The Management and Cyber Security course was one of the more interesting courses in my Master's program. I was particularly impressed by our textbook author Peter Drucker, who, in my opinion, is one of the most transformational leaders in the history of Management. His book, "Management: Tasks, Responsibilities, Practices" was written well before the Internet was commonplace, but his insights into how the world would function, nearly fifty years later, proved both accurate and insightful because of an incredible understanding of human psychology, technological developments, and business strategy.
Using and studying his book in the context of Cyber Security helped me to change the focus of my professional development. My focus was transformed from that of a sole technical focus towards a blended technical, business goals, and strategy focus; effectively marrying the two to great success. As a cyber security professional, I am ethically bound to protect information from unauthorized disclosure by implementing the appropriate safeguards and security controls. Yet, at the same time, as a corporate employee I must also ensure that we do not over-allocate resources. Thus it is necessary to balance our approaches to protect information and information systems and risk against that of over-allocating company resources. This balancing act has been the frustration of many technically adept cyber security professionals, including myself, as I lacked the expertise and understanding required by management to ensure that a business can survive and thrive while at the same time reducing information security risks to acceptable levels. This course gave me a top-down perspective and a way to speak to the business leaders. It also made me a better business leader with regard to paths forward for corporate cyber security.
In addition to Drucker's book, another book provided a solid course of action for functioning as a senior executive and also for cyber security roles to strategically emphasize cybersecurity's importance to senior executives so that they can ensure the appropriate protections are in place, and that the risks are well understood by the executives. Cybersecurity for Executives by Touhill, G., and Touhill, C., proved to be valuable from both an ethical standpoint and professional standpoint as an executive. One of the quotes Greg Touhill shares in the book is from Mike Rogers, Chairman of the House Intelligence Committee, when he said, "There are two kinds of companies. Those that have been hacked, and those that have been hacked but don't know it yet" (Touhill & Touhill, 2014). This quote highlights the first Cyber Security Chief of the United States' perspective and understanding of the cyber warfare world we live in today. It keeps reminding me to be humble, and also helps me to remember that my professional duty is not to bring in tools, and insert processes to be blindly followed without providing a business reason. I can't just ask for software and systems to address cyber risks and call "cyber" done, but rather, I must ensure that we create a living system and perform constant monitoring, detection and response processes. This allows us to address breaches, failures, and lack of availability as these can and will happen as they are inevitable.
Reducing the costs of implementing and operating tools, and ensuring I understand the organization's risk appetite and that our executives understand the true risks to the business are now my standard mantra at work. I've created presentations and delivered them to my fellow cyber security professionals in my company to ensure that they understand the business aspects and a path toward reducing costs and capturing more business through strategic cyber security investments. There's little doubt that this course drove the business-centric view and allowed me to create a better way to address risks in my organization.
References
- Drucker, P. F. (1985). Management: Tasks, Responsibilities, Practices. New York: Harper Business.
- Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide. John Wiley & Sons.