We are now getting into actually doing your cybersecurity program. If the previous chapters gave you the 40,000‐foot view, the next will take you straight down into the weeds. I've divided the doing part of the work into several phases:

1. Assets
2. Threats
3. Vulnerabilities
4. Environments
5. Controls
6. Incident‐response planning
7. People
8. Living cybersecure

We will deal with each phase separately, breaking down the various steps needed to build your cybersecurity program. We'll start with assets.

In Chapter 1, we defined assets as anything of value. So, what exactly are these things of value in your world? Always remember the basic rule: If it is of value to you, it is of value to someone else, and it will need appropriate care and protection.

Of course, all things in context, and our context is cybersecurity. It may well be true that your most valuable asset is a physical product, well worth considering and protecting, but in our case, we need to look at that physical asset from a cybersecurity perspective. We are looking at cyberassets! Those are typically digital assets, but not always.

Even if your most important asset is a physical thing of great value, the question to ask is: Is this asset a risk from a cyberattack? If yes, then that needs to be considered. If not, then the thing itself won't be considered, but the processes, data, systems, etc., that are involved in its creation still need to be looked at very carefully.

Let's consider a firm that makes a high‐end analog ...