Computing Reviews
Advanced persistent security : a cyberwarfare approach to implementing adaptive enterprise protection, detection, and reaction strategies
Winkler I., Gomes A., Syngress Publishing, Cambridge, MA, 2016. 260 pp. Type: Book (978-0-128093-16-0)
Date Reviewed: Jan 12 2018

The idea is simple (you just have to accept it): any cybersecurity defense that you may build to protect your organization will (eventually) fail. Period. The optimal way to proceed beyond that simple fact is to anticipate it by design, and build a security approach that will accept the failure and a security methodology that will detect the failure. Then respond to the detected failure (if you detect it early, you will probably be able to successfully minimize its negative effects), and eventually improve the protective dimension that failed (be it hardware, process, policy, firewall, perimeter, software, person, and so on). Then (persistently) repeat. The cybersecurity journey is never ending, as the environment inside and outside your organization is dynamic and continuously changing (I am talking about the threats of course); therefore, your approach, as the authors clearly explain, must have structure, methodology, and clear governance, and also be culture-changing. It must put people--and failure--at the center.

All these themes are very well presented in this book, which in my opinion will become a classic. The cybersecurity and cyberwarfare concepts are explained and analyzed in clear, balanced, and understandable language. Don’t misread me here. This book is not an extended newspaper article. It is a book presenting complex notions and methodologies in an exact, analytic, but very readable manner. More than this, the authors offer clear advice on many security issues and methodologies in a down-to-earth, realistic, and doable way. They try consciously and persistently to remove all the hype around the security incidents that they discuss and to explain exactly what failed, to empower their readers at the end with a sense of perspective and a sense of reality. This alone puts the book in the top ranks.

I believe that this book should be read by all CxOs (chief executive officers (CEOs), chief information officers (CIOs), and chief operations officers (COOs)), other executives, ICT professionals, ICT security professionals, security students, and many other people holding corporate or government roles. Everybody will benefit from reading the book, because they will understand clearly what security is about, and where exactly people’s roles are positioned in the security landscape.

The authors do not discuss the micromechanics of security, but the systemic mechanisms of it. They discuss how and why a comprehensive security program must appropriately balance focus and effort (and money) around three principal axes: protection, detection, and response. Protection is an obvious place to put money and effort, but if left alone, as is frequently the case in many organizations, it is mostly a waste of money, and will fail. Detection is a principal axis because, when some protective measures fail, you may resolve the incident successfully if you detect the failure early, especially if you are as strong in the third axis: response. The authors present a structured, well-prepared, and organized response methodology that not only takes care of the technology issues, failures, and parameters, but also the business, legal, people, customers, and other dimensions. But for these three axes to work successfully, they must be governed by well-defined policies, roles, and processes, and they must involve appropriate interconnected technology.

In the end, effective cybersecurity is also a people issue and a governance issue--not just a technology issue. If you are well organized and you systematically work and rework these nine work packages (protect, detect, and respond multiplied by policies, roles and processes, and technology), then you practice a good approximation of what the two authors describe as advanced persistent security. I have a strong feeling that their proposition of advanced persistent security will echo in the most successful security programs for years to come.


Reviewer: Constantin S. Chassapis
Review #: CR145768 (1803-0141)
Security and Protection (K.6.5)
Abuse And Crime Involving Computers (K.4.1 ... )

Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®