The Cybersecurity Canon - Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

“Our freedom, our individual liberties, our economic independence, and our national security are
inextricably intertwined with the strength and security of our computer and cloud networks.” (Preface, p. VII)

This is the new reality we face in today’s cyber world. How do we protect our most critical cyber assets? What steps are necessary within companies and between organizations? Those are the questions Paul Ferrillo and Christophe Veltsos answer in their book, Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives.

This book is a must-read for any manager, director, or executive responsible for keeping their organization’s systems and data safe. The ten chapters that make up the meat of the book provide brief explanations as well as goals for anyone responsible and accountable for security. Chapters cover a wide range of cyber topics, such as federal regulations, cybersecurity oversight and governance, cybersecurity insurance, cyber risk management and reporting, the NIST Cybersecurity Framework, spear phishing, incident response, artificial intelligence and machine learning, and cloud computing.

The real value of this book is in asking the right questions rather than pretending to have all of the answers. Along with critical questions are vignettes direct from security leaders, allowing readers to learn from their experiences. While this book is meant for executives, it’s a good reference for all cybersecurity professionals to understand why and how to Take Back Control of Your Cybersecurity Now.

Review

Introduction

Executives today are under fire. There is constant news of cyber breaches and more regulations to keep them up at night. Many lack the background on the strategies, tactics, and technologies required to adequately protect their organization’s crown jewels. The ever-changing cybersecurity technology is also daunting. That’s the niche filled by Take Back Control of Your Cybersecurity Now. The authors, Paul Ferrillo and Dr. Christophe Veltsos, provide not only timely answers but also the questions executives need to ask to help guide their companies through the cybersecurity storm. The subtitle, Game Changing Concepts on AI and Cyber Governance Solutions for Executives describes new technologies affecting our world and how executives can leverage them for not only security but also efficiency.

Both Paul and Chris have a long history with information security. Paul is legal counsel in Weil, Gotshal & Manges’s Litigation Department and Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance and risk management issues. Chris – aka DrInfoSec™ – is both a university faculty member and an InfoSec practitioner. Both authors are passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people.

Many in management don’t have time to read tomes. Take Back Control provides short, targeted messages with action items throughout that are easy for anyone to follow. It’s not a book that has to be read from start to finish, but can be used as a reference whenever you hit a cybersecurity snag. You get the mission-critical information up front, followed by the tools and critical questions to help you improve your cybersecurity posture.

Take Back Control is actually the second edition of the book. The first, titled Navigating the Cybersecurity Storm: A Guide for Directors and Officers was written for a similar purpose: to guide decision-makers through the swampy cybersecurity waters. The second edition provides insights on technological innovations that are now prevalent on the security battlefield, such as cybersecurity automation, orchestration, machine learning, deep learning, and artificial intelligence. Paul and Chris collaborated on updating and adding content to ensure the book continues as a primary resource for decision-makers.

Time to Take Back Control of Your Cybersecurity

The preface and first chapter offer a reality check about today’s perilous cybersecurity environment. Each provides background to the book’s purpose, why executives need to care about their organization’s cybersecurity posture, and tools for getting it done, together. Paul and Chris balance the bad news with the good. There are many tools available to fight the battle. Many are simply a change in culture, policy, and practice. For most, ignorance and complacency are the enemy, and collaboration is king. “Cybersecurity is the ultimate team sport. We are all in this fight together. It is time to act, and there is no better time than right now.”

For those who are new to cybersecurity, this book also shows why you need to care. Chapter 1 contains an explanation of threat actors who want to disrupt your business. It is important for readers to be aware of the new reality of cyberthreat actors and their threat vectors for attack. The authors provide many examples here to prove, “it’s not if, but when.”

Each chapter starts with a purpose with a corresponding three to five takeaways. There are stories in each chapter than explain “why” and “how” to accomplish the goals. The authors provide many references throughout where you can learn more on the particular chapter’s topic. The extensive reference lists at the end of each chapter demonstrate the level of detail they went through to vet the concepts and provide significant value.

How to Do It

The ten chapters that make up the meat of the book (Chapters 2 through 11) deliver insights for managing security and technology for anyone responsible and accountable for security. Chapters cover a wide range of cyber topics, such as: federal regulations, cybersecurity oversight and governance, cybersecurity insurance, cyber risk management and reporting, the NIST Cybersecurity Framework, spear phishing, incident response, artificial intelligence and machine learning, and cloud computing. They provide hope for all organizations, no matter the size, structure, or function, waking up to the realization that cybersecurity isn’t an issue that should be relegated to the IT department.

