06:10.160 --> 00:06:12.639
<v Speaker 2>and instantly locks down any open buckets it finds.

125
00:06:12.720 --> 00:06:17.079
<v Speaker 1>Okay, now, speaking of countermeasures, the source outlines this deeply

126
00:06:17.160 --> 00:06:20.120
<v Speaker 1>flawed mindset that businesses fall into when they try to

127
00:06:20.160 --> 00:06:23.279
<v Speaker 1>design these controls. It's called security through obscurity.

128
00:06:23.360 --> 00:06:25.199
<v Speaker 2>Oh yeah, a terrible idea.

129
00:06:25.279 --> 00:06:28.199
<v Speaker 1>It's literally the equivalent of hiding your house key under

130
00:06:28.199 --> 00:06:30.360
<v Speaker 1>a fake rock on the porch and just assuming a

131
00:06:30.360 --> 00:06:33.439
<v Speaker 1>burglar won't notice it. In the tech world, the text

132
00:06:33.439 --> 00:06:36.240
<v Speaker 1>gives the example of an administrator changing a network port

133
00:06:36.279 --> 00:06:40.639
<v Speaker 1>from the standard port eighty to say port eighty eighty, just.

134
00:06:40.600 --> 00:06:43.519
<v Speaker 2>Hoping that malicious actors simply won't find the traffic because

135
00:06:43.519 --> 00:06:44.439
<v Speaker 2>it's slightly hidden.

136
00:06:44.639 --> 00:06:44.839
<v Speaker 1>Right.

137
00:06:45.120 --> 00:06:48.879
<v Speaker 2>What's fascinating here is how this mindset fundamentally misunderstands the

138
00:06:48.920 --> 00:06:53.160
<v Speaker 2>modern threat landscape. I mean, security through obscurity relies on

139
00:06:53.199 --> 00:06:57.040
<v Speaker 2>the assumption that your adversary is lazy or less intelligent than

140
00:06:56.959 --> 00:06:59.439
<v Speaker 1>you are, just rarely the case. Exactly.

141
00:06:59.279 --> 00:07:03.759
<v Speaker 2>In reality, attackers use automated port scanners and protocol analyzers

142
00:07:03.800 --> 00:07:07.079
<v Speaker 2>that will detect traffic on port eighty eighty in milliseconds.

143
00:07:07.480 --> 00:07:09.240
<v Speaker 2>It doesn't hide anything from a machine.

144
00:07:09.399 --> 00:07:12.279
<v Speaker 1>Or like a company deciding to write its own proprietary

145
00:07:12.360 --> 00:07:14.800
<v Speaker 1>encryption algorithm, thinking well, if no one knows how the

146
00:07:14.839 --> 00:07:16.360
<v Speaker 1>math works, no one can break it.

147
00:07:16.360 --> 00:07:20.800
<v Speaker 2>Which inevitably ends in absolute disaster. Highly motivated adversaries have

148
00:07:20.879 --> 00:07:25.800
<v Speaker 2>sophisticated reverse engineering tools. They will just deconstruct a homegrown algorithm,

149
00:07:26.399 --> 00:07:28.879
<v Speaker 2>find the mathematical flaws, and exploit them.

150
00:07:28.759 --> 00:07:30.040
<v Speaker 1>Because they always have flaws.

151
00:07:30.240 --> 00:07:35.480
<v Speaker 2>Always. True robust security relies on Kerckhoffs's principle. This is

152
00:07:35.519 --> 00:07:38.560
<v Speaker 2>the idea that a system should be secure even if

153
00:07:38.680 --> 00:07:43.399
<v Speaker 2>everything about the system except the key itself is public knowledge.

154
00:07:43.519 --> 00:07:47.560
<v Speaker 2>You have to rely on proven, peer reviewed, industry standard algorithms,

155
00:07:47.959 --> 00:07:49.680
<v Speaker 2>not on hiding your flaws.

156
00:07:49.319 --> 00:07:51.920
<v Speaker 1>in the dark, right, because hiding in the dark doesn't work,

157
00:07:51.959 --> 00:07:54.759
<v Speaker 1>so we have to actively build defenses. But a single

158
00:07:54.800 --> 00:07:58.279
<v Speaker 1>control like that automated bucket scanner we talked about, isn't enough,

159
00:07:58.360 --> 00:07:58.639
<v Speaker 1>is it?

160
00:07:58.680 --> 00:08:01.199
<v Speaker 2>No, not at all, because if the scanner fails or

161
00:08:01.199 --> 00:08:04.639
<v Speaker 2>an employee bypasses it, the system is completely exposed again.

162
00:08:04.800 --> 00:08:07.839
<v Speaker 1>And that's where the text introduces the concept of defense

163
00:08:07.959 --> 00:08:10.600
<v Speaker 1>in depth. This is basically the practice of layering your

164
00:08:10.600 --> 00:08:11.680
<v Speaker 1>protection. Exactly.

165
00:08:12.040 --> 00:08:15.160
<v Speaker 2>You want to introduce calculated friction. The logic is that

166
00:08:15.199 --> 00:08:19.800
<v Speaker 2>an adversary has to defeat multiple distinct, overlapping mechanisms just

167
00:08:19.839 --> 00:08:23.360
<v Speaker 2>to reach the critical asset. The source categorizes these layers

168
00:08:23.360 --> 00:08:27.120
<v Speaker 2>into three main types, administrative, technical, and physical.

