Building a Cyber Resilient Business

BIRMINGHAM—MUMBAI

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Nithik Cheruvakodan

Copy Editor: Julie Kerr

Language Support Editor: Safis Editing

Project Coordinator: Neil Dmello

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Nilesh Mohite

Marketing Coordinator: Ankita Bhonsle

First published: October 2022

Production reference: 1051022

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-648-2

www.packt.com

To the Chelly and Laaksonen families … To my most fabulous husband, whom I cherish beyond words.

– Dr. Magda Lilia Chelly

To my dearest husband, your love and encouragement mean the world to me. I’m also thankful for my family and dear friends who’re always cheering me on—this is for you. Finally, to my trusted circle and community who have grown together with me, I’m grateful for your support.

– Shamane Tan

To Hai Tran, who passed away while this book was being finalized.

He’d love to have seen his idea for this book, of helping as many organizations as possible derive the best value from cybersecurity functions, come to fruition.

Rest in peace now, my love, knowing that your legacy and unparalleled passion for the industry will be carried on by the many professionals who will find valuable insights in this book.

– Natallia Tran (Hai Tran’s wife)

Contributors

About the authors

Dr. Magda Lilia Chelly is an award-winning global cybersecurity leader. She was named one of the top 20 most influential cybersecurity personalities in 2017 and 2021 by IFSEC Global.

In her career, Magda has worn several hats, including Information Security Officer for multiple organizations. Magda co-founded a cybersecurity start-up in Singapore called Responsible Cyber Pte. Ltd.

Magda’s speaking engagements address topics on cyber risk quantification, bridging the gap between business and cybersecurity, cyber awareness, diversity and inclusion in the cybersecurity industry, and cybersecurity investments and entrepreneurship. Magda’s research around cybersecurity has been featured by IEEE, the RSA Conference, and the CYBER RISK LEADERS magazine.

I want to thank my husband for giving me the space and support I’ve needed to write this book, even while the COVID-19 global pandemic was raging around us. I’d also like to thank the Packt team for their support and patience, and for granting me the opportunity and time to complete this journey.

Many thanks to my Responsible Cyber team, and to all my supporters throughout this journey.

Shamane Tan is the Chief Growth Officer at Sekuro, leading the security outreach strategy with the C-Suite and executives. Recognized by IFSEC as a Global Top 20 Cybersecurity Influencer and awarded ASEAN Top 30 Women in Security, the author of Cyber Risk Leaders and Cyber Mayday and the Day After was listed in the 40 under 40 Most Influential Asian-Australians.

Awarded ARN Shining Star 2021 and AiSP Singapore’s Cybersecurity Professional, the TEDx speaker regularly chairs CxO thought leadership roundtables and serves on the Advisory Board for Black Hat Asia Executive Summit. Featured in World’s Leaders World’s 10 Most Influential Business Leaders in Cyber Security, Shamane is the founder of Cyber Risk Meetup, an international community and platform for cyber risk executives.

To God, my source of inspiration, vision, and passion—Psalm 106:1. To my dear husband, who constantly cheers me on; thank you for your joy, encouragement, and celebration of my passion and vision. Thank you to my family, who have always been so understanding and supportive. You are so precious to me. Thank you Sekuro for being an amazing company that aspires to lead by example and challenges boundaries of what is possible and what is excellence. Thank you to my industry friends for your mentorship, for your contributions, and for shaping our industry for the benefit of everyone’s growth and development. Finally, to my co-authors Magda and Hai, it has been such a journey the last few years bringing this together. We finally got there, although it is mixed with sadness to realize that this book has become a legacy that Hai leaves behind. To the whole Packt publishing team, it has been such a pleasure working together on this incredibly meaningful project. Thank you!

A business-oriented and accomplished CISO, Hai Tran sought to leverage his exceptional governance, stakeholder engagement, and project management skills to manage risk by aligning mitigation strategies with business objectives. Hai had extensive leadership experience across a broad range of industries, including five years as the inaugural CISO for the Western Australia Police Force. Hai’s strong focus on communication and transparency gained him respect and an outstanding reputation. He had a pragmatic and business-led approach to security in that it should be an enabler, company-wide, and frictionless. He was a strong, visible, and effective leader, keen to share his knowledge and empower industry professionals to reach their potential.

About the reviewers

Faisal Hussain (Syd) is a veteran in the field of cybersecurity engineering and threat hunting. Currently, Syd is managing a cybersecurity program for Microsoft customer protection in the United Kingdom and EMEA as a Microsoft Security Response Center (MSRC) partner.

