A review of Singh, A. (2021). Cyber Strong! A Primer on Cyber Risk Management for Business Managers. Sage, 261 pages, $20.00
The increasing severity and frequency of cyber-attacks underline the importance of managing cyber risks. To effectively mitigate this risk, business leaders, managers, and board members must be actively involved in assessing cyber risks, formulating policies, procedures, and controls to safeguard their information assets, and establishing governance structures to comply with regulatory requirements.
Cyber Strong … aims to demystify a complex technical subject so that business and organizational leaders can comprehend it and integrate cyber risk management with their business strategies. The book is organized into three sections: Identifying Cyber Threats and Vulnerabilities, Understanding Cyber Risks, and Managing Cyber Risks. With over three decades of experience in the IT industry, Singh provides valuable insights into understanding and managing cybersecurity risks.
Identifying Cyber Threats and Vulnerabilities
The rapid growth in the use of information technology (IT) has transformed every sector of the economy and has changed the way we live and work. While IT has helped increase the productivity and profitability of organizations, it has also brought many security threats and risks. Singh argues for comprehensive, proactive management of cyber threats, given that organizations today are regularly exposed to cyberattacks that sometimes cripple their operations and destroy their businesses financially. The reputational and financial consequences are explained in some detail with illustrative case studies.
Section 1 of the book provides an overview of the cyber threat environment and elaborates on the different types of threats and vulnerabilities with illustrative examples. Working from home has made organizational IT systems even more vulnerable to cyber threats. The book stresses the need for organizations to keep a constant vigil on cyber threats and to be prepared, when a breach occurs, to recover the affected data promptly. It suggests mechanisms for detecting cyber-attacks and recovering data from them. The various motives of cybercriminals are presented well, along with the types of information they are after to meet their objectives.
Understanding Cyber Risks
Cyber risks are dynamic by nature, and cyber risk strategies need to be adaptable and refined periodically. Singh believes that it is time for a shift in focus from cybersecurity to cyber resilience. Organizations must develop mechanisms for preventing cyber-attacks, but they must also be fully prepared to get back on track when an attack occurs. Singh explains several steps that an organization can take towards cyber resilience. He also underscores the importance of the human element in cybersecurity: the types of human errors and the online behaviors, of employees both within and outside the organization, that are associated with cyber vulnerabilities. Organizations need to identify, understand, and prioritize their cyber risks so that they can direct their time and resources to protecting their most valuable assets.
Managing Cyber Risks
Singh suggests that managing cyber risks is not just a technology game; the roles of people, processes, and regulations must get the share of attention they deserve. The book examines the role of technology in cybersecurity, detailing existing, new, and emerging technologies that could be deployed now and in the future. The discussions on the use of automated approaches to managing cyber threats, and on authentication, authorization, and encryption technologies, are very informative. There is also an overview of laws and regulations enacted around the world. Per Singh, organizational leadership needs to play an active role in establishing a security culture that involves all employees and all levels of management. It is the responsibility of the Board of Directors to define priorities, establish governance systems, and provide oversight. Collaboration between policymakers, technologists, industry bodies, law enforcement authorities, and nation-states is the future of cybersecurity. The author strongly recommends the use of frameworks and standards such as those provided by the National Institute of Standards and Technology and the International Organization for Standardization, along with industry-specific standards, to help institutionalize cybersecurity efforts and to ensure that all aspects of cybersecurity, from business objectives to cyber risk strategy to execution, are aligned. Organizations must implement the best practices that are an integral part of these frameworks and standards in order to constantly improve and enhance their security posture and to assure all stakeholders. Cybersecurity is a journey, not a destination.
Meticulously researched, Cyber Strong … can help organizations protect their information assets by addressing their cyber threats; the key is to integrate cyber risk management with existing business strategy. The book contributes to a better understanding of a wide spectrum of cyber threats and risks and offers implementable solutions for building appropriate response systems. With new technologies come new threats, and consequently I hope to see periodically updated editions of the book detailing new approaches to cybersecurity and cyber resilience. All in all, Cyber Strong is an empowering read for all professionals!