Companies are investing an unprecedented amount of money to keep their data and assets safe, yet cyberattacks are on the rise--and the problem is worsening. No amount of technology, resources, or policies will reverse this trend. Only sound governance, originating with the board, can turn the tide.
Protection against cyberattacks can't be treated as a problem solely belonging to an IT or cybersecurity department. It needs to cast a wide and impenetrable net that covers everything an organization does--from its business operations, models, and strategies to its products and intellectual property. And boards are in the best position to oversee the needed changes to strategy and hold their companies accountable. Not surprisingly, many boards aren't prepared to assume this responsibility.
In A Leader's Guide to Cybersecurity, Thomas Parenty and Jack Domet, who've spent over three decades in the field, present a timely, clear-eyed, and actionable framework that will empower senior executives and board members to become stewards of their companies' cybersecurity activities. This includes:
- Understanding cyber risks and how best to control them
- Planning and preparing for a crisis--and leading in its aftermath
- Making cybersecurity a companywide initiative and responsibility
- Drawing attention to the nontechnical dynamics that influence the effectiveness of cybersecurity measures
- Aligning the board, executive leadership, and cybersecurity teams on priorities

Filled with tools, best practices, and strategies, A Leader's Guide to Cybersecurity will help boards navigate this seemingly daunting but extremely necessary transition.
As an IT person who also does cyber security as part of my day-to-day, this book gives me the perspective of company leaders and what information they really need to be able to function. I will use this and other books I have read to make our company more secure, but also ready to face the crisis that cyber security represents to the modern enterprise.
It's a good book, a very good book in fact. Parenty and Domet know what they're talking about and have strong views on how any board member can step up and do the right thing. This book is well worth the read, whether you're a board member or not.
Duty of care

Though they make the point in diplomatic language, the authors assert, up front and unequivocally, that company directors are responsible for cybersecurity; the logic being that boards are responsible for their organizations' overall approach to risk and that technology vulnerabilities comprise a big and growing part of corporate risk.
Thus, your responsibilities as a director cannot be ignored, deferred or delegated. It's on you, now and in the future.
If you tell yourself that you can rely on the good work and recommendations of your IT staff and call it job done, then you are derelict in your duty as a director. If you decide to rely only or mostly on third-party tests, audits and certifications, then you are derelict. If you think that you can buy security by outsourcing key decisions to consultants or suppliers, then you are derelict. In short, if you think that you, as a board member, do not carry key, personal and ongoing responsibility for leadership in the cybersecurity of your company, then you need to think again.
It's about the framing

Some directors believe that cybersecurity is an information technology issue best left to experts. This is not surprising given that most board members are not IT security practitioners, computer system administrators or the like. They don't speak the language. They are not necessarily up to date on technical standards, hardware and software options, the latest news or industry best practices. Feeling out of their depth, some directors decide to leave it to the executive team or other board members to deal with company IT security policies and procedures.
This, the book says, is a mistake. Cybersecurity is not about IT issues per se. It's about risk, specifically the risk of interruptions to and failures of critical business functions. For example, Company X may have thorough and well documented back-up procedures but unless those procedures are regularly tried and tested, nobody knows how well they will stand up in an emergency. It's the board's job to ask, to see that meaningful tests are carried out and to make sure that lessons learned are incorporated into company operations.
This kind of oversight brings immediate and powerful benefits. Companies whose back-up systems work well cannot be so easily brought to their knees by ransomware or related attacks, not to mention by the inevitable employee mistakes and equipment failures that all companies suffer at one time or another.
Tell me a story

Useful framing for board-level oversight often takes the form of narrative. The first step is to list the company's critical business functions. Then the board needs to start thinking about what might go wrong and who or what might be in position to make those things go wrong.
These steps are followed by thinking through “What if?” and “What next?” scenarios. If a critical business function goes down, what are the consequences? the company's responses? the possible costs? the timelines? the worst case? the communications process? — and more.
In the end, the board should be building collections of cybersecurity stories — each a fully developed narrative with a beginning, middle and end, a list of characters, their profiles and motives, plot and context, along with discussions and plans for corrective and preventive actions and policies.
The process is not unlike what happens when a team of writers sits down together to create scripts for a television series; they conceptualize the set-up and start writing episodes.
Not every story has to be written at once. Neither do the board's first attempts have to capture every possible consequence of a mishap to a critical business function. The point is to get started.
Aides-mémoire

