Acknowledgments
We are grateful to all the people who helped us bring this project to life.
We thank our families that encouraged us and took on responsibilities we could not in the early mornings, long nights, and weekends spent to realize this book. Thank you for reviewing our early drafts, providing your guidance on the logo and cover, and creating space week after week. Thank you for your empathy through the challenges we faced and the mounting stress as the deadline for our final manuscript approached. Thank you for your reassuring words, patience, and believing in this book as we conquered each new surprise. Most of all, thank you for your hugs and for your loving support. Without them, this book would not have been possible.
We thank the many individuals who invested their time to help review and refine the manuscript. The perspectives gained from CEOs, equity investors, industry analysts, consultants, MBA professors, and the many CISOs and cybersecurity professionals who contributed surely improved the accuracy and relevance of our content.
We want to express specific gratitude to Kenneth Ziegler, Brian Ahern, and Lisa Xu, who helped in reviewing various chapters, offering revisions and insights and examining content from a CEO's perspective. Karan Saberwal, Shaun Gordon, and Michael Lee were generous in extending their expertise as equity investors. Paul Proctor has been an inspiration for years. His work at Gartner continues to push the industry forward, and we were lucky enough to benefit from his passion and commitment to emphasize the most important ideas in our text. Timothy Galpin added his perspective with years in M&A consulting and more recently in academia as a professor and academic director. Dave Hannigan and Caroline Wong were reviewers of our book proposal as we pursued a publisher and later contributed as valued reviewers. Their perspectives as cloud and application security pioneers, experienced operators, and mentors have been invaluable. Malcolm Harkins's expertise as a successful Fortune 50 CISO and later entrepreneur has been a beacon, especially during our formative years in the profession. We thank Marilyn Daly for her support in considering the impact of our words from a variety of unique perspectives, and Demetrios Lazarikos for his generous time writing the foreword and being a dedicated mentor in cybersecurity and entrepreneurship. We also thank the members of the Lean CISO group not already mentioned here: Philip Beyer, Russell Eubanks, Alex Kreilein, Sean Martin, and Jasper Ossentjuk, for their friendship and for supporting physical and mental health throughout an unprecedented year.
We thank them all for their guidance and the time each individual invested as it doubtlessly improved our book.
We thank those who gave us permission to quote them, contributed graphics, extended our professional networks, and encouraged our work. Chris and Kristine Laping, Tage Tracy, Craig Fletcher, Stefan Peter Roos, Steven Martano, and Ryan Freilino: we thank you for your willingness to support this project.
We thank the authors and experts who came before us. In many cases, we merely extended their theories, research, and formulated thoughts, or shared our experience putting their ideas to work throughout our careers. In most cases, we are bridging others' content into the world of cybersecurity. The Notes section at the end of each chapter does a great job capturing the people who inspired us in this regard. Without their deliberate contributions this body of work would not have been possible.
Finally, we thank Richard Seiersen for his introduction to our publisher. And we thank our team at John Wiley & Sons for seeing the potential of this project: Susan Cerra, Sheck Cho, Samantha Enders, Michael Isralewitz, Beula Jaculin, and the countless others behind the scenes.
In the foreword and preface we got aligned on the challenges our industry faces, our motivations for writing the book, and a bit about the authors. To help you use this book as a reference in your day-to-day experience, we'll now review the structure of the book and offer a summary of each chapter.
First, note that the book has three parts. If you plan to read the book front-to-back, the flow is natural and the content is cumulative. Chapters at the back of the book assume you are capable of financial analysis, business cases, and other topics covered early on.
In our view, it was important to first establish requisite Foundational Business Knowledge in Part I. That is where you will learn key vocabulary, basic financial formulas, and business strategy tools. We will also review business decision models, valuation methodologies, and business case development. Each chapter (or class) includes one or more case studies to apply the knowledge you've learned. That's true throughout the book, and it is true in any MBA program as well. What is different here is that our case studies are developed through the lens of the CISO, rather than the strict business perspective that surfaces in MBA curricula.
Equipped with a common foundation of business knowledge and clear examples of how to apply the core concepts we move on to Part II – Communication and Education. Here you can expect a review of how to leverage COSO, an enterprise risk management framework, to ensure cybersecurity risk fits into the broader context of business risk management. Remember, cybersecurity risk is another risk that needs to be addressed along with financial, operational, strategic, legal, and compliance risk. Just as market, credit, and liquidity risks are types of financial risk, there are subcategories of cyber risk too. So, Part II is the connective tissue that ensures cybersecurity risk is properly framed and prioritized.
Finally, assuming a foundation of business concepts and the proper governance structures for treating cybersecurity risk are in place, you need to lead a team and execute according to the priorities you have established and the projects you have funded. In Part III – Cybersecurity Leadership we review techniques for attracting and retaining talent, and finally negotiation skills that will help you navigate interactions with your employees, colleagues, investors, regulators, and outside vendors.
Now that you know how the book is structured, it's also important to understand how the chapters are structured throughout the book. Through personal stories we outline the opportunities we feel are most relevant at the very beginning of each chapter. Then we introduce theory or research in the Principle section. Next, each chapter extends theory with an Application section that features one or more illustrative case studies. In some cases, the names or details were adapted to protect the innocent. Finally, each chapter is summarized with a Key Insights section that draws out the salient lessons we hope you learn. There is also a Notes section provided at the end of each chapter that outlines supporting research and reference materials.
We recommend that before you read a chapter, you read the Key Insights and examine the Table of Contents. Since we cover many high-level frameworks quickly, this approach will be helpful to keep you oriented in the chapter and book. It's also a speed-reading technique. The following paragraphs provide a summary of each chapter.
