Book Review: Building an Effective Cybersecurity Program

For me, when choosing a technical book to read, the author’s credentials carry significant weight. I usually spend some time researching their previous publications and work history. I want to know they are an expert in the field, or at least have sufficient knowledge to warrant considering their ideas and opinions. 

The author of Building an Effective Cybersecurity Program, 2nd Edition, Tari Schreider, C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP, is well-credentialed. Tari is a nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. He is an instructor for EC-Council, where he teaches advanced CISO certification and risk management courses. 

For those readers who like getting right to the point and dislike reviews that hide the final recommendation somewhere near the end of the article, let me say that I recommend reading this book — with one condition. I recommend it if you want to be the smartest person in the room, even if you are new to cybersecurity, when discussing your organization's cybersecurity program. This book will become your go-to field manual to guide or affirm your decisions about the organization's program. 

In the preface, Schreider identifies three reasons why this book is needed:

  1. Few managers have ever had to build a cybersecurity program from the ground up. This deficit has resulted in programs based on “insular opinions” rather than sound architecture and design principles. 
  2. The cybersecurity skills gap has created a generation of managers ill-equipped to build a cybersecurity program.
  3. Inexperienced managers need help to avoid falling under the spell of what he calls “security theater” — succumbing to cybersecurity technologies proffered by thousands of vendors and consultants, with little regard for the basic blocking and tackling of cybersecurity. 

This work contains seven chapters, an appendix, and an index — not to mention a preface, foreword, introduction, and dedication. Schreider has not scrimped on content in this book. At over 340 pages, don’t expect to rush from one cover to the other. Most readers will want to take their time getting through it once and then use it as a reference source after that.

With about an equal amount of attention paid to each, the primary sections of the book cover:

  1. Designing a cybersecurity program
  2. Establishing a foundation of governance
  3. Building a cyber threat, vulnerability detection, and intelligence capability
  4. Building a cyber risk management capability
  5. Implementing a defense-in-depth strategy
  6. Applying service management to cybersecurity programs
  7. Cybersecurity program design toolkit

Employing a fairly casual, yet endearing, first-person narrative style, Schreider lays out each chapter with a useful roadmap, checklists, and self-study questions. These stylistic tools enable the easy consumption of what could otherwise be technical and dry material. 

Adopting and applying the characteristics of a journey, Schreider guides the reader through the mileposts of building a cybersecurity program, start to finish. Even so, the book is organized so it can easily be used as a reference guide, providing detailed information for any point along the route. 

This book includes ample graphics to illustrate the complex ideas addressed in the text. These visual representations help the reader comprehend and retain the information presented. Note also that the book contains a large number of hyperlinks; many readers will find a digital copy with active hyperlinks most useful.

Sprinkled throughout the book are helpful tips, such as “Never be that person who is unable to provide me with a blueprint of your cybersecurity program.” These tips are a useful device to help the reader take stock of their strengths and weaknesses and serve to illustrate where more information is needed to guide their learning. 

Many readers will find reassurance in Schreider’s insistence that a sound cybersecurity program must be based on the firm foundation of tried and tested policies and procedures. Throughout the book, he reinforces his conviction that even the best programs cannot predict every situation and that, at some point, every organization must rely on its employees to do the right thing consistently.  

The technologies employed by cybersecurity vendors are evolving at an ever-increasing speed. With a hyper-focus on everything from artificial intelligence and machine learning to new philosophies such as integrating security practices into the DevOps process, basic security principles can easily be overlooked or even pushed aside. With this book, Tari Schreider provides an essential voice: a blueprint for designing and implementing a sound cybersecurity program, something that should not be overlooked, short-circuited, or abbreviated.

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.