CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 357: Is Your Encrypted Data Already Stolen? Quantum Risk & Supply Chain Attacks for CISSP
Someone is stealing encrypted data right now and they are not trying to read it today. They are saving it for later, betting that quantum computing will eventually break the encryption that protects it. I dig into the “Harvest Now, Decrypt Later” strategy, why it matters most for long-term confidentiality, and how security leaders can talk about it as a present-day risk instead of science fiction.
From there, I get practical with post-quantum planning: what the NIST post-quantum cryptography standards signal, why quantum key distribution is still niche for most organisations, and the big architectural idea to remember for the CISSP and for real enterprise security programs: crypto agility. We walk through concrete steps like building a cryptographic inventory, mapping where RSA and elliptic curve crypto live, identifying data with 10 to 20 year secrecy needs, and pushing vendors for a clear PQC roadmap.
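The cryptographic inventory and data-lifetime steps listed above (map where RSA and elliptic curve crypto live, identify data with 10 to 20 year secrecy needs) can be turned into a small triage tool. The following Python is an added example written for this page; it is not code from the podcast, the CSO article, or any vendor. It classifies algorithm names found in configuration lines into public-key primitives that Shor's algorithm breaks outright, symmetric and hash primitives that Grover's algorithm only weakens, and the NIST FIPS 203/204/205 post-quantum families, then ranks data assets with Mosca's inequality: harvest-now-decrypt-later exposure exists when shelf life X plus migration time Y exceeds the estimated years Z until a cryptographically relevant quantum computer. The host names, paths, asset list, and the 5-year migration and 10-year CRQC figures are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Public-key primitives whose security rests on factoring or discrete logs.
# Shor's algorithm on a cryptographically relevant quantum computer (CRQC)
# breaks these outright, so ciphertext harvested today becomes readable later.
SHOR_BROKEN = {
    "RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519",
    "SECP256R1", "SECP384R1", "P256", "P384", "MODP2048", "MODP3072", "MODP4096",
}
# Symmetric ciphers and hashes only suffer Grover's square-root speed-up:
# AES-256 keeps roughly 128-bit quantum security, so these are inventoried,
# not flagged as broken.
GROVER_ONLY = {"AES128", "AES256", "CHACHA20", "SHA256", "SHA384", "SHA512", "3DES"}
# NIST FIPS 203/204/205 algorithm families (ML-KEM, ML-DSA, SLH-DSA).
PQC_RE = re.compile(r"\b(ML-KEM-\d+|ML-DSA-\d+|SLH-DSA(?:-[A-Za-z0-9]+)*)\b")


@dataclass(frozen=True)
class Finding:
    source: str     # "host:path" the configuration line came from
    algorithm: str
    status: str     # "shor-broken" | "grover-only" | "pqc"


def classify_line(source, line):
    """Extract every recognised algorithm name from one config line."""
    findings = []
    for name in PQC_RE.findall(line):
        findings.append(Finding(source, name, "pqc"))
    for token in re.split(r"[^A-Za-z0-9]+", PQC_RE.sub(" ", line)):
        token = token.upper()
        if token in SHOR_BROKEN:
            findings.append(Finding(source, token, "shor-broken"))
        elif token in GROVER_ONLY:
            findings.append(Finding(source, token, "grover-only"))
    return findings


def build_inventory(text):
    """Parse 'host:path: <config line>' records, one per line."""
    findings = []
    for raw in text.strip().splitlines():
        source, _, line = raw.partition(": ")
        findings.extend(classify_line(source, line))
    return findings


def hndl_at_risk(shelf_life_years, migration_years, crqc_eta_years):
    """Mosca's inequality: harvest-now-decrypt-later exposure exists when the
    years data must stay secret (X) plus the years migration takes (Y)
    exceed the estimated years until a CRQC exists (Z), i.e. X + Y > Z."""
    return shelf_life_years + migration_years > crqc_eta_years


def triage(assets, findings, migration_years, crqc_eta_years):
    """Rank assets: HIGH when a Shor-broken primitive protects the asset and
    Mosca's inequality holds for its shelf life; MEDIUM when only the
    primitive is weak; LOW when nothing quantum-vulnerable was found."""
    broken_sources = {f.source for f in findings if f.status == "shor-broken"}
    report = []
    for name, source, shelf_life in assets:
        exposed = source in broken_sources
        urgent = exposed and hndl_at_risk(shelf_life, migration_years, crqc_eta_years)
        report.append((name, "HIGH" if urgent else "MEDIUM" if exposed else "LOW"))
    return report


# Constructed sample data (hosts, paths and cipher strings are illustrative).
CONSTRUCTED_CONFIG = """\
web-edge:/etc/nginx/nginx.conf: ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384
vpn-gw:/etc/ipsec.conf: ike=aes256-sha256-modp2048
bastion:/etc/ssh/sshd_config: HostKey /etc/ssh/ssh_host_ed25519_key
archive:app.yaml: kem: ML-KEM-768, sig: ML-DSA-65
"""
CONSTRUCTED_ASSETS = [
    # (asset, configuration that protects it, years it must stay confidential)
    ("patient-records", "vpn-gw:/etc/ipsec.conf", 20),
    ("web-session-logs", "web-edge:/etc/nginx/nginx.conf", 1),
    ("design-archive", "archive:app.yaml", 15),
]

if __name__ == "__main__":
    inventory = build_inventory(CONSTRUCTED_CONFIG)
    for f in inventory:
        print(f"{f.status:12} {f.algorithm:12} {f.source}")
    # Assumed planning numbers: 5-year migration, CRQC in about 10 years.
    for asset, level in triage(CONSTRUCTED_ASSETS, inventory, 5, 10):
        print(f"{level:6} {asset}")
```

With those assumed numbers the 20-year patient records behind a 2048-bit DH VPN come out HIGH, the one-year web session logs behind ECDHE-RSA come out MEDIUM (the primitive is weak, but the data expires before a CRQC is expected), and the archive already fronted by ML-KEM and ML-DSA comes out LOW. The useful part for a board conversation is that the ranking changes as the CRQC estimate moves, which is exactly the argument for not waiting on certainty.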
Then we pivot into CISSP Domain 1 supply chain risk management (SCRM and CSCRM). I explain why supply chains are a prime target, how modern supply chain attacks can ride in through poisoned open source packages, and what SolarWinds showed the world about scale and impact. We close with the nuts and bolts that actually reduce third-party risk: lifecycle supplier management, meaningful assessments (on-site when it matters), document and policy review, audits, and minimum security requirements baked into contracts and SLAs.
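The poisoned open-source package attack mentioned above relies on two things: a release being quietly republished with different bytes, and code that runs at install time rather than at import time. The following Python is an added example for this page, not code from the podcast or from any of the projects it names. It shows the two checks a practitioner would run before a dependency is installed: verifying a download against the `--hash=sha256:` pins in a pip requirements file (the check `pip install --require-hashes` performs), and statically auditing a `setup.py` for `cmdclass` overrides of install steps and for calls that fetch, decode or execute a payload. The package name `demo-pkg`, both `setup.py` variants and the base64 payload are constructed for the example.

```python
import ast
import hashlib
import re

# ---- 1. lockfile hash pins (what `pip install --require-hashes` enforces) ----
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_pins(requirements_text):
    """Map (name, version) -> allowed sha256 digests from a pip requirements
    file that uses --hash pins; backslash continuation lines are joined."""
    pins = {}
    for line in requirements_text.replace("\\\n", " ").splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            pins[(m.group(1).lower(), m.group(2))] = set(HASH_RE.findall(line))
    return pins

def verify_artifact(name, version, data, pins):
    """'ok' if the download matches a pinned digest, 'hash-mismatch' if the same
    release now has different bytes, 'unpinned' if nobody reviewed this release."""
    allowed = pins.get((name.lower(), version))
    if not allowed:
        return "unpinned"
    return "ok" if sha256_hex(data) in allowed else "hash-mismatch"

# ---- 2. static audit of setup.py for install-time code execution ----
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py", "build_ext"}
SUSPICIOUS_CALLS = {
    "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen", "base64.b64decode",
    "exec", "eval",
}

def dotted_name(node):
    """'pkg.attr.func' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit_setup_py(source):
    """Flag cmdclass overrides of build/install steps and calls that fetch,
    decode or run a payload. Returns human-readable findings (empty = clean)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings.append(f"line {node.lineno}: call to {name}")
        if name == "setup":  # setup(..., cmdclass={"install": X}) hijacks pip's install step
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                            findings.append(f"line {key.lineno}: cmdclass overrides '{key.value}'")
    return findings

# ---- constructed sample package: two setup.py variants of the same release ----
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo-pkg", version="1.0.0")\n'
MALICIOUS_SETUP_PY = '''\
import subprocess, base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):  # executes during `pip install` in the installing user's environment
        subprocess.run(["sh", "-c", base64.b64decode("ZWNobyBzdG9sZW4=").decode()])
        install.run(self)

setup(name="demo-pkg", version="1.0.0", cmdclass={"install": PostInstall})
'''

def run_demo():
    good, bad = CLEAN_SETUP_PY.encode(), MALICIOUS_SETUP_PY.encode()
    # The lockfile pins the digest of the release that was actually reviewed.
    pins = parse_pins("demo-pkg==1.0.0 \\\n    --hash=sha256:" + sha256_hex(good) + "\n")
    return {
        "good_hash": verify_artifact("Demo-Pkg", "1.0.0", good, pins),
        "bad_hash": verify_artifact("demo-pkg", "1.0.0", bad, pins),
        "unpinned": verify_artifact("demo-pkg", "1.0.1", good, pins),
        "good_audit": audit_setup_py(CLEAN_SETUP_PY),
        "bad_audit": audit_setup_py(MALICIOUS_SETUP_PY),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two caveats. The hash check only helps if the pinned digest was recorded from a reviewed release, so a lockfile regenerated blindly after a poisoned version appeared pins the poison. And the `setup.py` audit covers source distributions only: wheels run no code at install time, so a payload hidden in a wheel fires on first import and needs the same scrutiny applied to the package's import-time modules.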
If you want more training, check out CISSP Cyber Training, subscribe for weekly updates, share this with a friend who owns risk, and leave a quick review so more CISSP candidates can find the show.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And What We Cover
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host of this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
SPEAKER_01: Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be getting into aspects related to the CISSP exam. Today we're going to be focused on supply chain. We've been talking the past few months, or a few weeks, about supply chain, and today is the day as well. So we're going to get into supply chains and how that all plays together. But before we do, I'm actually going to get into an article that I feel has been out there for some time and that everybody's been talking about, but in little whispers, I should say. Nobody's actually talked deeply about it. So this is a really great article from CSO magazine. It's called Harvest Now, Decipher Later: The quantum threat few are prepping for. And so it's going to get into the quantum aspects of this. I feel that this has been something that the military people have been thinking about for quite some time, as I was thinking about it from when I was a red team commander. And that's a long time ago; that was back in the early 2000s. We knew it was going to come up at some point, but now it's only going to grow and get more challenging. So I thought this would be a really great article to get into and talk about a little bit. And then from there, we're going to roll into supply chain and some aspects related to it.
Podcast Schedule Change And YouTube
SPEAKER_01: But before we do, one thing I want to quickly hit is a little program note out to y'all. I have gone back: basically, I started off with one episode a week, then I went to two episodes a week, and now I'm going back to one episode a week. The reason is that I felt like I was giving you enough content that was great and wonderful, but I was running out of time. So I'm going to go to one episode a week. However, if you need more content, what I'll be putting out will also be available on YouTube. So you can go check out the videos there that may not necessarily make it to the podcast. I'm just trying to change the strategy around a little bit, trying to give a little more time to myself and also put some more quality tech video content out there on YouTube. So the podcast is still gonna be as amazing as always. We're still gonna have that, but we're only gonna go back to once a week versus having it twice a week. Okay, so let's get into what we're gonna talk about today.
Harvest Now Decrypt Later Explained
SPEAKER_01: So now I know what some of you probably are thinking: Shon, quantum is years away. I've got ransomware, phishing campaigns, and a board that won't fund my MFA. So what am I gonna worry about, right? And I totally get you, I do. But here's the thing: the threat isn't entirely in the future; part of it is happening at this moment. And we're gonna talk about one of the things that we're seeing out there, specifically with nation-state countries and how they're handling this. So the question is: harvest now, decrypt later. This is by Maria Ramos Dominguez, in CSO magazine. You can see that on the video, it's right there. Most orgs recognize quantum's looming threat to encryption, but just one in 20 have a strategy in place. Okay, so there's an attack strategy floating around in nation-state actor circles called Harvest Now, Decrypt Later. The concept is simple, really, and honestly, it's terrifying when you think it through. The adversaries that we're largely talking about are well-resourced nation-state actors. China, Israel, the US, France, all big companies, right? Big countries, I should say. They're actively stealing encrypted data today. They're not trying to crack it at this moment, but they're basically banking it. They're storing it. They're waiting for the day when quantum computers are powerful enough to break the encryption that is protecting it. And we've talked about how this is going to be something that we need to concern ourselves about. So think about this for a second. That's classified government communications, financial transactions, healthcare data, all of those things that have been intercepted in transit; they're now being stored in adversary locations, right? There's a big storage location out in the United States, out west, where data is being stored as well. So it's happening everywhere.
And so it's just something to consider. So this is not a future problem. It's obviously a problem for the present. And it's something that is going to end up causing a lot of grief in the future, I firmly believe. So here's where it gets frustrating from a security leadership perspective, and this is what you, as a security person, need to be aware of as you go to your organization. According to the 2025 ISACA survey, only 5% of cybersecurity professionals considered quantum a high-priority threat, even though two-thirds said they were concerned about quantum's ability to eventually break encryption. So this is something that people have just been kicking down the road. I remember being in a meeting with our senior leaders, and this was many years ago, probably back when I first started at Koch Industries. There were senior leaders in the room and they were talking about quantum and how it's gonna be broken. That was something that people have been dealing with. And realistically, I would say it's still a little ways off. However, it's something to consider as you are putting together your enterprise, especially if you're brand new to a CISO role; you're probably gonna be there for a while. At least that's your hope. You need to have good consideration around this. So we have around 66% of people who are worried about it, but only 5% treat it like it's a priority. And that same 5% is also the number of organizations that actually have a defined strategy to prepare for quantum risk. So what does that tell you? Most people aren't prepared, right? They don't have a clue what's going on here. So this is where leadership is a problem. And for those of you that are studying for your CISSP or working as security leaders in your organization, recognizing that gap between awareness and action is exactly the kind of managerial thinking that will separate the good leaders from the not-so-good leaders.
And so that's an important part for you to consider: as a security person within your company, are you getting ahead of it? So, again, it's not something where you need to go, I need to drop what I'm doing at this moment, but it is something for you to put on your list of to-dos that maybe you should start considering, and how you want to deal with it. Now, let me give you some context around the timeline.
How Soon Is Quantum Really
SPEAKER_01: So, because there's a lot of hype on both ends of the spectrum on when is, air quotes, Q Day, quantum day. The idea is the single pivotal moment where quantum computers suddenly shatter all classical crypto overnight. Yeah, right. So European think tanks and security agencies are pushing back on that narrative, and I think that they're right to do so, totally. The reality is that this is going to be a gradual shift, not a single event that's gonna send shock waves across the world. Now, estimates on when cryptography-relevant quantum computers will exist range anywhere from a few months, which I think is extremely optimistic for adversaries, to a decade or more, which I think is probably a little bit on the more conservative side. So the director of Spain's National Cybersecurity Institute put it well: this capability, when it arrives, will likely only be accessible to a small number of entities, major government agencies, given the enormous cost involved. And they're gonna be building the infrastructure in place now. So your China, your US, your Russia maybe, depending upon the situation. So big countries are gonna be the ones that are gonna be dealing with this. So this isn't a threat where the script kiddie is gonna go spin up a quantum computer in their basement. This is a nation-state-level capability, but it still matters enormously, especially if you're in defense, finance, healthcare, or critical infrastructure. And critical infrastructure, I mean, from an adversarial standpoint, I would be targeting that. So that's an important part. If you can go and affect people's lives from a physical standpoint, you know, poisoning their water, or, like I said before, you don't even have to do it. You just have to hint that you can do it. And what has happened? Like the Iranians, for an example, during this Iranian conflict. I'm not disputing that they have the capability.
But there was a lot of hype on they're gonna do this, they're gonna do this. And well, have they done it to this point? They haven't. They might be wanting to keep their powder dry, but they haven't done it yet. So just something to consider in this spot. So the big news on the standards front is that NIST, the National Institute of Standards and Technology, published the first three post-quantum crypto standards in 2024. And we've talked about those on CISSP Cyber Training. These are specifically designed to withstand attacks from quantum computers, and they're being tested and adapted across various technologies at this moment. And one of the things around quantum that the US government's brought up with the NIST standards is the fact that anytime you are looking at some sort of product that you're putting out there, you need to utilize these to ensure that they are quantum safe. Now, there's something called quantum key distribution, or a quantum-based approach to key exchange, that uses properties of quantum physics as a kind of early warning system. So if someone were to intercept the key exchange, the system detects it and the compromised keys will get discarded. It's an interesting technology, but it's currently reserved for those with very specific high-sensitivity scenarios. And I just don't know if it's going to happen, because it does require a significant amount of investment and specialized infrastructure. So for most organizations, the more practical near-term path is PQC, post-quantum cryptography. See, there's a lot of hard words. PQC, that's a great acronym. Post-quantum cryptography. It integrates more easily into existing environments without a full architectural overhaul.
Crypto Agility And Practical Steps
SPEAKER_01: So here's a concept I want you to lock into your cranium: crypto agility. Yeah, that's a big word. So the idea is that organizations should be building systems that can rapidly swap out or combine crypto algorithms when needed. Okay, so it's a redesign, so that way you don't have to redesign your entire architecture. You just basically pull and play, pop and play, right? When I was in the military and we flew airplanes, I was in avionics, and you had the ability to remove and replace different pieces of equipment, and they were just plug-and-play kind of things. So think about it from a risk management perspective. The organizations that are going to weather this quantum transition best aren't necessarily the ones who have perfectly predicted when Q Day arrives. They're the ones that have the ability already built into the organization to adapt quickly when the standards and threat landscape do shift. So here's an example: CaixaBank. I can't spell that, or can't say that. C-A-I-X-A Bank, a major European financial institution, right? So they have a great example of what they've done. Their approach isn't to swap one algorithm for another. They're building a crypto agility model with a target date of 2029, ensuring that they can rotate keys, change crypto models, and adopt new standards quickly in a controlled way. So this is really an important part. So, all right, let's talk about how this applies to you. What's the importance of all of this? So, as a security leader, or looking for your CISSP, this is something you really want to get into. You need to conduct a cryptographic inventory. You need to know what algorithms you're using across your environment. Where is RSA deployed? Where are you using elliptic curve crypto? Your data that requires long-term confidentiality, where is it stored?
So if you don't know the answers to this, this is a really good place for you to start. You need to also assess your data sensitivity timeline. So that's basically the thought process of the article. The harvest now, decrypt later threat is most dangerous for data that needs to stay confidential for the next 10, 15, 20 years. So you're dealing with intellectual property; that may or may not be the right case for you. But when you're dealing with healthcare records, government intelligence, and especially financial transaction history, these are your highest-priority targets. So if you're in those fields, those might be something for you to consider doing this for. Get familiar with the NIST post-quantum standards. Again, these are now published. Your vendors are going to start incorporating them. Actually, they're doing it right now, and you need to know what they are, and you need to start asking your vendors about their PQC roadmap, right? Post-quantum computing roadmap. Now, fourth, you need to build crypto agility into your architecture. When you're evaluating new systems, new vendors, or new infrastructure, it needs to be crypto agile. Okay, so there needs to be a requirement, and it needs to not be an afterthought within your company. And then number five, don't wait for perfect certainty. All right, for organizations handling sensitive long-term information, waiting for absolute certainty means taking a risk that may be unacceptable. And that's exactly the kind of risk framing you need to bring to your leadership and to your board. Okay, so again, this is a quick wrap on the whole harvest now, decipher later, the quantum risk that few are preparing for. So it's a great article. Again, we went a little bit deeper into some different areas that are related to Q Day and PewKC. Why do I call it PewKC? I don't know. It's like pew pew. No, it's not that. It's PQC. Yes, these acronyms are a bugger.
All right, but again, really great article. Lots of great stuff in there. It's chock-full of really good stuff that is detailed for you and your organization, and things you need to be aware of related to post-quantum and that aspect.
Pivot To Supply Chain Risk
SPEAKER_01: Okay, so let's get started on what we're gonna talk about today. We're gonna roll into supply chain risk management concepts, SCRM, and this is all tied to 1.2 of the CISSP exam book, that's ISC2's. So this is the plan. However, before we get into today's topic around domain one, I wanted to quickly do a couple of real quick shout-outs.
CISSP Sprint Cohort Shoutout
SPEAKER_01: One, go check out CISSP Cyber Training and check out my Sprint cohort that's kicking off. July 7th is when the cohort is kicking off. You gotta go check it out. It's awesome. There's a lot of great stuff. I've got early bird pricing that's set up specifically for you before June 27th. So you can get in there and save a hundred bucks on it if you go check it out now. This cohort is an eight-week thing. It's gonna be awesome. If you're truly interested in getting your CISSP done in the next two months and you are a self-study person who does not want to spend $10,000 or more on a boot camp, this is specifically set up for you. It's a great cohort. We're gonna meet weekly. We're gonna get your questions answered. There's a good plan on how you're going to go and study for the exam. However, here's the thing I recommend: if you already have good knowledge of what you need and you have your five years of experience that we talk about at CISSP Cyber Training, there's gonna be a diagnostic exam for you to take at the beginning. It's gonna give you an idea of the places you're strong in, where you've got good understanding, and where your weak areas are. And let's focus on those weak areas. So it's a really great way. It's a cram session. It's designed specifically to get you to the CISSP in eight weeks. Again, I highly recommend it if you are looking to get your CISSP done, knock it out of the park and be done with it. The cohort starts July 7th. July 7th is the first day. Last day for registration is July 6th. Okay, so let's roll into what we're gonna talk about.
SCRM Basics And Why It Exists
SPEAKER_01: Okay, so domain one, applying supply chain risk management (SCRM) concepts. So what is this? We're gonna get into supply chain, foundry, hardware and software manufacturing, all different aspects related to the CISSP and the supply chain. So where did this originate, right? This came from the military standpoint: you need to know where your parts are originating from. Where are they coming from? How are they being mass-produced? Who is dealing with that? And today, with CMMC being such an important part of your cybersecurity maturity model, this is an important part that you must be aware of: how the military, or how your products, are being sourced to you. And NIST had a case study around Boeing and EchoStar, but bottom line is that there is a situation where, if you are having products that are being sent to you, how are they being sourced? Who up the supply chain has access to these systems, and who is going to produce those for your organization? This comes into the situation especially when you're dealing with CMMC and you have multiple vendors. Here in Wichita, Kansas, we have multiple vendors that are trying to get CMMC certified because they want to do things with the defense industry. For that to happen, you have to have a long laundry list of things in place to ensure that you are properly positioned to secure the information that you are being entrusted with. Another thing with supply chain is related to mergers and acquisitions. So you need to understand the culture of the purchased equipment. When the equipment that you're buying comes from this company, where did it come from? How is the equipment brought to you? Are there any sanctions on the equipment that was purchased, like when you have to go buy parts for it in the future? So, as an example, you have a big old generator of some kind that does a certain type of thing.
Generator is probably not the right word because that's very standard, but some piece of equipment that is very, very standard to your needs. And that thing is being sourced out of Pakistan, which isn't a bad thing at this moment. But what you don't know is that the actual equipment is being manufactured in Iran. So now it goes from Iran to Pakistan to you. That's a problem. Depending upon the organization that you're with, many times sourcing that type of equipment can put you in violation of certain regulations that are out there and make you a target for the US government to go, you're not doing what you need to be doing. If you are dealing with CMMC, that would definitely be a red flag related to your supply chain. So you need to understand the culture of where this equipment is coming from, how it is manufactured, and where the sourcing is behind it. Is there sensitivity in your business processes that requires a full understanding of the supply chain? Do you need to know that? Now, again, when I worked at Koch Industries, they were very, very specific on understanding our supply chain. Very specific. We did not buy equipment or services from those entities or countries that were sanctioned by the U.S. government. They were very specific about that. And which is great, it's good, right? But it does limit you in some cases. So you need to understand the supply chain around that. Is that a problem for you and your company if you're buying equipment and it's being sourced from countries that might be sanctioned by the U.S. government? Regulatory requirements. Do you have to purchase in a specific country? Do you have to use a specific vendor? Again, back to these regulatory requirements. You're gonna need to know those, especially if you're trying to get regulatory compliance and certifications from these various regulatory bodies. Okay, supply chain attacks.
Real Supply Chain Attacks Today
SPEAKER_01: So we're just gonna give one example of a supply chain attack, and this one is LiteLLM and Team PCP, which is a threat group, from March of 2026. So Team PCP injected malicious code into two versions of LiteLLM, and this is an AI infrastructure library on PyPI, and it had approximately 3.4 million downloads a day. Now, what they did was they poisoned the package versions published through legitimate channels. And we've talked about this in recent podcasts, about that specifically, and the code would auto-execute on install. Now, it would target high-value secrets such as your AWS, GCP, and Azure tokens, right? So trying to steal the credentials, SSH keys, and Kubernetes credentials as well. And the goal was, as we just mentioned, credential harvesting and lateral movement within your organization. So this malicious version lived for only approximately three hours before it was quarantined, but because of that, they also hit Trivy, KICS, and Tel NICs in the same month. So the bottom line is that they are targeting your environment, specifically related to, in this case, the overall supply chain aspects of it. So implicit trust in open source packages is a critical attack surface. And we talked about this, I think, last week or the week before. You really truly need to tighten down, especially any sort of GitHub repositories, because they are going after this. Whether it's npm or PyPI or a GitHub repository of some other kind, they are specifically going after those. So you need to rotate the credentials, you need to understand where they're at, and you need to be able to minimize the amount of activity or access to those systems. Now, another comment was that around 66% of the reported attacks were focused on suppliers' code. Again, we've mentioned this in the past. It's a huge factor with all these folks. They're going after their code bases.
So you need to really truly understand what your code is out there and how it is being validated. ENISA, the European Security Agency, basically said: identify and document suppliers and service providers, define risk criteria for different types of suppliers and services, and then monitor your supply chain risks and threats. You need to manage suppliers over the whole lifecycle of the product and their service, and you need to classify assets and information shared with or accessible to suppliers. Bottom line is you need to have a good plan on how you're going to manage these different dependencies that you have, and document all of this within your organization. So, more recommendations from ENISA: again, ensure the security infrastructure for development, design, develop, manufacture, and deliver follows the cybersecurity best practices that you currently have. You need to implement development practices with cybersecurity best practices. And that's a big factor right there. One I'll be willing to stress is your development practices. Most developers, they're getting much better, I'm gonna caveat that, but they don't truly understand the cybersecurity best practices behind this. And so you as a security professional are gonna need to make sure that they understand that. You're gonna need to communicate that with them. You need to monitor vulnerabilities reported by internal or external sources, and then maintain an inventory of assets, including patch-relevant information. Now, we talked about the SolarWinds attack. This is one of the largest and most sophisticated attacks the world has seen at this time. And there's many, I should say, wannabe-type SolarWinds attacks that have come up. But it took up to a thousand engineers to pull this thing off, and it had a backdoor installed that allowed access into numerous U.S. cybersecurity firms and federal agencies. And again, it was a huge supply chain risk that was out there.
And that's a part of the SolarWinds attack you've heard about over and over again. So again, supply chain attacks, I can't stress it enough, they are a big factor in any organization. So what are some ramifications of supply chain attacks and how they affect your company? Businesses can lose the ability to produce products, right? So your products are being manufactured upstream, or whatever you've created is going downstream, and they don't have the ability to manufacture products, and therefore what ends up occurring is you're not making revenue. It impedes government or businesses in all aspects of their functions, and it potentially can cause kinetic-type events, such as a military conflict, if they were to occur. So again, you hack somebody's power station. The bad guys or girls do that to the good people, whoever those people are, and they end up hacking a power station, taking down a water treatment facility. All these things can affect people, which then in turn could cause different types of situations within a war. It could cause kinetic-type activities. So again, supply chain attacks are such an important part of our organization, of any country's ability to protect itself and to defend itself.
NIST CSCRM Framework In Practice
SPEAKER_01: Cyber supply chain risk management. So this is CSCRM. When you're dealing with supply chain, information and operational technology rely on complex, globally distributed supply chains. They have to happen. So if you are in the OT space, you have a very complex supply chain. Working in the OT space for many years, my supply chain was massive. It was. It was all over the globe, and trying to deal with that was extremely challenging. And today, with all the electronic and technological aspects that are being incorporated within the OT space and the IT space, but specifically in the OT space, it's a huge risk that you have to manage. It provides highly refined, cost-effective, and reusable solutions. And then there's compromise of various entities, technologies, laws, policies, and procedures, etc. So CSCRM is the process of identifying, assessing, and mitigating risks associated with IT environments and OT specifically. So the NIST CSCRM approach has the following key pieces to it. You have foundational practices. This is where you develop policies, standards, and guidelines to protect the supply resources. This should go without saying that you are working hard to develop these policies, standards, and guidelines for that. There are enterprise-wide processes: enterprise activity involving individual tiers, organizations, missions, business processes; all these things are enterprise-wide. It needs to be incorporated and baked into your overall process. There needs to be a risk management process. This is the implemented part of the overall risk management product, the management activities and the supply chains. And these will all vary from industry to industry. So the risk: you need to have a proper understanding of the risk associated with the processes and the decisions to deliver cyber products. You need to understand the threats and vulnerabilities.
This is where you have a comprehensive view of threats and vulnerabilities, either adversarial or non-adversarial. So adversarial equals, obviously, tampering and counterfeits; non-adversarial would be poor quality, natural disasters, and so forth. So you need to understand that from a risk management standpoint. What are the risks, and what are the threats and vulnerabilities to your systems? Once you determine which are the critical systems, then you need to develop a cost-effective program to focus on the most vulnerable, or which can cause the largest organizational impact if compromised. So again, you gotta really build all this together. These are some big key steps that are super helpful for your organization, but you just need to have a good plan on how you're gonna manage them.
Third Party Assessments That Matter
SPEAKER_01: Now, third-party evaluations and assessments. You need to do an assessment of these third parties that are in your vendor and third-party environment. And if you go to CISSP Cyber Training or check out some of the videos that I have on YouTube, I actually have one specifically around third-party evaluations and assessments. So your assessment: you need to have a type of assessment. You need to have on-site versus phone or video conferencing. So are you gonna do those in person, or are you gonna actually do them through video conferencing? COVID made a lot of things get done through video conferencing. However, there are times when you may need an on-site group that's gonna actually have to talk to people face to face, because you do lose some of that if you're doing video interviews. Detailed questions around the security of the system: they need to ask very specific, detailed questions around that. They need to do a document review and understand how the data is transferred between organizations. Is it protected? And if so, how is it best protected? And then you need to dig deep into this. Dig deep, as much as you can, to understand the documents that are associated with it. I will tell you this, though. So often these documents are an afterthought. They're not the primary thing. So you're gonna need to understand their documentation. And if there are gaps in that, you need to highlight those gaps to that company that you're working with. Processes and policy review: copies of their security policies, processes, and procedures, and you need to ask questions on how they utilize their policies and procedures. Are they just a checkbox? Yep, I have them. Or do they actually utilize their policies and procedures? And then you need to audit this. Consider an external party to conduct an audit, or at a minimum, you go on site and you do the audit yourself.
Security frameworks focused on an audit are a good thing to use as a reference point when you're looking at third parties and the evaluations behind them. So again, third party evaluations are an important part. Think about that. If you are the security professional in your company and you have some level of supply chain, you're gonna need to do an assessment of them at some point.
Contracts And Minimum Supply Requirements
SPEAKER_01: Minimum security requirements for supply chains. You're gonna need to understand what is the minimum that you are gonna set up within your organization. So this is similar to what's used within any organization. You should have cyber requirements in your contracts. You should have service level agreements with contracts specifically for supply chain. You need to make sure that they are connected, they understand the legal ramifications, and they have a plan in place. In the past, it used to be just kind of nonchalant and not really considered. But in today's world, you need to make sure your cyber people are connected with your legal and contract people. I had a very strong relationship with my legal team, especially the legal team that dealt with contracts. Very focused on how they wrote contracts, and I was also part of many of the contract discussions, especially as it related to our data and/or technological aspects within our company. So, again, inventory of authorized and unauthorized devices, inventory of authorized or unauthorized software; you need to have all of those things in place. Okay, that's just an important kind of baseline you need to consider. The US Resilience Project from NIST, this is where the best practices in cyber supply chain risk management are, and you need to really be aware of the different aspects, and the supply chain is a target for many, many companies in today's world. So, again, back to what I talked about earlier with the LLMs: you've got Boeing and Exostar, you've got SolarWinds; with many of these different companies there are all kinds of third-party and supply chain risks that many companies are dealing with on a routine basis.
Wrap Up And Next Steps
SPEAKER_01: Okay, so that's all I've got for you today. Super excited about that. Head on over to CISSP Cyber Training. Hey, again, the cohort, eight weeks to get your CISSP, go check it out. You're gonna be happy if you do. Guaranteed. There's actually a link on the webpage at CISSP Cyber Training. You can sign up for it right now. Early bird pricing is now available until June 27th. After that, it goes up $100. It's then gonna be $597 for the eight-week boot camp. But let's be honest. Come on, guys. An eight-week boot camp for five to six hundred dollars, you're gonna get eight weeks to study hard for your CISSP, or you can go to a highly expensive boot camp and spend ten thousand dollars, or you can study yourself and say, you know what, I can figure this out, and that's fine too. Whatever works, I've got that available for you. But go check it out at CISSP Cyber Training. I guarantee you will be happy doing this, no question about it. All right, thank you so, so much for joining me today, and I hope you have a wonderfully blessed day, and we will catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.