169
00:08:27.319 --> 00:08:31.319
<v Speaker 1>I found the administrative controls fascinating because they are basically

170
00:08:31.600 --> 00:08:34.720
<v Speaker 1>the psychological and procedural layers. Right. These are your corporate

171
00:08:34.759 --> 00:08:39.480
<v Speaker 1>security policies, your mandatory pre employment background checks, the annual

172
00:08:39.519 --> 00:08:40.720
<v Speaker 1>security awareness training.

173
00:08:40.759 --> 00:08:42.399
<v Speaker 2>They dictate human behavior, right.

174
00:08:42.799 --> 00:08:46.200
<v Speaker 1>And then technical or logical controls are the software and

175
00:08:46.279 --> 00:08:53.240
<v Speaker 1>hardware enforcing those policies. Firewalls, encryption protocols, multi factor authentication.

176
00:08:52.879 --> 00:08:54.600
<v Speaker 2>Intrusion detection systems, all the

177
00:08:54.559 --> 00:08:58.120
<v Speaker 1>tech stuff. Exactly. And then physical controls are exactly what

178
00:08:58.159 --> 00:09:01.279
<v Speaker 1>they sound like. They're the literal barriers protecting the actual

179
00:09:01.279 --> 00:09:01.879
<v Speaker 1>hardware and

180
00:09:01.840 --> 00:09:06.759
<v Speaker 2>personnel. Fences, biometric locks on data center doors, security guards,

181
00:09:06.919 --> 00:09:07.720
<v Speaker 2>and mantraps.

182
00:09:08.000 --> 00:09:11.480
<v Speaker 1>So within those three types, these controls have specific jobs

183
00:09:11.600 --> 00:09:15.080
<v Speaker 1>or functionalities. According to the book, preventive controls try to

184
00:09:15.159 --> 00:09:18.879
<v Speaker 1>stop an incident before it happens. Detective controls identify that

185
00:09:18.919 --> 00:09:22.440
<v Speaker 1>an incident is currently happening or has happened. Corrective controls

186
00:09:22.480 --> 00:09:23.639
<v Speaker 1>fix the damage.

187
00:09:23.279 --> 00:09:24.840
<v Speaker 2>And don't forget deterrent controls.

188
00:09:25.000 --> 00:09:29.320
<v Speaker 1>Oh right. Deterrent controls discourage the attacker from even trying

189
00:09:29.360 --> 00:09:32.399
<v Speaker 1>in the first place, like a massive warning banner on

190
00:09:32.440 --> 00:09:35.919
<v Speaker 1>a login screen stating that unauthorized access will be prosecuted.

191
00:09:36.039 --> 00:09:37.360
<v Speaker 2>Yeah, just trying to scare them off.

192
00:09:37.639 --> 00:09:40.799
<v Speaker 1>And then there are compensating controls. Now, okay, I have

193
00:09:40.840 --> 00:09:42.919
<v Speaker 1>to push back on the text's definition of this one

194
00:09:42.960 --> 00:09:45.679
<v Speaker 1>because it honestly tripped me up initially. Well, if a

195
00:09:45.720 --> 00:09:48.639
<v Speaker 1>fence and an armed security guard both serve the exact

196
00:09:48.679 --> 00:09:52.320
<v Speaker 1>same function keeping people out of a restricted area, why

197
00:09:52.440 --> 00:09:55.039
<v Speaker 1>is the fence classified as a compensating control?

198
00:09:55.399 --> 00:09:58.679
<v Speaker 2>Ah, I see why that's confusing. It really comes

199
00:09:58.720 --> 00:10:02.080
<v Speaker 2>down to the realities of corporate governance and budgetary constraints.

200
00:10:03.080 --> 00:10:06.639
<v Speaker 2>A compensating control is not just a random alternative. It

201
00:10:06.720 --> 00:10:10.600
<v Speaker 2>is a formalized substitute when a primary requirement simply cannot

202
00:10:10.600 --> 00:10:14.240
<v Speaker 2>be met. Okay. So suppose a company's risk assessment dictates

203
00:10:14.279 --> 00:10:17.120
<v Speaker 2>that the strict physical security of an armed guard is

204
00:10:17.159 --> 00:10:19.919
<v Speaker 2>the required primary control for a specific facility.

205
00:10:20.039 --> 00:10:21.159
<v Speaker 1>Right, the guard is plan A.

206
00:10:21.440 --> 00:10:24.200
<v Speaker 2>But then the CFO looks at the quarterly budget and says, yeah,

207
00:10:24.240 --> 00:10:26.720
<v Speaker 2>we absolutely cannot afford a full time guard rotation.

208
00:10:27.120 --> 00:10:29.960
<v Speaker 1>But the risk doesn't magically disappear just because the budget

209
00:10:30.000 --> 00:10:31.000
<v Speaker 1>is tight. Exactly.

