Drive cybersecurity strategy, investment, and culture.

Your success depends on cyber-readiness. Both depend on you.

Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization’s cyber risks requires awareness of cybersecurity basics. 

As a leader, you need to drive your organization’s approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.

Cybersecurity begins with strong physical security. 

An employee accidentally leaves a flash drive on a coffeehouse table. When he returns hours later to get it, the drive - with hundreds of social security numbers saved on it - is gone.

Another employee throws stacks of old company bank records into a trash can, where a criminal finds them after business hours.

A burglar steals files and computers from your office after entering through an unlocked window.

Lapses in physical security can expose sensitive company data to identity theft, with potentially serious consequences.

The United States’ reliance on networked systems and the high costs associated with cyberattacks have led many leaders in the US government and the Department of Defense (DOD) to prioritize protecting our critical networked infrastructure. Part of that focus is trying to develop a strategy for deterring adversaries from attacking our networks in the first place. 

This effort has led to much debate around the question of whether cyber deterrence is possible. Answering this question is difficult since the number of adversary groups capable of attacking US networks is large and our ability to deter each group will vary based on its motives and levels of risk tolerance. 

The United States should not expect a cyber deterrence strategy to achieve the kind of results seen with our nuclear deterrence strategy during the Cold War. However, a limited US cyber deterrence strategy is possible. 

To be effective, this strategy must be multilayered and use all instruments of US national power. The strategy employed against one adversary group (e.g., criminal actors) will be different than that against another group (e.g., state or state-sponsored actors). 

This book explores: 

1. The difficulties of deterring unwanted cyber activities by each group of cyber threats
2. Realistic expectations for a deterrence strategy
3. Proposals to help mitigate the problems

For additional resources, visit CISA.gov/Cyber-Essentials or email CISAEssentials@cisa.dhs.gov.