Invitation to Cybersecurity

5. The Approach to Cybersecurity: Cyber Risk Management

“There is no such thing as 100% security.” - Cybersecurity axiom

Now that we have seen what hackers are capable of and identified the goals of cybersecurity, how do we go about implementing cybersecurity in practice? When we think of cybersecurity, we normally focus on technical approaches to keeping our computers and data safe (e.g., configuring a firewall, using strong passwords, etc.). The technical approaches are absolutely necessary, but to get the biggest bang for the buck, a prior decision must be made before they are implemented. Cybersecurity is asymmetric: the attacker needs to find only one exploitable vulnerability, while the defender must protect every asset against every attack path. The attack surface is vast and the protection resources are limited, so organizations need to figure out how to allocate those resources as efficiently as possible. Therefore, before implementing cyber defenses comes a business decision: how can we most efficiently allocate scarce protection resources across our cyber assets?

In this chapter we look at cybersecurity from the business perspective. While some of the insights are applicable to personal cybersecurity as well, the focus is on organizational cybersecurity, where cyber risk management must be thoughtfully and diligently performed.

5.1 Cybersecurity Governance

Managing cybersecurity goes beyond any one organization. An organization’s cybersecurity posture obviously impacts the organization itself, for good or bad, but it also impacts the organization’s constituents, and this makes cybersecurity a matter of public concern. Organizational leaders have outside accountability for the decisions they make, and they have external resources at their disposal to help guide them.

Cybersecurity governance is the oversight of the security risks of an organization. It is performed by leaders who
