Index

A

• Abdulmutallab, Umar Farouk, 178
• Administrators, locking out, 10
• Adversaries, 47–68
  • adversarial machine learning (AML), 164–165
  • airline industry's response to hijacking, 175–179
  • botnets, 77
  • cybersecurity hygiene importance and, 63–66
  • defense against, 54–59
  • employees' compliance as response for, 62–63
  • employees' need for awareness of, 59–61
  • hackers' motivation, 30–33
  • hacking example, 1–8, 82
  • personal responsibility for protection from, 14–17
  • phishing by, 53, 60, 61, 156–158
  • proactive response for, 61–62
  • ransomware threat, 31
  • ransomware vs. WannaCry, 132–133
  • social engineering, example, 48–52
  • social engineering, types, 53–54
  • spectators and influence on outcome, 17–19
  • taking precautions against, 8–13
  • W.I.S.D.O.M., defined, 19–21
  • worms, 132–133
• Advertising, paying directly for, 11–12
• Airline industry, 169–185
  • culture of security vs. past practices, 172–175
  • hijacking issues of past, 175–179
  • as modern-day mundane routine, 169–171
  • reaction to safety problems in, 182–184
  • safety checks performed by, 179–182
• Angelou, Maya, 124
• Animal behavior, herd instinct and, 187–190
• Apricorn, 29
• Artificial intelligence (AI)
  • adversarial machine learning (AML), 164–165
  • detection tools, 10
  • to identify threats, 163–166
  • used in social engineering, 62
• Audit, of third-party security practices, 144–145
• Automation, cybersecurity industry and, 33–38
• Automotive Edge Computing Consortium, 78
• Autonomous cars, weaponizing, 78–79
• Aviation Safety Network, 181
• AWS, 81

B

• Bed bug metaphor, 137–138
• Behavioral profiling, by airline industry, 177–179
• Ben-Gurion University, 29
• Berkland, Jim, 189
• Blake, Frank, 112–115, 124
• Bletchley Park code breaking operation, 93
• Boards of directors
  • cybersecurity as culture for, 166
  • integrated work with CISOs and, 25, 27, 41–43
  • shared vision with CISOs, 38–41, 149–153, 161–162, 167
• Boeing 737 Max 8 airplanes, 183–184
• Botnets, 77
• Brain Rules (Medina), 149
• Breach fatigue, 57
• Breach issues. See Crisis communication and preparedness
• Breach Level Index, 115
• Bring-your-own-device (BYOD) movement, 29
• Budgeting. See Finance professionals and financial considerations
• Bush, George H. W., 113

