Book Review: The Cyber-Elephant in the Boardroom: Cyber-Accountability with the Five Pillars of Security Framework
The Cyber-Elephant in The Boardroom: Cyber-Accountability with the Five Pillars of Security Framework. By Mathieu Gorge. Forbes Books; https://books.forbes.com/; 288 pages; $29.99.
One might think that information security is simply a matter of buying hardware and software and letting those tools do their jobs. If only it were so easy. In The Cyber-Elephant in the Boardroom: Cyber-Accountability with the Five Pillars of Security Framework, author Mathieu Gorge and a number of contributors show that effective information security is much more than that.
Gorge is a veteran in the information security space and wrote the first half of the book. The second half has contributions by numerous experts and leaders in the field on topics such as human resources risk, strategic questionnaires, cyber risk impact on the board, and more.
Much of the book deals with a framework built around the five pillars of security. The framework is meant to help organizations understand their security risk environment and organize their security risk management roles and protocols. By doing so, organizations can better understand their information security risks and develop a strategy to mitigate them. This is critical given recent increases in industry and government regulations around security. Senior managers who don’t have a strategy to mitigate their risks place their entire organization in danger. In fact, a single data breach could have devastating effects due to predatory lawyers with their class-action lawsuits, even if the organization was not at fault.
The five pillars the book enumerates are physical security, people security, data security, infrastructure security, and crisis management. Putting these in place can assist a firm in mitigating its risks both from technological and legal perspectives. The core of the book focuses on understanding how data works in your organization and placing controls around it. Since data is the lifeblood of an organization, a lack of control over your data is a significant risk.
Control the data, and most of the risks can be controlled accordingly.
Security and risk are indeed the cyber-elephants in the boardroom. It is far too late to pretend they are not there. The book provides readers with a high-level methodology of what they need to do to secure their organizations. The role of a security leader is to ensure that their CEO is in the Wall Street Journal to announce good news, not that they have been the victim of a data breach. This book is a great resource to help those leaders do just that.
Reviewer: Ben Rothke, CISSP, CISM, CISA, is a New York City-based senior information security manager with Tapad, with more than 20 years of industry experience in information systems security and privacy. His areas of expertise are risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography, and security policy development. He wrote Computer Security—20 Things Every Employee Should Know.