Full Chapter Rational Cybersecurity For Business The Security Leaders Guide To Business Alignment Dan Blum PDF

Rational Cybersecurity for Business:
The Security Leaders' Guide to

Business Alignment Dan Blum
Visit to download the full and correct content document:
https://textbookfull.com/product/rational-cybersecurity-for-business-the-security-leade
rs-guide-to-business-alignment-dan-blum/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Navigating the new retail landscape : a guide for

business leaders First Edition Reynolds
https://textbookfull.com/product/navigating-the-new-retail-
landscape-a-guide-for-business-leaders-first-edition-reynolds/
Cybersecurity Program Development for Business: The

Essential Planning Guide 1st Edition Chris Moschovitis
https://textbookfull.com/product/cybersecurity-program-
development-for-business-the-essential-planning-guide-1st-
edition-chris-moschovitis/
Privacy, Regulations, And Cybersecurity: The Essential

Business Guide Chris Moschovitis
https://textbookfull.com/product/privacy-regulations-and-
cybersecurity-the-essential-business-guide-chris-moschovitis/
China’s Intellectual Property Regime for Innovation:

Risks to Business and National Development Dan
Prud’Homme
https://textbookfull.com/product/chinas-intellectual-property-
regime-for-innovation-risks-to-business-and-national-development-
dan-prudhomme/
Understanding personal security and risk : a guide for
business travelers 1st Edition Goslin
https://textbookfull.com/product/understanding-personal-security-
and-risk-a-guide-for-business-travelers-1st-edition-goslin/
Tribe Of Hackers Security Leaders: Tribal Knowledge

From The Best In Cybersecurity Leadership Marcus J.
Carey
https://textbookfull.com/product/tribe-of-hackers-security-
leaders-tribal-knowledge-from-the-best-in-cybersecurity-
leadership-marcus-j-carey/
Becoming a global chief security executive officer a

how to guide for next generation security leaders 1st
Edition Cloutier
https://textbookfull.com/product/becoming-a-global-chief-
security-executive-officer-a-how-to-guide-for-next-generation-
security-leaders-1st-edition-cloutier/
Strategic Communication in Business and the Professions

8th Edition Dan O'Hair
https://textbookfull.com/product/strategic-communication-in-
business-and-the-professions-8th-edition-dan-ohair/
The essential guide to business for artists designers

2nd Edition Alison Branagan
https://textbookfull.com/product/the-essential-guide-to-business-
for-artists-designers-2nd-edition-alison-branagan/
Rational
Cybersecurity
for Business
The Security Leaders’ Guide
to Business Alignment
―
Dan Blum
Rational Cybersecurity
for Business
The Security Leaders’ Guide
to Business Alignment
Dan Blum
Rational Cybersecurity for Business: The Security Leaders’ Guide to Business
Alignment
Dan Blum
Silver Spring, MD, USA
ISBN-13 (pbk): 978-1-4842-5951-1 ISBN-13 (electronic): 978-1-4842-5952-8

https://doi.org/10.1007/978-1-4842-5952-8
Copyright © 2020 by Dan Blum

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0
International License (http://creativecommons.org/licenses/by/4.0/), which permits use,
sharing, adaptation, distribution and reproduction in any medium or format, as long as you
give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license
and indicate if changes were made.
The images or other third party material in this book are included in the book’s Creative Commons license,
unless indicated otherwise in a credit line to the material. If material is not included in the book’s Creative
Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted
use, you will need to obtain permission directly from the copyright holder.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not
identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Development Editor: Laura Berendson
Coordinating Editor: Jessica Vakili
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street,
6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-
sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member
(owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a
Delaware corporation.
For information on translations, please e-mail rights@apress.com, or visit http://www.apress.com/
rights-permissions.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and
licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales
web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available to
readers on GitHub via the book’s product page, located at www.apress.com/978-1-4842-5951-1. For more
detailed information, please visit http://www.apress.com/source-code.
Printed on acid-free paper
Table of Contents
About the Author�� xiii
About the Technical Reviewers��xv

Acknowledgments��xvii
Introduction��xix
Chapter 1: Executive Overview�� 1

1.1 Understand the Rational Cybersecurity Context�� 2
1.1.1 Risk and the Digital Business�� 3
1.1.2 Compliance and the Duty to Protect�� 5
1.1.3 Taking Accountability for Risk�� 7
1.1.4 A
ligning on Risk�� 9
1.2 Start the Rational Cybersecurity Journey�� 12
1.2.1 Define Rational Cybersecurity for Your Business�� 12
1.2.2 Gain Executive Support and Risk Ownership�� 13
1.2.3 Align Stakeholders on the Security Program�� 14
1.3 Set the Rational Cybersecurity Priorities�� 16
1.3.1 Develop and Govern a Healthy Security Culture�� 17
1.3.2 Manage Risk in the Language of Business�� 19
1.3.3 Establish a Control Baseline�� 20
1.3.4 Simplify and Rationalize IT and Security�� 21
1.3.5 Control Access with Minimal Drag on the Business�� 22
1.3.6 Institute Resilient Detection, Response, and Recovery�� 22
1.4 Scale Security Programs to your Organization Type�� 24
1.4.1 Size of the Organization�� 24
1.4.2 Complexity of the IT Infrastructure�� 25
1.4.3 S
ecurity Pressure�� 25
iii
Table of Contents
1.4.4 National and Industry Origins�� 26

