Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital businesses, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team.
Misalignment between security and your business can start at the top, in the C-suite, or arise at the line-of-business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this.
Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges.
This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included.
What You Will Learn
- Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy
- Develop a consistent accountability model, information risk taxonomy, and risk management framework
- Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend
- Tailor a control baseline to your organization’s maturity level, regulatory requirements, scale, circumstances, and critical assets
- Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more
- Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities
- Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response, recover from outages, and come back stronger
- Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan
Who This Book Is For
Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business
Conditions of Use
This book is licensed under a Creative Commons License (CC BY). You can download the ebook Rational Cybersecurity for Business for free.
- Title: Rational Cybersecurity for Business
- Subtitle: The Security Leaders' Guide to Business Alignment
- Publisher: Apress
- Author(s): Dan Blum
- Published: 2020-08-13
- Edition: 1
- Format: eBook (pdf, epub, mobi)
- Pages: 359
- Language: English
- ISBN-10: 1484259513
- ISBN-13: 9781484259528
- License: CC BY
- Book Homepage: Free eBook, Errata, Code, Solutions, etc.
Table of Contents
- About the Author
- About the Technical Reviewers
- Acknowledgments
- Introduction
- Chapter 1: Executive Overview
  - 1.1 Understand the Rational Cybersecurity Context
    - 1.1.1 Risk and the Digital Business
    - 1.1.2 Compliance and the Duty to Protect
    - 1.1.3 Taking Accountability for Risk
    - 1.1.4 Aligning on Risk
  - 1.2 Start the Rational Cybersecurity Journey
    - 1.2.1 Define Rational Cybersecurity for Your Business
    - 1.2.2 Gain Executive Support and Risk Ownership
    - 1.2.3 Align Stakeholders on the Security Program
  - 1.3 Set the Rational Cybersecurity Priorities
    - 1.3.1 Develop and Govern a Healthy Security Culture
    - 1.3.2 Manage Risk in the Language of Business
    - 1.3.3 Establish a Control Baseline
    - 1.3.4 Simplify and Rationalize IT and Security
    - 1.3.5 Control Access with Minimal Drag on the Business
    - 1.3.6 Institute Resilient Detection, Response, and Recovery
  - 1.4 Scale Security Programs to Your Organization Type
    - 1.4.1 Size of the Organization
    - 1.4.2 Complexity of the IT Infrastructure
    - 1.4.3 Security Pressure
    - 1.4.4 National and Industry Origins
    - 1.4.5 Maturity
  - 1.5 Call to Action
- Chapter 2: Identify and Align Security-Related Roles
  - 2.1 Recognize the People Pillars of Cybersecurity Defense
  - 2.2 Understand Business and Security-Related Roles
    - 2.2.1 Board-Level Oversight
    - 2.2.2 Chief Executive Officers (CEOs)
    - 2.2.3 Head of Security or CISO
    - 2.2.4 Other Chief Executives (CXOs)
    - 2.2.5 Audit, Compliance, and Other Security-Related Functions
    - 2.2.6 Corporate Administration
    - 2.2.7 Line of Business (LOB) Executives
  - 2.3 Address Common Challenges
    - 2.3.1 Working at Cross-Purposes
    - 2.3.2 Cybersecurity Not Considered Strategic
    - 2.3.3 Poor Coordination Between Security-Related Functions
    - 2.3.4 Security Leaders Struggle with Stress and Overwhelm
    - 2.3.5 Frustrated and Under-Resourced Security Teams
    - 2.3.6 Crisis Conditions
    - 2.3.7 Bottom Line
  - 2.4 Hire, Motivate, and Retain Key Security Staff
  - 2.5 Make Engaging the Business the First Order of Business
  - 2.6 Clarify Security-Related Business Roles
  - 2.7 Earn Trust and Cooperation from Users
  - 2.8 Call to Action
- Chapter 3: Put the Right Security Governance Model in Place
  - 3.1 Address Common Challenges
    - 3.1.1 Security Governance Model Not Aligned with Organizational Structure or Culture
    - 3.1.2 Lack of Security Governance Maturity
    - 3.1.3 Security Leadership Disengaged from Business Units
