2018-05-25
A brief but comprehensive introduction to business cybersecurity for tech newbs. Business executives commonly find cybersecurity a daunting subject—complicated and gloomily obsessed with nightmarish catastrophe. Debut author Moschovitis, a professional cybersecurity analyst, provides a pragmatically minded and accessible primer on the subject that won't transform readers into experts but will allow them to engage in informed conversations with those who are. The study proceeds without any assumptions of prior knowledge, beginning with a basic introduction to the nature of risk and how to assess it, what precisely needs protecting, what kinds of threats and defensive strategies are possible, and an overview of best practices and a means to measure success. And in case all that planning fails nevertheless, the author also discusses incident-response plans. Moschovitis helpfully includes a focus on the culture where such issues are bureaucratically managed and explains the place cybersecurity occupies within the overall IT ecosystem. He builds a running glossary over the course of the book—helping facilitate conversation between executive managers and their cybersecurity experts—and furnishes numerous case studies to illustrate his principal points. He approaches these terminological clarifications in the spirit with which the entire work is composed in an effort to produce the kind of "meaningful definition we can pin to our monitors, consult frequently, and easily understand." Moschovitis has a talent for translating the technically inscrutable into plain, informal prose. Cybersecurity is a maddeningly complex subject, and he manages to provide a remarkably synoptic introduction with admirable concision. This is more than just a catalog of conceptual elucidations—the author also gives an account of the stakes in devising a cybersecurity strategy. In other words, he gives inexpert executives the necessary knowledge to make their own decisions about what counts as an acceptable risk and which assets are the companies' most important and therefore in need of the most vigilant protection. Moschovitis does sometimes meander too far, and when he does, he is prone to precisely the kind of tedious, gratuitously technical prose he decries: "Governance is the collective set of principle-guided actions that when applied guide a company to the fulfillment of its goals." The chief difficulty isn't the writing, though it seems as if computer jargon has been replaced by equally banal business-management jargon. (Is there a set that isn't "collective"?) The real problem here is that while executives might be wholly ignorant of the basic principles of cybersecurity, it's unlikely they need a quick course in business administration as well. It's probably safe to assume that the kind of senior staff tasked with managing cybersecurity concerns doesn't need an explanation of governance, especially one so anodyne. Notwithstanding his tendency to overexplain, Moschovitis impressively achieves his intended goal—a comprehensive account of cybersecurity that makes intelligent strategic collaboration between experts and nonexperts possible. A valuable resource for executives concerned with the protection of vital technological property.