Remember our initial definition of cybersecurity? Cybersecurity is the ongoing application of best practices intended to ensure and preserve confidentiality, integrity, and availability of digital information as well as the safety of people and environments.

And, of course, the triad from our defense‐in‐depth discussion? People, technology, and operations.

Finally, which is one of the most effective controls in cybersecurity? People!

People, people, people! You may say I revel in stating the obvious, but all the work we've done so far is not about data, assets, or some document that defines a corporation. It is only about people. I've emphasized this in every chapter: Our work, your work, is people‐centric.

People, it bears repeating, are at once your biggest asset and potential liability. As assets, they create value, they align with goals, and help protect the values they create. As liabilities, they can just as easily destroy these values through lack of awareness, carelessness, or ill will.

Your challenges in creating your cybersecurity program are twofold: First, you are creating a program for your people. Second, you must engage the same people to make the program a success.

That last one is trickier than it sounds!

What's in It for Me?

Up until now we've been asking the question, “How much is it worth to you?” That's the right question to ask of the board of directors, shareholders, and so on in determining risk appetite and crafting the right cybersecurity ...