Syd works for Microsoft Corporation as a cybersecurity expert, specializing in cloud and enterprise security, advising C-level executives and field experts in detecting and preventing threats and response strategies across the industry.

Syd has peer-reviewed and developed IPs for Microsoft field security teams and presented at various conferences as a speaker. Syd is a regular presenter on security briefing calls hosted by Microsoft.

I would like to say thank you to Madiha (my wife), Mohib (my son), and Maheen (my daughter) for supporting me in reviewing this book during my uber-busy life at Microsoft. I would also like to congratulate the authors on producing this book at a time when the industry needs this knowledge the most.

Kevin Tham is a CISO leader in the Australian digital banking sector and a seasoned information security veteran in the financial services industry. Kevin’s practical approach to cyber security is often seen as pushing the boundaries and balance between user-centric design and effective controls.

Kevin began his career as an academic researcher in the late 90s, an educator, and a security engineer, developing and implementing security controls, when many organizations did not regard information security as a risk. Today, Kevin is the CISO of a fintech organization, which aims to make a difference to individuals through well-thought-out banking solutions and products.

In his spare time, Kevin volunteers and gives back to the security industry through his involvement with the ISACA Sydney Chapter. He served on the board for 8 years and is also a former President, dedicated to serving its over 1,600 chapter members.

Global Expert Takeaways

“Cybersecurity is perhaps the most challenging issue facing the modern boardroom – every organization has or will deal with a potentially devastating cyber incident, malicious or unintentional, and yet directors still find themselves struggling to understand whether their organization is effectively managing that risk. It doesn’t help that the constantly evolving threat landscape and the highly technical nature of cyber discussions can further alienate the board from understanding the right questions to ask. The result is often a sidelining of cyber risk to technical experts – the IT department and the CISO – which can lead to a potentially critical failure of effective cyber risk management.

Shamane, Magda, and Hai take a robust, straightforward response to this challenge, laying out a clear set of questions for both directors and C-suite executives. These go to the heart of effective cybersecurity risk management – are you communicating cybersecurity risk clearly, comprehensively, and effectively amongst the C-suite and to the board, and are you regularly monitoring your performance as an enterprise? Cyber is not an IT issue, it’s a business issue, which requires the whole business to be aligned and equipped to respond to, and that starts at the very top. As one director put it recently, “No one thinks a cyber-attack will happen to them until it does, and that’s when robust cyber governance shows its merit.” I would highly encourage any prospective and current board members or C-suite executives to read the chapter for boards in depth, and ask those very questions of their organization without delay.”

Nicholas Chilton, Head of Board Advisory – South Pacific, Nasdaq Center for Board Excellence

“Cyber risk is a live and dynamic topic in today’s boardroom discussions and decisions. The authors have presented a clear pathway for engagement with boards on cyber risk identification and management. Shamane’s six success criteria provide a useful checklist for boards in considering and discussing cyber risks. In the chapter for boards, the authors’ message to CISOs and other executives about how boards operate and how best to engage with boards is a valuable framework for ensuring the best outcomes for all businesses.”

Teresa Dyson, Non-Executive Director and Audit & Risk Committee Chair on boards of listed companies and government entities across the media, financial services, energy, legal and government sectors

“In my past career I’ve been a CIO for more than 20 years, a CISO for 3 years, and most recently, a Global Head of Technology and Cyber Risk, providing second-line oversight. As such, my perspective on the CIO and CISO is unique, as I understand their roles and responsibilities at a first-person level.

The CIO can be a powerful ally for the CISO. To understand this dynamic and harness this positively can be the key to an effective cybersecurity defense. Each leader has a critical role to play, and the chapter on CIOs provides some great insights into the potential challenges.

If we take a 10,000-foot view, then we can see the CIO has some conflicting requirements. They need to both innovate and drive digital change but do so in a manner that supports the customer experience. Conversely, the CISO passionately wants to protect the foundations, but they are aware that change can introduce new threats and vulnerabilities.

This book is a good guide for managers who want to understand and engage in protecting their enterprise.”

David Gee, former CISO at HSBC, current Global Head Technology (Cyber & Data Risk) at an Australian global financial services group, with more than two decades in the CIO field

“The World of the Board is an excellent chapter! Cybersecurity in any organization is the responsibility of the board and its members. Good cybersecurity protects the business’s ability to function, and ensures organizations can exploit the opportunities that technology brings. Cybersecurity is therefore central to an organization’s health and resilience, enabling its competitive advantage, and this places it firmly within the responsibility of the board.

