Cyber Canon Book Review: “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?” by Ray Rothrock (published April 18, 2018)
Book Reviewed by: Ron Gula, President Gula Tech Adventures & Co-Founder Tenable Network Security, December 20, 2018
Bottom Line: I don’t recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
I got into cybersecurity because I read books like Winn Schwartau’s “Information Warfare,” William Gibson’s “Neuromancer” and Cliff Stoll’s “Cuckoo’s Egg.” These books gave me a very balanced view of what cybersecurity could be, even though no one called them cyber in the 90s. Until I got Ray Rothrock’s book, “Digital Resilience,” I didn’t have a book I was comfortable with suggesting as a great first read to the next generation of cyber professionals.
If you’ve recently been put in charge of IT or IT operations and didn’t grow up in cyber over the past 20 years, “Digital Resilience” is for you. This book is also equally useful for new CEOs, CFOs or board members who need to understand cyber risk without getting overwhelmed with IT technology or the defeatism of “hackers and nation-states will always get in, so why bother.”
The book does a great job of giving some context to the rich history of cyber events and the evolution of IT technology over the past few decades. It answers many of the “how did we get here?” types of questions, and more importantly, the “where are we going?” questions.
It also does an equally good job of offering some prescriptive actions organizations should take to measure and strengthen their overall cybersecurity defenses. It does all of this with what I would consider basic common sense and a focus on resilience, rather than relying on compliance or security frameworks, which can be very off-putting to first time cyber readers.
The eight chapters take the reader on a walk through cyber with very good prescriptions. Chapters one through three makes the case for why resilience is the best strategy. As an engineer, this really resonates with me. Unless you design security into things from the start, you are always patching and adding to your problem. The scope of how much we’re already connected, even for on-premises networks and applications, is also discussed. The complexity of modern networks, including their dependency on each other and a large amount of cloud services and SaaS applications, is discussed. More importantly, Ray suggests a variety of strategies in these chapters to help the reader get up to speed and be proactive.
The remaining chapters focus on building resilience and take the reader into some crucial concepts. These include measuring resilience. I am a fan of the approach the book describes. It talks about what types of key metrics make good metrics, but stops short of claiming a grand, unified theory of modeling cyber risk. The two hardest things for cyber professionals to do well are to speak to their management team effectively and to keep track of all of their assets. To help, Ray does an excellent job of giving a variety of ideas for how executives should be briefed on cyber issues, as well as guidelines for presenting to boards. Ray also does a great job of explaining why keeping track of your digital assets, both on-premises and in the cloud, is step one. You can’t protect what you don’t know.
Ultimately, I found this book very welcoming and inviting to new cyber professionals. There is a very even-handed approach to understanding that cybersecurity is about balancing your people, processes and technologies – and communicating this to your management. These approaches will be valid for the next generation of technologies, and this book will still feel very fresh and modern even 10 years from now.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!