1.4.5 Maturity�� 26
1.5 Call to Action�� 27
Chapter 2: Identify and Align Security-Related Roles�� 31

2.1 Recognize the People Pillars of Cybersecurity Defense�� 32
2.2 Understand Business and Security-Related Roles�� 34
2.2.1 Board-Level Oversight�� 34
2.2.2 Chief Executive Officers (CEOs)�� 36
2.2.3 Head of Security or CISO�� 37
2.2.4 Other Chief Executives (CXOs)�� 38
2.2.5 Audit, Compliance, and Other Security-Related Functions�� 38
2.2.6 C
orporate Administration�� 41
2.2.7 Line of Business (LOB) Executives�� 42
2.3 A
ddress Common Challenges�� 43
2.3.1 W
orking at Cross-Purposes�� 43
2.3.2 Cybersecurity Not Considered Strategic�� 44
2.3.3 Poor Coordination Between Security-Related Functions�� 45
2.3.4 Security Leaders Struggle with Stress and Overwhelm�� 46
2.3.5 Frustrated and Under-Resourced Security Teams�� 47
2.3.6 C
risis Conditions�� 49
2.3.7 B
ottom Line�� 49
2.4 Hire, Motivate, and Retain Key Security Staff�� 49
2.5 Make Engaging the Business the First Order of Business�� 52
2.6 Clarify Security-Related Business Roles�� 53
2.7 Earn Trust and Cooperation from Users�� 56
2.8 C
all to Action�� 58
Chapter 3: Put the Right Security Governance Model in Place�� 61

3.1 Address Common Challenges�� 62
3.1.1 Security Governance Model Not Aligned with Organizational Structure or Culture�� 62
3.1.2 Lack of Security Governance Maturity�� 62
iv
Table of Contents
3.1.3 Security Leadership Disengaged from Business Units�� 63

3.1.4 Perverse Incentives�� 63
3.2 Understand Security Governance Functions�� 64
3.3 Understand and Apply the Optimal Security Governance Model�� 65
3.3.1 C
entralized Models�� 66
3.3.2 D
ecentralized Models�� 67
3.3.3 T rade-offs�� 68
3.3.4 M
atrix Models�� 69
3.4 Reset (or Define) Security Governance�� 72
3.4.1 Choose the Appropriate Security Governance Model�� 72
3.4.2 Charter the Security Organization�� 73
3.4.3 Specify CISO Reporting�� 75
3.5 Institute Cross-Functional Coordination Mechanisms�� 77
3.5.1 Cross-Functional Security Coordination Function or Steering Committee�� 77
3.5.2 Risk Management Forums�� 79
3.5.3 Interaction with IT Projects and Other Security Processes�� 80
3.6 Manage Security Policy Libraries, Lifecycles, and Adoption�� 81
3.6.1 Types of Policy Documents�� 82
3.7 Budget in Alignment with Risk and the Governance Model�� 84
3.8 C
Chapter 4: Strengthen Security Culture Through Communications

and Awareness Programs�� 91
4.1.1 Business Executives Not Engaged at the Strategic Level�� 93
4.1.2 Business Units at Odds with IT and Security�� 93
4.1.3 Hard to Change Culture�� 94
4.1.4 Ineffective Security Communication Styles�� 95
4.1.5 Measuring Culture Is a Soft Science�� 96
4.2 Understand Security Culture and Awareness Concepts�� 97
4.2.1 Your Greatest Vulnerability?�� 98
4.2.2 Or Your Best Opportunity?�� 100
v
Table of Contents
4.2.3 Attributes of Security Culture�� 102

4.2.4 Security Culture Styles�� 103
4.3 Make Enhancing Communication a Top Security Team Priority�� 106
4.4 Use Awareness Programs to Improve Behaviors and Security Culture�� 109
4.4.1 Promote More Secure Behavior�� 110
4.4.2 Target Awareness Campaigns and Training Initiatives�� 111
4.4.3 Coordinate Awareness Messaging with Managers and Key Influencers in
Target Audiences�� 114
4.5 Commit to Improving Security Culture�� 116
4.6 Measure and Improve�� 117
4.6.1 Measure Your Ability to Improve Security-Related Communications�� 117
4.6.2 Measure the Effectiveness of Security Awareness Programs�� 118
4.6.3 Measure Security Culture Comprehensively�� 118
4.7 C
Chapter 5: Manage Risk in the Language of Business�� 123

5.1.1 Lack of Consistent Information Risk Terminology and Alignment with
Other Enterprise Risk Domains�� 124
5.1.2 Unrealistic Expectations and Ineffective Analysis Methods�� 125
5.1.3 Myopic Focus on Control Assessment While Ignoring Other Risk
Treatment Options�� 125
5.1.4 Analysis Paralysis and Uncertainty About Where to Start�� 126
5.2 Understand and Employ Risk Management Framework Standards�� 127
5.2.1 ISO 31000 Risk Management�� 127
5.2.2 Open Factor Analysis of Information Risk (FAIR)�� 127
5.2.3 Tiered Risk Assessment Process�� 129
5.3 Establish the Context for the Risk Program�� 130
5.3.1 Prepare Analysis of Business Risk Context�� 131
5.3.2 Outline a Proposed Risk Framework�� 132
5.3.3 O
btain Top-Level Sponsorship�� 132
5.3.4 Socialize Risk Framework for Broad Stakeholder Buy-in�� 133
5.3.5 Define Accountabilities, Risk Appetites, and Risk Processes�� 134
vi
Table of Contents
5.4 Implement Tiered Risk Assessment�� 135

