book

The Cybersecurity Manager's Guide

Name: The Cybersecurity Manager's Guide
Author: Todd Barnum
ISBN: 9781492076216

by Todd Barnum

March 2021

Beginner

176 pages

4h 54m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Why I Wrote this Book
Conventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
1. The Odds Are Against You
Fact 1: Nobody Really CaresFact 2: Nobody UnderstandsFact 3: Fear Drives Our IndustryConclusion 1: It’s All Up to YouConclusion 2: You’ll Always Be Under-ResourcedConclusion 3: Being Successful Requires Thoughtful WorkConclusion
2. The Science of Our Business:The Eight Domains
Why Am I Commenting on the Eight Domains?Domain 1: Security and Risk ManagementIT Policies and ProceduresSecurity Governance PrinciplesRisk-Based Management ConceptsThe Other Areas in the First DomainDomain 2: Asset SecurityDomain 3: Security Engineering and ArchitectureDomain 4: Communications and Network SecurityDomain 5: Identity and Access ManagementDomain 6: Security Assessment and TestingDomain 7: Security OperationsDomain 8: Software Development SecurityConclusion
3. The Art of Our Business: The Seven Steps
The Sumo ApproachThe Judo ApproachThe Seven Steps to Engage Your OrganizationStep 1: Cultivate RelationshipsStep 2: Ensure AlignmentStep 3: Use the Four Cornerstones to Lay the Groundwork for Your ProgramStep 4: Create a Communications PlanStep 5: Give Your Job AwayStep 6: Build Your TeamStep 7: Measure What MattersConclusion
4. Step 1: Cultivate Relationships
Caution: The Nature of Our WorkMaking Relationships a Top PriorityYour Program Will Be Only as Good as Your RelationshipsRelationships Aren’t SexyHiring Staff with Relationships in MindBuilding Strong Relationships: It Takes a PlanUnderstanding the Value of ListeningReaping the Benefits of Relationships: TeamworkFostering Special RelationshipsLegalCorporate AuditCorporate SecurityHuman ResourcesConclusion
5. Step 2: Ensure Alignment
What I Mean by AlignmentChoosing Where to Start on AlignmentSeeing Alignment as the Starting PointDetermining Your Company’s Risk ProfileThe Ideal AlignmentUnderstanding Your Company’s Unique Risk ProfileCreating Alignment Through CouncilsSecurity business councilExtended security councilExecutive security councilRecognizing Signs of MisalignmentConclusion
6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program
The Four CornerstonesCornerstone 1: DocumentationThe CharterInformation Security PolicySecurity Incident Response PlanTakeawaysCornerstone 2: GovernanceCornerstone 3: Security ArchitectureWhat Does Architecture Look Like?How to Put the Security Architecture TogetherWhat’s the Outcome of Developing the Security Architecture?Cornerstone 4: Communications, Education, and AwarenessThe Benefits of Training and Educating OthersConclusion
7. Step 4: Use Communications to Get the Message Out
What Is a Communications Program?Why Is a Communications Program So Important?Communications Within the InfoSec TeamThe Goal and Objectives of the Communications ProgramStarting Your Communications ProgramNot All Departments Require Equal Levels of CommunicationYour Team’s ResponsibilitiesCommunications at WorkExample 1: Training with Industry ExpertsExample 2: Collaborative Decision MakingExample 3: InfoSec Campus EventsSigns the Communications Plan Is WorkingConclusion
8. Step 5: Give Your Job Away...It’s Your Only Hope
Giving Your Job Away, a History LessonThe 1990sThe Early 2000sThe Late 2000s2010 to TodayUnderstanding Your ChallengeRelationships and the Neighborhood WatchThe Need for GovernanceUnderstanding the Risks to Giving Your Job AwayRisky Situation 1Risky Situation 2Risky Situation 3Working with Your New NeighborsHelpful Hints for Working with Other TeamsConclusion
9. Step 6: Organize Your InfoSec Team
Identifying the Type of Talent You’ll NeedManaging a Preexisting TeamWhere You Report in the Organization MattersWorking with the Infrastructure TeamDealing with Toxic Security LeadersTurning Around an InfoSec EnemyDefining Roles and Responsibilities of Team MembersConclusion

10. Step 7: Measure What Matters
Why Measure?Understanding What to MeasureRecognizing Policy ViolationsThe Mother of All Metrics: Phishing TestsSocial Engineering and Staff TrainingTechnology Versus TrainingConclusion
11. Working with the Audit Team
The Audit Team Needs Your Help to Be Effective in CybersecurityA Typical Encounter with Auditors When Not Guided by InfoSecPartnering with the Audit Team to Influence ChangeWhere Did Auditors Get Such License?Getting Value from an AuditConclusion
12. A Note to CISOs
Seeing the CISO as a Cultural Change AgentKeeping Your Sword SharpHiring TechiesUtilising LunchesFree Lunch FridaysLunches with Other CompaniesHolding Cybersecurity ConferencesMeeting with Other CISOsConclusion
Final Thoughts
Where to Go from HereConclusion
Index

Content preview from The Cybersecurity Manager's Guide

Final Thoughts

I hope I wasn’t too much of a blowhard throughout the course of this book. I do get passionate about InfoSec and feel strongly about the seven steps I’ve laid out. However, not all of the steps are of equal importance. So if you have time to do only a few of them, focus on the following steps, for which anything less than excellent execution spells trouble for you and your program.

First, step 1, cultivating relationships, will determine the quality of the program you build, as you will be allowed to build only the program your relationships permit you to build. Let this point sink in. Relationships will, by and large, determine your tenure and your success at work. Those who don’t think highly of you are most likely actively undermining you. Your job is hard enough when everyone supports you, so having detractors will make the job grueling. If you have poor relationships with anyone, I recommend pulling out all the stops to mend those as soon as possible.

The next focus area should be step 2, ensuring alignment. If you’re not properly aligned with the company’s culture for risk, or the company’s ability to support your function, then you’re probably building a program the company doesn’t want or need. Being this misaligned will lead to heartache and pain for you and your team. Do your best to realign quickly, following the few simple suggestions I provided in Chapter 5.

Third is the importance and value of having a communications program, step 4. This area cannot ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492076209Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Cybersecurity Manager's Guide

by Todd Barnum

Final Thoughts

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.