Book introduction - Real life cybersecurity: How program building actually works.

Below is the introduction section from my upcoming book, titled "Real life cybersecurity: How program building actually works". It details my reasons for writing it, both personal and general, as well as a value proposition for you to know what you might be getting from reading it. You can find the book at this link: https://a.co/d/eRudF4m

It's currently only available for pre-order as a Kindle ebook version, with the release date set to December 31st 2023, and the paperback version upcoming on January 31st 2024. Enjoy.

Alright, I guess we can’t completely skip over the formalities. Let’s set up our premise.

This introduction is deliberately shorter than what you typically find in most books. It’s just a personal preference that I find myself wishing for while reading, especially when it comes to technical books. I usually want to get into the thick of the action and start learning as soon as possible, so I’m implementing the change I wish to see in the world. Perhaps it’s just me? Do let me know, find me on LinkedIn and tell me what you think if you’re reading this.

Anyway, why am I even writing this book? I suppose it's because I'm very frustrated. It's literally annoying to work in an environment where we try to tackle a very complex ecosystem like cybersecurity with naive and ineffective tactics. I'm frustrated about the immense lack of understanding when it comes to fundamentals, and the culture around security engineering. We cut too many corners, we fall in love with buzzwords, we do things in the completely wrong order, we focus on what doesn't matter, and we get the basics very wrong.

It's not that I blame engineers for the problem. If I did, I wouldn't be writing this book. After all, you don't get to be a security engineer if you're a dummy. You do know better. You do understand what to protect. You probably already are protecting it. What nobody taught you was how to formalize this protection and make it consistent, and how this all fits in the bigger picture.

So, what gives? What's the issue we're actually facing?

Well, there's a much more systemic problem going on, one that centers around communicating the aforementioned fundamentals, and being ashamed of spending time on the basics at the risk of sounding banal and looking like a rookie. I'm unapologetically trying to teach you the basics that you didn't learn, and telling you to be proud of discussing them. If you read for long enough, you will hopefully notice that those basics are not so basic after all, that cutting corners will inevitably catch up with you, and that you now understand cybersecurity at a much deeper level that will enable you to grow.

In fact, this book is mostly for you, yes, you, the engineer trying to make something out of nothing in a chaotic environment. If you're trying to figure out this compliance thing that has been thrown in your lap, this book is for you. If you don't understand what risk management is, this book is for you. If you can implement DevSecOps tools like a champ but you're hearing about acceptable use for the first time ever, this book is for you. If you struggle to explain why a certain security measure is necessary when challenged by disgruntled users, this book is definitely for you. Next time, instead of saying it's "for security reasons", you'll be equipped with the right set of tools in your toolbox to answer more accurately and decisively when asked about that MFA thing that was recently implemented and what it's for anyway.

I will use that toolbox analogy as a springboard to tell you about my approach to writing this book. If you’re familiar with my writings (LinkedIn and magazine articles, this is my first book), you’ll know that I will use and abuse a good analogy to drive a point across. This book dials it up to 11. We will mark each chapter with a new tool, explain the concept, and provide an example of how this tool would help us in the real world. Hopefully, we will have a full toolbox by the end of the book, and we will be ready to give IKEA a run for its money. I want to help you furnish the most beautiful and sustainable house that you can possibly fathom.

Let’s explore some more; I want you to really understand the value you’re getting out of this. Back to the beginning: we’re here for the not-so-basic basics, the fundamentals if you will.

So, what are those fundamentals I keep rambling about? And what exactly is the problem? Well, I have one word for you: dependencies. Simply put, there's a certain order in which to do things. More precisely, if you decide to mess with this order, you need a set of guardrails to make sure you don't create a mess that leaves you worse off than when you started.

How do we make mistakes and do things in the wrong order? Good question, let's talk about it.

It really grinds my gears when I witness people put the controls carriage in front of the risk assessment horse. That's just one example of a fundamental and immensely painful mistake, but it's such a prevalent one that I will use it as my launch pad. So what's the damn problem (again)? And why do we make that mistake so often? We simply don't know any better. We don't understand risk assessment, simply because nobody has ever taught us. I'm here to fix that problem.

This book is a no-nonsense attempt at understanding cybersecurity. We won't be vague or avoidant, we won't dance around the problem and hide behind industry jargon, and we most definitely won't cut corners. Instead, we will show working examples, we will provide ourselves with the necessary knowledge, and we will build that cybersecurity program.

There is no single right way to read this book, but there are some wrong ways. If you read only one chapter in this book, as much as I hope you'll read more, make sure it's chapter 0. It really does show you how the sausage is made. I will show you in tear-inducing detail how it all works and what the big picture looks like. I will tell you where to start, and how to reach the goal of protecting your assets in a systematic and fundamentally sound way. For those of you who are a little bit seasoned and already know the terminology, I will show you how to reach a point where you can enumerate and design controls.

After that, we will move on to explaining each step of the process, while sticking to our toolbox analogy. With each new tool, we will learn concepts, walk through examples, and gain a fuller understanding of when to acquire this tool and what to use it on. "Don't strike a hammer with another hammer", that's what we often hear. Well, I'm here to help you master the use of said hammer.

The book is also divided into 3 parts. The first part is all about process-related concepts, and how the step-by-step approach works to get you to the destination. This may sound straightforward and basic, but as mentioned earlier, we will delve into the intricate details of each element of our toolbox, and we will find out how devilish the details can truly be. The second part will show you a few tricks to expedite the process in a clean and sustainable way. If you want to bootstrap a program to protect assets quickly, and you have no idea where it all begins or ends and how much money to spend, this section is for you. The third part will show some wider technology and cybersecurity concepts, sometimes expanding on something we mention in one of the previous chapters, and will serve as a pocket reference for you to come back to in times of need.

It's time to learn how things work in real life, where there's no free lunch, and where cutting corners is all too similar to technical debt: it'll come back to bite you in the rear end. This is actually the inspiration behind the cover. The top half is a nice and orderly dark blue representation of the night sky, one you might encounter in paintings or books. The bottom half is a photograph I took at an undisclosed location in Germany, a long exposure of the night sky showing it in its real authentic glory, clouds and all. This is often how nuanced things are in the real world. You will never have a uniform and beautiful canvas. You will always have to navigate some clouds and background elements. Equipped with the right tools in your toolbox, you will learn what it's like to do real life cybersecurity.

Enjoy the ride. I'm looking forward to watching it all click for you.

Bardia Javid

Business analyst - 6x Salesforce Certified

1 year

Had the pleasure to meet Roland. We had a brief chat in person about his new publication, and although the subject is irrelevant to my background, I find the title very exciting. His way of thinking is genuinely unique. Accompanied by his wonderful skill in writing, this puts the title on my wishlist. Can't wait to read it.

Roland Gharfine

Principal Security Engineer | Cloud security expert | CISSP | CISM | AWS Certified x8 | Kubernetes certified x3 (CKA/CKAD/CKS)

1 year
