Post

The Cybersecurity Manager's Guide

Review of The Cybersecurity Manager's Guide by Todd Barnum

The Cybersecurity Manager's Guide

Review: Todd Barnum - The Cybersecurity Manager’s Guide

Background

I have been picking up a few books related to cybersecurity recently to broaden my perspective, and one of them is The Cybersecurity Manager’s Guide, Todd Barnum, 2021. This book is aimed at cybersecurity professionals who want to establish an InfoSec program, whether from scratch or improving an existing one. It covers a wide range of topics, from managing teams to dealing with incidents. In this review, I will be looking at my key takeaways from the book and how it gives me direction in my cybersecurity journey.

The Odds Are Against You

The book wastes no time and punches you in the face with the sobering reality that “Nobody Really Cares”, “Nobody Understands”, and “Fear Drives Our Industry”. Having worked in environments where we had no support, and slightly above average support, I can see where the author is coming from. Ultimately, this means that you have to work with fewer resources and less support than you would like, but that doesn’t mean you can’t succeed.

The Science of Our Business

With reference to the CISSP’s 8 domains, the author details the science of our business that we, as cybersecurity professionals, need to have exposure, if not expertise in. All these are the technical aspects of cybersecurity that we will be expected to understand to some degree, and having gone through the CISSP myself, I think the author has laid out good groundwork for how important parts of these domains can be implemented on a high level.

The Art of Our Business

The author likens the art of our business to our ability to apply the science of our business in a way that is effective. This includes things like developing relationships, alignment with company culture and goals, developing the cornerstones of our program, communication and education, particularly with non-technical staff, delegation of responsibilities, building a team, and measuring impact. Ultimately, we can have all the technical knowledge (science) in the world, but if we can’t apply it effectively (art), our program will not be successful.

This is where the author introduces the 7 steps to ensure a successful program:

  1. Cultivate Relationships
  2. Ensure Alignment
  3. Use the Four Cornerstones to Lay the Groundwork for Your Program
  4. Create a Communications Plan
  5. Give Your Job Away
  6. Build Your Team
  7. Measure What Matters

Cultivate Relationships

For cybersecurity to succeed, we need to cultivate relationships with other teams. This is something I know all too well from my time in the industry, and I have heavily alluded to this in my Start Up Scale Up series. Only with such a strategy can we ensure that everyone wins.

Ensure Alignment

As much as we have our own goals, objectives, and preferred security level, we need to ensure that these are aligned with the company’s goals, objectives, and preferred security level. The author does correctly recognize that system and data owners do want to improve security on their own, and that a cybersecurity team coming down hard on them to force their way will not be successful. Let them take the driver’s seat, and we can guide them in the right direction.

Use the Four Cornerstones to Lay the Groundwork for Your Program

The four cornerstones are Documentation, Governance, Security Architecture, and Communication. These are the foundation of our program, and the author goes into detail on how to implement these cornerstones effectively.

Documentation

The first cornerstone provides direction and guidance for the program, and the author is right that this begins when management signs off on the roles and responsibilities of the InfoSec team. This is the first step in ensuring alignment with senior management’s goals and objectives. The author also recommends that other teams be involved in this process, which will make the documentation more effective.

Governance

The second cornerstone provides guidance on the management of decision making. The author again recommends that other teams be involved in this process, which promotes openness and transparency. Through this approach, we can ensure technical leads, representatives from lines of business, and executives, are all involved in the success of the program.

Security Architecture

The third cornerstone provides guidance on the technical aspects of the program. The author recommends the documentation of security controls in a way that is easy to understand, even for non-technical management. This also helps both system owners and data owners develop their own roadmaps for improving security, which is what management wants to see before they fund the initiative.

Communication

The fourth cornerstone provides guidance on how to communicate the program to the rest of the organization. The author recommends that every staff member be reached out to, so everyone understands their responsibilities in ensuring good cybersecurity hygiene. Although this is difficult, it is something I have seen in practice with topics like phishing exercises and cybersecurity training. Role-specific training is also recommended, which ties in to the earlier point about security architecture and governance.

Create a Communications Plan

The author views this as the most critical part of the program, and he dedicates a full-time resource to ensuring this is done effectively. This also involves things I have not seen, such as inviting industry experts, or running a cybersecurity conference. While I have not seen these specific things in practice, I can agree that the importance lies in ensuring that people of different technical levels understand, and are engaged in, cybersecurity and our program.

Give Your Job Away

The author recommends that security responsibilities be delegated to system and data owners, which I have seen to be the case in practice. The author does note that leadership still has the impression that the cybersecurity team is still both responsible and accountable for security, which is ultimately due to the lack of understanding of cybersecurity. While we work with these system and data owners, we also need to understand that they need to be acknowledged whenever they do something right, and that we should prioritize working with teams who welcome our involvement.

Build Your Team

The author correctly recognizes that many cybersecurity people need to wear multiple hats due to lack of resources. The author also emphasizes the importance of hiring technical people who have good interpersonal skills, which is something that I see every company wants, but is still ultimately in short supply. Given the author’s emphasis on the importance of relationships, I can see why this is important.

Measure What Matters

The author understands that measuring how effective our program is, is important for management to keep investing in it. It is important to measure the right things, and the author provides two simple metrics that easily reflect the security awareness of staff throughout the organization. I am inclined to agree, seeing how I believe that people are both the weakest link and the strongest asset in cybersecurity.

Working With the Audit Team

The author makes an insightful point about how auditors are generally unaware of how to audit the InfoSec space, and most auditors ultimately focus on things that do not matter, and do not really improve security. This is something I feel strongly about, having worked with auditors in the past, and that will merit a separate post in the future. The author recommmends that we work with the audit team to ensure that they understand what is important, and that they focus on the right things. The author recognizes the audit team as the last resort, used to influence a system owner who would not otherwise listen to the cybersecurity team.

A Note to CISOs

The author details his unique approaches towards the above topics, such as hosting lunches and developing hiring criteria. All of this is aimed at making sure that the CISO is set up as a driver of cultural change across the organization through education and communication. While I am not in a leadership role and cannot really relate to this, I can see how his unique approaches would be effective in a leadership role to achieve the goal of cultural change.

Conclusion

The Cybersecurity Manager’s Guide is a great book for cybersecurity professionals to help understand how a cybersecurity program can be established, and how it can be successful. The author provides a good mix of technical and non-technical aspects of cybersecurity, and how they can be applied effectively. While I am not in a leadership role, I find it important to understand how a leader thinks, and how they can establish rapport and garner support. I would recommend this book to anyone in cybersecurity who is either an existing leader, or who wants to be a leader in the future.

1
2
nicholaschua@youread.me:~$ exit
logout

References

  1. The Cybersecurity Manager’s Guide, Todd Barnum, 2021

Return to Top

This post is licensed under CC BY 4.0 by the author.