210
00:10:31.320 --> 00:10:35.080
<v Speaker 2>The organization still has to implement an alternative that provides

211
00:10:35.120 --> 00:10:39.600
<v Speaker 2>a comparable level of mitigation. So the fence compensates for

212
00:10:39.639 --> 00:10:42.120
<v Speaker 2>the lack of the guard. Oh, I get it now,

213
00:10:42.200 --> 00:10:45.320
<v Speaker 2>And technologically it is the same thing. If a legacy

214
00:10:45.320 --> 00:10:50.000
<v Speaker 2>business application absolutely requires an outdated, vulnerable protocol to

215
00:10:50.080 --> 00:10:53.879
<v Speaker 2>communicate through the firewall, the security team can't just block

216
00:10:53.720 --> 00:10:55.600
<v Speaker 1>it, because it would break the business, right.

217
00:10:55.960 --> 00:10:59.679
<v Speaker 2>Instead, they might set up an isolated proxy server specifically

218
00:10:59.759 --> 00:11:03.480
<v Speaker 2>to monitor and filter that traffic. The proxy is the

219
00:11:03.480 --> 00:11:05.000
<v Speaker 2>compensating control.

220
00:11:05.000 --> 00:11:09.399
<v Speaker 1>That reframes it perfectly. It's a calculated, documented compromise. And

221
00:11:09.480 --> 00:11:12.879
<v Speaker 1>the real magic is how all these functionalities harmonize. You

222
00:11:12.919 --> 00:11:16.200
<v Speaker 1>build a preventive model, but you support it with detective

223
00:11:16.240 --> 00:11:19.120
<v Speaker 1>and corrective mechanisms. They have to work together, right. Like

224
00:11:19.279 --> 00:11:22.159
<v Speaker 1>if a preventive control, say an electronic lock on a

225
00:11:22.240 --> 00:11:25.639
<v Speaker 1>server room, fails because someone just props the door open.

226
00:11:25.480 --> 00:11:27.559
<v Speaker 2>with a chair, which happens all the time, all the

227
00:11:27.600 --> 00:11:31.080
<v Speaker 1>time. A detective control, like an alert from a thermal camera,

228
00:11:31.399 --> 00:11:35.360
<v Speaker 1>catches the intrusion and this immediately triggers a corrective control

229
00:11:35.799 --> 00:11:39.759
<v Speaker 1>like dispatching a guard or automatically terminating active server sessions.

230
00:11:40.039 --> 00:11:43.799
<v Speaker 2>Then you have constructed a highly secure environment. But here

231
00:11:43.919 --> 00:11:46.679
<v Speaker 2>is the critical point the book makes. You can have

232
00:11:46.759 --> 00:11:50.960
<v Speaker 2>the most perfectly layered firewalls and the most brilliant compensatory

233
00:11:50.960 --> 00:11:54.360
<v Speaker 2>controls in the world. If the layout of this security

234
00:11:54.480 --> 00:11:58.519
<v Speaker 2>architecture actively prevents the sales team from accessing client data

235
00:11:59.039 --> 00:12:02.039
<v Speaker 2>or prevents the developers from shipping code, the business

236
00:12:02.039 --> 00:12:02.840
<v Speaker 2>goes bankrupt.

237
00:12:03.000 --> 00:12:07.360
<v Speaker 1>Wow, which brings us to the massive concept of enterprise architecture.

238
00:12:07.399 --> 00:12:08.639
<v Speaker 2>It's a huge shift in thinking.

239
00:12:08.799 --> 00:12:12.720
<v Speaker 1>Yeah, because there is this deeply rooted, almost adversarial divide

240
00:12:12.759 --> 00:12:16.759
<v Speaker 1>between technology practitioners and business leaders. The text highlights how

241
00:12:16.759 --> 00:12:20.519
<v Speaker 1>technology people tend to speak in acronyms: UDP, IPsec,

242
00:12:20.759 --> 00:12:22.000
<v Speaker 1>RAID arrays.

243
00:12:21.679 --> 00:12:25.679
<v Speaker 2>And business executives speak in terms of net profits, operational efficiency,

244
00:12:25.720 --> 00:12:26.320
<v Speaker 2>market share.

245
00:12:26.440 --> 00:12:29.080
<v Speaker 1>They are speaking two entirely different languages while trying to

246
00:12:29.159 --> 00:12:30.840
<v Speaker 1>run the exact same company, and

247
00:12:30.799 --> 00:12:34.879
<v Speaker 2>this disconnect leads to what the industry calls stovepipe solutions.

248
00:12:35.559 --> 00:12:38.799
<v Speaker 2>The IT department buys an expensive new software tool to

249
00:12:38.879 --> 00:12:43.840
<v Speaker 2>solve one specific technical problem completely without considering how it

250
00:12:43.960 --> 00:12:45.759
<v Speaker 2>impacts the broader business workflow.

251
00:12:45.879 --> 00:12:48.279
<v Speaker 1>They're just living in their own bubble. Exactly.

252
00:12:48.240 --> 00:12:51.720
<v Speaker 2>And the result is an exhausted organization constantly putting out

253
00:12:51.840 --> 00:12:57.600
<v Speaker 2>localized fires instead of executing a unified strategy. Enterprise architecture

254
00:12:57.679 --> 00:13:01.919
<v Speaker 2>is the discipline of fixing this. It provides a conceptual blueprint that

255
00:13:02.080 --> 00:13:06.759
<v Speaker 2>translates the complex organization into digestible, interconnected layers.

