This large work begins with an introductory preface that provides historical perspective on cybercriminals and introduces the authors and the basic tenets of the book. The work is divided into two broad parts: the first gives detailed descriptions, root cause analyses, and key lessons learned for several of the largest data breaches of the recent past; and the second part provides advice on how to achieve effective security for information and communications technology (ICT) systems. Crucially, the language of the book aims to be understood by general management, and not just technical specialists.
Chapter 1 discusses the high-level root causes and attack methods used in recent major data breaches that have allowed criminals to break into so many organizations, and covers both systemic organizational issues and technical issues. The following seven chapters of Part 1 each describe, in some detail, large recent cyberattacks, including the Capital One breach of 2019, the Marriott breach of 2018, and the Equifax breach of 2017, along with successful attacks on Facebook, Yahoo, Target, JPMorgan Chase, and the US Office of Personnel Management. In each case, the vulnerabilities and mechanisms that led to the successful breaches are discussed; importantly, the root causes are succinctly reduced to simple terms. Details of what was stolen and the overall impact of the attacks are explained, along with discussion of how the attacks may have been prevented. The discussion is interesting and in particular notes that, at the time of the attack, the victim organizations were largely compliant with industry security standards.
The nine chapters of Part 2 provide Daswani and Elbayadi’s recommendations on processes and habits to help organizations secure their data assets, similar to the recommendations of Sloan and Warner. Technology, processes, and simple routine habits that can help protect ICT systems are discussed. Chapter 9 describes seven habits that, in the authors’ opinion, can deliver highly effective security. Chapter 10 provides advice to board-level management on security risk management, largely without the use of technical jargon, while Chapter 11 provides similar advice for technology and security leaders. Chapters 12 and 13 discuss technical defenses against malware and phishing attacks, focusing on addressing the root causes of breaches. The need for assessing the security posture of suppliers, secure software development practices, the patching and updating of software, and vulnerability management processes is covered, along with the need for security education for employees. Chapter 14 broadens the focus to look at recent security investment trends and suggests areas of future funding. Chapter 15 provides advice to consumers, whether they are simply using online data or providing their personal information to organizations. Defensive habits are discussed, including password selection and management, multi-factor authentication, anti-malware, and the need for regular software updates on consumer devices. A minor editorial slip: the synopses of chapters 14 and 15 in the introductory chapter are reversed.
Chapter 16 discusses potential careers in the field of cybersecurity and describes the structure, management, and governance of an example cybersecurity function within an organization. Chapter 17 provides an excellent, short recap of the entire book, including simple tables to highlight the key points of each chapter. There is a detailed table of contents and a good index, and chapters conclude with succinct summaries. In essence, Daswani and Elbayadi have brought Fowler’s 2016 work up to date. This is an excellent reference for anyone working in the area of ICT cybersecurity. Management in particular will find it useful, as the authors have tried to keep technical jargon to a minimum while explaining the steps that can be taken to protect against cyberattacks and minimize their impact on organizations.