What do you think?
Rate this book
Cybersecurity: The Insights You Need from Harvard Business Review
No data is completely safe.
Cyberattacks on companies and individuals are on the rise and growing not only in number but also in ferocity. And while you may think your company has taken all the precautionary steps to prevent an attack, no individual, company, or country is safe. Cybersecurity can no longer be left exclusively to IT specialists. Improving and increasing data security practices and identifying suspicious activity is everyone's responsibility, from the boardroom to the break room.
The Insights You Need from Harvard Business Review brings you today's most essential thinking on cybersecurity, from outlining the challenges to exploring the solutions, and provides you with the critical information you need to prepare your company for the inevitable hack. The lessons in this book will help you get everyone in your organization on the same page when it comes to protecting your most valuable assets.
Cyberattacks on companies and individuals are on the rise and growing not only in number but also in ferocity. And while you may think your company has taken all the precautionary steps to prevent an attack, no individual, company, or country is safe. Cybersecurity can no longer be left exclusively to IT specialists. Improving and increasing data security practices and identifying suspicious activity is everyone's responsibility, from the boardroom to the break room.
The Insights You Need from Harvard Business Review brings you today's most essential thinking on cybersecurity, from outlining the challenges to exploring the solutions, and provides you with the critical information you need to prepare your company for the inevitable hack. The lessons in this book will help you get everyone in your organization on the same page when it comes to protecting your most valuable assets.
Audio CD
First published August 27, 2019
45 people are currently reading
143 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 20 of 20 reviews
August 26, 2021
This book is targeted to leaders who want to understand better why cybersecurity is a must topic for boards and top management of all companies, regardless of industry, region or size. High-level enough for non-security experts to read, although active defense and AI in cybersecurity chapters were bit out of place.
July 16, 2020
As an IT professional, I do not reside in the intended audience of this book. It is geared towards business leaders, not software developers. It provides a high-level and non-technical overview of the field of cybersecurity. Through several authors, it makes the case that cybersecurity cannot be overlooked by all C-suite executives, even in non-technology-based companies. That case is underscored by the direct impact cybersecurity has on a business’ bottom line.
Having in-depth technical experience in the field, I can see this book covers the right issues when it comes to cybersecurity. It does so mindfully, without becoming too technical. As expected from the brand of Harvard Business Review, it addresses the appropriate audience, the business community. Even for a developer like myself, it is helpful to think through how other people at the meeting table view these issues.
The book crescendos with the most interesting topics at the end – artificial intelligence (AI) and data privacy. While this book only devoted one chapter to AI, this chapter underscored the point that investment in AI by all sorts of businesses is becoming necessary to position for the quickly approaching future. In forthcoming editions of this book, I would like to hear more on this topic – or perhaps a separate HBR book.
Several chapters address data privacy concerns among businesses. These are real and present challenges that companies face. Many prominent companies have had to cough out huge payouts from privacy lapses, and prudent leadership would seek to mitigate these risks well. The so-called “right to be left alone” and other ethical issues also are summarized in this book. This field is actively discussed, and HBR hits most of the highlights.
This book is well-tailored to those in business leadership – especially those in non-IT companies. Like it or not, IT continues to become part and parcel of almost every company, and as is made clear in this text, these issues cannot be relegated simply to IT leadership. Cybersecurity is a company-wide issue and requires a company-wide response. IT folks will benefit from understanding how the business views relevant issues and gain financially informed perspective on what issues matter to the business. Nonetheless, business leaders – who can no longer dismiss cybersecurity’s relevance – will benefit the most from this concise yet power-packed summary.
Having in-depth technical experience in the field, I can see this book covers the right issues when it comes to cybersecurity. It does so mindfully, without becoming too technical. As expected from the brand of Harvard Business Review, it addresses the appropriate audience, the business community. Even for a developer like myself, it is helpful to think through how other people at the meeting table view these issues.