Below is a brief overview of each chapter to show how you can take back control of your cybersecurity:

• Chapter 2 delivers an overview of the ever-changing scene of federal regulations and oversight regarding cyber issues. Let’s be honest, compliance is often a driver for a business’s cybersecurity initiatives. Cybersecurity is a board-level responsibility, and management at all levels needs to be aware of the rules governing it. This chapter is country-specific in focusing only on U.S. government regulations. I would like to see this broadened to include other, prominent laws and standards driving cybersecurity compliance.

• Chapter 3 covers the benefits of leveraging security and risk frameworks, such as the National Institute for Standards and Technology (NIST) Cybersecurity Framework (“CSF”) and ISO 27001. The point is to emphasize the importance of an organization adopting an organized start for information security management based upon its own particular risk profile. For the many organizations still in the process of standards adoption, this is a good summary of the framework’s implementation tiers and key attributes.

• Chapter 4 touches on the human side of security, since humans are always the weakest security link while driving all aspects of the business. Another driver for many organizations is the threat of fraud through human vulnerabilities. This chapter provides a synopsis of common social threat vectors, along with simple prevention and detection methods.

• Chapter 5 explains the process for responding to incidents. Security failure is inevitable. It’s crucial that executives follow the Boy Scout motto of “Be Prepared,” have an Incident Response Plan (IRP) in place, and learn from your own and others’ mistakes. This chapter describes the most important elements of a cyber IRP through ownership, preparation, testing, containment, remediation and recovery. If your organization doesn’t have an IRP or hasn’t tested it, then this chapter is for you.

• Chapter 6 is the chapter you’ve been waiting for: The Future of Cybersecurity. It introduces new and promising developments in artificial intelligence and machine learning capabilities to sift through the prominent problems of “big data” plaguing all institutions. That data is a treasure trove not only for business intelligence but also for detecting threats as, if not before, they occur.

• Chapter 7 reminds top leadership of its fiduciary duties regarding cybersecurity. It reminds us that it’s all about the money. While financials are glossed over by many cybersecurity pundits, the authors explain how cybersecurity is an economics problem that needs to be included in the business plan.

• Chapter 8 covers the benefits of cyber risk insurance, a burgeoning field plagued with many landmines, especially when it comes to paying claims for data breaches. This is another chapter that really only applies to an organization’s executive decision-makers. For the rest of us, it’s a good reference when needed.

• Chapter 9 outlines how top leadership’s involvement in cybersecurity governance activities benefits the entire organization. Executives and board members can try to hide from cyber risk at their own peril. They need to provide clear direction on how to manage the cyber infrastructure: that is, through organizational governance and risk management. This chapter provides a cybersecurity governance primer and risk cycle that can be used by any organization to stay off of the firing line.

• Chapter 10 presents tough questions that executives need to ask. They form the basis for critical conversations regarding not only cybersecurity but also the business’ resiliency. If you read only one chapter of the book, it should be this one. Cybersecurity leadership is not about always having the answers but asking the right questions that drive action. These questions apply to everyone seeking to understand the nature of cyberthreats and how to avoid them.

• Chapter 11 explains the many benefits of cloud computing for all organizations. Outsourcing to cloud service providers is a technology solution for many organizations, especially those lacking the talent or resources to manage them internally. This chapter is a good introduction for those who may not be familiar with the types of cloud service models and their organizational benefits.

Don’t Abandon Ship

Chapter 12 brings it all together by reminding us of the key points of the book. For those who are short on time, you may want to read this after Chapter 1. It provides action items applicable to all organizations. Some cost money; some cost little. But all of them will take you toward a more secure tomorrow.

Conclusion

Take Back Control of Your Cybersecurity Now is a book for anyone fighting strategic battles on the cyber warfront. Paul and Chris, two “Cyber Avengers,” have taken their experiences on the battlefront and digested them into an easy-to-read book segmented into very timely and applicable chapters. They cover a number of sensible and critical concepts that are changing how we fight this war. For executives, this is a must-read. While others may not see the value, it provides insights on strategies, tactics, techniques, and technologies affecting everyone in our connected world. It is for this reason that I recommend it as a Cybersecurity Canon book.