256
00:13:07.159 --> 00:13:10.440
<v Speaker 1>Think about walking into a medical clinic, right? On one wall,

257
00:13:10.559 --> 00:13:13.720
<v Speaker 1>there is a poster showing the human skeleton. On another wall,

258
00:13:13.759 --> 00:13:16.679
<v Speaker 1>there's a diagram of the circulatory system, and on a

259
00:13:16.720 --> 00:13:18.639
<v Speaker 1>third a map of the nervous system.

260
00:13:18.679 --> 00:13:20.320
<v Speaker 2>That's a great analogy, right.

261
00:13:20.279 --> 00:13:22.320
<v Speaker 1>They're all the exact same human body, but they

262
00:13:22.320 --> 00:13:24.720
<v Speaker 1>are viewed through completely different lenses depending on what the

263
00:13:24.720 --> 00:13:28.679
<v Speaker 1>specific specialist actually needs to see. A surgeon needs the organs,

264
00:13:28.919 --> 00:13:32.399
<v Speaker 1>a physical therapist needs the skeleton. And enterprise architecture does

265
00:13:32.440 --> 00:13:33.279
<v Speaker 1>this for a corporation.

266
00:13:33.720 --> 00:13:36.480
<v Speaker 2>It allows the CEO and the network engineer to look

267
00:13:36.519 --> 00:13:39.679
<v Speaker 2>at the same company and understand their distinct roles within it.

268
00:13:40.039 --> 00:13:42.440
<v Speaker 2>The Zachman framework is one of the classic models for this.

269
00:13:42.519 --> 00:13:43.600
<v Speaker 1>How does that one work?

270
00:13:43.759 --> 00:13:46.559
<v Speaker 2>It is essentially a two dimensional matrix. It takes six

271
00:13:47.159 --> 00:13:50.720
<v Speaker 2>basic interrogatives, what, how, where, who, when and why, and

272
00:13:50.840 --> 00:13:54.639
<v Speaker 2>maps them across different audience perspectives from the executive planner

273
00:13:55.000 --> 00:13:56.360
<v Speaker 2>all the way down to the technician.

274
00:13:56.440 --> 00:13:59.000
<v Speaker 1>So if we look at the who column, the executive

275
00:13:59.000 --> 00:14:03.200
<v Speaker 1>planner sees the company's macro organizational chart and department heads.

276
00:14:03.360 --> 00:14:07.600
<v Speaker 1>Right. The business manager sees the specific workflow teams. But

277
00:14:07.720 --> 00:14:10.039
<v Speaker 1>by the time you get down to the technician perspective,

278
00:14:10.559 --> 00:14:14.919
<v Speaker 1>who translates into Active Directory groups and specific database access

279
00:14:14.919 --> 00:14:15.720
<v Speaker 1>control lists.

280
00:14:15.720 --> 00:14:18.919
<v Speaker 2>It's the exact same concept of identity, just translated down

281
00:14:18.960 --> 00:14:19.360
<v Speaker 2>the chain.

282
00:14:19.399 --> 00:14:21.720
<v Speaker 1>That traceability is vital. It really is.

283
00:14:22.039 --> 00:14:25.080
<v Speaker 2>Another major model the book covers is TOGAF, the

284
00:14:25.159 --> 00:14:28.759
<v Speaker 2>Open Group Architecture Framework. This one divides the enterprise into

285
00:14:28.799 --> 00:14:33.399
<v Speaker 2>four domains: business, data, applications, and technology.

286
00:14:32.879 --> 00:14:35.600
<v Speaker 1>So it forces a specific order. Exactly.

287
00:14:36.080 --> 00:14:38.759
<v Speaker 2>This ensures that before you buy a piece of technology,

288
00:14:39.120 --> 00:14:43.000
<v Speaker 2>you verify it supports an application which utilizes the correct data,

289
00:14:43.440 --> 00:14:45.399
<v Speaker 2>which ultimately drives the business goal.

290
00:14:46.279 --> 00:14:49.279
<v Speaker 1>The source also dives into frameworks born from the military,

291
00:14:49.480 --> 00:14:53.000
<v Speaker 1>like DoDAF in the US and MODAF in Britain, and

292
00:14:53.039 --> 00:14:56.759
<v Speaker 1>these highlight a totally different kind of friction: interoperability.

293
00:14:56.919 --> 00:14:58.960
<v Speaker 2>Military systems are incredibly complex.

294
00:14:59.080 --> 00:15:02.840
<v Speaker 1>Yeah, modern warfare relies on wildly diverse systems. You have

295
00:15:02.919 --> 00:15:06.879
<v Speaker 1>a spy satellite in orbit capturing imagery, an intelligence analyst

296
00:15:06.919 --> 00:15:09.720
<v Speaker 1>on another continent processing it, and a drone in the

297
00:15:09.759 --> 00:15:11.480
<v Speaker 1>air waiting for targeting data.

298
00:15:11.559 --> 00:15:13.919
<v Speaker 2>And if those systems are built by different defense contractors

299
00:15:14.000 --> 00:15:17.919
<v Speaker 2>using proprietary data formats, they cannot communicate

300
00:15:17.399 --> 00:15:19.759
<v Speaker 1>seamlessly, which means the mission fails, right.

