
Program Architecture: Fight the Good Fight


Author: Rasmussen
Publisher: CRC Press
Publication date: 2025-11-06
Language: English   Format: Paperback / 216 pages / General audience / First edition
Purchase options
Price: $ 2474
Supplier: 博客來
Category: Finance
Book description - Source: 博客來
Title: Program Architecture: Fight the Good Fight

Synopsis

Business executives consider what is necessary to protect the company. It comes down to people, process and technology, organized within an information security program. Everything has its place within the program, including business processes, assets and the right blend of controls to protect them.

This book describes program architecture, the discipline of designing, implementing and leading information security programs.

- Prove Yourself Ready Now

- Team Development and Retention

- Program Maturity

- Influence Support and Funding

- Cyber Threat Intelligence

- Third Party Risk Management

- Metrics and Reporting

- Insider Risk Monitoring and Response

- Threat Landscape and Controls Analysis

- Conduct an Assessment

- Crisis Communications

- Control by Governance

This book provides practical advice in the areas of cybersecurity and operational risk management. The goal is to provide readers with practical advice they can use upon return to work.

Chapter abstracts:

Chapter 1

Prove yourself ready now

This chapter provides practical advice to prove yourself ‘ready now’ for a cybersecurity management role. The journey begins with a view from the executive’s side of the table and how to speak in terms of risk. There is an overview of risk management, with tips for influencing risk mitigation. Focus transitions to how a communications plan can make you more effective as a leader. There is practical advice for developing presentation skills with limited stress and anxiety through a four-step approach. With that skill in place, you can communicate program statuses to executives. Professional development and C-Level presentation round out the chapter.

Chapter 2

Team development and retention

This chapter provides leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management. The focus shifts to management routines throughout a calendar year, including performance and development plans, communications, financial acumen, talent review and program architecture. The chapter begins to conclude with performance calibration, succession planning, promotions and retention risk.

If you are an individual contributor with a goal of being promoted to leadership, there is a significant value in this chapter. There are also activities behind the scenes that you should know about in your current role.

Chapter 3

Program maturity

Information security professionals must focus on maturity within cybersecurity and operational risk contexts. This chapter provides guidance to improve program maturity within four levels. It starts by establishing a foundation with a control framework, laws, regulations and contractual obligations. Next are common controls, necessary and common sense from an information security perspective. Active risk management includes types of analysis, assessment and mitigation. Strong risk management is conducted by organizations that have a very low risk tolerance. This risk-prioritized approach can be used to influence funding. So that’s part of the strategy: you need support and funding to mature the program over years.

Chapter 4

Influence support and funding

Influencing change with business and IT executives is a learned skill. This chapter begins with five areas of focus to influence support and funding. The concept of ‘bring friends’ solicits the support of other operational risk functions. Management routines are provided as effective ways to mitigate risk, including a risk register process, a cybersecurity committee, tabletop exercises and a cybersecurity risk management framework. Three risk analysis methodologies are provided as practical advice to communicate security risk. Tips to develop financial acumen include two budget slide examples. The chapter concludes with emphasis on the need to be a change agent and to close on projects, initiatives and risk mitigation.

Chapter 5

Cyber threat intelligence

A Cyber Threat Intelligence (CTI) Program drives change to adapt to emerging threats and new technology. That change reduces incident occurrence, with a goal of preventing an incident from becoming a data breach. The chapter provides practical advice to establish a CTI program that generates system hardening, threat hunting, monitoring and incident response. CTI inputs are detailed within advisory subscriptions and six other categories. CTI activities continue with an intake process, processing an advisory, taking action and CTI meetings. CTI program architecture continues with security monitoring alerts and tips to establish a threat hunting program. The chapter concludes with adversarial tactics and CTI program indicators.

Chapter 6

Third party risk management

This chapter describes designing a Third Party Risk Management (TPRM) program. It details the end-to-end process: identify, risk rank, assess, risk treatment, monitor, oversight, escalations and decommissioning. A framework is provided as a program outline, with decision points to select from. Options presented will help mitigate third party risk, whether you have an existing TPRM program or if you need to establish one. This chapter is also an example of program architecture in practice. These concepts can be used to design, implement and lead other risk management programs. The goal of this chapter and this book is to provide you with practical advice you can use upon return to work.

Chapter 7

Metrics and reporting

This chapter provides practical advice to establish information security metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). It begins with an explanation of the differences between them and why each is necessary. Mid-level details of the end-to-end process are provided, from cre

 

About the author

Gideon Rasmussen is a Cybersecurity Executive with over 20 years of experience in corporate and military organizations. Gideon has designed and led programs including Information Security (CISO), PCI - Payment Card Security, Third Party Risk Management, Application Security and Information Risk Management. He has diverse cybersecurity industry experience within banking, startups, insurance, pharmaceuticals, DoD/USAF, state government, advertising and talent management.

Gideon has authored over 30 information security articles. He is a veteran of the United States Air Force and a graduate of the FBI Citizens Academy. Gideon has also completed the Bataan Memorial Death March (4 occurrences).

Gideon T. Rasmussen
Cybersecurity Executive Program Architect
CISSP, CRISC, CISA, CISM, CIPP

 

Details

  • ISBN: 9781032896007
  • Format: Paperback / 216 pages / General audience / First edition
  • Place of publication: United States