5.4.1 Use a Tiered Risk Assessment Process�� 135
5.4.2 Implement Asset Risk Profiling�� 136
5.4.3 Identify Issues That Could Bubble Up to Risk Scenarios�� 137
5.4.4 Use a Lightweight Method to Triage Risk Scenarios�� 138
5.4.5 Develop Risk Scenario Evaluation Processes�� 140
5.4.6 Perform Enterprise Risk Assessments to Identify Top Risk Scenarios�� 142
5.5 Treat Risks Holistically�� 144
5.5.1 Formalize Risk Acceptance and Risk Exception Processes�� 145
5.5.2 Educate the Business on Risks to Avoid�� 145
5.5.3 Share Responsibility, Outsource, or Obtain Insurance to Transfer Risk�� 146
5.5.4 Evaluate Business Changes and Controls for Risk Mitigation�� 147
5.6 Monitor Issues and Risks Continuously�� 148
5.7 Communicate Risk to Stakeholders Effectively�� 149
5.7.1 Business Staff and Associates�� 149
5.7.2 Explaining Risk to Business Risk Owners�� 150
5.7.3 B
oard Communication�� 151
5.8 C
Chapter 6: Establish a Control Baseline�� 157

6.1 Understand Control Baselines and Control Frameworks�� 158
6.2.1 Too Many Controls?�� 160
6.2.2 Difficulty Risk Informing Controls�� 162
6.2.3 Controls Without a Unifying Architecture�� 162
6.2.4 Lack of Structure for Sharing Responsibility with Third Parties�� 163
6.2.5 Controls Out of Line with Business Culture�� 163
6.3 Select a Control Baseline from the Essential Control Domains�� 164
6.3.1 Serve Up a Balanced Diet of Controls�� 167
6.3.2 Identify All Aspects of Situational Awareness�� 168
6.3.3 Protect Information Systems and Assets�� 172
6.3.4 Win the Race to Detect�� 178
vii
Table of Contents
6.3.5 Respond Effectively and Appropriately�� 181

6.3.6 Recover from Outages or Breaches�� 181
6.4 Develop Architectural Models and Plans for Control Implementation�� 183
6.4.1 Maintain Assessments, Target Architectures, and Implementation Road Maps�� 183
6.4.2 Use a Two or Three Lines of Defense Model for Control Assurance�� 184
6.4.3 Apply a Shared Responsibility Model to the Control Baseline�� 185
6.4.4 Tune Controls to Security and Business Needs�� 189
6.5 Scale and Align the Control Baseline�� 190
6.5.1 Scale to Business Size, Type, and Industry�� 190
6.5.2 Align Control Deployment and Business Functions�� 192
6.6 C
Chapter 7: Simplify and Rationalize IT and Security�� 199

7.1.1 IT Out of Alignment with Digital Business Initiatives�� 200
7.1.2 Complexity as the Enemy of Security�� 201
7.1.3 New DevOps or Agile Models Fielded Without Security Provisions�� 202
7.2 Help Develop a Strategy to Consolidate and Simplify IT�� 204
7.2.1 Understand How to Reduce Macro-Complexity by Consolidating or
Rationalizing Enterprise Applications�� 205
7.2.2 Understand How to Consolidate Core Infrastructure and Security Platforms�� 206
7.2.3 Understand How to Simplify Micro-Complexity by Adopting Consistent
Management Practices for the IT Environment�� 208
7.2.4 Discern the IT Strategy and Align the Security Road Map to It�� 209
7.2.5 Take Opportunities to Position Security as a Coordinating Function�� 210
7.3 Learn from Digital Initiatives�� 211
7.4 Provide Security for a Governed Multicloud Environment�� 211
7.4.1 Identify the Risk of Shadow IT�� 212
7.4.2 Align with the Evolution from IT-as-Provider to IT-as-Broker�� 213
7.4.3 Manage Cloud Risk Through the Third-Party Management Program�� 214
viii
Table of Contents
7.4.4 Collaborate with IT on Operationalizing Shared Security Responsibilities�� 215

7.4.5 Include Security Services in the IT Service Catalog�� 216
7.5 Upgrade IT Operations with DevSecOps and Disciplined Agile�� 217
7.5.1 Use Risk-Informed DevSecOps Practices�� 217
7.5.2 Embrace the Disciplined Agile Approach�� 221
7.6 Call to Action�� 223
Chapter 8: Control Access with Minimal Drag on the Business�� 227

8.1 Understand Access Control and Data Governance Models�� 228
8.2.1 Immature Data Governance and Access Management Processes�� 230
8.2.2 Outdated IAM Deployments Meet Generational Challenges with Cloud,
Privacy Rights, and Forced Digitalization�� 231
8.2.3 The Red-Headed Stepchild IAM Team�� 233
8.3 Build Up IAM Control Baseline Capabilities�� 233
8.4 Balance Access Control and Accountability�� 235
8.5 Modernize IAM to Enable Digital Business�� 238
8.5.1 Manage Digital Relationships�� 238
8.5.2 Take a Proactive Approach on Privacy�� 239
8.5.3 Enhance Identity Interoperability and Agility�� 240
8.6 Monitor Identity-Related Events and Context�� 242
8.7 Build Up Identity, Privilege, and Data Governance Services�� 243
8.7.1 Understand Identity Governance and Administration (IGA) Requirements�� 244
8.7.2 Understand Privileged Account Management (PAM) and Just-in-Time (JIT)
PAM Requirements�� 245
8.7.3 Develop a Hybrid IGA and PAM Architecture�� 246
8.7.4 Model Roles and Business Rules to Drive IGA�� 248
8.7.5 Risk-Inform Access Management Functions�� 249
8.8 Implement IAM and Data Governance in a Cross-Functional Manner�� 252
8.9 C
ix
Table of Contents
Chapter 9: Institute Resilience Through Detection, Response, and Recovery�� 259

