The Cybersecurity Manager's Guide

Book description

If you're a cybersecurity professional, then you know how it often seems that no one cares about (or understands) information security. InfoSec professionals frequently struggle to integrate security into their companies' processes. Many are at odds with their organizations. Most are under-resourced. There must be a better way. This essential manager's guide offers a new approach to building and maintaining an information security program that's both effective and easy to follow.

Author and longtime chief information security officer (CISO) Todd Barnum upends the assumptions security professionals take for granted. CISOs, chief security officers, chief information officers, and IT security professionals will learn a simple seven-step process for building a new program or improving a current one.

  • Build better relationships across the organization
  • Align your role with your company's values, culture, and tolerance for information loss
  • Lay the groundwork for your security program
  • Create a communications program to share your team's contributions and educate your coworkers
  • Transition security functions and responsibilities to other teams
  • Organize and build an effective InfoSec team
  • Measure your company's ability to recognize and report security policy violations and phishing emails

Table of contents

  1. Why I Wrote this Book
    1. Conventions Used in This Book
    2. O’Reilly Online Learning
    3. How to Contact Us
    4. Acknowledgments
  2. 1. The Odds Are Against You
    1. Fact 1: Nobody Really Cares
    2. Fact 2: Nobody Understands
    3. Fact 3: Fear Drives Our Industry
    4. Conclusion 1: It’s All Up to You
    5. Conclusion 2: You’ll Always Be Under-Resourced
    6. Conclusion 3: Being Successful Requires Thoughtful Work
    7. Conclusion
  3. 2. The Science of Our Business: The Eight Domains
    1. Why Am I Commenting on the Eight Domains?
    2. Domain 1: Security and Risk Management
      1. IT Policies and Procedures
      2. Security Governance Principles
      3. Risk-Based Management Concepts
      4. The Other Areas in the First Domain
    3. Domain 2: Asset Security
    4. Domain 3: Security Engineering and Architecture
    5. Domain 4: Communications and Network Security
    6. Domain 5: Identity and Access Management
    7. Domain 6: Security Assessment and Testing
    8. Domain 7: Security Operations
    9. Domain 8: Software Development Security
    10. Conclusion
  4. 3. The Art of Our Business: The Seven Steps
    1. The Sumo Approach
    2. The Judo Approach
    3. The Seven Steps to Engage Your Organization
      1. Step 1: Cultivate Relationships
      2. Step 2: Ensure Alignment
      3. Step 3: Use the Four Cornerstones to Lay the Groundwork for Your Program
      4. Step 4: Create a Communications Plan
      5. Step 5: Give Your Job Away
      6. Step 6: Build Your Team
      7. Step 7: Measure What Matters
    4. Conclusion
  5. 4. Step 1: Cultivate Relationships
    1. Caution: The Nature of Our Work
    2. Making Relationships a Top Priority
    3. Your Program Will Be Only as Good as Your Relationships
    4. Relationships Aren’t Sexy
    5. Hiring Staff with Relationships in Mind
    6. Building Strong Relationships: It Takes a Plan
    7. Understanding the Value of Listening
    8. Reaping the Benefits of Relationships: Teamwork
    9. Fostering Special Relationships
      1. Legal
      2. Corporate Audit
      3. Corporate Security
      4. Human Resources
    10. Conclusion
  6. 5. Step 2: Ensure Alignment
    1. What I Mean by Alignment
    2. Choosing Where to Start on Alignment
    3. Seeing Alignment as the Starting Point
    4. Determining Your Company’s Risk Profile
    5. The Ideal Alignment
    6. Understanding Your Company’s Unique Risk Profile
    7. Creating Alignment Through Councils
      1. Security business council
      2. Extended security council
      3. Executive security council
    8. Recognizing Signs of Misalignment
    9. Conclusion
  7. 6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program
    1. The Four Cornerstones
    2. Cornerstone 1: Documentation
      1. The Charter
      2. Information Security Policy
      3. Security Incident Response Plan
      4. Takeaways
    3. Cornerstone 2: Governance
    4. Cornerstone 3: Security Architecture
      1. What Does Architecture Look Like?
      2. How to Put the Security Architecture Together
      3. What’s the Outcome of Developing the Security Architecture?
    5. Cornerstone 4: Communications, Education, and Awareness
      1. The Benefits of Training and Educating Others
    6. Conclusion
  8. 7. Step 4: Use Communications to Get the Message Out
    1. What Is a Communications Program?
    2. Why Is a Communications Program So Important?
    3. Communications Within the InfoSec Team
    4. The Goal and Objectives of the Communications Program
    5. Starting Your Communications Program
      1. Not All Departments Require Equal Levels of Communication
      2. Your Team’s Responsibilities
    6. Communications at Work
      1. Example 1: Training with Industry Experts
      2. Example 2: Collaborative Decision Making
      3. Example 3: InfoSec Campus Events
    7. Signs the Communications Plan Is Working
    8. Conclusion
  9. 8. Step 5: Give Your Job Away...It’s Your Only Hope
    1. Giving Your Job Away, a History Lesson
      1. The 1990s
      2. The Early 2000s
      3. The Late 2000s
      4. 2010 to Today
    2. Understanding Your Challenge
    3. Relationships and the Neighborhood Watch
    4. The Need for Governance
    5. Understanding the Risks to Giving Your Job Away
      1. Risky Situation 1
      2. Risky Situation 2
      3. Risky Situation 3
    6. Working with Your New Neighbors
    7. Helpful Hints for Working with Other Teams
    8. Conclusion
  10. 9. Step 6: Organize Your InfoSec Team
    1. Identifying the Type of Talent You’ll Need
    2. Managing a Preexisting Team
    3. Where You Report in the Organization Matters
    4. Working with the Infrastructure Team
    5. Dealing with Toxic Security Leaders
    6. Turning Around an InfoSec Enemy
    7. Defining Roles and Responsibilities of Team Members
    8. Conclusion
  11. 10. Step 7: Measure What Matters
    1. Why Measure?
    2. Understanding What to Measure
    3. Recognizing Policy Violations
    4. The Mother of All Metrics: Phishing Tests
    5. Social Engineering and Staff Training
    6. Technology Versus Training
    7. Conclusion
  12. 11. Working with the Audit Team
    1. The Audit Team Needs Your Help to Be Effective in Cybersecurity
    2. A Typical Encounter with Auditors When Not Guided by InfoSec
    3. Partnering with the Audit Team to Influence Change
    4. Where Did Auditors Get Such License?
    5. Getting Value from an Audit
    6. Conclusion
  13. 12. A Note to CISOs
    1. Seeing the CISO as a Cultural Change Agent
    2. Keeping Your Sword Sharp
    3. Hiring Techies
    4. Utilising Lunches
      1. Free Lunch Fridays
      2. Lunches with Other Companies
    5. Holding Cybersecurity Conferences
    6. Meeting with Other CISOs
    7. Conclusion
  14. Final Thoughts
    1. Where to Go from Here
    2. Conclusion
  15. Index

Product information

  • Title: The Cybersecurity Manager's Guide
  • Author(s): Todd Barnum
  • Release date: March 2021
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492076216