There are many books on cyber security – but most are from the technical perspective, leaving less technical managers and stakeholders, including directors, confused and unaware of the business risks that these threats pose.
We hear daily of high-profile cyber attacks, data breaches and GDPR (General Data Protection Regulation) violations. All businesses must protect themselves and their reputations regardless of their size and market sector, and their stakeholders need to take cyber security seriously.
A comprehensive cyber security stance is a key defence against malicious attacks, so it’s vital to have the right measures in place to protect your business. The board, and other major stakeholders, needs to understand the risks and evaluate their cyber control strategies.
Leadership commitment is key to successfully managing cyber governance, risk and compliance. Board members and senior management must understand the threat landscape and the strategies they can employ to establish, implement and maintain effective cyber resilience throughout their organisation.
In this blog, consultant, speaker and author Chris Wright discusses his book, How Cyber Security Can Protect Your Business – A guide for all stakeholders, which is intended to fill this gap.
Who is the book for?
How Cyber Security Can Protect Your Business – A guide for all stakeholders explains in non-jargonistic language the threats your organisation faces and the controls that can be implemented to address them.
The approachable tone, focusing on business issues makes this guide ideal for directors, helping them grasp key concepts quickly.
It’s also a helpful resource for anyone involved in communicating with this group who wants to understand the concepts on which cyber security depends.
Introduction to cyber security GRC
- Aligning the cyber response with the GRC (governance, risk and compliance) approach used for risk management in other areas (including "the three lines of defence" model)
Cyber security governance
- Considering the actions business leadership must take to improve cyber culture, threat and risk awareness and risk management. This includes their response to cyber incidents, and the key cyber security questions they should be asking.
Cyber security risk management
- Looking at risk management scoping, including process and control mapping, and the procedures for risk assessment, designing, testing and implementing cyber controls.
Cyber risks and controls
- How to identify cyber risks and controls, and the special requirements for third-party service providers. Also considers protective controls against cyber risks, such as access management, firewalls, security patching, vulnerability management, anti-malware and security by design.
Responding to an attack
- What businesses need to do to prepare for, detect and recover from cyber attacks.
- Considers general cyber compliance requirements, including the need for a good IT (or information) security policy and cyber insurance. Also considers some specific compliance areas such as ISO 27001, the GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), Sarbanes-Oxley Act and third-party compliance.
To quote from the book:
It’s about balance: how do we continue to safely and confidently enjoy the benefits of our modern life – instant communication, and the ability to order goods and services whenever and wherever we want, having checked our bank balances and socially networked all of our friends to brag about our purchases?
Cyber governance, risk and compliance is about efficient policies and controls to ensure compliance obligations are met while not impacting the business need to be competitive in the cyber world.
Good GRC processes should also provide assurance that significant risks that could impact the future viability and profitability of the organisation have been addressed.
I have aimed to make the book easy to understand for all and to emphasise that good cyber security is not just about the technology, but also about the “human firewall”.
This includes the behaviours and approach of everyone in an organisation to prevent, detect and react to significant potential cyber security incidents. In this way, the likelihood and impact of any attack should be reduced.
The human firewall should be seen as the front line of defence. All directors and senior management need to lead by example and provide good clear guidance on the behaviours and actions expected by the rest of the organisation.
Ignorance is no excuse – especially after reading this book. If you don’t believe me, ask any director whose organisation has seen the consequences of such attacks, then read this book and implement changes to improve your cyber governance risk and controls.
The book will help you to understand:
- The specific cyber risks and how they can be managed;
- How to provide governance and leadership on cyber security issues so that your organisation can still get the benefits from IT operations while reducing risk and being fully prepared to respond to attacks; and
- How to be cyber compliant, thereby reducing the risk of fines or loss of reputation.
You can find Christopher Wright’s other publications on the ITGP website.