
About this book

Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital businesses, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team.

Misalignment between security and your business can start at the top at the C-suite or happen at the line of business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this.

Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to: risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges.

This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included.

What You Will Learn

Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy

Develop a consistent accountability model, information risk taxonomy, and risk management framework

Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend

Tailor a control baseline to your organization’s maturity level, regulatory requirements, scale, circumstances, and critical assets

Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more

Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities

Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response and to recover from outages and come back stronger

Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan

Who This Book Is For

Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business

Table of Contents

Frontmatter

Open Access

Chapter 1. Executive Overview

Abstract
To even begin to achieve the promise of cybersecurity, security and business leaders must align to rationalize cybersecurity. They must go beyond the myths – such as the one that cybersecurity is just a technical problem – that still mislead many in the market.
Dan Blum


Chapter 2. Identify and Align Security-Related Roles

Abstract
Most technical security controls, or processes, do little without people in control. Firewalls require administrators to install and configure them. Access request systems need managers to review who should have access to the target application or database. Secure software coding depends almost entirely on the coders learning the right practices and using testing or scanning tools. Everyone in the business has some part to play. Therefore, this chapter introduces some core concepts that Chapters 3 and 4 will build on to describe how businesses can improve security governance and security culture.
Dan Blum


Chapter 3. Put the Right Security Governance Model in Place

Abstract
The security-related roles discussed in Chapter 2 must be enacted in security governance and established in security policy. Security governance is a set of processes and capabilities operated jointly by security and business leaders to establish and oversee appropriate operation of the security program. Through security governance, the combined leadership can manage cybersecurity risk, security policy, resource allocation, and reporting to executives and stakeholders.
Dan Blum


Chapter 4. Strengthen Security Culture Through Communications and Awareness Programs

Abstract
Human error or misconduct of one kind or another must be either the direct cause or an enabling factor behind almost every security breach or outage. Whether it is the user clicking a phishing link, an operator accidentally deleting the corporate directory, a manager approving excessive privileges, a receptionist letting a thief or spy into the building, or an incident responder hitting the snooze button on the wrong malware alarm, the examples are legion.
Dan Blum


Chapter 5. Manage Risk in the Language of Business

Abstract
Amid complex business, technology, regulatory, and threat landscapes, risk management is a complicated discipline. Businesses need an organizing framework. In this chapter, I’ll use the ISO 31000 Risk Management model – which enjoys broad industry consensus – as our organizing framework. I’ll walk through each element of the framework while providing guidance for security leaders on how to align with diverse business stakeholders on building or improving risk management processes.
Dan Blum


Chapter 6. Establish a Control Baseline

Abstract
All security programs depend on having some basic controls, called a control baseline, in place. After all, one would not deem a house or an office “secure” without locks on the doors to control entry.
Dan Blum


Chapter 7. Simplify and Rationalize IT and Security

Abstract
What you cannot manage, you cannot secure, and a control baseline can’t be fully or efficiently implemented across a chaotic IT environment. Although CISOs, or other security leaders, don’t own the IT strategy, they have an interest in making it as simple and well defined as possible.
Dan Blum


Chapter 8. Control Access with Minimal Drag on the Business

Abstract
Access control is required for most IT assets, and many of the access rules must be managed by nontechnical business users. The work of managing access controls (“access governance”) involves both identity and access management (IAM) and data protection disciplines such as information classification and data governance.
Dan Blum


Chapter 9. Institute Resilience Through Detection, Response, and Recovery

Abstract
Cyber-resilience is the ability to withstand and recover from inevitable risks materializing. Businesses should become more resilient by identifying their critical assets, top risk scenarios, and basic contingency plans. Starting with the standardization of logging formats, processes, and collection methods, businesses can build up the ability to detect suspicious or anomalous security events across all their IT environments. They can coordinate detection with third parties such as their vendors and service providers. Organizations with high levels of threat actor interest should also consider developing proactive threat hunting capabilities and building up 24x7 security operations center (SOC) coverage.
Dan Blum


Chapter 10. Create Your Rational Cybersecurity Success Plan

Abstract
This has been Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment. I’ve made this guidance as detailed and specific as possible because all too often, we get only platitudes or generalizations on the topic. We can’t afford that anymore. Misalignment between security and the business has a corrosive effect on any security effort it touches. And as organizations transform into digital businesses, they fall under increasing IT-related risk and regulation. Aligning security to business leaders and business processes is exponentially more important now.
Dan Blum

Backmatter