The book crescendos with the most interesting topics at the end – artificial intelligence (AI) and data privacy. While this book only devoted one chapter to AI, this chapter underscored the point that investment in AI by all sorts of businesses is becoming necessary to position for the quickly approaching future. In forthcoming editions of this book, I would like to hear more on this topic – or perhaps a separate HBR book.
Several chapters address data privacy concerns among businesses. These are real and present challenges that companies face. Many prominent companies have had to cough out huge payouts from privacy lapses, and prudent leadership would seek to mitigate these risks well. The so-called “right to be left alone” and other ethical issues also are summarized in this book. This field is actively discussed, and HBR hits most of the highlights.
This book is well-tailored to those in business leadership – especially those in non-IT companies. Like it or not, IT continues to become part and parcel of almost every company, and as is made clear in this text, these issues cannot be relegated simply to IT leadership. Cybersecurity is a company-wide issue and requires a company-wide response. IT folks will benefit from understanding how the business views relevant issues and gain financially informed perspective on what issues matter to the business. Nonetheless, business leaders – who can no longer dismiss cybersecurity’s relevance – will benefit the most from this concise yet power-packed summary.
December 11, 2023
Lesson learned while reading book are:
1. We all have biases; when it comes to cybersecurity, avoid them.
2. Focus on risk management rather than on risk mitigation.
3. Boards aren't dealing with cyber threats properly; in fact, they should take more responsibility.
4. Focus on the right process and not just systems.
5. View vulnerabilities as victories, not failures.
6. Target the CEO once in a while through penetration testing to draw the company's attention to the risk of cyber threats (don’t do it without consent).
7. The defense role is much harder to play than offense; attackers only need to win once, while defender has to secure themselves from incidents all the time.
8. Major threats aren’t technological; they are human shortcomings.
9. Train employees on what to do when a breach occurs (also call active response).
10. Phishme is a fake email generator tool to sent a fake email to employees in the company. It sends emails on a regular basis, to check if employees will get lured or tempted to open a tailored email.
11. Employees are the weakest link when it comes to cyber threats, but they can also be a great defense if policies are tailored correctly.
12. An active defense strategy is needed, and hacking back is unethical. (I believe only governments follow this by hacking the hacker).
13. The Georgian government played a trick on a hacker; they named a file "Georgian nato agreement" that a Russian hacker stole from the government's computer. It contained malicious code that activated spyware on hacker’s machine, it took a photo of the hacker, and sent it back to the Georgian government.
14. 75% of Fortune 500 companies are technology companies.
15. The only computer that is fully secure is the one that no one uses.
16. It's better to have one national policy than to have different policies for different states.
17. You're not selling products; you are selling trust.
18. Use the power of AI.
1. We all have biases; when it comes to cybersecurity, avoid them.
2. Focus on risk management rather than on risk mitigation.
3. Boards aren't dealing with cyber threats properly; in fact, they should take more responsibility.
4. Focus on the right process and not just systems.
5. View vulnerabilities as victories, not failures.
6. Target the CEO once in a while through penetration testing to draw the company's attention to the risk of cyber threats (don’t do it without consent).
7. The defense role is much harder to play than offense; attackers only need to win once, while defender has to secure themselves from incidents all the time.
8. Major threats aren’t technological; they are human shortcomings.
9. Train employees on what to do when a breach occurs (also call active response).
10. Phishme is a fake email generator tool to sent a fake email to employees in the company. It sends emails on a regular basis, to check if employees will get lured or tempted to open a tailored email.
11. Employees are the weakest link when it comes to cyber threats, but they can also be a great defense if policies are tailored correctly.
12. An active defense strategy is needed, and hacking back is unethical. (I believe only governments follow this by hacking the hacker).
13. The Georgian government played a trick on a hacker; they named a file "Georgian nato agreement" that a Russian hacker stole from the government's computer. It contained malicious code that activated spyware on hacker’s machine, it took a photo of the hacker, and sent it back to the Georgian government.
14. 75% of Fortune 500 companies are technology companies.
