That's what I love to do: take useful information, share it in simple language, and break it down into manageable little bites. This book won't make your brain hurt. You can read one chapter at a time, or even just a few pages at a time, and glean useful insight that you can use in your everyday lives—as long as working in a business is part of your everyday life.
This book is based on the research I've done and knowledge I've acquired through years of work as a cybersecurity news and information scribe. And my knowledge is augmented with the insight of many of the world's top CISOs and other business leaders in security. It was a great pleasure for me to interview all these people and pick their brains a little bit for your benefit. This book is further enhanced with the findings of business security research studies and the aftermath of some of the most notable business security incidents. Mistakes become valuable when we make sure we learn from them!
Let's summarize the topics I cover in this book. Chapters 1 through 8 cover what this book is all about: 8 Steps to Better Security. Each of those chapters is one of those steps. Chapter 9 will show you how to put it all together.
Chapter 1, “Step 1: Foster a Strong Security Culture”: This is where everything starts—not with an audit or a security budget, but with how to make sure everyone in your organization takes security seriously, from your janitor to your CEO. Policy is vital, but it's useful only if it influences people's behavior. The best information security policies in the world become ineffective if people don't abide by them and enforce them. I'm fascinated by psychology and sociology, and these areas are a lot more important to cybersecurity than laypeople assume. This chapter will explain how you can begin to foster a strong security culture, whether you're a new startup or a 50-year-old company. If you do something more than three times, it'll become a habit. Making sure your habits and attitudes are good will set the foundation for everything your business does with regard to cybersecurity. Effective information security is paramount in the 21st century, regardless of your company's industry or size. So, let's get off to the best possible start. This chapter will show you how.
Chapter 2, “Step 2: Build a Security Team”: If your company is medium-sized or larger, you'll benefit from having staff who work on cybersecurity as their full-time job. If your company is smaller, your one to five IT specialists will need to be tasked to manage your business's information security, even if your IT specialist is the nerd who comes into your little shop once a week to make sure your point-of-sale works properly. How your company builds a security team will vary according to your size and industry. The principles and advice in this chapter are designed to be useful for businesses of all kinds. The buck must stop somewhere. Make sure the buck stops with people who are ready to security-harden your company and rise to the challenge of any potential security incidents. This chapter includes tips on what sort of experience and credentials people should have in particular roles, so you can hire and delegate intelligently.
Chapter 3, “Step 3: Regulatory Compliance”: In business-speak, this is a major “pain point” for most companies. Pretty much all companies of all sizes and in all industries must comply with their region's general data privacy regulations. On top of that, if your company is in the medical field, there are usually regulations specific to healthcare data that must be complied with. If your company is in finance, there are usually financial-sector data privacy regulations as well. On top of that, if your company is in or deals with the public sector, there is often another whole set of regulations that are also crucial to abide by. Some audits are random and unpredictable, some may be scheduled, and some may occur in response to a data breach or similar incident. This chapter will help you take an inventory of which specific regulations apply to your business. From there, I offer tips to help you make sure you're set up for compliance so your business can continue to comply every day your business operates. Cybersecurity experts debate over how useful regulations are when it comes to preventing or mitigating security incidents. But we all agree that compliance is a must because the hefty fines for violations can really hurt your bottom line. The reputation damage can be immense too. Customers and clients need to feel that you take the security of their data seriously if they're going to be comfortable with spending money on your company's products and services.
Chapter 4, “Step 4: Frequent Security Testing”: You absolutely cannot know how well secured your company's networks, computers, and applications are without frequent security testing. Having your assets security tested isn't simply a matter of emailing a third-party security firm and saying, “I need a security test.” Cybersecurity testing comes in many different forms. The kind of testing you need will vary according to many different factors, including but not limited to the types of networks you have, how large they are, and which industry your business is in. So, knowing where to start when it comes to security testing will take this entire chapter, at the least. But don't be dismayed. This book is designed for businesspeople, not computer nerds. By the time you're done reading the chapter, you'll be ready to initiate the security testing your company needs in order to face the ever-evolving cyber threat landscape with confidence. The security testing your company needs can be a combination of internal red team specialists and third-party penetration testers. They may need to test once per year or every time your network changes in a significant way. Don't know what a red team or penetration testing is? Then this chapter is definitely for you!
Chapter 5, “Step 5: Security Framework Application”: A cybersecurity framework is a set of standards that companies can base their security policies and procedures on. The most popular cybersecurity frameworks focus on how your business should prepare for and respond to cybersecurity incidents. Often companies can choose which framework is most useful for their organization. Unlike security regulation compliance, using a cybersecurity framework is optional, but highly recommended nonetheless. Also, unlike security regulation compliance, cybersecurity frameworks aren't usually tied to a particular state, province, or nation. The same frameworks are used by organizations around the world in many different countries and industries.
The NIST Cybersecurity Framework is the most widely implemented framework, and other frameworks have been inspired by it. Some of the other frameworks I cover in this chapter include ISO 27000 Cybersecurity Framework Series, CIS Cybersecurity Framework, and COBIT Cybersecurity Framework. I explain the basics of each of these frameworks and share what cybersecurity experts believe are their strengths and weaknesses. No matter what, though, your organization must have policies and procedures for preparing for and responding to security incidents. With proper preparation, cyber incidents will do much less harm to your organization, and you will save money in the long run.
Chapter 6, “Step 6: Control Your Data Assets”: Every bit of your organization's data is stored on at least one computing device. Whether your network is on the premises, in the cloud, or a hybrid of the two; whether your company has a bring-your-own-device policy or not; and whether your workers work in the corporate office or from their homes, your organization must first determine where all of your data resides, how it's transmitted, and which entities own the devices, and then design policies and procedures for securing all of those devices.
These data assets not only contain intellectual property and sensitive data (such as login credentials and financial information), but also keep your business running each and every day. A retail business needs a constantly operating point-of-sale