C

• Chief executive officers (CEOs)
  • CISO and work of, 25, 41–43
  • culture of security for, 191
  • cybersecurity as culture for, 166
  • shared vision of boards and CISOs, 38–41, 149–153, 161–162, 167
  • See also Chief information security officers (CISOs)
• Chief financial officers (CFOs). See Finance professionals and financial considerations
• Chief human resource officers (CHROs). See Human resources
• Chief information security officers (CISOs), 23–45, 147–160
  • AI used for identifying threats by, 163–166
  • anonymity of, 23–26, 148
  • for automation and efficacy, 33–38
  • CIOs engaged with, 161–162
  • consumerization of IT and, 153–156
  • culture of security for, 198–199
  • cybersecurity as culture for, 166
  • cybersecurity cost and, 131, 133, 135–137, 139–146
  • cybersecurity hygiene as priority of, 158–161
  • employment duration of, 42
  • importance of, to team, 41–43
  • origin of cybersecurity and, 26–28
  • overview, 3
  • phishing simulation by, 156–158
  • rewards and recognition programs, 101–104
  • risk management response by, 30–33
  • shared vision with board, 38–41, 149–153, 161–162, 167
  • technology investment by, 162–163
  • transformation and response of, 28–30
• Cloud Access Security Brokers (CASB), 162
• Cloud Adoption and Risk Report (McAfee, 2019), 154
• Contact lists, 12–13, 158–159
• Crisis communication and preparedness, 109–126
  • asset risk of, 119–120
  • breach response and, 112–115, 124
  • crisis communication approaches, 116–118
  • empathy for victims and, 117–118, 121–124
  • employees included for, 123
  • fear and, 109–112
  • marketers/communicators, culture of security for, 193–194
  • practice and simulation for, 41–42, 123–124, 156–158
  • templates for, 120–122
  • third-party exposure and breach of security, 143–144
  • time for response, 115–119, 120, 122
• Culture of security, 187–199
  • airline industry as example of (See Airline industry)
  • for boards of directors, 166
  • for CEOs, 166, 191
  • for CIFOs, 198–199
  • for CISOs, 166
  • cybersecurity emphasized in, 166
  • for employees, 166, 191
  • for finance professionals, 166, 194–198
  • herd instinct and earthquake example, 187–190
  • for human resources, 89, 192–193
  • for marketers/communicators, 193–194
  • need for, 15–16, 106
  • for product developers, 192
  • risk management and, 166
• Cybercrime market, 128–132
• Cybersecurity hygiene
  • hand-washing metaphor, 63–64
  • locking out administrators, 10
  • origin of, 26–28
  • for passwords, 9, 64–65
  • for physical infrastructure, 65–66
  • as priority, 158–161
  • of shelfware, 159
  • of third-party partners, 137–142
  • See also Chief information security officers (CISOs)
• Cybersecurity industry, size of, 33–38
• Cybersecurity plan review, 6, 9–10

D

• Dark Web. See Adversaries
• Data Breach Investigations Reports (DBIR, Verizon), 59, 61
• Data requirements, defining, 83
• Data weaponization, 118–119, 160
• Deloitte, 25–26, 32, 40
• Deployment, of cybersecurity technology, 35–37
• Detection tools
  • confidentiality of, 11
  • machine learning for, 10
• Digital and malware forensics, outsourcing, 140
• Distributed denial of service (DDoS) attacks, 75–79
• Diversity, need for, 92–96
• Dwell time, 115–119
• Dyn attack, 74–79

E

• Earthquake example, 187–190
• Emotions, “hot,” 111
• Empathy, for victims, 117–118, 121–124
• Employees
  • awareness of adversaries by, 55–61 (See also Adversaries)
  • compliance by, 62–63
  • crisis communication plan and inclusion of, 123
  • culture of security for, 191
  • cybersecurity as culture for, 166
  • See also Human resources
• Empowerment. See Stop-the-line philosophy
• Enlistment, 97–101
• Enterprise Strategy Group (ESG), 35
• Ethics, accountability and, 82
• Ethiopian Airlines, 183
• European Union (EU), General Data Protection Regulation (GDPR), 58–59, 116

F

• Fear, preparation and, 109–112
• Federal Aviation Administration (FAA), 177–178, 183
• Fileless attacks, 31
• Finance professionals and financial considerations
  • auditing of third parties, 144–145
  • budgeting and resources, 40, 143
  • CFOs and cybersecurity culture, 166
  • CISOs engaged with, 142–143
  • culture of security for, 166, 194–198
  • cybersecurity cost and, 131, 133, 135–137, 139–146 (See also Third-party partners)
  • ROI vs. risk management, 133–137
  • third-party exposure and, 143–144
  • See also Third-party partners
• Forbes, 60
• Ford, Henry, 72
• Frost & Sullivan, 29

G

• Gartner, 54
• General Data Protection Regulation (GDPR), 58–59, 116
• General Motors (GM), 70–74
• Global Information Security Survey, 40
• Google, Rule of Four of, 98–99

