Welcome to the SecAware blog

I spy with my beady eye ...

11 Mar 2021

NBlog Mar 11 - book review on "Cyber Strategy"



Cyber Strategy

Risk-driven Security and Resiliency

Authors: Carol A. Siegel and Mark Sweeney

Publisher: Auerbach/CRC Press

ISBN: 978-0-367-45817-1

Price: ~US$100 + shipping from Amazon



Outline

This book lays out a systematic process for developing corporate strategy in the area of cyber (meaning IT) security and resilience.  


Pros

  • An in-depth exposition on an extremely important topic
  • It emphasises risks to the business, to its information, and to its IT systems and networks, in that order
  • Systematic, well structured and well written, making it readable despite the fairly intense subject matter
  • Lots of diagrams, example reports and checklists to help put the ideas into action
  • Treating strategy development as a discrete project is an intriguing approach


Cons

  • Describes a fairly laborious, costly and inflexible approach, if taken literally and followed STEP-by-STEP
  • Implies a large corporate setting, with entire departments of professionals specializing and willing to perform or help out in various areas 
  • A little dogmatic: alternative approaches are not only possible but sufficient, appropriate or even better under various circumstances, but strategic options and choices are seldom mentioned
  • As described, the strategy planning horizon is very short
  • A defensive risk-averse strategic approach is implied, whereas more proactive, even offensive strategies can take things in a different direction: sometimes risks should not just be accepted but relished!
  • Little mention of architectural approaches e.g. business, information and IT architectures with risk and security implications and opportunities


Conclusion

Despite being described as a sequence of six STEPS (all in capitals, for some reason), there are of course way more than six activities to perform, and some are parallel or overlapping rather than sequential.

Reading, thinking about and implementing the ideas in this book should result in a soundly-constructed cyber strategy, generating far more value than the book's purchase price.  However, studying a book, even one as well-written as this one, is not sufficient to turn just anyone into a cyber strategist!  This stuff is hard.  The book makes it a little easier.

No comments:

Post a comment