Alan Calder on Cyber Resilience

An interview with an award-winning author.

Alan Calder, the CEO of GRC International Group PLC, IT Governance’s parent company, was recently awarded the Best Cyber Book of the Year award at The Real Cyber Awards 2023 for his new book Cyber Resilience – Defence-in-depth principles.

To mark the occasion, we sat down with him for this special interview.

Many congratulations on your book award! How do you feel?

Thank you. It was a very exciting moment, and of course, I’m absolutely delighted about the win. But I’m also very proud of the team. Writing a good book requires a team effort, and I particularly want to credit ITGP [IT Governance Publishing] for all their hard work behind the scenes.

What gave you the idea for the book?

It’s long been clear to me that cyber attacks are multi-pronged. The idea that you can repulse them with a single line of defence is just barmy. Millennia of human history teach that attackers will find their way through multiple lines of defence, and that survival – or what we call ‘resilience’ in business and cyber terms – depends on having more lines of defence than an attacker can overcome.

Furthermore, cyber attacks aren’t focused simply on overcoming technical defences, so defence in depth has to be based on a GRC [governance, risk and compliance] approach. Many years ago, the way to get into a well-defended, multi-walled fortress was to subvert a gatekeeper to let you in. Even further back, the tactics involved a wooden horse – and understanding the need for an intelligent, risk-based approach to cyber security drives my view that cyber defence in depth is the secret to survival.

Can you tell us a bit more what your book is about?

It’s really intended as a sound introduction to cyber resilience and defence in depth, predominantly focusing on core principles, particularly in the first part of the book. This includes discussing key concepts related to these topics, especially risk assessment and management.

To support those principles, the second part of the book discusses 19 good-practice controls – again, at a fairly high level – ranging from basic technical and organisational controls like malware protection and asset management, to governance-type controls such as internal audits that may be better suited to organisations that already have the basics in place.

Who is the book meant for?

My book simply offers readers a solid foundation – it isn’t intended to be an implementation guide, but something that offers readers a good starting point in their cyber implementation projects. As such, I made a point of writing it in plain English, so it’s suitable for anyone tasked with improving the security in their organisation without necessarily having the right technical background to know what concrete actions they should take.

It can also be a good companion for people with some experience in implementing basic security – Cyber Essentials-style measures, for example – but with little to no background in implementing cyber resilience. In other words, they might be familiar with implementing measures that should prevent most common attacks, but not with measures that are designed to detect potential incidents or enable the organisation to quickly recover from a successful attack.

So what’s next for you? Do you have more books in the pipeline?

Actually, yes. The eighth edition of IT Governance – An international guide to data security and ISO 27001/ISO 27002, which I’ve written with Steve Watkins, is now available for pre-order, and will likely be published in February next year. This is the recommended textbook for The Open University’s postgraduate information security course.

I’m also working on the second edition of The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks. This is a good follow-up read to Cyber Resilience – Defence-in-depth principles, as it also covers cyber resilience and defence in depth, but goes into much more detail on specific controls, including a significant amount of implementation guidance.

Cyber Resilience – Defence-in-depth principles

Cyber Resilience – Defence-in-depth principles will give you a good understanding of the fundamentals of cyber security and resilience, without tying them to specific standards, frameworks or solutions, and provide an excellent starting point for any cyber resilience implementation project.

To celebrate Alan’s win, we’re offering a 15% discount until the end of November, so get your copy of this award-winning book today. The discount is automatically applied at the checkout.