In the foreword and preface we got aligned on the challenges our industry faces, our motivations for writing the book, and a bit about the authors. To help you use this book as reference in your day-to-day experience, we'll now review the structure of the book and offer a summary of each chapter.
First, note that the book has three parts. So, if you plan to read the book front-to-back, the flow is natural and the content is cumulative. Chapters at the back of the book assume you are capable of financial analysis, business cases, and other topics covered early on.
In our view, it was important to first establish requisite Foundational Business Knowledge in Part I. That is where you will learn key vocabulary, basic financial formulas, and business strategy tools. We will also review business decision models, valuation methodologies, and business case development. Each chapter (or class) includes one or more case studies to apply the knowledge you've learned. That's true throughout the book, and it is also true in any MBA program. What is different here is that our case studies are developed through the lens of the CISO, rather than the strict business perspective that surfaces in MBA curricula.
Equipped with a common foundation of business knowledge and clear examples of how to apply the core concepts we move on to Part II - Communication and Education. Here you can expect a review of how to leverage COSO, an enterprise risk management framework, to ensure cybersecurity risk fits into the broader context of business risk management. Remember, cybersecurity risk is another risk that needs to be addressed along with financial, operational, strategic, legal, and compliance risk. Just as market, credit, and liquidity risks are types of financial risk, there are subcategories of cyber risk too. So, Part II is the connective tissue that ensures cybersecurity risk is properly framed and prioritized.
Finally, assuming a foundation of business concepts and the proper governance structures for treating cybersecurity risk are in place, you need to lead a team and execute according to the priorities you have established and the projects you have funded. In Part III - Cybersecurity Leadership we review techniques for attracting and retaining talent, and finally negotiation skills that will help you navigate interactions with your employees, colleagues, investors, regulators, and outside vendors.
Now that you know how the book is structured, it's also important to understand how the chapters are structured throughout the book. Through personal stories we outline the opportunities we feel are most relevant at the very beginning of each chapter. Then we introduce theory or research in the Principle section. Next, each chapter extends theory with an Application section that features one or more illustrative case studies. In some cases, the names or details were adapted to protect the innocent. Finally, each chapter is summarized with a Key Insights section that draws out the salient lessons we hope you learn. There is also a Notes section provided at the end of each chapter that outlines supporting research and reference materials.
We recommend that before you read a chapter, you read the Key Insights and examine the Table of Contents. Since we cover many high-level frameworks quickly, this approach will be helpful to keep you oriented in the chapter and book. It's also a speed-reading technique. The following paragraphs provide a summary of each chapter.
Chapter 1 - Financial Principles. This chapter builds your knowledge of financial statements, reviews connections between each statement, offers free resources for further study, and features two case studies that relate cybersecurity operations to accounting rules and financial statements. Read this chapter to solidify your understanding of EBITDA, CapEx, OpEx, Retained Earnings, and Net Income along with other fundamental vocabulary and accounting concepts.
Chapter 2 - Business Strategy Tools. In the second chapter, we introduce business models, KPIs, and value chains. Other topics include board composition and systems theory. We provide a case study to demonstrate the use of the business model canvas. There are two additional case studies that feature value chain linkages to create competitive advantage. One case study features optimization while the second focuses on coordination. Read this chapter for tools that will help you dissect your business's strategy, understand the supply and demand dynamics of your company operations, connect to primary business measures, and optimally position cybersecurity as a source of competitive advantage.
Chapter 3 - Business Decisions. Our third chapter explores how business decisions are made. Decision-making can be improved with an awareness of the biases and noise that commonly afflict us as human beings. We cover a lightweight application of the scientific method to enhance learning. From there, we dive into decision science and choice architecture frameworks. We briefly examine the use of an influence model, and then we finish the chapter with two case studies. The first case study examines various applications of the decision science framework in the context of a hypothetical new CISO scenario. In the second case study we apply choice architecture to phishing defense.
Chapter 4 - Value Creation. The fourth chapter is all about business valuation. We naturally start by defining what we mean by value. Then, we examine the critical attributes of value. Next, we explore how those attributes surface in determining business valuations. Additionally, we examine investor types, means of return, valuation methodologies, and common value drivers. The application section covers the core concepts in a case study that applies security strategy in the context of business valuation for a hypothetical beverage manufacturer.
Chapter 5 - Articulating the Business Case. To get the fifth chapter started, we review several important cost concepts including incremental, opportunity, and sunk cost. From there we explore a communication framework and two financial analysis methods: cost-benefit analysis and net present value. Finally, we close out the chapter with three case studies. The first examines a successful budget request for password management, and the second applies cost-benefit analysis to the same project. The final case study leverages a Monte Carlo simulation to examine possible net present value outcomes of a revenue-generating opportunity resulting from delivery of security services.
Chapter 6 - Cybersecurity: A Concern of the Business, Not Just IT. In Part II, we will build upon Part I and introduce additional tools that transform cyber risk issues into enterprise risk dialogue. This chapter starts to break down the COSO framework. It lays the foundation for elevating cyber risk conversations to enterprise risk by focusing on the first two guiding principles of COSO:
At the end of this chapter, the case study relives one of the author's greatest regrets and warns of the consequences of failing to establish a robust governance structure.
Chapter 7 - Translating Cyber Risk into Business Risk. Chapter 6 discussed establishing a cyber risk management program's foundation using COSO's first two guiding principles. This chapter expands upon those foundations and focuses on executing the cyber risk program and rolling up cyber risk into a portfolio view of enterprise risk that executive leaders, and the board, can use to make business decisions. To do this, we will align with the final three risk management components of COSO:
The case study reveals how the author helped an organization align its cybersecurity program to its enterprise risk management efforts. This ultimately highlighted previously unknown risks and secured additional funding from its board of directors.
Chapter 8 - Communication - You Do It Every Day (or Do You?). This chapter challenges you to examine how you communicate. It provides a structure to improve communication for the explicit purpose of advancing a cybersecurity program. We close this chapter by expanding upon the case study in Chapter 7. We take you into the boardroom to eavesdrop on the conversation between the author and the board of directors.
Chapter 9 - Relationship Management. You cannot operate in a vacuum. A robust cybersecurity program relies on individual technical skills and interpersonal relationships. Read this chapter to master the four key skills of relationship management: maintaining trust, indirect influence, managing through conflict, and professional networking. We conclude with two case studies. The first demonstrates how some humble pie is the remedy for establishing greater trust. The second case study shows the importance of a professional network as the author transitioned from being an operator to an entrepreneur.
Chapter 10 - Recruiting and Leading High Performing Teams. The cybersecurity skills gap is well documented yet hotly debated. However, as a...