eBook - ePub
The Security Culture Playbook
An Executive Guide To Reducing Risk and Developing Your Human Defense Layer
Perry Carpenter, Kai Roer
This is a test
Buch teilen
- English
- ePUB (handyfreundlich)
- Über iOS und Android verfügbar
eBook - ePub
The Security Culture Playbook
An Executive Guide To Reducing Risk and Developing Your Human Defense Layer
Perry Carpenter, Kai Roer
Angaben zum Buch
Buchvorschau
Inhaltsverzeichnis
Quellenangaben
Über dieses Buch
Mitigate human risk and bake security into your organization's culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.
The topic of security culture is mysterious and confusing to most leaders. But it doesn't have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists deliver experience-driven, actionable insights into how to transform your organization's security culture and reduce human risk at every level. This book exposes the gaps between how organizations have traditionally approached human risk and it provides security and business executives with the necessary information and tools needed to understand, measure, and improve facets of security culture across the organization.
The book offers:
- An expose of what security culture really is and how it can be measured
- A careful exploration of the 7 dimensions that comprise security culture
- Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
- Insights into building support within the executive team and Board of Directors for your culture management program
Also including several revealing interviews from security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.
Häufig gestellte Fragen
Wie kann ich mein Abo kündigen?
Gehe einfach zum Kontobereich in den Einstellungen und klicke auf „Abo kündigen“ – ganz einfach. Nachdem du gekündigt hast, bleibt deine Mitgliedschaft für den verbleibenden Abozeitraum, den du bereits bezahlt hast, aktiv. Mehr Informationen hier.
(Wie) Kann ich Bücher herunterladen?
Derzeit stehen all unsere auf Mobilgeräte reagierenden ePub-Bücher zum Download über die App zur Verfügung. Die meisten unserer PDFs stehen ebenfalls zum Download bereit; wir arbeiten daran, auch die übrigen PDFs zum Download anzubieten, bei denen dies aktuell noch nicht möglich ist. Weitere Informationen hier.
Welcher Unterschied besteht bei den Preisen zwischen den Aboplänen?
Mit beiden Aboplänen erhältst du vollen Zugang zur Bibliothek und allen Funktionen von Perlego. Die einzigen Unterschiede bestehen im Preis und dem Abozeitraum: Mit dem Jahresabo sparst du auf 12 Monate gerechnet im Vergleich zum Monatsabo rund 30 %.
Was ist Perlego?
Wir sind ein Online-Abodienst für Lehrbücher, bei dem du für weniger als den Preis eines einzelnen Buches pro Monat Zugang zu einer ganzen Online-Bibliothek erhältst. Mit über 1 Million Büchern zu über 1.000 verschiedenen Themen haben wir bestimmt alles, was du brauchst! Weitere Informationen hier.
Unterstützt Perlego Text-zu-Sprache?
Achte auf das Symbol zum Vorlesen in deinem nächsten Buch, um zu sehen, ob du es dir auch anhören kannst. Bei diesem Tool wird dir Text laut vorgelesen, wobei der Text beim Vorlesen auch grafisch hervorgehoben wird. Du kannst das Vorlesen jederzeit anhalten, beschleunigen und verlangsamen. Weitere Informationen hier.
Ist The Security Culture Playbook als Online-PDF/ePub verfügbar?
Ja, du hast Zugang zu The Security Culture Playbook von Perry Carpenter, Kai Roer im PDF- und/oder ePub-Format sowie zu anderen beliebten Büchern aus Informatique & Cybersécurité. Aus unserem Katalog stehen dir über 1 Million Bücher zur Verfügung.
Information
Part I
Foundation
Welcome to the journey! In Part I, we introduce the concept of security culture, why it is important, and (most importantly), the fact that you can measure and improve your culture. There's a lot to cover, so let's get started. But even before you turn to the first page of Chapter 1, we think it's important to give you a definition of security culture.
- Security Culture: The ideas, customs, and social behaviors of a group that influence its security.
