Digital Resilience

Book written by Ray Rothrock

Book review by Ron Gula

Executive Summary

I recommend “Digital Resilience: Is Your Company Ready for the Next Cyber Threat” to smart people who need to rapidly learn the history and issues of cybersecurity, so they can make effective decisions and formulate strategies to manage cybersecurity today.

If you’ve recently been put in charge of IT or IT operations and didn’t grow up in cybersecurity over the past 20 years, this book is for you. This book is also equally useful for new CEOs, CFOs or board members who need to understand cyber risk without getting overwhelmed with IT technology or the defeatism of “hackers and nation states will always get in, so why bother”.

The book does a great job of giving some context to the rich history of cyber events and evolution of IT technology over the past few decades. It answers many of the “how did we get here” types of questions, and more importantly, “where are we going?”.

It does an equally good job of offering some prescriptive actions organizations should take to measure and increase their overall cyber security. It does this with basic common sense and a focus on resiliency rather than relying on compliance or security frameworks, which can be very off-putting to first-time cyber readers.

Ultimately, I found this book very welcoming and inviting to new cyber professionals. There is a very balanced approach to understanding that cyber security is about balancing your people, processes and technologies and communicating this to your management. These approaches will be valid for the next generation of technologies, and this book will still feel very fresh and modern even ten years from now.

Review

I recommend “Digital Resilience: Is Your Company Ready for the Next Cyber Threat” to smart people who need to rapidly learn the history and issues of cybersecurity, so they can make effective decisions and formulate strategies to manage cyber today.

If you’ve recently been put in charge of IT or IT operations and didn’t grow up in cybersecurity over the past 20 years, this book is for you. This book is also equally useful for new CEOs, CFOs or board members who need to understand cyber risk without getting overwhelmed with IT technology or the defeatism of “hackers and nation states will always get in, so why bother”.

The book does a great job of giving some context to the rich history of cyber events and evolution of IT technology over the past few decades. It answers many of the “how did we get here” types of questions, and more importantly, “where are we going?”.

It does an equally good job of offering some prescriptive actions organizations should take to measure and increase their overall cyber security. It does this with basic common sense and a focus on resiliency rather than relying on compliance or security frameworks, which can be very off-putting to first-time cyber readers.

The eight chapters take the reader on a walk through cyber with very good prescriptions.

Chapters one, two and three make the case for why resilience is the best strategy. As an engineer, this really resonates with me. Unless you design security into things from the start, you are always patching and adding to your problem. The scope of how much we are already connected, even for on-premise networks and applications, is also discussed, as are the complexity of modern networks, their interdependence on each other, and the large number of cloud services and SaaS applications. More importantly, Ray suggests a variety of strategies in these chapters to help the reader come up to speed and be proactive.

The remaining chapters focus on building resilience and take the reader into some very crucial concepts. The two hardest things for cyber professionals to do well are to speak to their management team effectively and to keep track of all of their assets. Ray does an excellent job of giving a variety of ideas for how executives should be briefed on cyber issues, as well as guidelines for presenting to boards. Ray also does a great job of suggesting that keeping track of your digital assets, both on premise and in the cloud, is step one. You can’t protect what you don’t know. I kept waiting for Ray to pitch the NIST Cybersecurity Framework or the Center for Internet Security 20 Critical Controls, but he did not. I’m a big fan of these frameworks, but I’ve struggled using them for first-time cyber executive briefings. I felt Ray was very clever in presenting many of the same themes as these frameworks, but worded in a commonsense fashion as compared to the necessarily detailed complexity of the frameworks.

Ray also has a chapter for measuring resilience. I was a fan of this chapter, as it talks about what makes good key metrics but stops short of claiming a grand unified theory of modeling cyber risk. While I was CEO at Tenable Network Security, I got exposed to many very smart solutions that took vulnerabilities and assets as input to a complex model that would measure risk. I found these models very suspect and felt organizations really needed to focus on simpler key metrics. Ray’s view on this is very similar to mine: I recommend that there are two levels of excellence for cyber, those organizations that can get to a point where they can adequately detect and expel hackers, and those organizations that can do this but also try to minimize the cost and redundancy of their security stack. Basically, you can spend and be effective at cyber security, and when you get there, you can try to be more efficient about it as well.

Ultimately, I found this book very welcoming and inviting to new cyber professionals. There is a very balanced approach to understanding that cyber security is about balancing your people, processes and technologies and communicating this to your management. These approaches will be valid for the next generation of technologies, and this book will still feel very fresh and modern even ten years from now.

Conclusion

I got into cyber security because I read books like Winn Schwartau’s “Information Warfare”, William Gibson’s “Neuromancer” and Cliff Stoll’s “The Cuckoo's Egg”. These books gave me a very balanced view of what cybersecurity could be, even though no one called it cybersecurity in the 90s. Until I got Ray Rothrock’s book, “Digital Resilience”, I didn’t have a book I was comfortable suggesting as a great first read to the next generation of cyber professionals.