15. The only computer that is fully secure is the one that no one uses.
16. It's better to have one national policy than to have different policies for different states.
17. You're not selling products; you are selling trust.
18. Use the power of AI.
August 30, 2020
This booklet explores different aspects of cybersecurity in 14 short articles. It is mostly aimed at managers of big corporations who need to understand the big picture. But even with this intention, it could go deeper at times. I found many of the articles a bit too shallow.
Article 1: internet insecurity
Security is not possible. Cyber-Hygiene is only effective against automated and amateurish hacks. Sophisticated, patient, well-financed hackers will find a way into their target systems.
The author introduces an approach researched by the IDL, advocating for an apparent return to non-digital times by not using complex digital systems for the most vital parts of a business or system.
Article 2: Security Trends by the Numbers
The authors explore several metrics and look at charts from three major studies to generalize trends for the entire industry.
Article 3: Why Boards aren't dealing with Cyberthreats
Boards are mostly lacking the expertise to deal with Cybersecurity and should seek to spend more time on this topic.
Article 4: The behavioural economics of why executives underinvest in Cybersecurity
Mental models of Cybersecurity might not be accurate. Especially the thought of something that needs a finite amount of investment is dangerous. One way of achieving a new way of thinking about cyber is to target the CEO with an internally initiated attack.
Article 5: Why the entire C-Suite needs to use the same metrics for cyber risk
CEOs should bring together the entire management team to assess cyber risks from different perspectives while still being aware of the other perspectives. A company's culture should encourage employees to talk about risks and vulnerabilities. Attacks should be expected and prepared for.
Article 6: The best Cybersecurity investment you can make is better training
It is false to think that investing in good technology is sufficient to have a reasonable Cybersecurity. In the end, humans are the greatest risk factor and good training for all employees or people interacting with the system (contractors) is the best defense. Expect there will be a breach and train employees how to react.
Article 7: better Cybersecurity starts with fixing your employees' bad habits
Ways to fix bad habits of employees/people:
- have the default version as a very secure one as the default version tends to stick (aka VPN usage, two-factot authentication)
- when postponing updates, postpone to a specific point of time
- tell people what others (especially the best in regard to Cybersecurity) are doing as people tend to do what others are doing
- look at awareness training as a continual process instead of a once-a-year event
Article 8: The key to better Cybersecurity
Keep "best practices" simple.
- avoid overly complex rules as that leads to shortcuts (e.g. password generation)
- when testing the security, adapt it to the group or individual (spear phishing compared to the same phishing mail to all employees)
- avoid disconnections between IT/security and regular employees, especially avoid an adversarial mindset
Article 9: The avoidable mistakes executives continue to make after a data breach
- not notifying customers/stakeholders immediately after a breach (but waiting until the data is being sold on the dark net)
- no good customer service after breaches
- not being honest and authentic and not providing clear and frequent updates
- organizations, and especially upper management must accept accountability and responsibility for responses
Article 10: Active Defense and "Hacking Back"
Active defense goes beyond passive monitoring.
A working definition: "active cyber defense is a direct defensive action to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.
Hacking back is another, more aggressive concept that should not be confused with active defense. It includes trying to access the attackers systems and is generally considered to be unethical and probably illegal.
Article 11: Cybersecurity is putting customer trust at the center of competition
Security cannot be proven on the level of whole organisations. That's why it has to be signaled. For costumers to trust corporations it must evident that these corporations are doing everything in their power to keep the customer's data secure. Companies must clearly communicate that breaches are to be expected.
Article 12: privacy and Cybersecurity are converging
Privacy and security, in the past, two separate things, one legal and one technical. Historically, unauthorized access to personal data was the biggest threat. Nowadays, machine learning enables the people with access to data to infer a lot of information.
Article 13: What countries and companies can do when trade and Cybersecurity overlap
In times of globalization, a lot of products (HW and SW) are being imported. The risk of a potential backdoor always exists as one can not examine every product. This article explores different options countries and private companies have in response to that.
Article 14: AI is the future of Cybersecurity, for better and for worse
AI is becoming more capable and will, of course, also be used in cybersecurity, both for hacking and defense.