H

• Hackers, motivation of, 30–33. See also Adversaries
• Haggerty, Bill, 72
• Herd instinct and earthquake example, 187–190
• Hijacking, airline industry's response to, 175–179
• Hiring practices. See Human resources
• Home Depot, 112–115, 124
• Honesty, as corporate culture, 15–16
• Hopper, Grace, 93–94
• “Hot” emotions, 111
• HowSecureIsMyPassword.net, 65
• Human resources, 87–107
  • chief human resource officers (CHROs), vision of, 89
  • culture of security for, 192–193
  • diversity and, 92–96
  • key performance indicators (KPIs) and, 105–106
  • pledge walls, 87–89
  • recruitment and enlistment by, 97–101
  • rewards and recognition programs of, 101–104
  • talent shortage and, 90–92, 96–97
  • visionary CHROs for, 89
  • whistleblower programs by, 104–105
• Hygiene. See Cybersecurity hygiene

I

• IDG Enterprise, 153
• Industry of Anonymity (Lusthaus), 128
• Information technology (IT)
  • consumerization of, 153
  • cybersecurity departments and relationship to, 160–161
  • outsourcing of, 140–142
• Infrastructure-as-a-service (IaaS), 155
• INROADS, 171
• Intel, 79
• International Association of Privacy Professionals, 116
• Internet of Things (IoT), used as Internet of Terrorism, 77–79

K

• Key performance indicators (KPIs), 105, 162

L

• Lean Startup, The (Ries), 81
• Lee, Bruce, 71
• Loma Prieta earthquake (1989), 187–190
• Lovelace, Ada, 93
• Lusthaus, Jonathan, 128

M

• Machine learning. See Artificial intelligence (AI)
• Madrid, Rick, 72
• Managed security service providers (MSSPs), 141
• Marketers/communicators, culture of security for, 193–194. See also Crisis communication and preparedness
• McAfee
  • on AI, 165
  • Cloud Adoption and Risk Report (2019), 154
  • on cybercrime market, 129–130
  • cybersecurity preparation of, 21
  • hacking example, 1–8, 82
  • hiring practices of, 99
  • Intel spinout and, 1, 149
  • online ethnographic study, 47, 55–56, 169, 187
  • pledge walls of, 87–89
  • risk management statistics of, 30
• Medina, John, 149
• Minimum viable products (MVP), 81–86
• “Mr./Ms. Cellophane” metaphor, 23–26. See also Chief information security officers (CISOs)
• Multifactor authentication, 6, 9–10, 13

O

• Oak Ridge National Laboratory, threat to, 177–178
• Office of Personnel Management (OPM, U.S. government), 58
• Outsourcing. See Third-party partners

P

• Password management/hygiene. See Cybersecurity hygiene
• Penetration testing, outsourcing, 140
• Personal responsibility, importance of, 14–17. See also W.I.S.D.O.M. (What I'll Say and do Differently on Monday)
• Phishing
  • awareness of, 61
  • defined, 53
  • simulation exercises, 156–158
  • spear phishing, 60
  • See also Social engineering scams
• Platform-as-a-service (PaaS), 155
• Pledge walls, 87–89
• Ponemon, 115, 122, 139, 164
• Practice, of simulated attacks, 40–41, 123–124, 156–158
• Product developers and development, 69–86
  • culture of security for, 192
  • data requirements defined by/for, 83
  • Dyn attack and, 74–79
  • minimum viable products (MVP), 81–86
  • securing cloud and, 154–155
  • security as built in, 81–82
  • security ownership in product lifecycle, 83–85
  • shelfware and cybersecurity hygiene/investment, 143, 159
  • Toyota example, 70–74
  • understanding customers' requirements for cybersecurity, 80–81
• “Pwned,” 4–5

R

• Ransomware
  • threat of, 31
  • WannaCry vs., 132–133
• Recruitment, 97–101
• Red team (attackers)/blue team (defenders), in simulated attacks, 41, 123
• Reid, Richard, 178
• Return on investment (ROI)
  • budgeting and cybersecurity issues, 131–132
  • risk management vs., 133–137
• Ries, Eric, 81
• Risk management
  • asset risk and communication plans, 119–120
  • cybersecurity as culture, 166
  • growing need for, 30–33
  • risks and costs of data breach, 59
  • ROI vs., 133–137
  • shared language of, between boards and CISOs, 151–153
  • third-party partners and, 132–137
  • transformation of technology and response, 28–30
  • updating risk assessment for CEO/board, 40–41
  • See also Chief information security officers (CISOs)
• RSA, 66
• Rule of Four (Google), 98–99

