The Cybersecurity Manager’s Guide: The Art of Building Your Security Program
- Length: 168 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2021-04-13
- ISBN-10: 149207621X
- ISBN-13: 9781492076216
If you’re a cybersecurity professional, then you know how it often seems that no one cares about, or understands, information security. Infosec professionals frequently struggle to integrate security into their companies’ processes. Many are at odds with their organizations. Most are under-resourced. There must be a better way. This essential manager’s guide offers a new approach to building and maintaining an information security program that’s both effective and easy to follow.
Author and longtime chief information security officer (CISO) Todd Barnum upends the assumptions security professionals take for granted. CISOs, chief security officers, chief information officers, and IT security professionals will learn a simple seven-step process for building a new program or improving a current one.
- Build better relationships across the organization
- Align your role with your company’s values, culture, and tolerance for information loss
- Lay the groundwork for your security program
- Create a communications program to share your team’s contributions and educate your coworkers
- Transition security functions and responsibilities to other teams
- Organize and build an effective infosec team
- Measure your company’s ability to recognize and report security policy violations and phishing emails
Table of Contents
- Why I Wrote this Book
- Conventions Used in This Book
- O’Reilly Online Learning
- How to Contact Us
- Acknowledgments
1. The Odds Are Against You
   - Fact 1: Nobody Really Cares
   - Fact 2: Nobody Understands
   - Fact 3: Fear Drives Our Industry
   - Conclusion 1: It’s All Up to You
   - Conclusion 2: You’ll Always Be Under-Resourced
   - Conclusion 3: Being Successful Requires Thoughtful Work
   - Conclusion
2. The Science of Our Business: The Eight Domains
   - Why Am I Commenting on the Eight Domains?
   - Domain 1: Security and Risk Management
     - IT Policies and Procedures
     - Security Governance Principles
     - Risk-Based Management Concepts
     - The Other Areas in the First Domain
   - Domain 2: Asset Security
   - Domain 3: Security Engineering and Architecture
   - Domain 4: Communications and Network Security
   - Domain 5: Identity and Access Management
   - Domain 6: Security Assessment and Testing
   - Domain 7: Security Operations
   - Domain 8: Software Development Security
   - Conclusion
3. The Art of Our Business: The Seven Steps
   - The Sumo Approach
   - The Judo Approach
   - The Seven Steps to Engage Your Organization
     - Step 1: Cultivate Relationships
     - Step 2: Ensure Alignment
     - Step 3: Use the Four Cornerstones to Lay the Groundwork for Your Program
     - Step 4: Create a Communications Plan
     - Step 5: Give Your Job Away
     - Step 6: Build Your Team
     - Step 7: Measure What Matters
   - Conclusion
4. Step 1: Cultivate Relationships
   - Caution: The Nature of Our Work
   - Making Relationships a Top Priority
   - Your Program Will Be Only as Good as Your Relationships
   - Relationships Aren’t Sexy
   - Hiring Staff with Relationships in Mind
   - Building Strong Relationships: It Takes a Plan
   - Understanding the Value of Listening
   - Reaping the Benefits of Relationships: Teamwork
   - Fostering Special Relationships
     - Legal
     - Corporate Audit
     - Corporate Security
     - Human Resources
   - Conclusion
5. Step 2: Ensure Alignment
   - What I Mean by Alignment
   - Choosing Where to Start on Alignment
   - Seeing Alignment as the Starting Point
   - Determining Your Company’s Risk Profile
   - The Ideal Alignment
   - Understanding Your Company’s Unique Risk Profile
   - Creating Alignment Through Councils
     - Security business council
     - Extended security council
     - Executive security council
   - Recognizing Signs of Misalignment
   - Conclusion
6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program
   - The Four Cornerstones
   - Cornerstone 1: Documentation
     - The Charter
       - Where to begin and what to focus on
       - How to pull it together
     - Information Security Policy
       - Where to begin and what to focus on
       - Drafting and reviewing your policy
     - Security Incident Response Plan
       - Where to begin and what to focus on
       - How to write the SIRP
     - Takeaways
   - Cornerstone 2: Governance
   - Cornerstone 3: Security Architecture
     - What Does Architecture Look Like?
     - How to Put the Security Architecture Together
     - What’s the Outcome of Developing the Security Architecture?
   - Cornerstone 4: Communications, Education, and Awareness
     - The Benefits of Training and Educating Others
   - Conclusion
7. Step 4: Use Communications to Get the Message Out
   - What Is a Communications Program?
   - Why Is a Communications Program So Important?
   - Communications Within the InfoSec Team
   - The Goal and Objectives of the Communications Program
   - Starting Your Communications Program
   - Not All Departments Require Equal Levels of Communication
   - Your Team’s Responsibilities
   - Communications at Work
     - Example 1: Training with Industry Experts
     - Example 2: Collaborative Decision Making
     - Example 3: InfoSec Campus Events
   - Signs the Communications Plan Is Working
   - Conclusion
8. Step 5: Give Your Job Away...It’s Your Only Hope
   - Giving Your Job Away, a History Lesson
     - The 1990s
     - The Early 2000s
     - The Late 2000s
     - 2010 to Today
   - Understanding Your Challenge
   - Relationships and the Neighborhood Watch
   - The Need for Governance
   - Understanding the Risks to Giving Your Job Away
     - Risky Situation 1
     - Risky Situation 2
     - Risky Situation 3
   - Working with Your New Neighbors
   - Helpful Hints for Working with Other Teams
   - Conclusion
9. Step 6: Organize Your InfoSec Team
   - Identifying the Type of Talent You’ll Need
   - Managing a Preexisting Team
   - Where You Report in the Organization Matters
   - Working with the Infrastructure Team
   - Dealing with Toxic Security Leaders
   - Turning Around an InfoSec Enemy
   - Defining Roles and Responsibilities of Team Members
   - Conclusion
10. Step 7: Measure What Matters
   - Why Measure?
   - Understanding What to Measure
   - Recognizing Policy Violations
   - The Mother of All Metrics: Phishing Tests
   - Social Engineering and Staff Training
   - Technology Versus Training
   - Conclusion
11. Working with the Audit Team
   - The Audit Team Needs Your Help to Be Effective in Cybersecurity
   - A Typical Encounter with Auditors When Not Guided by InfoSec
   - Partnering with the Audit Team to Influence Change
   - Where Did Auditors Get Such License?
   - Getting Value from an Audit
   - Conclusion
12. A Note to CISOs
   - Seeing the CISO as a Cultural Change Agent
   - Keeping Your Sword Sharp
   - Hiring Techies
   - Utilising Lunches
     - Free Lunch Fridays
     - Lunches with Other Companies
   - Holding Cybersecurity Conferences
   - Meeting with Other CISOs
   - Conclusion
- Final Thoughts
  - Where to Go from Here
  - Conclusion
- Index
How to download source code?
1. Go to https://www.oreilly.com/
2. Search for the book title: The Cybersecurity Manager’s Guide: The Art of Building Your Security Program (if the full title returns no results, search for the main title only).
3. Click the book title in the search results.
4. In the Publisher resources section, click Download Example Code.