“Rational Cybersecurity for the Business,” my upcoming book, will help business and security leaders see through misinformation, FUD, and hype. It will explain how to think about our challenging problems rationally, enable bold digital business strategies, and substantially reduce risk.
The book’s premise is that business and security concerns are like two sides of the same coin, very closely related although they seem different. Amidst dark forecasts of breaches and rising protection costs, how do we crack the code to align business and security leaders around a healthy people-process-technology security program that enables the business to fully reach its digital transformation potential?
We’ll seek to dispel the myths that cybersecurity is primarily a technical problem, that architecture is futile in the age of agile, that your organization will always be the problem, and that there’s not much you can do about APTs anyway.
This isn’t just a book; it’s a project. It will give you – no doubt some of our best and brightest security and business leaders – an opportunity to help shape the thinking of an industry. I hope many of you will take me up on that and contact me for an interview. There’s much we can learn together.
Myth #1: Cybersecurity Is Just a Technical Problem
Many business and security leaders still think of cybersecurity primarily as a technical problem, but that’s not so. Significantly, the NACD came out dispelling this myth in the highlighted quote from its Director’s Handbook on Cyber-Risk Oversight. However, I know many people who don’t get it. At the root of many consulting engagements, we still find a governance problem.
What do the other Myths have in common?
Cyber-Insecurity. Negativity. Defeatism.
#2 – Architecture is futile in the Age of Agile
#3 – Organizations (or People) will always be the Problem, never the Solution
#4 – Not much you can do about APTs anyway
Ok. There are challenges with organizations, with architecture, and yes, the advanced persistent threats (APTs) are out there. Why shouldn’t we just say:
#5 – Boohoo. It’s too hard…
Because that’s NOT what we’re Paid to Do
I’m sorry I can’t just wave a magic wand (or cite another NACD quote) to make these myths go away. Only we, the business and security leaders, can dispel them through diligent work. It could be hard, but we must attempt it.
Rational Cybersecurity Research Questions
What if there is a way to align business and security leaders around a healthy people-process-technology security program? To manage cyber-risk and uncertainty rationally and quantitatively? Enable the business to fully reach its digital competitive potential? Do 90% of the work for 10% of the effort that could otherwise have been required? To get a strong start in 90 days?
Call to Action
I’m currently interviewing business and security leaders to test and discover the best governance and technical strategies. Please contact the Rational Cybersecurity Project for an interview.