S

• Safety culture of airlines. See Airline industry
• Seattle Seahawks, 12th man example of, 18–19
• Security operations centers (SOC)
  • outsourcing, 140
  • understanding, 35
• Security ownership, building into product lifecycle, 83–84
• Semmelweis, Ignaz, 63–64
• Service level agreements (SLAs), 162
• Shelfware
  • cybersecurity hygiene of, 159
  • cybersecurity investment for, 143
• Signature, 31
• Simulated attacks, 40–41, 124
• Skills, transferable, 99
• Social engineering scams, 47–68
  • defense against, 54–59
  • example, 48–52
  • McAfee online ethnographic study, 47, 55–56
  • types of, 53–54
  • W.I.S.D.O.M for employees, 59–67
• Software-as-a-service (SaaS), 155
• Software development. See Product developers and development
• Spear phishing, 60
• Spectators, influence of, 17–19
• “Stealing thunder,” 116–117
• Stop-the-line philosophy, 69–86
  • Dyn attack and, 74–79
  • at Toyota, 70–74
  • W.I.S.D.O.M for product developers, 80–86
• Stuxnet, 66

T

• Talent shortage, in cybersecurity industry, 33–34, 37, 90–92, 96–97, 165. See also Human resources
• Technology, investing in, 162–163
• Templates, communication, 120–122
• Third-party partners, 127–146
  • cybercrime market and, 128–132
  • cybersecurity hygiene of, 137–142
  • financial considerations and, 142–146
  • outsourcing to, 140–142
  • risk management and, 132–137
  • security of, 12
• Threat intelligence, outsourcing, 140
• 3–1–1 requirement, by airlines, 178
• Time issues
  • for preventive measures, 62–63
  • response to phishing campaigns, 61
  • for response to security breach, 115–119, 120, 122
  • tick-tock schedule, 122
• Time (magazine), 175
• Toyoda, Tatsuro, 70
• Toyota, 70–74
• Transformation of technology, responding to, 28–30
• Transportation Security Administration (TSA), 174, 178, 180–181
• Trust
  • between cybercriminals, 128–132
  • expectations for, 53–54
• 12th man example, 18–19

U

• United Auto Workers, 71
• United States Geological Survey (USGS), 188
• Urban legends, fear and, 109–112
• U.S. Department of Health and Human Services, 83
• USB devices
  • attack vectors and, 29
  • Stuxnet attack and, 66

V

• Verizon, 59, 61, 100, 102
• Victims, empathy for, 117–118, 121–124
• Virtual private networks (VPN), 66
• Vision, shared, 149–153

W

• WannaCry, 132–133
• Whaling, 60
• Whistleblowers, 104–105
• WiFi, security issues of public networks, 66
• W.I.S.D.O.M. (What I'll Say and do Differently on Monday)
  • AI used for identifying threats, 163–166
  • CIOs engaged with CISOs, 161–162
  • for culture of security, 191–199
  • cybersecurity as culture, 166
  • cybersecurity hygiene as priority, 158–161
  • defined, 19–21
  • financial considerations and, 142–146
  • key performance indicators (KPIs) and, 105–106
  • personal responsibility, 14–17
  • recruitment and enlistment, 97–101
  • rewards and recognition programs of, 101–104
  • shared vision for, 38–41, 149–153, 161–162, 167
  • simulations for, 156–158
  • social engineering scams and, 59–67
  • stop-the-line philosphy and, 80–86
  • talent shortage and, 96–97
  • technology investment and, 162–163
  • whistleblower programs by, 104–105
  • See also Boards of directors; Chief executive officers (CEOs); Crisis communication and preparedness; Employees; Finance professionals and financial considerations; Human resources; Product developers and development; Risk management
• Worms, 132–133

Y

• Young, Chris, 149, 157

Z

• Zombie servers, 159
• Zyklon, 133