    - 3.1.4 Perverse Incentives
  - 3.2 Understand Security Governance Functions
  - 3.3 Understand and Apply the Optimal Security Governance Model
    - 3.3.1 Centralized Models
    - 3.3.2 Decentralized Models
    - 3.3.3 Trade-offs
    - 3.3.4 Matrix Models
  - 3.4 Reset (or Define) Security Governance
    - 3.4.1 Choose the Appropriate Security Governance Model
    - 3.4.2 Charter the Security Organization
    - 3.4.3 Specify CISO Reporting
  - 3.5 Institute Cross-Functional Coordination Mechanisms
    - 3.5.1 Cross-Functional Security Coordination Function or Steering Committee
    - 3.5.2 Risk Management Forums
    - 3.5.3 Interaction with IT Projects and Other Security Processes
  - 3.6 Manage Security Policy Libraries, Lifecycles, and Adoption
    - 3.6.1 Types of Policy Documents
  - 3.7 Budget in Alignment with Risk and the Governance Model
  - 3.8 Call to Action
- Chapter 4: Strengthen Security Culture Through Communications and Awareness Programs
  - 4.1 Address Common Challenges
    - 4.1.1 Business Executives Not Engaged at the Strategic Level
    - 4.1.2 Business Units at Odds with IT and Security
    - 4.1.3 Hard to Change Culture
    - 4.1.4 Ineffective Security Communication Styles
    - 4.1.5 Measuring Culture Is a Soft Science
  - 4.2 Understand Security Culture and Awareness Concepts
    - 4.2.1 Your Greatest Vulnerability?
    - 4.2.2 Or Your Best Opportunity?
    - 4.2.3 Attributes of Security Culture
    - 4.2.4 Security Culture Styles
  - 4.3 Make Enhancing Communication a Top Security Team Priority
  - 4.4 Use Awareness Programs to Improve Behaviors and Security Culture
    - 4.4.1 Promote More Secure Behavior
    - 4.4.2 Target Awareness Campaigns and Training Initiatives
      - 4.4.2.1 Special Considerations for Work at Home, or Bring Your Own Device (BYOD) Programs
    - 4.4.3 Coordinate Awareness Messaging with Managers and Key Influencers in Target Audiences
  - 4.5 Commit to Improving Security Culture
  - 4.6 Measure and Improve
    - 4.6.1 Measure Your Ability to Improve Security-Related Communications
    - 4.6.2 Measure the Effectiveness of Security Awareness Programs
    - 4.6.3 Measure Security Culture Comprehensively
  - 4.7 Call to Action
- Chapter 5: Manage Risk in the Language of Business
  - 5.1 Address Common Challenges
    - 5.1.1 Lack of Consistent Information Risk Terminology and Alignment with Other Enterprise Risk Domains
    - 5.1.2 Unrealistic Expectations and Ineffective Analysis Methods
    - 5.1.3 Myopic Focus on Control Assessment While Ignoring Other Risk Treatment Options
    - 5.1.4 Analysis Paralysis and Uncertainty About Where to Start
  - 5.2 Understand and Employ Risk Management Framework Standards
    - 5.2.1 ISO 31000 Risk Management
    - 5.2.2 Open Factor Analysis of Information Risk (FAIR)
    - 5.2.3 Tiered Risk Assessment Process
  - 5.3 Establish the Context for the Risk Program
    - 5.3.1 Prepare Analysis of Business Risk Context
    - 5.3.2 Outline a Proposed Risk Framework
    - 5.3.3 Obtain Top-Level Sponsorship
    - 5.3.4 Socialize Risk Framework for Broad Stakeholder Buy-in
    - 5.3.5 Define Accountabilities, Risk Appetites, and Risk Processes
  - 5.4 Implement Tiered Risk Assessment
    - 5.4.1 Use a Tiered Risk Assessment Process
    - 5.4.2 Implement Asset Risk Profiling
    - 5.4.3 Identify Issues That Could Bubble Up to Risk Scenarios
    - 5.4.4 Use a Lightweight Method to Triage Risk Scenarios
    - 5.4.5 Develop Risk Scenario Evaluation Processes
    - 5.4.6 Perform Enterprise Risk Assessments to Identify Top Risk Scenarios
  - 5.5 Treat Risks Holistically
    - 5.5.1 Formalize Risk Acceptance and Risk Exception Processes
    - 5.5.2 Educate the Business on Risks to Avoid
    - 5.5.3 Share Responsibility, Outsource, or Obtain Insurance to Transfer Risk
    - 5.5.4 Evaluate Business Changes and Controls for Risk Mitigation
  - 5.6 Monitor Issues and Risks Continuously
  - 5.7 Communicate Risk to Stakeholders Effectively
    - 5.7.1 Business Staff and Associates
    - 5.7.2 Explaining Risk to Business Risk Owners
    - 5.7.3 Board Communication
  - 5.8 Call to Action
- Chapter 6: Establish a Control Baseline
  - 6.1 Understand Control Baselines and Control Frameworks
  - 6.2 Address Common Challenges
    - 6.2.1 Too Many Controls?