301
00:15:20.080 --> 00:15:23.639
<v Speaker 2>DoDAF was created to enforce a standardized architecture so that

302
00:15:23.720 --> 00:15:27.039
<v Speaker 2>all these disparate systems share a common operational picture, and

303
00:15:27.120 --> 00:15:31.120
<v Speaker 2>corporations use these same principles during massive mergers and acquisitions

304
00:15:31.360 --> 00:15:35.000
<v Speaker 2>to ensure two entirely different IT infrastructures can actually talk

305
00:15:35.039 --> 00:15:35.559
<v Speaker 2>to each other.

306
00:15:35.840 --> 00:15:39.360
<v Speaker 1>Here's where it gets really interesting, though. Where does cybersecurity

307
00:15:39.399 --> 00:15:43.080
<v Speaker 1>actually sit inside these massive organizational blueprints. Do we just

308
00:15:43.639 --> 00:15:45.200
<v Speaker 1>slap a firewall on the drone?

309
00:15:45.240 --> 00:15:47.759
<v Speaker 2>Well, that brings us to SABSA, the Sherwood Applied

310
00:15:47.799 --> 00:15:52.960
<v Speaker 2>Business Security Architecture. SABSA is a security specific framework, and

311
00:15:53.039 --> 00:15:56.480
<v Speaker 2>its primary mechanism is creating a chain of traceability.

312
00:15:56.600 --> 00:15:59.039
<v Speaker 1>Traceability again? Yes, it insists

313
00:15:58.720 --> 00:16:01.519
<v Speaker 2>that security does not exist in a vacuum. You start

314
00:16:01.519 --> 00:16:04.039
<v Speaker 2>at the very top layer with the contextual business needs

315
00:16:04.240 --> 00:16:08.440
<v Speaker 2>and the executive risk models. Every single security decision must

316
00:16:08.440 --> 00:16:10.759
<v Speaker 2>trace back up to that top layer.

317
00:16:10.840 --> 00:16:14.039
<v Speaker 1>So an IT director doesn't just buy a next generation

318
00:16:14.120 --> 00:16:16.360
<v Speaker 1>firewall because they read an article saying it's the best

319
00:16:16.399 --> 00:16:16.840
<v Speaker 1>new tech.

320
00:16:17.039 --> 00:16:17.799
<v Speaker 2>No, they can't.

321
00:16:17.960 --> 00:16:20.240
<v Speaker 1>They have to prove that the firewall supports the new

322
00:16:20.320 --> 00:16:23.960
<v Speaker 1>secure remote work policy, and that remote work policy traces

323
00:16:23.960 --> 00:16:27.080
<v Speaker 1>directly up to the CEO's strategic objective of reducing the

324
00:16:27.120 --> 00:16:30.480
<v Speaker 1>company's commercial real estate footprint by allowing employees to work

325
00:16:30.519 --> 00:16:30.919
<v Speaker 1>from home.

326
00:16:31.279 --> 00:16:35.440
<v Speaker 2>Exactly, the technology justifies itself by enabling a business goal.

327
00:16:36.120 --> 00:16:38.840
<v Speaker 2>If we connect this to the bigger picture, the security

328
00:16:38.840 --> 00:16:42.519
<v Speaker 2>apparatus is simply the immune system and the business itself

329
00:16:42.600 --> 00:16:45.399
<v Speaker 2>is the human body. I love that the immune system

330
00:16:45.440 --> 00:16:48.600
<v Speaker 2>exists entirely to support, protect, and enable the body to

331
00:16:48.639 --> 00:16:51.720
<v Speaker 2>explore the world safely. The body does not exist to

332
00:16:51.759 --> 00:16:52.759
<v Speaker 2>serve the immune system.

333
00:16:52.919 --> 00:16:56.440
<v Speaker 1>Right. If security acts as a roadblock, the business dies.

334
00:16:56.919 --> 00:17:00.600
<v Speaker 2>Good security architecture enables the business to take calculated risks

335
00:17:00.879 --> 00:17:02.840
<v Speaker 2>and offer new services securely.

336
00:17:02.960 --> 00:17:07.279
<v Speaker 1>Okay, So having a brilliant architectural blueprint is amazing on paper.

337
00:17:07.400 --> 00:17:08.960
<v Speaker 1>You know where the data flows, you know why the

338
00:17:09.000 --> 00:17:12.960
<v Speaker 1>firewalls exist. But a blueprint doesn't manage people. No, it doesn't.

339
00:17:13.119 --> 00:17:16.759
<v Speaker 1>How do organizations ensure that thousands of human beings actually

340
00:17:16.839 --> 00:17:19.920
<v Speaker 1>follow the rules day in and day out without the

341
00:17:19.960 --> 00:17:22.839
<v Speaker 1>whole operation just descending into chaos.

342
00:17:23.119 --> 00:17:26.160
<v Speaker 2>The architecture provides the structure, but you need process and

343
00:17:26.200 --> 00:17:30.000
<v Speaker 2>control frameworks to actually manage the daily activities within that structure.

344
00:17:30.279 --> 00:17:32.759
<v Speaker 1>And this is where the source throws a massive alphabet

345
00:17:32.880 --> 00:17:34.480
<v Speaker 1>soup of acronyms at the reader.

346
00:17:34.559 --> 00:17:35.759
<v Speaker 2>Oh, there are so many.

347
00:17:35.759 --> 00:17:42.440
<v Speaker 1>COBIT, NIST SP 800-53, COSO, ITIL, CMMI.

