Building a Cyber Resilient Business: A cyber handbook for executives and boards

I didn't know much about the business side of Cybersecurity going into this book, but it gave me a better understanding of how to talk to executives about Cyber risks and how to get more for the security program.

I recently had a look at Building a Cyber Resilient Business from Packt and written by Dr Magda Chelly, Shamane Tan, and Hai Tran. This is an excellent guide that aligns the responsibilities of cyber security and resilient to the various C-level roles within an organization. It goes beyond the typical frameworks and tools for a more practical understanding. There are even some roles within this book that you would not think about their responsibilities for cyber resilience. This book is easy to follow with practical guidance and helpful information throughout. A must have for people that are in a leadership position within a company.

I really like how the book touches upon various regional aspects; from different areas of focus to some of the shortcomings, and this is helpful to any level of reader – board, CEO, and the rest of the C-Suite.The chapter for boards is also an excellent read and simple to understand. I like that it provides key emphasis on how both the directors and management should be cyber aware, from their role in cybersecurity to helping board and non-cyber management understand cyber risk, to providing strategic direction in ensuring the organisation is cyber resilient.This is crucial especially in light of the release from the U.S. Securities and Exchange Commission (SEC) on their proposed new rules requiring U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise, which happens to also align nicely with one of the topics highlighted in the book, “The CISO’s Seat at the Table”. Great work authors!

How would you define and communicate cyber risk to the board in terms of business impacts? This book creates a roadmap for c-suite and board comms around cyber risk. The authors define the roles and collaborative responsibilities of c-suite actors in the context of defining communicating and managing cyber risks effectively to build resilience and sustainable policies, procedures, controls and training. Chapter 1 contextualises cyber risks as being not just the CISO’s job, but encourages CISOs and CEOs to regularly reflect on how broader economic, political, social and environmental trends are impacting the organisation’s strategy.The chapter on building a strong and positive security culture discusses shaping collaboration and understanding between developers, security teams, and operational teams by promoting security by design; secure coding practices and robustness of a secure software development lifecycle are fundamental to promoting a DevSecOps culture within the organisation. I’d love to read more about how the authors view the role of human risk management within this context. Some great recommendations given include avoiding ‘blame and shame’ comms. This is critical to building a positive and inclusive security culture and the authors explain how crucial the involvement of the CMO and CHRO are in promoting engagement and inclusion, especially in relation to privacy regulation and legislation, such as The GDPR.Dr Magda Chelly has spoken widely about inclusion and engagement, and I was really interested in what she says about interactive, gamification of security and awareness training, especially how role-play activities like phishing email writing can help staff identify red flags by playing the role of the attacker to enable empathy and proceduralisation of training objectives, rather than submitting staff to a one-size-fits-all security training package.The ’Questions to ask your CEO/CISO, COO….’ as well as ‘Questions to as yourself, as a CEO’ sections within each chapter are really useful tools to promote productive and empathetic communication around cyber resilience, and ones I will definitely be referring to.

This is an excellent book written for the executives and the board- who are accountable for their business' cyber resilience and hygiene. If there's a corporate team huddle of the CxOs on agreeing to doing their part in cyber scrutiny and handling cyber risks, this book is apt, concise and answers the Why, What, How, and also the what not to do! I wish the authors also included a self-evaluation questionnaire of the CxO role-specific cyber awareness and actionable insights in fortifying themselves so that their business is cyber resilient!