The Cybersecurity Manager's Guide
The Art of Building Your Security Program
Paperback, English, 2021, ISBN 9781492076216
Summary
If you're a cybersecurity professional, then you know how it often seems that no one cares about (or understands) information security. InfoSec professionals frequently struggle to integrate security into their companies' processes. Many are at odds with their organizations. Most are under-resourced. There must be a better way. This essential manager's guide offers a new approach to building and maintaining an information security program that's both effective and easy to follow.
Author and longtime chief information security officer (CISO) Todd Barnum upends the assumptions security professionals take for granted. CISOs, chief security officers, chief information officers, and IT security professionals will learn a simple seven-step process for building a new program or improving a current one.
- Build better relationships across the organization
- Align your role with your company's values, culture, and tolerance for information loss
- Lay the groundwork for your security program
- Create a communications program to share your team's contributions and educate your coworkers
- Transition security functions and responsibilities to other teams
- Organize and build an effective InfoSec team
- Measure your company's ability to recognize and report security policy violations and phishing emails
Table of Contents
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
1. The Odds Are Against You
Fact 1: Nobody Really Cares
Fact 2: Nobody Understands
Fact 3: Fear Drives Our Industry
Conclusion 1: It’s All Up to You
Conclusion 2: You’ll Always Be Under-Resourced
Conclusion 3: Being Successful Requires Thoughtful Work
Conclusion
2. The Science of Our Business: The Eight Domains
Why Am I Commenting on the Eight Domains?
Domain 1: Security and Risk Management
IT Policies and Procedures
Security Governance Principles
Risk-Based Management Concepts
The Other Areas in the First Domain
Domain 2: Asset Security
Domain 3: Security Engineering and Architecture
Domain 4: Communications and Network Security
Domain 5: Identity and Access Management
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Conclusion
3. The Art of Our Business: The Seven Steps
The Sumo Approach
The Judo Approach
The Seven Steps to Engage Your Organization
Step 1: Cultivate Relationships
Step 2: Ensure Alignment
Step 3: Use the Four Cornerstones to Lay the Groundwork for Your Program
Step 4: Create a Communications Plan
Step 5: Give Your Job Away
Step 6: Build Your Team
Step 7: Measure What Matters
Conclusion
4. Step 1: Cultivate Relationships
Caution: The Nature of Our Work
Making Relationships a Top Priority
Your Program Will Be Only as Good as Your Relationships
Relationships Aren’t Sexy
Hiring Staff with Relationships in Mind
Building Strong Relationships: It Takes a Plan
Understanding the Value of Listening
Reaping the Benefits of Relationships: Teamwork
Fostering Special Relationships
Legal
Corporate Audit
Corporate Security
Human Resources
Conclusion
5. Step 2: Ensure Alignment
What I Mean by Alignment
Choosing Where to Start on Alignment
Seeing Alignment as the Starting Point
Determining Your Company’s Risk Profile
The Ideal Alignment
Understanding Your Company’s Unique Risk Profile
Creating Alignment Through Councils
Security business council
Extended security council
Executive security council
Recognizing Signs of Misalignment
Conclusion
6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program
The Four Cornerstones
Cornerstone 1: Documentation
The Charter
Information Security Policy
Security Incident Response Plan
Takeaways
Cornerstone 2: Governance
Cornerstone 3: Security Architecture
What Does Architecture Look Like?
How to Put the Security Architecture Together
What’s the Outcome of Developing the Security Architecture?
Cornerstone 4: Communications, Education, and Awareness
The Benefits of Training and Educating Others
Conclusion
7. Step 4: Use Communications to Get the Message Out
What Is a Communications Program?
Why Is a Communications Program So Important?
Communications Within the InfoSec Team
The Goal and Objectives of the Communications Program
Starting Your Communications Program
Not All Departments Require Equal Levels of Communication
Your Team’s Responsibilities
Communications at Work
Example 1: Training with Industry Experts
Example 2: Collaborative Decision Making
Example 3: InfoSec Campus Events
Signs the Communications Plan Is Working
Conclusion
8. Step 5: Give Your Job Away...It’s Your Only Hope
Giving Your Job Away, a History Lesson
The 1990s
The Early 2000s
The Late 2000s
2010 to Today
Understanding Your Challenge
Relationships and the Neighborhood Watch
The Need for Governance
Understanding the Risks to Giving Your Job Away
Risky Situation 1
Risky Situation 2
Risky Situation 3
Working with Your New Neighbors
Helpful Hints for Working with Other Teams
Conclusion
9. Step 6: Organize Your InfoSec Team
Identifying the Type of Talent You’ll Need
Managing a Preexisting Team
Where You Report in the Organization Matters
Working with the Infrastructure Team
Dealing with Toxic Security Leaders
Turning Around an InfoSec Enemy
Defining Roles and Responsibilities of Team Members
Conclusion
10. Step 7: Measure What Matters
Why Measure?
Understanding What to Measure
Recognizing Policy Violations
The Mother of All Metrics: Phishing Tests
Social Engineering and Staff Training
Technology Versus Training
Conclusion
11. Working with the Audit Team
The Audit Team Needs Your Help to Be Effective in Cybersecurity
A Typical Encounter with Auditors When Not Guided by InfoSec
Partnering with the Audit Team to Influence Change
Where Did Auditors Get Such License?
Getting Value from an Audit
Conclusion
12. A Note to CISOs
Seeing the CISO as a Cultural Change Agent
Keeping Your Sword Sharp
Hiring Techies
Utilising Lunches
Free Lunch Fridays
Lunches with Other Companies
Holding Cybersecurity Conferences
Meeting with Other CISOs
Conclusion
Final Thoughts
Where to Go from Here
Conclusion
Index