Chapter summary

I covered a lot of ground in this chapter. But the context I provided here will be helpful for readers throughout the rest of this book. In this chapter, I introduced the cybersecurity fundamentals, the cybersecurity usual suspects, High Value Assets (HVAs), and other concepts that I will relentlessly refer to throughout the rest of this book.

What is a cybersecurity strategy? There are at least two critical inputs to a cybersecurity strategy: your organization's HVAs, and the specific requirements, threats, and risks that apply to your organization, informed by the industry you are in, the place(s) in the world where you do business, and the people associated with the organization. If an HVA's confidentiality, integrity, or availability is compromised, the organization will fail or be severely disrupted. Therefore, identifying HVAs and prioritizing protection, detection, and response for them is critical. This does not give security teams permission to completely ignore other assets. Clarity on HVAs helps security teams prioritize and avoid extinction events.

There are only five ways that organizations get initially compromised; I call them the cybersecurity usual suspects: unpatched vulnerabilities, security misconfigurations, weak, leaked, and stolen credentials, social engineering, and insider threat. Organizations that are very proficient at managing the cybersecurity fundamentals make it much harder for attackers to be successful. After the initial compromise of an IT environment, there are many tactics, techniques, and procedures (TTPs) that attackers can use to achieve their illicit goals. Advanced cybersecurity capabilities can help security teams detect the use of TTPs and reduce response and recovery times. Don't confuse an attacker's motivations with their tactics. Since accurate attribution for attacks is so difficult to accomplish, it's unlikely that most organizations will be able to determine who is attacking them and what their motivation is.

Whether the attacker is a purveyor of commodity malware or a nation state, the ways they will try to initially compromise their victims' IT environments are limited to the cybersecurity usual suspects. Being very proficient at the cybersecurity fundamentals makes it much harder for attackers, whether they are a nation state trying to steal intellectual property or an extortionist.

A cybersecurity strategy is required for success, but it is not sufficient by itself. Ingredients for a successful strategy include:

  • Business objective alignment
  • Cybersecurity vision, mission, and imperatives
  • Senior executive and board support
  • An understanding of the organization's risk appetite
  • A realistic view of current cybersecurity capabilities and technical talent
  • Compliance program and control framework alignment
  • An effective relationship between cybersecurity and IT
  • Security culture

Now that all this context has been introduced, I'll build on it in the chapters that follow. In the next few chapters, I'll explore how the threat landscape has evolved. I believe that CISOs can make better decisions when they understand how threats have changed over time. The three categories of threats that I'll dive into are the ones that CISOs have asked me about most frequently: vulnerabilities, malware, and internet-based threats like phishing and drive-by download attacks.