Cybersecurity Canon Book Review: “The Cybersecurity Playbook: How every leader and employee can contribute to a culture of security” (2019) by Allison Cerra
Cybersecurity Canon Book Review: “The Cybersecurity Playbook: How every leader and employee can contribute to a culture of security,” (2019) by Allison Cerra,
Book Reviewed by: Helen Patton
I am always on the lookout for advice on how to move the culture needle – how to encourage people to become more aware of security, and how a security can leader can implement strategies to change culture. So I was excited to see a relatively new book on the subject “The Cybersecurity Playbook: How every leader and employee can contribute to a culture of security” by Allison Cerra. It was published by Wiley in 2019, and the front cover promises it “fills a gap in the literature to offer a practical, non-technical guide for boards, executives, managers, and employees”.
Ms. Cerra was the Chief Marketing Officer at McAfee and starts by acknowledging that she is not a long-time security professional. I thought this was an interesting angle from which to write this book, and I looked forward to learning how to engage with non-technical executives. She recommends sharing her book with our “non-technical brethren”. Each chapter explores a topic, then recommends action items someone can immediately do in their own company. Modeled after a practice at McAfee, she uses W.I.S.D.O.M. (What I’ll Say (and do) Differently On Monday) items to provide practical guides for the reader.
Her writing style is easy to read, and she is a storyteller, which makes the topics very consumable. She opens the book with a common scenario – her company website being defaced – which is a great way to jump into the topic. She applies each chapter to a different constituent:
• The Board/CEO
• The Employee
• The Product Developer
• HR Professionals
• Finance Professional
• The Cybersecurity Professional
For each chapter, there is a story, a discussion, then W.I.S.D.O.M. actions. The book is easy to read, and clearly achieves its objective “to engage every layperson on your importance in a cybersecurity game that is always in play.”
I liked the format of the book and the topics she discussed. The problem was that I found myself disagreeing with a lot of her recommended actions. They were obviously written by someone who had never tried to run a security practice. For example:
• Recommending that the CEO/Board insist on the CISO reporting on the outcome of red-teaming exercises. This is way too detailed/tactical for a board, and if a board is spending time there, instead of a higher level of threats and program oversight, they have missed the point.
• Recommending employees “do not fall for social engineering campaigns.” If it were that easy, I would be out of a job!
• Recommending communications people “design a tick-tock schedule for every attack scenario.” I did a double take on this. She is suggesting the marketing team have a minute-by-minute schedule for each attack vector. I cannot even begin to imagine what that would look like, or how much effort it would take to keep something like this current.
• Recommending to the cybersecurity professional that “cybersecurity hygiene is non-negotiable.” Great in theory, and I do not know one security group anywhere that can absolutely control this.
It is difficult to take a subject as nuanced as cybersecurity and translate it for non-technical people. But the lack of nuance makes for bad recommendations and will make non-technical people give up before they even begin. The intent is good, the delivery is good. The content is questionable.
I was excited to buy this book and learn more about how to engage non-technical people in cybersecurity. The approach of taking a non-technical person to write a book about cybersecurity is interesting and worth exploring further. This is not a book for cybersecurity professionals and does not profess to be. I would also suggest that it should not be shared with non-technical people either. While there are interesting stories which, if the book were to be updated, could certainly be explored further, the conclusions Ms. Cerra draws, and the advice she gives to others, is simplistic and lacks practical application. I would not recommend this book as a candidate for the Cybersecurity Canon.
This is the format guide for writing book reviews for the Cybersecurity Canon Project. It contains the names of key elements to include in your review, the format for those key elements, and examples of what a typical entry would look like. Use this format. Write your book review in a text document, a Microsoft Word Document, or a Google Docs document and send it to Helen Patton: firstname.lastname@example.org
You will hear from a Canon Committee member within five business days that they received the review.