    - 6.2.2 Difficulty Risk Informing Controls
    - 6.2.3 Controls Without a Unifying Architecture
    - 6.2.4 Lack of Structure for Sharing Responsibility with Third Parties
    - 6.2.5 Controls Out of Line with Business Culture
  - 6.3 Select a Control Baseline from the Essential Control Domains
    - 6.3.1 Serve Up a Balanced Diet of Controls
    - 6.3.2 Identify All Aspects of Situational Awareness
    - 6.3.3 Protect Information Systems and Assets
    - 6.3.4 Win the Race to Detect
    - 6.3.5 Respond Effectively and Appropriately
    - 6.3.6 Recover from Outages or Breaches
  - 6.4 Develop Architectural Models and Plans for Control Implementation
    - 6.4.1 Maintain Assessments, Target Architectures, and Implementation Road Maps
    - 6.4.2 Use a Two or Three Lines of Defense Model for Control Assurance
    - 6.4.3 Apply a Shared Responsibility Model to the Control Baseline
    - 6.4.4 Tune Controls to Security and Business Needs
  - 6.5 Scale and Align the Control Baseline
    - 6.5.1 Scale to Business Size, Type, and Industry
    - 6.5.2 Align Control Deployment and Business Functions
  - 6.6 Call to Action
- Chapter 7: Simplify and Rationalize IT and Security
  - 7.1 Address Common Challenges
    - 7.1.1 IT Out of Alignment with Digital Business Initiatives
    - 7.1.2 Complexity as the Enemy of Security
    - 7.1.3 New DevOps or Agile Models Fielded Without Security Provisions
  - 7.2 Help Develop a Strategy to Consolidate and Simplify IT
    - 7.2.1 Understand How to Reduce Macro-Complexity by Consolidating or Rationalizing Enterprise Applications
    - 7.2.2 Understand How to Consolidate Core Infrastructure and Security Platforms
      - Infrastructure Platform Background
      - Security in the IT Strategy for Infrastructure Platforms
    - 7.2.3 Understand How to Simplify Micro-Complexity by Adopting Consistent Management Practices for the IT Environment
    - 7.2.4 Discern the IT Strategy and Align the Security Road Map to It
    - 7.2.5 Take Opportunities to Position Security as a Coordinating Function
  - 7.3 Learn from Digital Initiatives
  - 7.4 Provide Security for a Governed Multicloud Environment
    - 7.4.1 Identify the Risk of Shadow IT
    - 7.4.2 Align with the Evolution from IT-as-Provider to IT-as-Broker
    - 7.4.3 Manage Cloud Risk Through the Third-Party Management Program
    - 7.4.4 Collaborate with IT on Operationalizing Shared Security Responsibilities
    - 7.4.5 Include Security Services in the IT Service Catalog
  - 7.5 Upgrade IT Operations with DevSecOps and Disciplined Agile
    - 7.5.1 Use Risk-Informed DevSecOps Practices
      - Cover the Full Software Development Life Cycle (SDLC) Process
    - 7.5.2 Embrace the Disciplined Agile Approach
  - 7.6 Call to Action
- Chapter 8: Control Access with Minimal Drag on the Business
  - 8.1 Understand Access Control and Data Governance Models
  - 8.2 Address Common Challenges
    - 8.2.1 Immature Data Governance and Access Management Processes
    - 8.2.2 Outdated IAM Deployments Meet Generational Challenges with Cloud, Privacy Rights, and Forced Digitalization
    - 8.2.3 The Red-Headed Stepchild IAM Team
  - 8.3 Build Up IAM Control Baseline Capabilities
  - 8.4 Balance Access Control and Accountability
  - 8.5 Modernize IAM to Enable Digital Business
    - 8.5.1 Manage Digital Relationships
    - 8.5.2 Take a Proactive Approach on Privacy
    - 8.5.3 Enhance Identity Interoperability and Agility
  - 8.6 Monitor Identity-Related Events and Context
