
Book Review: Cybersecurity Program Development for Business: The Essential Planning Guide

By Adam Schlagman
August 01, 2018

Many reports to business owners, executives and consumers on the subject of cybersecurity are prefaced with an array of statistics and news stories designed to induce fear and insecurity, while at the same time creating an awareness of the immediate need for action. While this approach can be effective at expressing the seriousness of the subject matter and opening the door to a dialogue, it's really less of a conversation than a sales pitch unless both sides have a requisite understanding of the issues, terminology and reasonable objectives they should be seeking.

Focusing on the commercial side, the problem is that while many business owners and executives understand that a data security problem/need exists, they do not have a baseline fluency in the concepts and alphabet soup that comprise the language of digital information security. Beyond that, they further do not comprehend other critical basics, such as: what are a business' digital assets; who and what are the cybercriminals they should fear; what are a business' vulnerabilities; and what are the practical options and strategies to protect against and rebound from a cyber attack.

To this extent, Chris Moschovitis' new book is an effective cybersecurity primer for the management community. It's not designed to transform a businessperson into a CISO, but it will help them recognize the need to employ a CISO and what to look for when hiring one. The book helps identify, define and explain what an effective, practical and maintainable defensive strategy should look and feel like. This includes the appropriate controls for preventing, detecting, correcting or compensating against cyber risk, as well as identifying and categorizing the various types of risk. In addition, the book walks the reader through the necessary elements of an incident response plan.

Is this a comprehensive executive guide to cybersecurity? No. The book leaves out plenty and perhaps over-explains some basics at the expense of other important topics. For example, Moschovitis doesn't get into such matters as cyber insurance, which is probably a book of its own, but a chapter on the basics would have been helpful — at least enough information to establish a working knowledge of the essential terms and pitfalls for the unwary.

Nevertheless, Moschovitis does do an effective job of opening up the door to his cybersecurity workshop and walking the reader through the basic tools, describing and defining what they are and how they work. He describes the various systems in play, which individuals should properly be responsible for their administration, and how they can best use the tools at their disposal. In short, the book serves as its own tool for executives to understand the basic cybersecurity concepts and presents them with a sufficient basis and perspective to be able to make informed decisions about their companies' digital security.

Perhaps the greatest challenge in producing a practical primer of this nature lies in the author's ability to present real-world business and work-culture difficulties in relatable terms. One of Moschovitis' more effective techniques is his use of detailed case studies. These accounts walk the reader through various challenges and provide step-by-step discussions of the corrective steps taken, the results achieved and the lessons learned. The case studies are not self-congratulatory or promotional accounts, but rather useful mechanisms to illustrate Moschovitis' points in a way that should resonate with senior staff.

Ultimately, no one expects a business owner or executive to be a cybersecurity expert, but in today's digital environment, they must be at least conversant in the nomenclature, as well as able to grasp key cybersecurity issues and vulnerabilities. While there is no need for a business executive to have the dozens of security-specific acronyms available at the tip of their tongue, they should be able to identify and relate to the ones appropriate to their individual business environments. Reading Moschovitis' book and making a few notes will go a long way toward helping the reader engage in meaningful and intelligent conversations about cybersecurity.

Cybersecurity Program Development for Business: The Essential Planning Guide

By Chris Moschovitis. Wiley. ISBN: 9781119429517 (Hardcover)

*****

Adam Schlagman is the Editor-in-Chief of Cybersecurity Law & Strategy.