9.1 Understand Cyber-Resilience Requirements�� 260
9.2 Address Common Resilience Challenges�� 261
9.2.1 Business Unpreparedness for Incident Response and Recovery�� 262
9.2.2 Lengthy Cyberattacker Dwell Time�� 263
9.2.3 Lack of Visibility or Access to All IT Systems�� 264
9.2.4 Difficulty Hiring and Retaining Skilled Staff�� 264
9.3 Identify Critical Business Assets, Risk Scenarios, and Contingency Plans�� 265
9.3.1 Perform Business Impact Analysis (BIA)�� 265
9.3.2 A
nalyze Top Risk Scenarios�� 266
9.3.3 Develop Contingency Plans and Cybersecurity Strategy for Resilience�� 267
9.3.4 Develop Business Continuity and Disaster Recovery Plans�� 270
9.4 Detect Cybersecurity Events Consistently and Promptly�� 271
9.4.1 Monitor Event Logs, Alerts, and Reports�� 272
9.4.2 Investigate and Triage Real-Time Alerts and Issues Found in Logs�� 276
9.4.3 Modernize and Scale Detection for Distributed Infrastructure�� 277
9.4.4 Hunt for Threats Proactively�� 278
9.4.5 Coordinate Detection with Users, Business Stakeholders, and External Parties�� 279
9.5 Respond to Incidents�� 284
9.5.1 Plan for Incident Response�� 284
9.5.2 Establish the IR Program�� 287
9.5.3 Evolve the IR Program for Cyber-Resilience�� 289
9.6 Recover from Incidents Caused by Cyberattacks and Operational Outages�� 290
9.6.1 Activate Business Continuity and Disaster Recovery Plans�� 292
9.7 C
Chapter 10: Create Your Rational Cybersecurity Success Plan�� 297

10.1 Scope Out Your Priority Focus Areas�� 298
10.2 Identify Stakeholders�� 298
10.3 Make a Quick Assessment of Current State�� 299
x
Table of Contents
10.4 Identify Improvement Objectives�� 304

10.4.1 Develop and Govern a Healthy Security Culture�� 304
10.4.2 Manage Risk in the Language of Business�� 306
10.4.3 Establish a Control Baseline�� 307
10.4.4 Simplify and Rationalize IT and Security�� 308
10.4.5 Control Access with Minimal Drag on the Business�� 309
10.4.6 Institute Resilient Detection, Response, and Recovery�� 310
10.5 Specify Metrics�� 310
10.6 Track Progress�� 311
10.7 This Is Not the End�� 311
10.8 This Is the Beginning of an Open Information Flow�� 312
Glossary of Terms and Acronyms�� 315

S
ecurity Concepts�� 315
Tools and Technical Capabilities�� 317
Governance or Process Capabilities�� 320
Index�� 325
xi
About the Author
Dan Blum is an internationally recognized cybersecurity and risk management
strategist. He provides advisory services to CISOs and security leaders and thought
leadership to the industry. Formerly, he was a Golden Quill award-winning VP and
Distinguished Analyst at Gartner and one of the founding partners of Burton Group.
He has over 30 years experience in IT, security, risk, and privacy. He has served as the
security leader for several startups and consulting companies, and has advised 100s of
large corporations, universities, and government organizations. He is a frequent speaker
at industry events and has written countless research reports, blog posts, and articles.
During his tenure at Burton Group and Gartner, Dan Blum filled multiple consulting
delivery and content leadership roles. He led consulting and research teams for Security
and Risk Management, Identity and Privacy, and Cloud Security. He co-authored and
facilitated Burton Group’s signature Identity and Security Reference Architectures. He
managed successive Program Tracks at the Catalyst conferences and spoke at Gartner’s
Security Summit and many other third party events.
A Founding Member of the Kantara Initiative’s IDPro group and honored as a
“Privacy by Design Ambassador”, Mr. Blum has also authored three books, written for
numerous publications, and participated in standards or industry groups such as ISACA,
the FAIR Institute, IDPro, CSA, OASIS, Open ID Foundation and others.
xiii
About the Technical Reviewers
Christopher Carlson finished his 39-year career at The Boeing Company as an Associate
Technical Fellow. He entered the computing security field in 1982, holding a variety
of technical and management positions. Management highlights include leading the
company-wide classified computing security program, creating the company’s security
control framework in 1991, and being the security manager for the 777 program and
chief security officer for the Sonic Cruiser program, forerunner of the 787. Selected
technical responsibilities include defining requirements for and leading implementation
of a role-based access management system, introducing secure application development
methods, system management of a governance, risk and compliance system, and leading
selection and implementation of a data security and insider threat detection system.
C T Carlson LLC was established to provide information security writings and
advisory services. His book How to Manage Cybersecurity Risk: A Security Leader’s
Roadmap with Open FAIR was published in December 2019. Chris also produces
writings related to FAIR for The Open Group Security Forum.
Chris has a Master of Science in Computer Science from Washington State
University. He is a Certified Information Systems Security Professional and is Open FAIR
Certified.
Andrew Yeomans is a Chief Information Security Officer for Arqit Limited, which is
leading a pan-European consortium building a secure quantum cryptography satellite
network.
Andrew was on the management board of the Jericho Forum, an international
thought leadership group solving the security issues of a collaborative deperimeterized
world.
Previously, Andrew led Information Security Engineering, Architecture, and Strategy
for Lloyds Bank, Commerzbank, and Dresdner Kleinwort Investment Bank for 18 years,
after leading IBM’s European technical sales for Internet security.
xv
Acknowledgments
To my wife, family, and friends who make life worth living and whose support and
encouragement make this work possible.
To all whom I’ve worked with over the years and interviewed for this book: Thank
you for the knowledge you’ve shared.
And thanks to the security, business, and IT leaders interviewed for the book. Your
stories and suggestions have enriched the work immeasurably.
Rational Cybersecurity Interview List
Security, Business, and IT Leaders
Adi Agrawal Rick Howard Tom Sinnott