It is important for board members to understand the right questions to ask their CISO/cybersecurity experts to have a strategic conversation. Ideally, the board structure should have a board member with CISO/cybersecurity expertise and credentials, and have an operational CISO reporting directly to them, and not to an intermediate C-suite executive.

The book gives an excellent insight into the traditional significance of the board’s role versus the executive C-suite role, classifying the individual responsibilities within “Regulatory Governance” peripheries. The reader concludes that the common-sense approach to good governance, risk, and compliance for the sake of the organization is for the board and the C-suite to ensure they have a good line of communication and professional trust, and that recommendations or advice conveyed can be understood.”

Clr. Jeff Whitton, FAICD, CDPSE, Local Government Councillor, Orange City Council, and industry veteran of forty years in the IT and cybersecurity domain as a CEO, Chair and board member

“Congratulations on producing a publication that is resourceful for all of us! I must stress that cybersecurity is not merely an IT issue; it is everyone’s responsibility. The board of directors, top management, and all employees must step forward to take full responsibility to overcome the issues at stake, and ensure collective and significant decisions.

As emerging threats are now highly sophisticated and disastrous, and have the potential to cause severe risks and challenges, cybersecurity risk management strives to enhance cyber-resiliency to prevent and detect threats, and to minimize business disruption and financial losses.

The implementation of a holistic approach is critical as it involves people, processes, and technology in order to decrease the risk of cyber-attacks and prohibit the unauthorized exploitation of systems, networks, and technologies.”

Dato’ Ts. Dr Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia

“Very well done! There is so much good stuff in this book. I enjoy the clarity of the explanations and the straightforward guidance that will serve many CEOs, COOs, and the rest of the executive team very well. I love the fact that Shamane, Magda, and Hai’s advice stresses the importance of the CEO as the champion of creating the culture which considers cyber risk the risk to the business operation. These days, investors as well as customers are less likely to invest or put their money into a company that does not treat cyber risk as a top priority. Cybersecurity (or “data care”) no longer applies only to experts; it belongs to us all, including CEOs. I love the questions posed to the executives in the chapters, as they prompt us to check whether the right security measures are in place.

Also mentioned in the chapter for COOs is that it is absolutely critical to test both the business continuity plan and disaster recovery plan, because assuming that they will work can put the company in a very difficult situation, and even put it out of business. I worked for the “California Earthquake Authority”, where both plans were considered a high priority because of the unpredictability of earthquakes, which can not only ruin businesses but also cause the loss of life if not smoothly executed.

I remember us testing both business continuity and incident recovery by running through a mock test from A to Z every 6 months. There were many manual procedures, but at least we knew we could complete them both. In real life, there are no do-overs when a disaster strikes. From the continuous process improvement perspective, it is important to do what you call the PIR or Post-Implementation Review, because it is our best chance to learn from what has gone well, and what we must improve before the next incident. Continuous improvement is the key to having a great cyber risk plan, and post-mortems are where the suggestions come from.”

Carmen Marsh, CEO, United Cybersecurity Alliance | Intelligence, Board Member

“This is a good book and I liked it a lot. The overall articulation is a great way to convey the differences between the CIO and CISO roles, but also how they complement each other in enabling important business outcomes for the organization. The priorities may differ and the authors call out the need for clear communication and common goals. I particularly like the section where the authors articulated the role of a CIO in supporting cyber resilience. I found the narrative quite practical and of great value to everyone who reads it.”

Abhishek Singh, Chief Information Officer, UNICEF

“Reputation risk is an intangible balance sheet that’s hard to quantify. But a data breach can be devastating, and it’s going to fall on the CMO to manage and recover brand trust. I highly recommend all CMOs read the chapter on the CMO and CPO – Convergence between Privacy and Security. It’s in a simple and easy to digest form, but raises issues of utmost importance.”

Brent Annells, Chief Marketing Officer, Smart Token Labs, formerly with Uber and Facebook

“This is a book that I would highly recommend for cybersecurity leaders navigating a complex business environment. I especially enjoyed the chapter on building a strong security culture. It is important to understand that cybersecurity is not a purely technical issue; shaping human behavior is one of the important elements of a cyber-resilient organization. Empowering employees to be the first line of defense and to share the same values, philosophy, and behavior is extremely important to sustain a good cybersecurity posture in any organization.

This book provides a holistic view of different perspectives, from technical, business, to cultural aspects, which will build up your business to be more cyber-resilient through partnership and collaboration.”

