Foreword
Not long ago, I was the Director of Cybersecurity Policy at the U.S. Department of Homeland Security (DHS). In that role, I routinely met with the department’s staff responsible for cyber security operations. In one such meeting, focused on cyber risk management and metrics, we were having a bit of a difficult time seeing one another’s perspectives on a related issue. At one point a senior member of the operations staff looked across the table at me and opined, “You actually think policy ought to drive operations?”
Beyond the obvious dysfunction behind his question, it pointed to some of the core themes this book attempts to address: cyber security policy’s importance, its relation to both strategy and operations, its relevance to a very diverse set of stakeholders and decision makers, and the inevitable controversy and debate it engenders. These are very much the issues of our time, but they are not issues for the timid.
Perhaps to my DHS colleague’s chagrin, in fact, policy does and should drive operations. As the authors clearly point out, policy necessarily drives decisions at many different levels. How many of us have not heard the President of the United States include these words in a speech, “it is the policy of my administration. … ”? His job is (with Congress) to set national policy, approve appropriate implementation activities to carry out that policy, and then ensure that policy is properly enforced or adjusted as circumstances dictate. Executives at other ...