Traditionally, cybersecurity wants to minimise successful attacks. Perfect security is not possible and can not be achieved.
In the age of superintelligent AIs, a single failure could be enough to destroy or seriously harm human life on a global scale.
Article 1: internet insecurity
Security is not possible. Cyber-Hygiene is only effective against automated and amateurish hacks. Sophisticated, patient, well-financed hackers will find a way into their target systems.
The author introduces an approach researched by the IDL, advocating for an apparent return to non-digital times by not using complex digital systems for the most vital parts of a business or system.
Article 2: Security Trends by the Numbers
The authors explore several metrics and look at charts from three major studies to generalize trends for the entire industry.
Article 3: Why Boards aren't dealing with Cyberthreats
Boards are mostly lacking the expertise to deal with Cybersecurity and should seek to spend more time on this topic.
Article 4: The behavioural economics of why executives underinvest in Cybersecurity
Mental models of Cybersecurity might not be accurate. Especially the thought of something that needs a finite amount of investment is dangerous. One way of achieving a new way of thinking about cyber is to target the CEO with an internally initiated attack.
Article 5: Why the entire C-Suite needs to use the same metrics for cyber risk
CEOs should bring together the entire management team to assess cyber risks from different perspectives while still being aware of the other perspectives. A company's culture should encourage employees to talk about risks and vulnerabilities. Attacks should be expected and prepared for.
Article 6: The best Cybersecurity investment you can make is better training
It is false to think that investing in good technology is sufficient to have a reasonable Cybersecurity. In the end, humans are the greatest risk factor and good training for all employees or people interacting with the system (contractors) is the best defense. Expect there will be a breach and train employees how to react.
Article 7: better Cybersecurity starts with fixing your employees' bad habits
Ways to fix bad habits of employees/people:
- have the default version as a very secure one as the default version tends to stick (aka VPN usage, two-factot authentication)
- when postponing updates, postpone to a specific point of time
- tell people what others (especially the best in regard to Cybersecurity) are doing as people tend to do what others are doing
- look at awareness training as a continual process instead of a once-a-year event
Article 8: The key to better Cybersecurity
Keep "best practices" simple.
- avoid overly complex rules as that leads to shortcuts (e.g. password generation)
- when testing the security, adapt it to the group or individual (spear phishing compared to the same phishing mail to all employees)
- avoid disconnections between IT/security and regular employees, especially avoid an adversarial mindset
Article 9: The avoidable mistakes executives continue to make after a data breach
- not notifying customers/stakeholders immediately after a breach (but waiting until the data is being sold on the dark net)
- no good customer service after breaches
- not being honest and authentic and not providing clear and frequent updates
- organizations, and especially upper management must accept accountability and responsibility for responses
Article 10: Active Defense and "Hacking Back"
Active defense goes beyond passive monitoring.
A working definition: "active cyber defense is a direct defensive action to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.
Hacking back is another, more aggressive concept that should not be confused with active defense. It includes trying to access the attackers systems and is generally considered to be unethical and probably illegal.
Article 11: Cybersecurity is putting customer trust at the center of competition
Security cannot be proven on the level of whole organisations. That's why it has to be signaled. For costumers to trust corporations it must evident that these corporations are doing everything in their power to keep the customer's data secure. Companies must clearly communicate that breaches are to be expected.
Article 12: privacy and Cybersecurity are converging
Privacy and security, in the past, two separate things, one legal and one technical. Historically, unauthorized access to personal data was the biggest threat. Nowadays, machine learning enables the people with access to data to infer a lot of information.
Article 13: What countries and companies can do when trade and Cybersecurity overlap
In times of globalization, a lot of products (HW and SW) are being imported. The risk of a potential backdoor always exists as one can not examine every product. This article explores different options countries and private companies have in response to that.
Article 14: AI is the future of Cybersecurity, for better and for worse
AI is becoming more capable and will, of course, also be used in cybersecurity, both for hacking and defense.
Traditionally, cybersecurity wants to minimise successful attacks. Perfect security is not possible and can not be achieved.
