Computing Reviews
How to build a cyber-resilient organization
Shoemaker D., Kohnke A., Sigler K., CRC Press, Inc., Boca Raton, FL, 2019. 318 pp. Type: Book (978-1-138558-19-9)
Date Reviewed: Jul 17 2019

Today, cyberattacks on a nation’s infrastructure are an acceptable form of undercover activity. All nations engage in this form of espionage, and every year increasingly sophisticated tools are created and tested to breach private and public networks and services. While rogue nations engage in stealing intellectual property and/or breaching national security, rogue individuals engage in cyber fraud that results in stealing identity, breaching credit cards, disrupting work, and interrupting services. The consensus today is that cyberattacks and cyber fraud will continue and their frequency will increase.

While information technology (IT) has always structured its systems to protect and minimize the damaging impacts of known environmental hazards, today’s cyberattacks are of a “diverse nature, ranging from system level to application and network level” [1]; are more sophisticated, such as incubating viruses; have a much larger entry surface; and are both concentrated and widespread. Although traditional IT approaches--including cybersecurity standards and maturity models--are necessary, they are not sufficient to defend against today’s cyberattacks.

The thesis of this book is that “companies should strive to achieve systems that are resilient, meaning that they are able to absorb shocks without collapsing, to recover to a state where essential services are still provided” [1]. Specifically, this book outlines a step-by-step approach for structuring and ensuring an architecture that is cyber resilient. Hidden within the approach outlined in the book are two security risks of today’s hyper-connected world that shift the responsibility of cyber resilience from IT to the chief executive officer (CEO): one is a lack of transparency about what data passes through the system and how decisions are made, and the other is the large set of end users who are outside the command and control of IT, and who are less than optimal decision makers when it comes to reasoning about risk.

The steps in architecting a cyber-resilient infrastructure are: 1) identify and document all the business processes as a coherent baseline of things such as people, process flows, systems, and facilities; 2) for each process, document all known risks and brainstorm potential risks; 3) classify business processes in terms of the criticality of business operations; 4) design and deploy controls to mitigate risks and recover operational status; 5) assess control resiliency; 6) develop a nonpriority asset recovery process; and 7) establish a continuous cyber-resilient monitoring and change process.

The complexity lies in performing these steps. The book outlines tools and techniques for performing specific tasks. For example, it recommends the unified modeling language (UML) to document processes. Notwithstanding the difficulties of correctly modeling in UML, which is a rich modeling language that requires many years of study and experience, accurately constructing a business process that is hidden within software (like SAP) or runs through multiple inter- and intra-organizational entities is challenging.

Because the book lacks case studies and examples, the details presented are prescriptive. Someone with extensive business consulting experience in process and business reengineering will find the book useful for leading an organization-wide cyber resilience project.

Reviewer: Don Chand
Review #: CR146623 (1909-0339)

1) Khan, Y. I.; Al-Shaer, E.; Rauf, U. Cyber resilience-by-construction: modeling, measuring & verifying. In Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense, ACM, 2015, 9–14.