348
00:17:43.680 --> 00:17:45.920
<v Speaker 1>I mean when you first look at this list, the

349
00:17:45.960 --> 00:17:49.880
<v Speaker 1>immediate reaction is just total overwhelm. How is any company

350
00:17:49.960 --> 00:17:52.279
<v Speaker 1>supposed to implement all of these simultaneously?

351
00:17:52.400 --> 00:17:54.920
<v Speaker 2>Well, the secret is that you don't. You should view

352
00:17:54.960 --> 00:17:58.359
<v Speaker 2>these frameworks as a highly specialized toolbox. You wouldn't use

353
00:17:58.359 --> 00:18:00.279
<v Speaker 2>a wrench to drive a nail, right? Right. You pull

354
00:18:00.279 --> 00:18:03.440
<v Speaker 2>out the specific framework designed to solve the organizational friction

355
00:18:03.519 --> 00:18:06.640
<v Speaker 2>you are currently experiencing. Let's break down the mechanisms of

356
00:18:06.640 --> 00:18:07.960
<v Speaker 2>how they are actually applied.

357
00:18:08.160 --> 00:18:10.279
<v Speaker 1>Let's start at the executive level. Say you have a

358
00:18:10.319 --> 00:18:13.000
<v Speaker 1>board of directors and they are terrified of financial fraud,

359
00:18:13.119 --> 00:18:16.599
<v Speaker 1>insider trading, or running afoul of regulations like Sarbanes-Oxley.

360
00:18:16.640 --> 00:18:18.400
<v Speaker 2>They aren't worried about malware.

361
00:18:18.240 --> 00:18:21.319
<v Speaker 1>No, they are worried about going to prison for inaccurate

362
00:18:21.319 --> 00:18:22.200
<v Speaker 1>financial reporting.

363
00:18:22.400 --> 00:18:27.319
<v Speaker 2>For that specific friction, they implement the COSO framework. COSO

364
00:18:27.359 --> 00:18:30.319
<v Speaker 2>is a model for corporate governance and internal control. It

365
00:18:30.319 --> 00:18:34.559
<v Speaker 2>helps management identify and assess risks related to financial reporting

366
00:18:34.680 --> 00:18:38.440
<v Speaker 2>and operational efficiency, completely independent of the IT department.

367
00:18:38.680 --> 00:18:41.279
<v Speaker 1>But wait, the IT department manages the systems where all

368
00:18:41.319 --> 00:18:44.119
<v Speaker 1>that financial data lives. So how do you align the

369
00:18:44.160 --> 00:18:46.480
<v Speaker 1>tech guys with the COSO mandates?

370
00:18:46.599 --> 00:18:50.160
<v Speaker 2>That is precisely what COBIT was designed to do. COBIT

371
00:18:50.240 --> 00:18:53.480
<v Speaker 2>derives many of its principles from COSO, but it translates

372
00:18:53.480 --> 00:18:54.680
<v Speaker 2>them into IT governance.

373
00:18:54.759 --> 00:18:56.720
<v Speaker 1>Oh, so it bridges the gap. Exactly.

374
00:18:57.119 --> 00:18:59.799
<v Speaker 2>It provides a set of processes and metrics that allow

375
00:18:59.839 --> 00:19:03.200
<v Speaker 2>the business executives to measure whether the IT department is

376
00:19:03.200 --> 00:19:06.119
<v Speaker 2>actually delivering value and managing risk in a way that

377
00:19:06.160 --> 00:19:08.119
<v Speaker 2>aligns with the broader corporate strategy.

378
00:19:08.160 --> 00:19:11.519
<v Speaker 1>Okay, what if your company does work for the US government.

379
00:19:11.319 --> 00:19:14.119
<v Speaker 2>Then you reach for NIST SP 800-53.

380
00:19:14.400 --> 00:19:15.480
<v Speaker 1>That sounds intense.

381
00:19:15.839 --> 00:19:19.279
<v Speaker 2>It is. This is a massive catalog of highly specific

382
00:19:19.519 --> 00:19:24.519
<v Speaker 2>security and privacy controls required for federal information systems. It's prescriptive.

383
00:19:24.799 --> 00:19:27.440
<v Speaker 2>It tells you exactly the baseline controls you need to

384
00:19:27.480 --> 00:19:28.839
<v Speaker 2>implement to be compliant.

385
00:19:29.039 --> 00:19:32.279
<v Speaker 1>Okay, let's pivot to the daily grind. The help desk,

386
00:19:32.920 --> 00:19:36.400
<v Speaker 1>the classic friction point where employees submit a ticket because

387
00:19:36.400 --> 00:19:38.240
<v Speaker 1>their laptop is broken and they feel like it just

388
00:19:38.319 --> 00:19:39.559
<v Speaker 1>vanishes into a black hole.

389
00:19:39.720 --> 00:19:40.599
<v Speaker 2>Everyone's been there.

390
00:19:40.759 --> 00:19:44.759
<v Speaker 1>Meanwhile, the IT staff feels completely overwhelmed and underappreciated.

391
00:19:45.039 --> 00:19:48.400
<v Speaker 2>Right. To solve the friction of service delivery, you use ITIL.