  - 8.7 Build Up Identity, Privilege, and Data Governance Services
    - 8.7.1 Understand Identity Governance and Administration (IGA) Requirements
    - 8.7.2 Understand Privileged Account Management (PAM) and Just-in-Time (JIT) PAM Requirements
    - 8.7.3 Develop a Hybrid IGA and PAM Architecture
    - 8.7.4 Model Roles and Business Rules to Drive IGA
    - 8.7.5 Risk-Inform Access Management Functions
      - Implement Advanced Data Governance and IGA When Required
  - 8.8 Implement IAM and Data Governance in a Cross-Functional Manner
  - 8.9 Call to Action
- Chapter 9: Institute Resilience Through Detection, Response, and Recovery
  - 9.1 Understand Cyber-Resilience Requirements
  - 9.2 Address Common Resilience Challenges
    - 9.2.1 Business Unpreparedness for Incident Response and Recovery
    - 9.2.2 Lengthy Cyberattacker Dwell Time
    - 9.2.3 Lack of Visibility or Access to All IT Systems
    - 9.2.4 Difficulty Hiring and Retaining Skilled Staff
  - 9.3 Identify Critical Business Assets, Risk Scenarios, and Contingency Plans
    - 9.3.1 Perform Business Impact Analysis (BIA)
    - 9.3.2 Analyze Top Risk Scenarios
    - 9.3.3 Develop Contingency Plans and Cybersecurity Strategy for Resilience
      - 9.3.3.1 Plan for Unexpected Incidents
    - 9.3.4 Develop Business Continuity and Disaster Recovery Plans
  - 9.4 Detect Cybersecurity Events Consistently and Promptly
    - 9.4.1 Monitor Event Logs, Alerts, and Reports
      - 9.4.1.1 Collect Data for Investigations, Retain It for Compliance and Evidentiary Purposes
      - 9.4.1.2 Use Context to Enrich Events
      - 9.4.1.3 Automate Monitoring Tools, Processes, and Use Cases
      - 9.4.1.4 Use Human Review to Supplement Automated Systems
    - 9.4.2 Investigate and Triage Real-Time Alerts and Issues Found in Logs
    - 9.4.3 Modernize and Scale Detection for Distributed Infrastructure
    - 9.4.4 Hunt for Threats Proactively
    - 9.4.5 Coordinate Detection with Users, Business Stakeholders, and External Parties
      - 9.4.5.1 Engage Human Users as Sensors
      - 9.4.5.2 Develop Collaborative Processes with Business Functions
      - 9.4.5.3 Integrate Workflows and Notification Processes with Contracted Detection Services
      - 9.4.5.4 Obtain and Share Threat Intelligence from Security Information Sharing Bodies
  - 9.5 Respond to Incidents
    - 9.5.1 Plan for Incident Response
    - 9.5.2 Establish the IR Program
    - 9.5.3 Evolve the IR Program for Cyber-Resilience
  - 9.6 Recover from Incidents Caused by Cyberattacks and Operational Outages
    - 9.6.1 Activate Business Continuity and Disaster Recovery Plans
  - 9.7 Call to Action
- Chapter 10: Create Your Rational Cybersecurity Success Plan
  - 10.1 Scope Out Your Priority Focus Areas
  - 10.2 Identify Stakeholders
  - 10.3 Make a Quick Assessment of Current State
  - 10.4 Identify Improvement Objectives
    - 10.4.1 Develop and Govern a Healthy Security Culture
    - 10.4.2 Manage Risk in the Language of Business
    - 10.4.3 Establish a Control Baseline
    - 10.4.4 Simplify and Rationalize IT and Security
    - 10.4.5 Control Access with Minimal Drag on the Business
    - 10.4.6 Institute Resilient Detection, Response, and Recovery
  - 10.5 Specify Metrics
  - 10.6 Track Progress
  - 10.7 This Is Not the End
  - 10.8 This Is the Beginning of an Open Information Flow
- Glossary of Terms and Acronyms
  - Security Concepts
  - Tools and Technical Capabilities
  - Governance or Process Capabilities
- Index