For those who are CISOs or aspire to be, this new book by Rock Lambros and Matthew Sharp speaks directly to what we must understand in terms of the business side of cybersecurity leadership.


We must be able to understand and speak the language of business, in order to be able to make our security program the best it can be, and provide the best value to our organization from the cyber function.

Both Rock and Matt are experts on this, and this new book will likely become the textbook for CISOs, beyond the technical.

-Randall Frietzsche

Table of Contents, Foreword, Preface, and Acknowledgments ( FREE ACCESS PREVIEW )

The goal of this book is to align cybersecurity leaders on the business challenges our industry faces. To tackle this goal, the book is organized into thirteen chapters grouped into three parts:

Part 1: Foundational Business Knowledge

  • Chapter 1 – Financial Principles: This chapter builds your knowledge of financial statements, reviews connections between each statement, offers free resources for further study, and features two case studies that relate cybersecurity operations to accounting rules and financial statements. Read this chapter to solidify your understanding of EBITDA, CapEx, OpEx, Retained Earnings, and Net Income along with other fundamental vocabulary and accounting concepts.

  • Chapter 2 – Business Strategy Tools: In the second chapter, we introduce business models, KPIs, and value chains. Other topics include board composition and systems theory. We provide a case study to demonstrate the use of the business model canvas. There are two additional case studies that feature value chain linkages to create competitive advantage. One case study features optimization while the second focuses on coordination. Read this chapter for tools that will help you dissect your business's strategy, understand the supply and demand dynamics of your company operations, connect to primary business measures, and optimally position cybersecurity as a source of competitive advantage.

  • Chapter 3 – Business Decisions: Our third chapter explores how business decisions are made. Decision making can be improved with an awareness of the biases and noise that commonly afflict us as human beings. We cover a lightweight application of the scientific method to enhance learning. From there, we dive into decision science and choice architecture frameworks. We briefly examine the use of an influence model, and then we finish the chapter with two case studies. The first case study examines various applications of the decision science framework in the context of a hypothetical new CISO scenario. In the second case study we apply choice architecture to phishing defense.

  • Chapter 4 – Value Creation: The fourth chapter is all about business valuation. We naturally start by defining what we mean by value. Then, we examine the critical attributes of value. Next, we explore how those attributes surface in determining business valuations. Additionally, we examine investor types, means of return, valuation methodologies, and common value drivers. The application section covers the core concepts in a case study that applies security strategy in the context of business valuation for a hypothetical beverage manufacturer.

  • Chapter 5 – Articulating the Business Case: To get the fifth chapter started, we review several important cost concepts, including incremental, opportunity, and sunk cost. From there we explore a communication framework and two financial analysis methods: cost-benefit analysis and net present value. Finally, we close out the chapter with three case studies. The first examines a successful budget request for password management, and the second applies cost-benefit analysis to the same project. The final case study leverages a Monte Carlo simulation to examine possible net present value outcomes of a revenue-generating opportunity resulting from delivery of security services.

Part 2: Communication and Education

  • Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT: In Part 2, we build upon Part 1 and introduce additional tools that transform cyber risk issues into enterprise risk dialogue. This chapter starts to break down the COSO framework. It lays the foundation for elevating cyber risk conversations to enterprise risk by focusing on the first two guiding principles of COSO: Governance and Culture, and Strategy and Objective Setting. At the end of this chapter, the case study relives one of the author's greatest regrets and warns of the consequences of failing to establish a robust governance structure.

  • Chapter 7 – Translating Cyber Risk into Business Risk: Chapter 6 discussed establishing a cyber risk management program's foundation using COSO's first two guiding principles. This chapter expands upon Chapter 6's foundations and focuses on executing the cyber risk program and rolling up cyber risk into a portfolio view of enterprise risk that executive leaders, and the board, can use to make business decisions. To do this, we align with the final three risk management components of COSO: Performance; Review and Revision; and Information, Communication, and Reporting. The case study reveals how the author helped an organization align its cybersecurity program to its enterprise risk management efforts. This ultimately highlighted previously unknown risks and secured additional funding from its board of directors.

  • Chapter 8 – Communication – You Do It Every Day (or Do You?): This chapter challenges you to examine how you communicate. It provides a structure to improve communication for the explicit purpose of advancing a cybersecurity program. We close this chapter by expanding upon the case study in Chapter 7. We take you into the boardroom to eavesdrop on the conversation between the author and the board of directors.

Part 3: Cybersecurity Leadership

  • Chapter 9 – Relationship Management: You cannot operate in a vacuum. A robust cybersecurity program relies on individual technical skills and interpersonal relationships. Read this chapter to master the four key skills of relationship management: maintaining trust, indirect influence, managing through conflict, and professional networking. We conclude with two case studies. The first demonstrates how some humble pie is the remedy for establishing greater trust. The second case study shows the importance of a professional network as the author transitioned from being an operator to an entrepreneur.

  • Chapter 10 – Recruiting and Leading High-Performing Teams: The cybersecurity skills gap is well documented yet hotly debated. However, as a leader, you must ensure you have the right people in the right roles at the right time. This chapter dives into methodologies we utilized to attract, retain, and lead high-performing teams. The case study walks through the perils of combining a bureaucratic hiring process with an inability to implement the hiring practices we advocate for in this chapter. The same case study then walks through what it was like to get "baptized by fire" in servant leadership.

  • Chapter 11 – Managing Human Capital: Read this chapter for specific tools to baseline strengths, critical considerations in managing a multi-generational workforce, the importance of training, the criticality of diversity, and cognitive biases to be aware of that may surface in our day-to-day jobs. The case study applies a cost-benefit analysis technique outlined in Chapter 5 to demonstrate the actual value of training and the true cost of eliminating it from a constrained budget.

  • Chapter 12 – Negotiation: In this penultimate chapter, we focus on adapting the skills of Chris Voss (a former FBI hostage negotiator) as featured in his book Never Split the Difference: Negotiating as if Your Life Depended on It. There are countless negotiations you perform every day. If you can be successful in your negotiations while preserving your relationships, you have what it takes to generate cultural change. The chapter concludes with a case study on building security culture and application security using the negotiation techniques introduced.

  • Chapter 13 – Conclusion ( FREE ACCESS PREVIEW ): We conclude the book with a heartfelt note of gratitude and an optimistic eye toward a brighter future.

Index ( FREE ACCESS PREVIEW )

Permissions

Request permissions with:
John Wiley & Sons Inc.
111 River Street MS 4-02
Hoboken, NJ 07030-5774
USA
Email: PermissionsUS@wiley.com
Fax: (201) 748-6008