392
00:19:48.960 --> 00:19:52.480
<v Speaker 2>ITIL focuses on IT service management. It shifts the IT

393
00:19:52.680 --> 00:19:56.880
<v Speaker 2>department's mindset from just fixing broken hardware to delivering a consistent,

394
00:19:57.000 --> 00:19:58.759
<v Speaker 2>measurable service to internal

395
00:19:58.400 --> 00:20:02.640
<v Speaker 1>customers, complete with standard incident management and change management processes.

396
00:20:02.759 --> 00:20:04.720
<v Speaker 2>Exactly. It smooths everything out.

397
00:20:04.759 --> 00:20:07.200
<v Speaker 1>And finally, how does an organization know if it's actually

398
00:20:07.200 --> 00:20:09.079
<v Speaker 1>getting better at any of this over time?

399
00:20:09.240 --> 00:20:13.319
<v Speaker 2>They use CMMI. Yeah, the Capability Maturity Model Integration,

400
00:20:13.480 --> 00:20:18.119
<v Speaker 2>developed by Carnegie Mellon. CMMI measures maturity. It helps an

401
00:20:18.160 --> 00:20:21.720
<v Speaker 2>organization recognize if their processes are at level one, which

402
00:20:21.759 --> 00:20:26.640
<v Speaker 2>is chaotic, ad hoc and completely dependent on individual heroics.

403
00:20:26.799 --> 00:20:29.200
<v Speaker 1>Meaning if your lead developer goes on vacation, the whole

404
00:20:29.240 --> 00:20:29.960
<v Speaker 1>system crashes.

405
00:20:30.079 --> 00:20:32.480
<v Speaker 2>Exactly. The goal is to evolve through the levels until

406
00:20:32.480 --> 00:20:35.599
<v Speaker 2>you reach level five, where processes are optimized, measured, and

407
00:20:35.680 --> 00:20:38.079
<v Speaker 2>continuously improving based on quantitative data.

408
00:20:38.160 --> 00:20:41.079
<v Speaker 1>It really is a toolbox. But regardless of whether a

409
00:20:41.079 --> 00:20:44.119
<v Speaker 1>company is using COBIT for governance or ITIL for help

410
00:20:44.200 --> 00:20:50.000
<v Speaker 1>desk tickets, the text emphasizes one absolute, non-negotiable rule

411
00:20:50.079 --> 00:20:53.039
<v Speaker 1>for implementing security. It must be a top-down approach.

412
00:20:53.160 --> 00:20:57.079
<v Speaker 2>Yes, the underlying psychology and power dynamics of a corporation

413
00:20:57.680 --> 00:21:00.880
<v Speaker 2>dictate that a bottom-up approach is simply doomed to fail.

414
00:21:01.079 --> 00:21:08.000
<v Speaker 1>A bottom-up approach is when the IT staff recognizes a vulnerability.

415
00:21:08.519 --> 00:21:10.160
<v Speaker 2>Right and it creates immense friction.

416
00:21:10.519 --> 00:21:12.400
<v Speaker 1>I mean, think about it. If a mid level IT

417
00:21:12.599 --> 00:21:15.839
<v Speaker 1>administrator emails the vice president of sales and says, hey,

418
00:21:16.079 --> 00:21:19.480
<v Speaker 1>you must start using complex, rotated passwords and a VPN,

419
00:21:19.720 --> 00:21:20.319
<v Speaker 1>the VP

420
00:21:20.160 --> 00:21:22.039
<v Speaker 2>of sales is going to view that as an annoyance

421
00:21:22.039 --> 00:21:23.799
<v Speaker 2>that slows down their team. Exactly.

422
00:21:24.319 --> 00:21:26.599
<v Speaker 1>They will likely just ignore it or complain to their boss.

423
00:21:26.880 --> 00:21:29.359
<v Speaker 1>The IT administrator does not have the authority to punish

424
00:21:29.400 --> 00:21:32.079
<v Speaker 1>non compliance or force cross departmental changes.

425
00:21:32.359 --> 00:21:35.480
<v Speaker 2>Furthermore, the IT staff does not hold the purse strings.

426
00:21:35.759 --> 00:21:41.079
<v Speaker 2>They cannot allocate the massive budget required for enterprise-wide controls. Initiation,

427
00:21:41.720 --> 00:21:45.599
<v Speaker 2>visible support, and constant direction must come from senior management

428
00:21:45.880 --> 00:21:46.640
<v Speaker 2>and the board

429
00:21:46.400 --> 00:21:48.359
<v Speaker 1>of directors, because they have the power.

430
00:21:48.440 --> 00:21:50.839
<v Speaker 2>They are the only ones with the authority to mandate

431
00:21:50.880 --> 00:21:54.799
<v Speaker 2>behavior across all departments and align the budget. When the

432
00:21:54.839 --> 00:21:58.319
<v Speaker 2>CEO mandates the use of a VPN, the VP of

433
00:21:58.359 --> 00:21:59.720
<v Speaker 2>sales complies.

434
00:22:00.319 --> 00:22:03.599
<v Speaker 1>So what does this all mean? We've journeyed from the

435
00:22:03.640 --> 00:22:07.160
<v Speaker 1>absolute foundational elements all the way to the executive boardroom.

436
00:22:07.480 --> 00:22:11.119
<v Speaker 1>We unpacked the AIC triad, realizing that security is just

437
00:22:11.119 --> 00:22:13.480
<v Speaker 1>as much about keeping the business running and accurate as

438
00:22:13.519 --> 00:22:14.759
<v Speaker 1>it is about keeping secrets.

