Foreword

Not long ago, I was the Director of Cybersecurity Policy at the U.S. Department of Homeland Security (DHS). In that role, I routinely met with the department’s staff responsible for cyber security operations. In one such meeting, focused on cyber risk management and metrics, we were having a bit of a difficult time seeing one another’s perspectives on a related issue. At one point a senior member of the operations staff looked across the table at me and opined, “You actually think policy ought to drive operations?”

Beyond the obvious dysfunction behind his question, it pointed to some of the core themes this book attempts to address: cyber security policy’s importance, its relation to both strategy and operations, its relevance to a very diverse set of stakeholders and decision makers, and the inevitable controversy and debate it engenders. These are very much the issues of our time, but they are not issues for the timid.

Perhaps to my DHS colleague’s chagrin, in fact, policy does and should drive operations. As the authors clearly point out, policy necessarily drives decisions at many different levels. How many of us have not heard the President of the United States include these words in a speech, “it is the policy of my administration. … ”? His job is (with Congress) to set national policy, approve appropriate implementation activities to carry out that policy, and then ensure that policy is properly enforced or adjusted as circumstances dictate. Executives at other levels have similar responsibilities.

In the evolution of all things cyber, however, policy has not been a driver. Rather, it has been an afterthought. The authors make this very point in several ways, and in so doing, they raise a vitally important issue: should cyber security policy always be reactive? The obvious answer is “no;” or else the operations and standards it drives will also always be reactive, leading to an inherently untenable situation in which cyber security efforts always lag the attacks they are meant to prevent. If this situation sounds all too familiar, it is because cyber security practitioners have been on this treadmill far too long, with no sign of it ending.

The great problem, of course, is that the setting of proactive cyber security policy is, at least in any democratic environment, an extremely difficult and time-consuming task. Even the simplest perusal of Chapter 6 of this book will be sufficient to inform the reader that the ground on which almost any cyber security policy is contested is muddy ground indeed.

As a general rule, when one is most muddled with the complexity of building a particular system correctly, it is best to take a big step back—and then elevate oneself to see the larger picture. Only then can one ask the all-important question framed in this book, “Am I building the right system?” In my own experience, the too frequent answer to this question is “no.” It is incredibly painful for those who are building the wrong system, but building it correctly, and therefore deeply invested in it, to hear that answer.

All of which points, I believe, to the raison d’être for a Cyber Security Policy Guidebook such as this. If read with an unjaundiced eye, it will help the reader to see the bigger cyber security picture and its vitally important policy setting, no matter the vantage point. This cannot help but be an aid.

It is a very happy circumstance that the authors of this book are highly regarded professionals, experts in their respective niches, and that they bring many years of experience to the topic. As they point out, the topic is incredibly expansive—a natural result of the ubiquity of “cyber” anything in today’s networked world. Indeed, if the topic were not so incredibly important and relevant, it might be silly even to attempt to get one’s arms around it.

But to anyone for whom national security, business operations, or anything related to the Internet is important, and that covers most of us, understanding some measure of the topic is critical. To that end, this book is most useful.

Andy Cutts
Former Director of Cybersecurity Policy at the U.S. Department of Homeland Security