Part I – Foundational Business Knowledge
Chapter 1 – Financial Principles. This chapter builds your knowledge of financial statements, reviews connections between each statement, offers free resources for further study, and features two case studies that relate cybersecurity operations to accounting rules and financial statements. Read this chapter to solidify your understanding of EBITDA, CapEx, OpEx, Retained Earnings, and Net Income along with other fundamental vocabulary and accounting concepts.
Chapter 2 – Business Strategy Tools. In the second chapter, we introduce business models, KPIs, and value chains. Other topics include board composition and systems theory. We provide a case study to demonstrate the use of the business model canvas. There are two additional case studies that feature value chain linkages to create competitive advantage. One case study features optimization while the second focuses on coordination. Read this chapter for tools that will help you dissect your business's strategy, understand the supply and demand dynamics of your company operations, connect to primary business measures, and optimally position cybersecurity as a source of competitive advantage.
Chapter 3 – Business Decisions. Our third chapter explores how business decisions are made. Decision-making can be improved with an awareness of the biases and noise that commonly afflict us as human beings. We cover a lightweight application of the scientific method to enhance learning. From there, we dive into decision science and choice architecture frameworks. We briefly examine the use of an influence model, and then we finish the chapter with two case studies. The first case study examines various applications of the decision science framework in the context of a hypothetical new CISO scenario. In the second case study we apply choice architecture to phishing defense.
Chapter 4 – Value Creation. The fourth chapter is all about business valuation. We naturally start by defining what we mean by value. Then, we examine the critical attributes of value. Next, we explore how those attributes surface in determining business valuations. Additionally, we examine investor types, means of return, valuation methodologies, and common value drivers. The application section covers the core concepts in a case study that applies security strategy in the context of business valuation for a hypothetical beverage manufacturer.
Chapter 5 – Articulating the Business Case. To get the fifth chapter started, we review several important cost concepts including incremental, opportunity, and sunk cost. From there we explore a communication framework, and two financial analysis methods: cost benefit analysis and net present value. Finally, we close out the chapter with three case studies. The first examines a successful budget request for password management, and the second applies cost benefit analysis to the same project. The final case study leverages a Monte Carlo simulation to examine possible net present value outcomes of a revenue-generating opportunity resulting from delivery of security services.
Part II – Communication and Education
Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT. In Part II, we will build upon Part I and introduce additional tools that transform cyber risk issues into enterprise risk dialogue. This chapter starts to break down the COSO framework. It lays the foundation for elevating cyber risk conversations to enterprise risk by focusing on the first two guiding principles of COSO:
· Governance and Culture
· Strategy and Objective Setting
At the end of this chapter, the case study relives one of the author's greatest regrets and warns of the consequences of failing to establish a robust governance structure.
Chapter 7 – Translating Cyber Risk into Business Risk. Chapter 6 discussed establishing a cyber risk management program's foundation using COSO's first two guiding principles. This chapter expands upon those foundations and focuses on executing the cyber risk program and rolling up cyber risk into a portfolio view of enterprise risk that executive leaders, and the board, can use to make business decisions. To do this, we will align with the final three risk management components of COSO:
· Performance
· Review and Revision
· Information, Communication, and Reporting
The case study reveals how the author helped an organization align its cybersecurity program to its enterprise risk management efforts. This ultimately highlighted previously unknown risks and secured additional funding from its board of directors.
Chapter 8 – Communication – You Do It Every Day (or Do You?). This chapter challenges you to examine how you communicate. It provides a structure to improve communication for the explicit purpose of advancing a cybersecurity program. We close this chapter by expanding upon the case study in Chapter 7. We take you into the boardroom to eavesdrop on the conversation between the author and the board of directors.
Part III – Cybersecurity Leadership
Chapter 9 – Relationship Management. You cannot operate in a vacuum. A robust cybersecurity program relies on individual technical skills and interpersonal relationships. Read this chapter to master the four key skills of relationship management: maintaining trust, indirect influence, managing through conflict, and professional networking. We conclude with two case studies. The first demonstrates how some humble pie is the remedy to establishing greater trust. The second case study shows the importance of a professional network as the author transitioned from being an operator to an entrepreneur.
Chapter 10 – Recruiting and Leading High Performing Teams. The cybersecurity skills gap is well documented yet hotly debated. However, as a leader, you must ensure you have the right people in the right roles at the right time. This chapter will dive into methodologies we utilized to attract, retain, and lead high-performing teams. The case study walks through the perils of combining a bureaucratic hiring process with an inability to implement the hiring practices we advocate for in this chapter. The same case study then walks through what it was like to get “baptized by fire” in servant leadership.
Chapter 11 – Managing Human Capital. Read this chapter for specific tools to baseline strengths, critical considerations in managing a multigenerational workforce, the importance of training, the criticality of diversity, and cognitive biases to be aware of that may surface in our day-to-day jobs. The case study brings to bear a cost-benefit analysis technique outlined in Chapter 5 to demonstrate the actual value of training and the true cost of eliminating it from a constrained budget.
Chapter 12 – Negotiation. In this penultimate chapter, we focus on adapting the skills from Chris Voss (a former FBI hostage negotiator) as featured in his book Never Split the Difference: Negotiating As If Your Life Depended On It. There are countless negotiations you perform every day. If you can be successful in your negotiations while preserving your relationships, you have what it takes to generate cultural change. The chapter concludes with a case study on building security culture and application security using the negotiation techniques introduced.
Conclusion. We conclude the book with a heartfelt note of gratitude and an optimistic eye toward a brighter future. Engage us online at www.CISOEvolution.com.