Navigating The Digital Age is sponsored by Palo Alto Networks and Forbes. I reviewed the 88-page printed version, which is also available as a PDF and is provided in exchange for contact details. Note that this shares most of its title with a similar work from Palo Alto in 2015, but shares only the format and style, none of the text.
You're so busy you probably don't have time to read this entire review - in the same way all you want from the meteorologist after the news is "Umbrella? Yes/No". So should you hand over a little personal data to get hold of this work, and some personal time to work through it? Yes, definitely yes.
Overall it's refreshingly optimistic, and each section gives concrete advice about the challenges you face. For technical practitioners it's a useful insight into how non-technical defenders think; for experienced cyber professionals it contains quotable supporting text combined with reassurance that the industry is finally changing.
In a little more detail: the Forbes webpage nicely summarizes the attitude of the book: “New EU legislative opportunities provide a genuine opportunity for your business to re-architect your critical systems, to build state-of-the-art cybersecurity for today that will be scalable for your future.”
The book is very much looking to what you can do, and provides pertinent advice in easy to digest chunks. I would certainly recommend just reading it one section at a time, as each part is bound to illuminate an ongoing discussion in your own organization, and equip you with quotes to support your point of view. As each section is stand-alone they can be read and distributed independently, taking five minutes to traverse at most.
It begins with Sir Iain Lobban summarizing GCHQ's "10 Steps to Cyber Security", which is itself a useful summary and reference, and from there each section begins with a few bullet points summarizing its content, from dealing with upcoming legislation through to the responsibilities of the board and how to deal with a crisis. I'll illustrate how useful this can be with the examples that struck a chord with me:
- Need to explain to the C-Suite that they must have an understanding of technology. Sir Michael Rake of BT and WorldPay from page 25: “The next generation of leaders, who understand technology, will be the buttress we create to maintain secure systems, data, and information”;
- Need to advocate for diversity of staff. Ian West, chief of cyber security for NATO, on page 22: “Build a team from a variety of different experiences and backgrounds to provide strength”;
- Need to encourage your security staff to speak the C-Suite's language. Conrad Prince on page 28: “Convey cyber risk clearly and succinctly -- in a way boards can relate to and which enables them to make decisions”, and justify it with Edward M. Stroz from page 63: “If cyber risk is not being explained in clear language that makes sense to you and your colleagues, then you are probably not being served properly”;
- Need to explain how to make the most of cyber insurance by using it as an external party's judgement of your risk. Mark Weil of Marsh Ltd on page 66: “The insurer will have seen more cases and hold more data on this than any individual firm”;
- Need to warn your executives about whaling attacks. Ryan Kalember of Proofpoint covers all the opposite points from page 31: “CEOs hold the keys to the kingdom -- and have a persona that, when impersonated, can automatically supersede security processes and policies”;
- Need to encourage your C-Suite to take part in wargaming possible attacks. Alan Jenkins and Greg Day explain all that you need to say on pages 57 and 58: “Such 'mock' exercises can do much to ensure the business is capable of responding to a full-scale crisis”. Richard Meredith and George Little have a great set of questions to ask before or as a breach becomes known on pages 71 onwards, from "do you have a crisis team?" to "are you comfortable with how you will respond to criticism online?"
Jargon is used liberally but appropriately, and only to succinctly describe a complex idea to peers. All of the authors are sufficiently senior that they want to share what they've learnt, rather than merely demonstrate how much they know.
Unlike much cybersecurity discussion, it's all forward-thinking. Greg Day of Palo Alto Networks states: “It may be a hackneyed expression, but cybersecurity should enable, not inhibit, the business”. This is at the end of a piece advocating GDPR as an opportunity more than a threat.
It may be a sign of the company I keep or the work I follow, but it's a refreshing change to see this attitude within every section of the book. For example, there is a section by Lee Barney, head of information security for Marks and Spencer, on how to operate the security of an agile business with a massive attack surface, written with a pro-business focus.
Overall this book is well written, a useful guide to have to hand, and most importantly, well worth your time.