Christopher Lek, Director, Cyber Security, Centre for IT Services, Nanyang Technological University, Singapore (NTU)

“Cybersecurity is a real-world challenge, and we all must have a fair understanding of the what and how at each level of the organization to manage a crisis when it erupts. This book outlines the areas for each group of executives to know the challenges and potential ways to deal with them.

In one of the chapters, it was great to see a fair comparison of a CIO’s versus a CISO’s roles and responsibilities; it’s commendable how both perspectives were stitched in to demonstrate that both leaders need to collaborate to deliver the customer objective. The debate on who should report to whom will continue, but it’s vital that both executives play a collaborative role in working together to deliver the same best customer experience and keep the organization safe, which is a win for everyone.

The authors have produced thought-provoking work, and while reading this book you will find yourself changing your hats to gain both sides’ perspective.”

Amit Chaubey, Chair, Australian Information Security Association (AISA), Sydney

“Shamane, Magda, and Hai have a gift for demystifying the role of the CISO with context, logic, and meaningful illustrations. The role of the CISO is greatly misunderstood by many organizations, as reflected in their own corporate structure reporting lines, responsibilities, and accountabilities. The emphasis made on using business risk language to engage non-technical audiences is correctly put into perspective for continued success. Cybersecurity is highly dynamic and therefore never stops nor goes to sleep at night. Chapter 5 provides excellent tips for cyber risk quantification and board interaction for CISOs.

The chapter on The World of the Board also presents great insights, including the need for business acumen and financial understanding to successfully articulate the enterprise cyber risk exposure to the board of directors. Speaking the board’s language is presented as a critical skill for building rapport and for getting the voice of the CISO heard with authority, trust, and respect. The insights that the authors bring in this chapter make this book a must-have for any cyber practitioner’s professional library.”

Marco Figueroa, former Group CISO for New South Wales Department of Customer Service cluster and current Senior Manager for Cyber Security, Risk and Compliance at the Australian Institute of Company Directors

“Shamane, Magda, and Hai have aptly put across key business digital concerns at the board, CEO, and CISO/CSO levels, and key risk governance approaches to adopt. The approaches, illuminated through the experiences of the authors and experts interviewed in the book, resonate well with ISACA’s Risk IT Framework. The chapters are a real pleasure to read, succinct, and practical for anyone in these key business roles to follow. Without a doubt, I would recommend any aspiring board director, CEO, or CISO/CSO to pick this up early and have a good read, avoid major mindset pitfalls, and save yourself and your business future heartaches!”

Steven Sim Kok Leong, President, ISACA Singapore Chapter; Chair, OT-ISAC Executive Committee and Global CISO, Global Logistics Multinational Corporation

“Cybersecurity is often seen as a technology issue. Given that this perspective has been transitioning to being seen as a business issue, this book brings across many key factors in very basic terms to the reader. There are many relevant principles that are more management, board, and CEO-focused, which is exactly how it should be to truly make a business cyber-resilient. I really like how the book touches upon various regional aspects; from different areas of focus to some of the shortcomings, and this is helpful to any level of reader – board, CEO, and the rest of the C-suite. The chapter for boards is also an excellent read and simple to understand. I like that it provides key emphasis on how both the directors and management should be cyber aware, from their role in cybersecurity to helping board and non-cyber management understand cyber risk, to providing strategic direction in ensuring the organization is cyber-resilient. This is crucial, especially in light of the release from the U.S. Securities and Exchange Commission on their proposed new rules requiring U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise, which happens to also align nicely with one of the topics highlighted in the book, The CISO’s Seat at the Table. Well done Shamane, Magda, and Hai!”

Prashant Haldankar, Co-Founder and CISO, Sekuro | Privasec Asia | Co-Founder, DroneSec

“The roles of the executive team are well established in every organization, but to know what motivates them and how to use this motivation to spearhead cybersecurity goals and outcomes can be tricky. This book works almost like a cheat sheet for any new or established CISO to better understand their executive team and colleagues. This book contains invaluable insights that will accelerate the execution of any security strategy.”

Kevin Tham, CISO, Avenue Bank, ISACA Sydney Chapter Past President

“Great work, authors! I especially enjoyed the chapter on the secret recipe and building security culture. I liked the idea of all the questions that were included at the end of the chapters, as well as how a CISO should engage at all levels of the organization. Asking the right kind of questions is something I’m pretty passionate about. It’s only through asking the right provocative questions that we can identify the problems worth solving, and invite thought leadership and discussion.”

Tim Wenzel, Head of Global Security Protective Intelligence, Fortune 50 Technology Company | Co-Founder, The Kindness Games