The Cybersecurity Manager’s Guide: The Art of Building Your Security Program

Why I Wrote this Book
    Conventions Used in This Book
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments
1. The Odds Are Against You
    Fact 1: Nobody Really Cares
    Fact 2: Nobody Understands
    Fact 3: Fear Drives Our Industry
    Conclusion 1: It’s All Up to You
    Conclusion 2: You’ll Always Be Under-Resourced
    Conclusion 3: Being Successful Requires Thoughtful Work
    Conclusion
2. The Science of Our Business:The Eight Domains
    Why Am I Commenting on the Eight Domains?
    Domain 1: Security and Risk Management
        IT Policies and Procedures
        Security Governance Principles
        Risk-Based Management Concepts
        The Other Areas in the First Domain
    Domain 2: Asset Security
    Domain 3: Security Engineering and Architecture
    Domain 4: Communications and Network Security
    Domain 5: Identity and Access Management
    Domain 6: Security Assessment and Testing
    Domain 7: Security Operations
    Domain 8: Software Development Security
    Conclusion
3. The Art of Our Business: The Seven Steps
    The Sumo Approach
    The Judo Approach
    The Seven Steps to Engage Your Organization
        Step 1: Cultivate Relationships
        Step 2: Ensure Alignment
        Step 3: Use the Four Cornerstones to Lay the Groundwork for Your Program
        Step 4: Create a Communications Plan
        Step 5: Give Your Job Away
        Step 6: Build Your Team
        Step 7: Measure What Matters
    Conclusion
4. Step 1: Cultivate Relationships
    Caution: The Nature of Our Work
    Making Relationships a Top Priority
    Your Program Will Be Only as Good as Your Relationships
    Relationships Aren’t Sexy
    Hiring Staff with Relationships in Mind
    Building Strong Relationships: It Takes a Plan
    Understanding the Value of Listening
    Reaping the Benefits of Relationships: Teamwork
    Fostering Special Relationships
        Legal
        Corporate Audit
        Corporate Security
        Human Resources
    Conclusion
5. Step 2: Ensure Alignment
    What I Mean by Alignment
    Choosing Where to Start on Alignment
    Seeing Alignment as the Starting Point
    Determining Your Company’s Risk Profile
    The Ideal Alignment
    Understanding Your Company’s Unique Risk Profile
    Creating Alignment Through Councils
        Security business council
        Extended security council
        Executive security council
    Recognizing Signs of Misalignment
    Conclusion
6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program
    The Four Cornerstones
    Cornerstone 1: Documentation
        The Charter
            Where to begin and what to focus on
            How to pull it together
        Information Security Policy
            Where to begin and what to focus on
            Drafting and reviewing your policy
        Security Incident Response Plan
            Where to begin and what to focus on
            How to write the SIRP
        Takeaways
    Cornerstone 2: Governance
    Cornerstone 3: Security Architecture
        What Does Architecture Look Like?
        How to Put the Security Architecture Together
        What’s the Outcome of Developing the Security Architecture?
    Cornerstone 4: Communications, Education, and Awareness
        The Benefits of Training and Educating Others
    Conclusion
7. Step 4: Use Communications to Get the Message Out
    What Is a Communications Program?
    Why Is a Communications Program So Important?
    Communications Within the InfoSec Team
    The Goal and Objectives of the Communications Program
    Starting Your Communications Program
        Not All Departments Require Equal Levels of Communication
        Your Team’s Responsibilities
    Communications at Work
        Example 1: Training with Industry Experts
        Example 2: Collaborative Decision Making
        Example 3: InfoSec Campus Events
    Signs the Communications Plan Is Working
    Conclusion
8. Step 5: Give Your Job Away...It’s Your Only Hope
    Giving Your Job Away, a History Lesson
        The 1990s
        The Early 2000s
        The Late 2000s
        2010 to Today
    Understanding Your Challenge
    Relationships and the Neighborhood Watch
    The Need for Governance
    Understanding the Risks to Giving Your Job Away
        Risky Situation 1
        Risky Situation 2
        Risky Situation 3
    Working with Your New Neighbors
    Helpful Hints for Working with Other Teams
    Conclusion
9. Step 6: Organize Your InfoSec Team
    Identifying the Type of Talent You’ll Need
    Managing a Preexisting Team
    Where You Report in the Organization Matters
    Working with the Infrastructure Team
    Dealing with Toxic Security Leaders
    Turning Around an InfoSec Enemy
    Defining Roles and Responsibilities of Team Members
    Conclusion
10. Step 7: Measure What Matters
    Why Measure?
    Understanding What to Measure
    Recognizing Policy Violations
    The Mother of All Metrics: Phishing Tests
    Social Engineering and Staff Training
    Technology Versus Training
    Conclusion
11. Working with the Audit Team
    The Audit Team Needs Your Help to Be Effective in Cybersecurity
    A Typical Encounter with Auditors When Not Guided by InfoSec
    Partnering with the Audit Team to Influence Change
    Where Did Auditors Get Such License?
    Getting Value from an Audit
    Conclusion
12. A Note to CISOs
    Seeing the CISO as a Cultural Change Agent
    Keeping Your Sword Sharp
    Hiring Techies
    Utilising Lunches
        Free Lunch Fridays
        Lunches with Other Companies
    Holding Cybersecurity Conferences
    Meeting with Other CISOs
    Conclusion
Final Thoughts
    Where to Go from Here
    Conclusion
Index