- Chapter 1: You Are Here
- Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern
- Chapter 3: The Foundations of Transformation
Chapter 1
You Are Here
The greatest danger in times of turbulence is not the turbulence—it is to act with yesterday's logic.Peter Drucker
“Security culture” has become a hot topic of late. If you are a cybersecurity or business leader, you've no doubt seen the term appear in online articles, security presentations, and even a few vendor pitches. It's become a buzzword (or buzz phrase, if you want to be picky) du jour. Unfortunately, most of the time it is little more than a phrase uttered with gravitas, but devoid of real meaning.
Security culture is often confused with security awareness, the implementation of security processes, or even the use of security tools by end users. That initial misidentification becomes even more confusing because each of those things can feed into, or become an artifact of, security culture—but they are not in and of themselves security culture. Security culture is something different, something unique that is undeserving of the confusion that all too often surrounds it. And you know that; otherwise, you wouldn't be reading this book.
Our purpose here is to add precision and clarity to the topic. And, although we could easily fill several hundred pages with great content about security culture, that's not what this book is about. This book, dear reader, is a no-nonsense, (hopefully) no fluff, and (definitely) no BS guide to what security culture is, how to measure it, and how to shape and strengthen it within your organization.
Why All the Buzz?
For decades, security programs focused on diligently deploying technology-based defenses aimed at keeping cybercriminals at bay. The industry focused on firewalls, intrusion detection and prevention systems (IDSs/IPSs), endpoint protection platforms (EPPs), secure email gateways (SEGs), and more. In truth, the technology has gotten very good. Despite all the focus and spend on security tools, however, the data breach problem is not going away. In fact, it's accelerating faster than the industry can effectively manage via traditional approaches. Figure 1.1 analyzes the amount of money spent on security products since 2007 versus the number of data breaches that occurred each year. The conclusion is clear: The current industry approach is not working.
Figure 1.1 Organizations globally have invested massively on cybersecurity, yet breaches continue to increase.
And here's where the buzz about security culture comes in. Leaders are realizing two things:
- Technology-based defenses have gotten so good that attackers are being pushed to hack humans rather than spending weeks, months, or years researching and developing effective attacks to defeat technology-based defenses.
- Humans are now the primary attack vector. As such, it's imperative to strengthen the human layer of security.
These two realizations (illustrated in Figure 1.2) have led to a growing interest in human layer defense. This isn't to replace any of the technology-based layers—those are still needed. But this is to strengthen a much-needed additional defensive layer.
Figure 1.2 Hacking the human yields the highest ROI for attackers.
The Technology-Based Defense vs. Human-Based Defense Debate: A False Dilemma
You've undoubtedly been presented with this dilemma before. Someone says that it's worthless to focus on the human side of security because, no matter what, there will always be someone who will fall for a phishing email or make some other error. In short, their argument is that the human defense isn't 100 percent effective, so it can't be relied on and doesn't deserve an investment of time, energy, or funding.
You'll even hear some make claims to the effect of, “only technology will help an organization prevent security issues.” This type of thinking has been prevalent in security circles for decades and has led to the situation that we're in right now, where the human layer has been neglected.
A quote from the preface of Bruce Schneier's book Secrets and Lies is fitting here. Bruce ends the preface with these words, “[a] few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology” (Schneier, 2000).
The following is an excerpt from Perry's book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Carpenter, 2019). The excerpt does a good job summarizing why this is a false dichotomy. This shouldn't be presented as an either/or dilemma.
As an industry, we will always have to solve (and evolve) for both sides of the equation (technology and humanity). Not implementing standard and reasonable technology-based tools proven to improve an organization's security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at preventing cybercriminals from creating well-crafted attacks targeting humans, such as emails or other messages that reach your end users, is also negligent. Neither approach is mutually exclusive of the other. And whenever we create stronger security protocols intended to help our organizations, there will be a group of employees who will intentionally or unintentionally find ways to bypass those controls. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:
- Determined human attackers who are continually probing for flaws within your security technologies (and that flaws will always exist)
- Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization's defenses, targeting humans instead
- Employees who negligently or intentionally circumvent technical controls
- Employees who negligently or intention...