“Digital Resilience: Is Your Company Ready for the Next Cyber Threat?” (2018) by Ray A. Rothrock. Book Reviewed by Helen Patton.
Good Niche Book. I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
Ray A. Rothrock has written a book that is targeted towards company leaders who do not otherwise have a background in security:
“The purpose of this book is to persuade managers, C-suite executives, and boards of directors that the default environment in which their highly connected businesses, institutions, and government agencies operate are in crisis”.
There is a lot of good information in here, and the book is a solid foundation for company leaders to understand the current security environment. For most security practitioners, this book will be too high-level to be useful, and the information in it is already widely shared in the security community. However, I recommend this as a “niche book” – a book for non-security people who want to better understand how to think about and respond to information and technology risk.
Rothrock begins by taking the reader through a number of security events, from the Target breach to the Mirai botnet attacks. He uses the events to describe the insecure state of technology and provides recommendations for ways to immediately take action to address the weaknesses. He then moves to discussing the technologies involved in supporting companies – mostly networks – and how to think about securing those technologies. He focuses on six areas:
- Resilient and non-resilient systems
- The theory of networks
- Digital networks
- How digital networks can be visualized, modeled and dynamically monitored
- How resilience of networks can be measured and scored
- Formulating a resilient response
He ends with 26 action steps to take to promote resilience.
The structure is a good one for people without a security background. It gives real-world examples, in non-technology speak. It leads the reader to explore technology trends in slightly more depth, and then gives suggestions for useful actions. Throughout, the author sprinkles the language of security – risk, resiliency, threat, response – in a consumable way.
What I Liked About the Book
I like Rothrock’s approach to the topic. He defines “Digital Resiliency” as “about how you do business in today’s intensively interconnected environment”. He stresses that Digital Resilience is a “whole business strategy”. He recognizes that there is a need to balance effectiveness and security.
Throughout the book Rothrock continues to offer immediate actions – knowing your inventory, etc. He emphasizes paying attention to data, and not making assumptions about how secure our technology really is. His constant use of real-world examples, and side paths into history, will appeal to his intended audience.
He gives recommendations to other resources for leaders to reference. These other references go beyond just network security and will provide opportunities for further learning.
What I Liked Less About the Book
There is too much focus on networks and network security, and not enough balance with other pieces of digital resiliency. He also uses the book to sell his own product, which, not surprisingly, works to dynamically map networks. He should have made mention of this very early in the book; instead he leaves you to discover this more than halfway through.
I would have liked Rothrock to give more attention to the non-technology influences on risk. He does note that there is more to resiliency than technology, but I don’t think he gives senior leaders enough human factors/culture/policy issues to think about. He draws a lot of parallels between the digital and physical worlds, and between digital and human networks; but he just doesn’t offer many non-technical solutions to the digital problems.
Rothrock gives only short mention to emerging technologies. While reasonable, given the time of the writing, it makes the advice less useful. He notes that networks extend to where the data is, which is great, but still leaves a lot of potential action items on the table by focusing on traditional networks.
There is not a lot in here about how to engage with security leadership to improve resiliency. I believe there is much improvement needed in the way senior leaders view their security professionals, and vice versa. However, Rothrock does note the need to speak “a mutually intelligible language” and suggests that learning how networks work is the basis for this common understanding. I would like to see more about understanding risk and how technology fits into other business risks, rather than expecting leaders to understand network layers.
Ray Rothrock has written a book that is aimed at non-technical senior leaders, to help them understand the need for digital resilience and how to achieve it. I commend the book to anyone who fits that demographic, with some comments. The book gives a good overview of history up to 2016 and is helpful in giving context to why resiliency is important. The recommended action items are very good, although you will need to refer to other resources to learn how to put those actions into practice. There is a heavy focus on network-based security, which skews the focus of the recommendations.
Overall, this is a useful book for the target audience, but know that the recommendations don’t provide useful information about the human/non-technical elements of digital resilience. Therefore, this book is a starting point but not a comprehensive guide.