The author, Phil Zongo is Zimbabwean-born, but now resident in Australia. He is a well-regarded cyber security expert, strategic adviser and author.
He has been widely published in a variety of journals and has received numerous awards from ISACA and other professional bodies. In the past 14 years, Zongo has consulted widely with major corporations to assist with their cybersecurity strategies. This is his first book.
The book is meant to be a guide for cyber resilience, aimed at corporate senior executives.
- build a cyber-security strategy centred on high-value assets;
- put people at the centre of cybers ecurity strategies;
- bake cyber security into innovative programs;
- implement a risk-based assurance program over suppliers; and
- create highly effective, lean and efficient governance structures.
Perhaps Zongo's five anchors are somewhat "motherhood" in their scope, but he provides plenty of examples showing intrusions that would have been defeated if these anchors had been properly implemented.
The five main chapters of the book address the anchors and offer plenty of background and description along with what can go wrong. There is also useful guidance on an extensive implementation of each anchor.
The book's introduction addresses a brief history of cyber crime and very clearly explains how a total defeat of such a scourge is essentially impossible, instead it is important to assess and prioritise, and to be smarter about applying limited resources to the problem. While reading this section, I was reminded time and again of the quote attributed to one of the IRA leaders in reference to the late Margaret Thatcher during "The Troubles". He said, "You have to be lucky all the time, we only have to be lucky once."
It is within this context that Zongo stresses the need to manage a corporation's resources to identify the most important assets (anchor 1); to ensure the entire company is on-board (anchor 2); to seek innovative solutions to current problems, including IoT, Cloud, Blockchain etc. (anchor 3); to recognise that suppliers are a major intrusion channel and to protect that path (anchor 4) and to improve governance structures to remove turf wars and to optimise comprehension at the highest levels of an organisation (anchor 5).
Within the context of anchor 5, Zongo also notes that very few boards have members with cyber skills and worse, the information being passed to them from the C-suite, and below, is either obfuscating, unintelligible or 'baffling them with bulls**t' (as the vernacular goes).
The book is suitable for lay readers as it doesn't delve too deeply into technical language. It is strongly recommended as mandatory reading for any senior corporate manager or board member to assist in an understanding of the broader issues and also to frame the questions to be asked (of the experts within the organisation) and the problems that need to be addressed.
It will also give management a framework for optimising the use of their resources. "Five Anchors" should also be mandatory reading for CISOs to better prepare them for potentially difficult discussions that will be instigated by board members who have take the time to read and digest this book!
Of course no book, this one included, is capable of giving specific advice for an individual organisation, however there is plenty here to cause thought and reflection; and hopefully will lead to greater cyber-resilience. Recommended.