1st Edition
The Business of Cyber Why You Should Question What Your Security Team Are Telling You
This book examines the cybersecurity phenomenon, looking at the folklore, the hype, and the behaviour of its practitioners. A central theme is that the management of cybersecurity needs to be owned by the people running the organisation, rather than by the cybersecurity team, who frequently don’t have management as a core skill. In order to effect that change, managers need to have the background and detail to challenge what they are being told, enabling them to engage in a way that will result in more appropriate outcomes for the business. This book provides that background and detail. It debunks a number of cyber-myths, and calls out basic errors in the accepted thinking on cyber. The content is strongly rooted in available research and presented in an accessible manner, with a number of business-related case studies. Each chapter in the book takes a theme such as end-user behaviours and compares the available evidence with what the industry would like to have its customers believe. The conclusion is that there is definitely a problem, and we certainly need cyber defences. Just not the ones the industry is currently selling.
About the Author
1. The Current and Future State of Cyber
2. Security Culture Will Fix Things
3. If Only Users Would “Get It”.
4. Security = Confidentiality + Integrity + Availability
5. Security Is Best Done with Numbers
6. Security Is Treated as a Business Issue
7. The Enforcement of Compliance
8. Aggregated Case Studies
9. Summary and Future Work
Index
Biography
Peter Fagan has been working in the information security industry for well over twenty years, in a variety of roles and environments. About eight years ago, he asked himself the question “why isn’t this working?”. After all, if we’re selling security, surely after a while there ought to be less of a need for it? Asking that question kicked off a journey of personal research, academic research, and the hands-on practical implementation of contemporary approaches, based on the way people actually behave rather than the way security teams would like them to behave. That journey ultimately led to this book, which presents the argument that an industry focused on profit is more concerned with selling compliance than it is with selling protection. Along the way, the author draws upon formal business knowledge gained through an MBA and an MSc in organisational psychology.