In the age of superintelligent AIs, a single failure could be enough to destroy or seriously harm human life on a global scale.
This entire review has been hidden because of spoilers.
February 9, 2024
Need to explore the idea of active defense not just in cybersecurity but in other areas, interesting idea to apply to other fields.
Important takeaways:
1. awareness training for employees and comparative notifications/messages for users are effective to create stronger cybersecurity systems(i.e. your neighbors/other users are doing this, so do this)
2. employees or user mistakes are what result in cybersecurity breaches, not a big planned cyberattack
3. cyberattacks are getting more costly, despite higher success rates at stopping them more code means more places where backdoors and errors can allow hackers into the systems.
4. too many steps for security/overcomplexity, such as frequently requried complex password changes can result in employees not doing the said actions, or not paying attention to suggestions at all.
- so, have to make training customized to departments and specific, just like hackers do when hacking.
-too much employee guidance--> overwhelm, overtraining not effective esp. when its too general.
5. Create better relationship b/w IT and other departments, make sure they interact regularly, can hold weekly office hours for IT where others can come to them with issues.
-it department can't be seen as a hindrance for people to achieve goals, should not be compliance adverseries.
6. consider adopting active cyberdefense techniques
- but not active "hacking back", illegal in some cases but sometimes the government might allow it if there are substantial risks to allow the hack or bug to remain unsolved.
Important takeaways:
1. awareness training for employees and comparative notifications/messages for users are effective to create stronger cybersecurity systems(i.e. your neighbors/other users are doing this, so do this)
2. employees or user mistakes are what result in cybersecurity breaches, not a big planned cyberattack
3. cyberattacks are getting more costly, despite higher success rates at stopping them more code means more places where backdoors and errors can allow hackers into the systems.
4. too many steps for security/overcomplexity, such as frequently requried complex password changes can result in employees not doing the said actions, or not paying attention to suggestions at all.
- so, have to make training customized to departments and specific, just like hackers do when hacking.
-too much employee guidance--> overwhelm, overtraining not effective esp. when its too general.
5. Create better relationship b/w IT and other departments, make sure they interact regularly, can hold weekly office hours for IT where others can come to them with issues.
-it department can't be seen as a hindrance for people to achieve goals, should not be compliance adverseries.
6. consider adopting active cyberdefense techniques
- but not active "hacking back", illegal in some cases but sometimes the government might allow it if there are substantial risks to allow the hack or bug to remain unsolved.
July 29, 2025
This book is focused toward business... and mostly toward business executives. They must make decisions to spend money on security and to choose amongst various strategies. But how can they do that without a reasonable idea of what the problems are? This book gives that general overview so that executives don't fall into the normal errors most businesses do... buy some new technology, check off the boxes and forget about it. Cybersecurity is an ongoing and adaptive process.
Any problems with this book? Yes. It is a little dated in terms of the references used, but this is such a high level overview that it doesn't make much difference. The issues remain the same regardless of what technology is in use. Response to a break in remains the same then and now. This is still a useful book.
I might read it again.
Any problems with this book? Yes. It is a little dated in terms of the references used, but this is such a high level overview that it doesn't make much difference. The issues remain the same regardless of what technology is in use. Response to a break in remains the same then and now. This is still a useful book.
I might read it again.
November 2, 2025
This book does an excellent job explaining why cybersecurity isn’t just an IT issue but a full-scale organizational responsibility. The authors emphasize that data protection, risk awareness, and proactive defense need to be understood from the top management down to every employee, a perspective many businesses still overlook.
I found it especially relevant to how companies like https://www.nsocit.com approach cybersecurity blending technical expertise with strategic management to build resilient digital infrastructures. The mix of research insights, real-world examples, and executive-level guidance makes this book a valuable resource for leaders and IT professionals alike.
A concise yet powerful read for anyone looking to strengthen their organization’s security mindset.
I found it especially relevant to how companies like https://www.nsocit.com approach cybersecurity blending technical expertise with strategic management to build resilient digital infrastructures. The mix of research insights, real-world examples, and executive-level guidance makes this book a valuable resource for leaders and IT professionals alike.
