The CYBER MARKET PULSE is a series of informative pieces from IR Global’s Strategic Partner for cybersecurity eosedge Legal. eosedge Legal offers data privacy and data protection services, including consulting, training, incident response, and compliance. See a Profile here. In this piece, Stephen Campbell reviews a new book on cyber risk, Fire Doesn’t Innovate.
Cyber Security is a Business Problem, Not an IT Problem.
Stephen H. Campbell, CISSP
Cyber Security Consultant
“Cyber security is a business problem, not an IT problem”. This message is starting to resonate with busy executives in the professional services community. The problem is that there is still a disconnect between those with fiduciary duty and those in charge of information security. A new book that addresses this issue head-on is Kip Boyle’s Fire Doesn’t Innovate.
Fire Doesn’t Innovate is really two books: an executive primer on cyber risk and a methodology for assessing the maturity of security controls or countermeasures. It is worth buying the book for the primer alone, which is very easy to understand. Its primary lesson is that, unlike dealing with the risk of fire, managing cyber risk is a continuously evolving journey in which we must adapt to innovative adversaries.
Fire Doesn’t Innovate gives non-technical executives enough knowledge to understand today’s most effective controls and to probe their staff with the right questions. It explains the all-important legal concept of “reasonable security”, the benefits of purchasing a cyber insurance policy that comes with “breach coaching”, and the use of attorney-client privilege to protect against claims of negligence.
The author has a wonderful way of explaining cyber risk in non-technical terms using anecdotes from real-world breaches and analogies from the physical (e.g. fire) and biological (e.g. germs) worlds. Any time he uses a buzzword he explains it in simple terms. Sentences are short. It’s a joy to read and I found myself whipping through it at a rapid clip.
The second part describes CRO/Cyber Risk Opportunities’ top-down facilitated self-assessment. It’s a good way to build awareness of good cyber hygiene and accountability for cyber risk management amongst middle management. It comes with a free Google Sheet to evaluate your controls and helpful YouTube videos to guide you. The approach to calculating a 3-year Total Cost of Ownership for each control is simple and effective.
One thing to be aware of: the assessment measures your mid-level managers’ PERCEPTIONS of their departments’ cyber maturity rather than their ACTUAL cyber maturity. The mantra is “build a culture of cyber risk management from the top” and the details will follow. There is a lot of truth to this. But if your goal is to conduct a comprehensive gap analysis of your actual control maturity, you may need to complement the CRO approach with a bottom-up assessment like CyberGaps™ from eosedge Legal, which gets into the nitty-gritty of individual policies, procedures and technologies.
All in all, I thoroughly recommend this book. It encapsulates decades of wisdom and yet is up-to-the-minute with its guidance. And it is remarkably easy to read. You no longer have an excuse. Don’t leave cyber security to the “IT Guy”. Take charge of your firm’s cyber risk management program today.