Cathy Allen Debra Lee James Vaughn Sizemore
Iftach Ian Amit Joey Johnson James Tompkins
Dan Beckett Jack Jones Simon Wardley
Brad Boroff Steve Katz Tim Weil
Kirk Botula William Kasper Evan Wheeler
Kip Boyle Diana Kelley Mary Wujek
Craig Calle Robert Kistner Andrew Yeomans
Christopher Carlson Omar Khawaja
Robina Chatham Thom Langford
Anton Chuvakin Alex Lawrence
Rob Clyde Jamie Lewis
Fred Cohen Tim Mather
David Cross James McGovern
Johnathon Dambrot Rick Mendola
(continued)
xvii
Acknowledgments
Rational Cybersecurity Interview List
Security, Business, and IT Leaders
Deirdre Diamond Harshil Parikh

Michael Everall Joe Prochaska
Ed Ferrara Kai Roer
Randall Gamby Alex Rogozhin
Mike Gentile Gary Rowe
Rocco Grillo James Rutt
Doug Grindstaff Greg Schaffer
Malcolm Harkins David Sherry
Karen Hobert Paul Simmonds
xviii
Introduction
This book is a Security Leaders’ Guide to aligning with the business. If you are a Chief
Information Security Officer (CISO), Head of Security with a similar title, a security
manager, or a security team member providing leadership to the business, this book is
for you.
hy Security Leaders Must Get the Business Fully

W
Engaged
One of our Rational Cybersecurity interviews illustrated the challenge of a disengaged
business.
THE BREACH WAS PREDICTABLE
Not long ago, the former CISO of a large US company related this story:
“We had a flat network between all our credit card processing sites and some other serious
gaps. I went to my CIO with a request for funding, but here’s the response: ‘We’re expanding
into [an overseas location] next year and can’t afford the projects you’re proposing. In fact, we
need to cut your budget by 50%.’
After that, I put my resume on the market and left soon. The company retained an offshore
managed security service provider (MSSP) with advanced malware detection tools, but only
skeleton staff for security operations stateside. Within 6 months the alarms were ringing but
they keep hitting the snooze button.”
The rest is history as the company – a household name – suffered a bad breach and botched
its messaging to the public during incident response. Direct and indirect costs mounted to tens
and then hundreds of millions and the CEO resigned within 6 months.
xix
Introduction
I’ve seen way too many businesses with disengaged senior management like this. It
takes two basic forms:
1) Security’s not considered to be a priority.
2) Or, the organization has budgeted for security, hired staff, and
deems it “handled.” Executives delude themselves into thinking
they’ve put security first even if in practice it is routinely put way
behind other priorities.
We see the second, insidious, form of disengagement even at highly regulated
businesses. Staff, even in the security department, are afraid to do anything other than
put an optimistic spin on security issues reported up the chain.
Misalignment between security and the business can start at the top or happen at the
line of business, IT, development, or user level. It has a corrosive effect on any security
project it touches. As organizations transform themselves into “digital businesses,” they
fall under increasing IT-related risk and regulation. Aligning cybersecurity and IT with
business leaders and business processes becomes exponentially more important to
digital businesses.
The Rational Cybersecurity Journey

I chose to write Rational Cybersecurity for Business because, during my career as an
IT research analyst and consultant, I’ve learned that successful cybersecurity isn’t
just about the technology, it’s also about the people and organizations. I realized
midway through this project, however, that I could write the book for security leaders
as the primary audience or for business leaders, but not for both. Therefore, Table 1
summarizes what this book IS and IS NOT.
xx
Introduction
Table 1. What the Book Is For

THE BOOK IS IS NOT
Written for the security leader audience and NOT attempting to be an easy read for
informed by interviews with business and IT businesspeople without a background in IT
leaders
A leadership guide on how to align six Rational NOT a highly technical or comprehensive
Cybersecurity priorities to the business manual on everything in cybersecurity
Scaled to fit many types of businesses – from NOT intended for tiny organizations with
the very large organization down to ones that minimal security program needs
are small but still big enough to have a security
department
You won’t find many security professionals disagreeing about the need to align
security and the business. But although technical books on cybersecurity abound, there
are relatively few business-focused ones, and none that I’ve found written specifically
for security leaders with comprehensive and specific advice on how to align with the
business.
I feel strongly that if we can improve their business alignment, security programs can
be much more effective. A business’s security team will be adequately resourced. It will
have a seat at the table when IT or risk is part of any business decision or strategy and
will be brought in early to review new projects, vendor relationships, or system designs.
Security leaders won’t act like “Dr. No” when a potentially risky business proposal or IT
release lands on the table, and they won’t emit fear, uncertainty, and doubt (FUD) like
frightened octopuses spewing ink when challenged. Instead they’ll quantify the risks
and propose realistic alternatives. The security team can act as a coach to business or IT
managers and staff. Together, business and security leaders can make the secure way to
operate in the business also be the easy way.
Last but not least, I decided to open source the book’s digital editions because
cybersecurity-business alignment is such an important topic. I want to create an open
information flow. Look for the pointers at the end of Chapter 10 on how readers can
continue the discussion we’re about to begin here.
xxi
Introduction
How the Book Is Organized