A concise yet powerful read for anyone looking to strengthen their organization’s security mindset.
September 22, 2019
Compared to a decade ago, many of organizations today need to be more concerned about cybersecurity. Maybe that is the reason why you stumbled upon this book to see what’s going on about this topic.
You made the right decision! This book provides the foundational understanding of cybersecurity and how it affects the world of business. These collection of essays are written by the latest thinkers on this subject drawn from their respective researches and experiences.
If you are someone who is looking for fast yet strong foundation of the issues that surrounds the safety of living in a digital world, this book will be a great asset.
You made the right decision! This book provides the foundational understanding of cybersecurity and how it affects the world of business. These collection of essays are written by the latest thinkers on this subject drawn from their respective researches and experiences.
If you are someone who is looking for fast yet strong foundation of the issues that surrounds the safety of living in a digital world, this book will be a great asset.
August 24, 2020
Another great book by Harvard Business Review Press, as always.
I especially like the chapter about cyberattack trends by industries and costs incurred. Basically any company in any industry can be the next victim of cyberattack. But it’s alarming that Boards and management are generally not well prepared for dealing with this challenge.
Cybersecurity is no longer the remit of IT and risk specialists, but the Board’s responsibilities. I hope more business leaders can pick up and read this book - it’s an easy read that can be finished in a good few hours.
I especially like the chapter about cyberattack trends by industries and costs incurred. Basically any company in any industry can be the next victim of cyberattack. But it’s alarming that Boards and management are generally not well prepared for dealing with this challenge.
Cybersecurity is no longer the remit of IT and risk specialists, but the Board’s responsibilities. I hope more business leaders can pick up and read this book - it’s an easy read that can be finished in a good few hours.
October 29, 2023
There are only a few HBR books that I like. The reason for dislike typically is disjoint stories forced into a book to make it book worthy. In most cases there is no relation between the articles. This one is a tad bit different. The one piece that I liked is the chapter on emerging trends and challenges in cybersecurity, such as artificial intelligence, blockchain, active defense, and data privacy.
The authors use clear and simple language, case studies, and practical recommendations to illustrate their points and motivate readers to take action.
The authors use clear and simple language, case studies, and practical recommendations to illustrate their points and motivate readers to take action.
February 17, 2020
This book was so watered down that it might as well have been waterlogged.
Zero explanation or attempts at trying to correlate current risk frameworks to business impact. Elementary analysis of board buy in for cybersecurity initiatives.
You'd be better off reading Equifax's 10-k, or scrolling through shodan for an hour.
Zero explanation or attempts at trying to correlate current risk frameworks to business impact. Elementary analysis of board buy in for cybersecurity initiatives.
You'd be better off reading Equifax's 10-k, or scrolling through shodan for an hour.
July 23, 2021
Provides some basic information that will help business leaders understand about the importance of Cybersecurity, Cyber Risks & a few potential actions that should be taken. Some of the ideas mentioned in the book seemed less practical & more idealistic / academic.
February 20, 2020
Quite informative. To be honest, the last few chapters about the future of cybersecurity and AI were pretty scary.
April 19, 2021
a bit shallow for technical folks but for business leaders a good read on essentials of cybersecurity with great takeaways at the end of each chapter/article.
June 12, 2021
Good intro for cybersecurity for executives
January 17, 2022
wat te algemeen om echt nuttig te zijn
June 23, 2022
The book is a lit dated in some areas, but a lot of topics in the book are still important to know and understand.
It’s a short book and worth the read.
It’s a short book and worth the read.
February 16, 2024
Only reading this book for work purpose, but I found it boring.
December 23, 2024
Sound insights. It ends by saying we need AI to defend the hackers using AI. It’s gonna be a terrific future.
March 9, 2024
Very basic. General knowledge that covers all aspects of cyber security.
Highly informative for a beginner.
Highly informative for a beginner.
Displaying 1 - 20 of 20 reviews