
and how to shape those all-important security-related facets of your organizational culture.

      Here's a quick breakdown of what's to come.

       Part I: Foundation

      Part I is all about building a foundational understanding of why security culture is a critical, got-to-pay-attention-to-it-now topic. We discuss the current issues with defining “security culture,” offer some hints to an ultimate definition (yeah, you'll have to wait a bit before we spill the beans on that one), and why security culture is a board-level imperative. We'll also provide some tie-ins with Perry's earlier work, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors.

      Part II: Exploration

      Part II is all about exploration. We focus on giving concrete examples of what a strong security culture looks like and what the consequences of a poor security culture can be. We'll put organizational culture and security culture under a microscope and examine the various subcomponents we find. Along the way, we will throw in some concepts from sociology, organizational culture management, and a few other disciplines. You'll also gain valuable insights from culture experts outside of the cybersecurity domain.

       Part III: Transformation

      Here is where the proverbial rubber meets the proverbial road. Part III is about doing the work. It's about transformation. We'll walk you through the Security Culture Framework, a process that Kai developed over 15 years ago for getting a handle on security culture so that it can be improved. Since its creation, this process has been adopted by organizations and governments around the world. And, because anything worth managing is worth measuring, we'll take a deep dive into how to scientifically measure security culture across seven dimensions, and we'll give an overview of the Security Culture Survey, a tool that Kai and his team created over a decade ago. Since that time, it's been honed into a finely tuned scientific instrument that's been used to collect and analyze the largest security-culture-related dataset on earth. We'll also discuss culture-related gotchas, sticking points, and more. In the last bit of Part III, you'll hear from a number of security experts as they discuss security culture, and we'll leave you with some valuable tools and insights so that you can immediately leverage everything from this book. You'll be able to discuss security culture with confidence, measure maturity, gain executive support, and more.

      We've also created a resource site for this book where we'll upload new worksheets, research studies, and other useful security culture-related information. It's at SecurityCultureBook.com.

       How to Contact the Publisher

      If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

      In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission”.

       How to Contact the Authors

      We appreciate your input and questions about this book! Connect with Perry or Kai on LinkedIn at www.linkedin.com/in/perrycarpenter and www.linkedin.com/in/kairoer.

      Welcome to the journey! In Part I, we introduce the concept of security culture, why it is important, and (most importantly), the fact that you can measure and improve your culture. There's a lot to cover, so let's get started. But even before you turn to the first page of Chapter 1, we think it's important to give you a definition of security culture.

       Security Culture: The ideas, customs, and social behaviors of a group that influence its security.

       Chapter 1: You Are Here

       Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern

       Chapter 3: The Foundations of Transformation

      The greatest danger in times of turbulence is not the turbulence—it is to act with yesterday's logic.

       Peter Drucker

      “Security culture” has become a hot topic of late. If you are a cybersecurity or business leader, you've no doubt seen the term appear in online articles, security presentations, and even a few vendor pitches. It's become a buzzword (or buzz phrase, if you want to be picky) du jour. Unfortunately, most of the time it is little more than a phrase uttered with gravitas, but devoid of real meaning.

      Security culture is often confused with security awareness, the implementation of security processes, or even the use of security tools by end users. That initial misidentification becomes even more confusing because each of those things can feed into, or become an artifact of, security culture—but they are not in and of themselves security culture. Security culture is something different, something unique that is undeserving of the confusion that all too often surrounds it. And you know that; otherwise, you wouldn't be reading this book.