Cybersecurity is a vast topic, and many kinds of businesses exist with different cultures,
drivers, missions, models, and products or services. Facing a general problem statement
of “How should security align with business?”, one could easily get lost in the matrix of
what to align with what.
It can be hard to stay focused on alignment while trying to explain just enough
detail about many cybersecurity topics and to share so many good security practices for
people, process, and technology. Therefore, this book applies the 80–20 rule (aka Pareto
Principlei) to cybersecurity as its organizing framework.
The Cybersecurity Pareto Principle

How can security leaders get 80% of the benefit by doing 20% of the work?
To this question, I ended up choosing six priority focus areas to cover in the book’s
chapters. They are: security governance and culture, risk management, control baseline,
IT and security simplification, access control, and cyber-resilience.
To stay focused on alignment within these areas, I also provide more than 50 specific
keys to alignment within the narrative. These keys are called out as follows in the text.
Buy into the need for business and security alignment and
get curious about what that means for security and business
stakeholders.
1
Less often, I cite numbered cybersecurity myths, starting with this one.
Cybersecurity is just a technical problem.
xxii
Introduction
C
hapter Summary
Although the book isn’t overly technical, it does require background in basic IT and
security terminology. However, if you run into a term you’re not familiar with or are
curious about how I’m using a term, please check on the Glossary provided at the end of
the book.
Here’s how the book’s ten chapters address the Cybersecurity Pareto Priorities:
• Chapter 1: Executive Overview. Defines Rational Cybersecurity,

summarizes the book, and describes the six cybersecurity priority
focus areas.
• Chapter 2: Identify and Align Security-Related Roles. Explains how

the people in the business each contribute to the secure operation of
the business and the various security-related roles they can fulfill.
• Chapter 3: Put the Right Security Governance Model in Place.

Contrasts basic security governance structures that businesses can
use and provides guidance on how to select one and make it work.
It describes core elements of the security program such as steering
committees and security policy lifecycle management. It also offers
guidance on where the CISO should report in an organization.
• Chapter 4: Strengthen Security Culture Through Communications

and Awareness Programs. Brings the cultural subtext that can make
or break a cybersecurity environment into the foreground. It analyzes
the components of security culture and provides guidance on how
to devise a security culture improvement process and measure its
effectiveness. User awareness, training, and appropriate day-to-
day engagement with the business can all play a part in forging a
constructive security culture.
• Chapter 5: Manage Risk in the Language of Business. Clarifies

why risk management must be the brains of the security program.
It must analyze, monitor, and communicate what potential losses
or circumstances constitute the business’s top risk scenarios. An
effective tiered risk analysis process can efficiently address myriad
xxiii
Introduction
risk issues from multiple sources, help apportion accountability and

responsibility, and prioritize controls or other risk treatments.
• Chapter 6: Establish a Control Baseline. Lists the 20 security control

domains security leaders must consider when creating a minimum
viable set and maps to control frameworks such as ISO 27001 and
the NIST Cybersecurity Framework. It also details which business
functions security leaders must align with to implement safeguards
within the control domains, how to scale and tune requirements
for different types of businesses, and how to share responsibility for
delivering the controls with third parties.
• Chapter 7: Simplify and Rationalize IT and Security. Argues that

security leaders have a stake in the IT strategy and provides guidance
on how security leaders – who don’t own IT – can still engage IT and
digital innovation leaders to help develop and deliver on the strategy.
• Chapter 8: Control Access with Minimal Drag on the Business.

Explains why access control is a critical balance beam for business
agility, compliance mandates, and the security program. It addresses
the need for information classification, data protection, and identity
and access management (IAM) controls to implement access
restrictions as required to reduce risk or attain regulatory compliance
but do so in a way that enables appropriate digital relationships and
data sharing with internal and external users.
• Chapter 9: Institute Resilience Through Detection, Response, and

Recovery. Guides readers on how to formulate contingency plans,
strategies, and programs for detection, response, and recovery which
together comprise cyber-resilience.
• Chapter 10: Create Your Rational Cybersecurity Success Plan.

Takes readers through an exercise to create a personalized “Rational
Cybersecurity Success Plan” using the Success Plan Worksheet1 as a
template. This worksheet provides a template for readers to capture
their assessments and improvement objectives for their existing
1
“ Rational Cybersecurity Success Plan Worksheet,” Dan Blum, Security Architects LLC, May 2020,
accessed at https://security-architect.com/SuccessPlanWorksheet
xxiv
Introduction
security environment. It’s designed to be used over a 90-day period,

but readers can extend it or create additional copies for new periods.
How to Get the Most Out of the Book

To maximize the value from this book, readers can
• Read Chapter 1 for a detailed summary of the book and note areas of
immediate or special interest.
• Read or review all chapters for comprehensive guidance on the six