The book, which shines when it comes to practical advice, includes tables, guides and plenty of war stories to focus the mind and point the way. It is clear that the authors' simple, practical advice is born of decades of work in the field. The result is an extended how-to, a handbook that manages to be both readable and easy to put to immediate use.
This is not a small accomplishment. Thirty years ago IBM adopted a process called Component Failure Impact Analysis (CFIA), a framework that takes a hard look at the various parts of IT systems in which a single component failure might disrupt or destroy, well, everything.
IT project leaders still use CFIA methodology to assess the consequences of component failures and devise possible mitigations. But CFIA is not for everybody. It’s hard technical work.
CFIA provides tools for engineers to analyse IT systems while the book helps boards look at key and core business functions. Both methodologies look to assess the potential impact if and when an underlying process is disrupted, by a cyber-attack for example, and then think through what could be done to prevent or recover from the damage.
In short, the book achieves its aims by explaining, in simple, non-technical terms, how boards can go about assessing their own critical business function vulnerabilities and then build plans to protect those functions from failure and attack while creating a resilient, forward-looking corporate culture.
It's not that the authors have invented something entirely new but rather that they have distilled industry best practices and the lessons from their own hard-won experience into a useful primer for the non-technical board member. It’s impressive work.
Beyond the book

Board members have cybersecurity responsibilities that go beyond the core business functions of the company.
In many cases boards themselves need better IT support. In fact, there is an argument for putting board work and communications on entirely separate, high-security systems. This would help shield the board from the risk of both external and internal breaches and allow the board to keep working even when the company’s own systems have been compromised.
A board member’s personal digital hygiene can usually benefit from an upgrade or two (or three). It is not difficult to start taking basic precautions. Every board member should do so.
There is also a case for top-level leadership in regard to increasing stakeholder data protection in the company itself along with an opportunity for public advocacy of better data protection rights in the broader community, both on a personal and full-board basis.
The list goes on but core company cybersecurity is a great place to start, arguably the best place to start, and this book is a great first step on the journey.
This review was written by Jay Shaw, Founder of Praxonomy
Random pick; I guess it might cover the basics for 'board member' level as there are no assumptions about previous knowledge, doesn't dumbify important aspects, highlights those that board members (as far as I know) have some influence over, etc. Would do with a bit more storytelling to put things in context as it's fairly dry. Solid stuff though.
A Leader's Guide to Cybersecurity is aimed at raising the awareness of company board members to the urgent need for more involvement in the stewardship of the digital assets of an organisation. This can be achieved through consideration of the digital impact on its critical business activities as opposed to the more often cited, direct scrutiny of in-place technologies. Presented in four main parts, the book takes the reader through problem evaluation, solution methodology, allocation of duties and finally provides assistance in applying the proposed methodology.
Part One - The Problems - deals with how and why existing approaches to cybersecurity are failing in their attempts to prevent large scale cyber-attacks of the type reported almost daily in the press. It is claimed by the authors that failure is brought about by the disparity which exists between intended cybersecurity measures in place in an organisation and their actual effect. Too much emphasis is being placed by boards in trying to understand the technologies involved whilst at the same time, little consideration is given to their impact on the business.
Part Two – Principles - proposes four evaluation criteria for use when considering existing, new and especially unexpected, cyber issues arising in an organisation. In each case the measures provide a rule of thumb to assist in digital stewardship particularly where new circumstances arise in the organisation. They can also be employed to evaluate existing cyber related activities in an organisation. No expertise in cybersecurity is required in the application of the principles.
Part Three – Responsibilities - covers the security fundamentals an organisation must satisfy to deliver results i.e. business risk identification, seamless integration of cybersecurity activities within the business, leadership in the event of a cybersecurity crisis and the development of a remedial plan.
Part Four – Aide Prompts – Tables which provide guidance on the analysis of typical board level concerns around cybersecurity such as, risk, organisational capability, and leadership as a basis for strategy deployment and implementing controls.
Numerous real-life examples are spread throughout the book to emphasise the points under discussion or to lead into the principles and practices which follow. I found the book interesting and became quickly involved in extending my understanding of the main themes of the book. It also contains chapter by chapter references of use to anyone with a need to further deepen their thinking in a particular area. I award the book 7 out of 10 for its original methodology and excellent references.
In the age of digital transformation, the issues of cyber attacks and cyber security are getting more common. Governments and commercial institutions are taking some measures to handle these as many people’s lives will be affected if they don’t.
Although this book is written for board members of companies, the ideas and measures here will help company executives to prepare for the risk of digital intrusions.
Board members will benefit greatly from the memory aids provided in this book, so they would know what questions they need to ask themselves so they can deal with the preparation, especially in the event that a cyber attack has already happened.
This book will greatly help individuals who are looking to understand the implications of a cyber attack and what needs to be done once the unfortunate event happens.
Great contents and very up to date. The topic of cyber security is extremely important in the age of digital transformation. Due to the overwhelming processes and changes connected to technological advancements, the security of interactions with the digital environment can be neglected. For those reasons and many others, I recommend reading it.