439
00:22:14.839 --> 00:22:15.880
<v Speaker 2>It's a balancing act.

440
00:22:15.920 --> 00:22:18.680
<v Speaker 1>We learned that hiding vulnerabilities in the dark through obscurity

441
00:22:18.720 --> 00:22:21.759
<v Speaker 1>is a recipe for disaster. Instead, we must rely on

442
00:22:21.799 --> 00:22:26.279
<v Speaker 1>defense in depth, introducing calculated friction through overlapping administrative, technical,

443
00:22:26.400 --> 00:22:27.480
<v Speaker 1>and physical

444
00:22:27.000 --> 00:22:28.720
<v Speaker 2>controls. Layers upon layers.

445
00:22:29.039 --> 00:22:32.599
<v Speaker 1>We zoomed out to view the organization through enterprise architecture

446
00:22:32.599 --> 00:22:36.720
<v Speaker 1>models like Zachman and SABSA, proving that the security immune

447
00:22:36.759 --> 00:22:40.920
<v Speaker 1>system must serve the overarching business body. And finally, we

448
00:22:40.960 --> 00:22:44.240
<v Speaker 1>opened the toolbox of process frameworks like COBIT and CMMI

449
00:22:44.599 --> 00:22:48.440
<v Speaker 1>to manage the daily chaos, driven entirely by top-down leadership.

450
00:22:48.559 --> 00:22:49.559
<v Speaker 2>It's the only way it works.

451
00:22:50.000 --> 00:22:53.160
<v Speaker 1>Understanding the structure is the ultimate shortcut. You're no longer

452
00:22:53.200 --> 00:22:56.279
<v Speaker 1>just looking at isolated firewalls and policies. You can finally

453
00:22:56.319 --> 00:22:59.319
<v Speaker 1>see the entire board and how all the pieces move together.

454
00:23:00.000 --> 00:23:03.799
<v Speaker 2>Attaining that macroscopic perspective is exactly what separates the strategic

455
00:23:03.839 --> 00:23:07.559
<v Speaker 2>professional from someone who merely knows how to configure a router.

456
00:23:09.000 --> 00:23:10.400
<v Speaker 2>As we wrap up, I want to leave you with

457
00:23:10.440 --> 00:23:13.480
<v Speaker 2>a final thought, inspired by the way the source material

458
00:23:13.759 --> 00:23:16.079
<v Speaker 2>describes the CISSP exam itself.

459
00:23:16.160 --> 00:23:17.440
<v Speaker 1>Oh, this is fascinating.

460
00:23:17.519 --> 00:23:20.000
<v Speaker 2>The text notes that the English version of this certification

461
00:23:20.440 --> 00:23:23.759
<v Speaker 2>uses computer adaptive testing. As you take the exam, it

462
00:23:23.880 --> 00:23:26.079
<v Speaker 2>dynamically feeds you between 100 and

463
00:23:26.079 --> 00:23:29.799
<v Speaker 2>150 questions. But here is the brilliant part. It constantly

464
00:23:29.839 --> 00:23:32.440
<v Speaker 2>adjusts its difficulty based on your previous

465
00:23:32.079 --> 00:23:33.920
<v Speaker 1>answers, so it's actively analyzing you.

466
00:23:34.240 --> 00:23:38.240
<v Speaker 2>Yes, it is deliberately programmed to hunt for your weak spots.

467
00:23:38.599 --> 00:23:42.880
<v Speaker 2>It adaptively probes your knowledge, digging deeper into the specific

468
00:23:42.920 --> 00:23:46.559
<v Speaker 2>areas where you show hesitation, meaning the test always feels

469
00:23:46.559 --> 00:23:49.599
<v Speaker 2>incredibly difficult because it refuses to let you rest on

470
00:23:49.640 --> 00:23:50.279
<v Speaker 2>what you already know.

471
00:23:50.440 --> 00:23:54.559
<v Speaker 1>It actively weaponizes its algorithm to find your unlocked door. Precisely.

472
00:23:55.160 --> 00:23:58.279
<v Speaker 2>So, my question for you to ponder is this: If

473
00:23:58.319 --> 00:24:01.680
<v Speaker 2>the ultimate benchmark test for a security professional is designed

474
00:24:01.720 --> 00:24:05.359
<v Speaker 2>to relentlessly and adaptively probe their deepest areas of ignorance

475
00:24:05.519 --> 00:24:08.359
<v Speaker 2>until they feel like they are failing, how much does

476
00:24:08.400 --> 00:24:11.319
<v Speaker 2>your own organization rely on testing only the systems and

477
00:24:11.359 --> 00:24:14.680
<v Speaker 2>processes you already know you're good at, rather than actively

478
00:24:14.759 --> 00:24:16.119
<v Speaker 2>hunting for your weakest links?

479
00:24:16.279 --> 00:24:19.000
<v Speaker 1>That is a phenomenal question to end on, because if

480
00:24:19.039 --> 00:24:21.559
<v Speaker 1>you aren't hunting for your own vulnerabilities, you can guarantee

481
00:24:21.599 --> 00:24:24.759
<v Speaker 1>that the automated bots, the scraping algorithms, and the adversaries

482
00:24:24.799 --> 00:24:25.319
<v Speaker 1>already are.