Rational Cybersecurity focus areas for security to business alignment.
• Select the chapter(s) that corresponds most closely to current

pain points or active projects as their priority topics for reading.
For example, someone working in data governance or enterprise
authorization for a financial service might concentrate their attention
early on to Chapters 3 (governance), 5 (risk), and 8 (access control
and data governance).
At the end of each chapter, a “Call to Action” section contains a quick summary
of core recommendations and instructions for completing the next part of your
personalized Rational Cybersecurity Success Plan Worksheet.
After completing the first nine chapters and/or your priority topics, turn to Chapter 10
and complete any parts of the worksheet that you haven’t tackled during the earlier
chapters.
C
all to Action
This book can be a powerful resource for security leaders who believe that business
engagement and alignment is one of their key performance indicators. Look back on
your career path and think of at least three times a lack of business alignment has been
a challenge for your security projects and also remember times when effective business
alignment has enabled your projects to succeed.
Buy into the need for business and security alignment and get curious about what
that means for security and business stakeholders.
xxv
Introduction
And then read on to Chapter 1 for a deeper dive into what cybersecurity-business
alignment means, an explanation of the six Rational Cybersecurity priority focus areas,
and an executive overview of the book. Consider how the six priority focus areas could
relate to your organization.
N
ote
i. “Pareto Principle,” Wikipedia, accessed at
https://en.wikipedia.org/wiki/Pareto_principle
xxvi
CHAPTER 1
Executive Overview
To even begin to achieve the promise of cybersecurity, security and business leaders
must align to rationalize cybersecurity. They must go beyond the myths – such as the
one that cybersecurity is just a technical problem – that still mislead many in the market.
Myths aside, basic concepts of Rational Cybersecurity are already conventional
wisdom. We’ve all heard that “Security is about people, process, and technology.” But
that can sound like overly general advice not calibrated to our type of IT environment or
business. And where do we begin? Conventional wisdom advises starting with a security
assessment and devising a plan for the security program.
Such conventional wisdom is fine as far as it goes, but security leaders need more
detail. I propose to provide that with specific guidance for aligning security programs to
the business through six priority focus areas
• Build a healthy security culture and governance model
• Manage risk in the language of the business
• Establish a control baseline
• Simplify and rationalize IT and security

• Govern and control access without creating a drag on the business
• Institute cyber-resilience, detection, response, and recovery
Although these priorities are a pretty good fit for most organizations, it’s important
to understand they’re not an ordered list and they need to be scaled for a business’s
industry, size, complexity, level of security pressure, and maturity level.
1
© The Author(s) 2020
D. Blum, Rational Cybersecurity for Business, https://doi.org/10.1007/978-1-4842-5952-8_1
Chapter 1 Executive Overview
This chapter provides an executive overview of the book’s content in the following
sections:
• Understand the Rational Cybersecurity context
• Start the Rational Cybersecurity journey (by defining security for

your business and beginning to gain executive support and align with
stakeholders)
• Set Rational Cybersecurity priority focus areas for the security program
• Scale security programs to your organization type
Let’s begin by understanding why cybersecurity-business alignment on a well-

defined, prioritized security program is so critical.
1.1 Understand the Rational Cybersecurity Context

As security leaders, you may not need a cybersecurity backgrounder. But stick with me:
I’ll keep it short, and I think we’ll find it worthwhile to get on the same page about our
overall challenge in defending the business and how it’s exacerbated by some “myths of
cybersecurity.”
Let’s start with the word “cybersecurity” on which our profession is founded. We
often use it synonymously with “IT security,” “information security,” or “security.” What’s
so special about it?
ǇďĞƌ ^ĞĐƵƌŝƚǇ
dŚĞĐŽŵďŝŶĂƟŽŶŽĨ &ƌĞĞĚŽŵĨƌŽŵƌŝƐŬŽƌ
ƉĞŽƉůĞĂŶĚŵĂĐŚŝŶĞƐ ĚĂŶŐĞƌ
Figure 1-1. Etymology of the Term “Cybersecurity”
The common dictionary definition of the root term “security” includes “freedom
from risk or danger.” Hmm… not likely in cyberspace, or in physical space. What about
the word “cyber”? It comes from the Greek term kybernḗtēs meaning “helmsman” or
“steersman.” Doesn’t that seem to connote forward-looking, or future-looking? “Cyber”
was also popularized from the word “cyberspace,” first coined by scifi writer William
Gibson in the book Neuromancer, which 30 years later is still a great read. Cyberspace
means the space where people and machines converge.
2
The words cyber and cybersecurity have been sensationalized by politicians and the
media for public consumption without much clarity. That’s why I’ve coined the term
Rational Cybersecurity, which I define as
Rational Cybersecurity “An explicitly-defined security program based on the

risks, culture, and capabilities of an organization that is endorsed by executives
and aligned with its mission, stakeholders, and processes.”
1.1.1 Risk and the Digital Business

