1
00:00:00,006 --> 00:00:03,002
- [Narrator] Security professionals must always remember

2
00:00:03,002 --> 00:00:07,004
that they perform a supporting service for the organization.

3
00:00:07,004 --> 00:00:09,005
While security is extremely important,

4
00:00:09,005 --> 00:00:12,007
it is not the reason that the business exists.

5
00:00:12,007 --> 00:00:15,001
Every organization has its own mission,

6
00:00:15,001 --> 00:00:17,005
and security is just one of many tools

7
00:00:17,005 --> 00:00:21,000
that help the organization achieve that mission.

8
00:00:21,000 --> 00:00:23,005
Security Leaders should think of themselves

9
00:00:23,005 --> 00:00:25,006
as wearing two different hats.

10
00:00:25,006 --> 00:00:27,007
Certainly, they're the subject-matter experts

11
00:00:27,007 --> 00:00:29,005
in the organization on issues of

12
00:00:29,005 --> 00:00:33,004
confidentiality, integrity, and availability.

13
00:00:33,004 --> 00:00:35,000
The organization will look to them for

14
00:00:35,000 --> 00:00:37,000
security leadership and the protection

15
00:00:37,000 --> 00:00:41,000
of information assets, response to security incidents,

16
00:00:41,000 --> 00:00:43,009
and other typical security functions.

17
00:00:43,009 --> 00:00:46,005
At the same time, Security Leaders must

18
00:00:46,005 --> 00:00:49,005
also be Business Leaders, who understand

19
00:00:49,005 --> 00:00:52,000
the primary mission of the organization,

20
00:00:52,000 --> 00:00:55,009
including both its strategic and tactical objectives.

21
00:00:55,009 --> 00:00:57,006
They must understand the short-term

22
00:00:57,006 --> 00:01:00,004
and long-term goals of the organization,

23
00:01:00,004 --> 00:01:03,007
and be able to seamlessly switch between their hats,

24
00:01:03,007 --> 00:01:07,008
thinking as both Security Leaders and Business Leaders.
25
00:01:07,008 --> 00:01:10,008
The reason that wearing these two hats is so important

26
00:01:10,008 --> 00:01:14,000
is that security controls can often be a barrier

27
00:01:14,000 --> 00:01:16,006
to the efficient operation of the business.

28
00:01:16,006 --> 00:01:19,002
The challenge facing security professionals

29
00:01:19,002 --> 00:01:21,008
is that they must design a control environment

30
00:01:21,008 --> 00:01:24,009
that manages the risks facing the organization,

31
00:01:24,009 --> 00:01:29,004
but balances security against other business considerations.

32
00:01:29,004 --> 00:01:31,007
That can be a really difficult task,

33
00:01:31,007 --> 00:01:35,003
and it's one that many security professionals struggle with.

34
00:01:35,003 --> 00:01:38,007
When you're taking the exam, keep this balance in mind.

35
00:01:38,007 --> 00:01:41,007
Watch out for questions that attempt to trick you

36
00:01:41,007 --> 00:01:45,000
into making decisions wearing only the security hat,

37
00:01:45,000 --> 00:01:46,007
that would have a disproportionately

38
00:01:46,007 --> 00:01:49,004
negative impact on the business.

39
00:01:49,004 --> 00:01:52,009
These are usually easy to spot in scenario questions,

40
00:01:52,009 --> 00:01:55,001
as long as you're approaching the exam

41
00:01:55,001 --> 00:01:58,007
with the image of those two hats in your mind.

42
00:01:58,007 --> 00:02:00,009
When proposing a new security control,

43
00:02:00,009 --> 00:02:02,007
security leaders often need to present

44
00:02:02,007 --> 00:02:05,002
a business case for that control

45
00:02:05,002 --> 00:02:08,001
that justifies the investment of time and money

46
00:02:08,001 --> 00:02:10,007
in the new control, as well as providing

47
00:02:10,007 --> 00:02:14,002
a solid basis for the impact on end users.

48
00:02:14,002 --> 00:02:16,003
You should approach these business cases

49
00:02:16,003 --> 00:02:19,009
as you would any other important security decision.
50
00:02:19,009 --> 00:02:23,004
Keep two models in mind: the security and business hats

51
00:02:23,004 --> 00:02:27,005
that you wear and the three goals of information security,

52
00:02:27,005 --> 00:02:31,004
confidentiality, integrity, and availability.

53
00:02:31,004 --> 00:02:33,007
Then just spell out the investment required

54
00:02:33,007 --> 00:02:35,008
to implement the control and the

55
00:02:35,008 --> 00:02:38,003
expected return on that investment.

56
00:02:38,003 --> 00:02:40,003
Another situation where security leaders

57
00:02:40,003 --> 00:02:42,008
must wear the hat of a business leader

58
00:02:42,008 --> 00:02:45,005
comes in the form of the many administrative tasks

59
00:02:45,005 --> 00:02:48,006
that fall to any leader in the organization.

60
00:02:48,006 --> 00:02:52,000
Security professionals taking on management responsibilities

61
00:02:52,000 --> 00:02:54,001
will have to administer a budget,

62
00:02:54,001 --> 00:02:57,007
conduct performance reviews, counsel employees,

63
00:02:57,007 --> 00:02:59,005
and contribute to the organization's

64
00:02:59,005 --> 00:03:01,008
strategic planning processes.

65
00:03:01,008 --> 00:03:04,002
These non-security responsibilities

66
00:03:04,002 --> 00:03:07,000
are an important part of the information security

67
00:03:07,000 --> 00:03:11,000
professional's contributions to the broader organization.

68
00:03:11,000 --> 00:03:12,004
And they help maintain a solid

69
00:03:12,004 --> 00:03:15,000
connection to the rest of the business.