A practical guide that executives can use to make well-informed decisions on cybersecurity issues and better protect their business

* Emphasizes, in a direct and uncomplicated way, how executives can identify, understand, assess, and mitigate risks associated with cybersecurity issues

* Covers 'What to Do When You Get Hacked?', including business continuity and disaster recovery planning, public relations, legal and regulatory issues, and notifications and disclosures

* Provides steps for integrating cybersecurity into strategy, policy and guidelines, change management, and personnel management

* Identifies cybersecurity best practices that executives can and should use both in the office and at home to protect their vital information


About the Authors

Gregory J. Touhill, CISSP, is a cybersecurity and information technology consultant, academic and author with nearly 30 years of experience creating, sustaining, and defending information technology solutions that are effective, efficient, and secure. An experienced CIO and certified professional director, his team was awarded the 2012 Rowlett Award by the National Security Agency. An adjunct professor in the graduate programs in Cybersecurity and Information Management at Washington University in St. Louis' College of Engineering and Applied Science, he is engaged in several research projects with industry and academic partners, focusing on cybersecurity issues.

C. Joseph Touhill is a successful CEO, board member, and senior executive. He is highly experienced in creating and managing companies, both large and small. He has been a corporate officer for 41 years, 29 of them as a CEO. Additionally, he has extensive board and high-level committee experience.


Contents

Foreword xiii

Preface xvii

Acknowledgments xxiii

1.0 Introduction 1

1.1 Defining Cybersecurity 1

1.2 Cybersecurity is a Business Imperative 2

1.3 Cybersecurity is an Executive-Level Concern 4

1.4 Questions to Ask 4

1.5 Views of Others 7

1.6 Cybersecurity is a Full-Time Activity 7

2.0 Why Be Concerned? 9

2.1 A Classic Hack 9

2.2 Who Wants Your Fortune? 12

2.3 Nation-State Threats 13

2.3.1 China 13

2.3.2 Don't Think that China is the Only One 17

2.4 Cybercrime is Big Business 20

2.4.1 Mercenary Hackers 20

2.4.2 Hacktivists 25

2.4.3 The Insider Threat 26

2.4.4 Substandard Products and Services 29

2.5 Summary 36

3.0 Managing Risk 37

3.1 Who Owns Risk in Your Business? 37

3.2 What are Your Risks? 38

3.2.1 Threats to Your Intellectual Property and Trade Secrets 38

3.2.2 Technical Risks 42

3.2.3 Human Risks 47

3.3 Calculating Your Risk 54

3.3.1 Quantitative Risk Assessment 55

3.3.2 Qualitative Risk Assessment 63

3.3.3 Risk Decisions 71

3.4 Communicating Risk 77

3.4.1 Communicating Risk Internally 78

3.4.2 Regulatory Communications 79

3.4.3 Communicating with Shareholders 86

3.5 Organizing for Success 89

3.5.1 Risk Management Committee 89

3.5.2 Chief Risk Officers 90

3.6 Summary 91

4.0 Build Your Strategy 95

4.1 How Much Cybersecurity Do I Need? 95

4.2 The Mechanics of Building Your Strategy 97

4.2.1 Where are We Now? 99

4.2.2 What do We have to Work with? 103

4.2.3 Where do We Want to be? 104

4.2.4 How do We Get There? 107

4.2.5 Goals and Objectives 108

4.3 Avoiding Strategy Failure 111

4.3.1 Poor Plans, Poor Execution 111

4.3.2 Lack of Communication 113

4.3.3 Resistance to Change 114

4.3.4 Lack of Leadership and Oversight 117

4.4 Ways to Incorporate Cybersecurity into Your Strategy 118

4.4.1 Identify the Information Critical to Your Business 119

4.4.2 Make Cybersecurity Part of Your Culture 119

4.4.3 Consider Cybersecurity Impacts in Your Decisions 119

4.4.4 Measure Your Progress 120

4.5 Plan For Success 121

4.6 Summary 123

5.0 Plan For Success 125

5.1 Turning Vision into Reality 125

5.1.1 Planning for Excellence 127

5.1.2 A Plan of Action 128

5.1.3 Doing Things 131

5.2 Policies Complement Plans 140

5.2.1 Great Cybersecurity Policies for Everyone 140

5.2.2 Be Clear about Your Policies and Who Owns Them 188

5.3 Procedures Implement Plans 190

5.4 Exercise Your Plans 191

5.5 Legal Compliance Concerns 193

5.6 Auditing 195

5.7 Summary 196

6.0 Change Management 199

6.1 Why Managing Change is Important 199

6.2 When to Change? 201

6.3 What is Impacted by Change? 205

6.4 Change Management and Internal Controls 209

6.5 Change Management as a Process 214

6.5.1 The Touhill Change Management Process 215

6.5.2 Following the Process 216

6.5.3 Have a Plan B, Plan C, and maybe a Plan D 220

6.6 Best Practices in Change Management 220

6.7 Summary 224

7.0 Personnel Management 227

7.1 Finding the Right Fit 227

7.2 Creating the Team 229

7.2.1 Picking the Right Leaders 230

7.2.2 Your Cybersecurity Leaders 233

7.3 Establishing Performance Standards 237

7.4 Organizational Considerations 240

7.5 Training for Success 242

7.5.1 Information Every Employee Ought to Know 242

...
Title: Cybersecurity for Executives
Subtitle: A Practical Guide
EAN: 9781118908815
ISBN: 978-1-118-90881-5
Format: E-book (PDF)
Publication date: 3 June 2014
Digital rights management: Adobe DRM
File size: 2.2 MB
Number of pages: 416
Year: 2014
Language: English