As of 2019, much of the business world had been actively discussing the “digital
transformation” for well over 5 years. Gartner, Inc. (the world’s premier IT research and
advisory service and my former employer) calls this trend digitalization. According to
surveys from Gartner, more than 87% of senior business leaders say digitalization is a
company priority. But Gartner cautions that only 40% of organizations have brought
digital initiatives to scale.1
In early 2020, the global response to the COVID-19 pandemic forced most businesses
to send their staff home to “shelter in place” or shut down in-person operations
such as malls, movie theaters, or manufacturing plants entirely. A great many of the
business processes that continued operating did so only through digital processes and
telecommuting. As the crisis continues, not only are massive numbers of employees
working at home, but many business processes are shifting online in order to operate at
all. It is as if COVID-19 has pressed the gas pedal on the digital transformation.
Digital transformation demands more cybersecurity, not just because it means “more
IT” but also “riskier IT.” Newer technologies – such as mobile devices, social networks,
cloud computing, artificial intelligence (AI), and the Internet of Things (IOT) – are all
seeing accelerated adoption during the pandemic. Unfortunately, new technologies often
emerge without adequate security built in. Deeper blends of the virtual, physical, and
social worlds merge into something new, often with profound security implications. In
extreme cases, digital outages or cyberattacks could stop elevators, crash vehicles, start
fires, explode pipelines, or turn off medical devices.
1
“ Accelerate Digital Transformation,” Gartner, Inc., 2020, accessed at www.gartner.com/en/
information-technology/insights/digitalization
3
Cyberattackers can steal vital trade secrets and purloin personal identity records
from business databases for use in credit card fraud and identity theft exploits. They
also conduct extortion schemes, such as ransomware attacks which encrypt digital
information and demand payment for the key to unlock it. Even mature remote access
systems, web-based applications, and business processes can be highly vulnerable
when deployed without adequate testing, hardening, and procedural controls. The
early days of the COVID-19 crisis saw increased cyber-fraud as business processes
such as accounting or payroll underwent forced digitalization. For example, a member
of this book’s marketing team reported that his Head of Admin received a fake email
purportedly from him requesting a change to his direct deposit account number. Luckily,
she called his home office to verify the request rather than putting it through.
THE SURPRISING STORY OF NOTPETYA AND AN UNLIKELY DIGITAL BUSINESS
Imagine shipping containers piled on the docks of Hoboken, New Jersey, with nowhere to go.
During the NotPetya ransomware epidemic, global shipping giant Maersk discovered it literally
could not deliver or send on unloaded shipping containers without access to the electronic
manifests.2 You wouldn’t consider a maritime tanker company a digital business, but clearly it
is in part. Digital businesses cannot operate without IT.
Note The ransomware problem is getting worse since the NotPetya events of
2017. Many small or medium businesses (SMBs) in the United States affected by
ransomware have been forced to cease operations.3
Cybersecurity for the digital business addresses “information risk,” which includes
both “cyber-risk” (from attacks on IT) and “IT operational risk” (from IT errors, failures,
and outages). It’s the security leader’s job to propose controls or workarounds to protect
the business, whenever possible in a way that doesn’t impede or slow innovation. It is
the business leader’s job to work with security to balance opportunity and risk.
2
“ The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Andy Greenberg,
WIRED, September 2018, accessed at www.wired.com/story/notpetya-cyberattack-ukraine-
russia-code-crashed-the-world/
3
“Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack,” HIPAA
Journal, December 2019, accessed at: https://www.hipaajournal.com/wood-ranch-medical-
announces-permanent-closure-due-to-ransomware-attack/
4
1.1.2 Compliance and the Duty to Protect

Regulatory obligations also create digital business risk. They spell out duties to protect
personal privacy, health-care or financial information, critical infrastructure, and
more. Courts of law haggle over liability. For example, did a breached business follow
“reasonable” protection practices, did it even uphold its own policies, or should it have
invested more money in security?
What are your business’s protection objectives? See Table 1-1 for a list of some
regulations covering various vertical industries to give you some idea. Note that although
we tried to hit the main regulatory topics (privacy, critical infrastructure, health, finance,
and public company accounting), Table 1-1 shows only a small sampling. However,
it’s a safe bet that your business is subject to some of these or to similar regulations in
countries all over the world.
Table 1-1. A Small Sample of Compliance Regulations

Industry Regulations
All US public Sarbanes-Oxley Act (SOX) requires companies to report on internal controls
companies over accounting and other critical IT systems. The Securities and Exchange
Commission (SEC) guidance pushes companies to report material cybersecurity
risks to shareholders and potential investors.
All business in EU General Data Protection Regulation (GDPR) and various other countries’
personal data privacy regulations protect personal information; they require informed consent
for using the information along with other individual rights. US state laws require
organizations to report loss of sensitive personal or financial information and
offer victims free credit reporting services. Violating any of these regulations
leads to fines, liability, and reputation damage. The California Consumer Privacy
Act (CCPA) brings GDPR-style regulation to the USA.
All electronic The US Federal Rules of Civil Procedure (FRCP) sets requirements for retention
records and accessibility of electronic records for use in legal proceedings’ discovery or
evidentiary processes.
(continued)
5
Another random document with
no related content on Scribd:
towards captive Jacobites, the Earl of Perth, on a showing of the
injury his health was suffering from long imprisonment in Stirling
Castle, was liberated on a caution for five thousand pounds sterling,
being a sum equal to the annual income of the highest nobles of the
land.
William Livingstone, brother to the Viscount Kilsyth, and husband
of Dundee’s widow, had been a prisoner in the Edinburgh Tolbooth
from June 1689 till November 1690—seventeen months—thereafter,
had lived in a chamber in Edinburgh under a sentry for a year—
afterwards was allowed to live in a better lodging, and to go forth for
a walk each day, but still under a guard. In this condition he now
continued. The consequence of his being thus treated, and of his
rents being all the time sequestrated, was a great confusion of his
affairs, threatening the entire ruin of his 1692.
fortune. On his petition, the Council now
allowed him ‘to go abroad under a sentinel each day from morning to
evening furth of the house of Andrew Smith, periwig-maker, at the
head of Niddry’s Wynd, in Edinburgh, to which he is confined,’ he
finding caution under fifteen hundred pounds sterling to continue a
true prisoner as heretofore; at the same time, the sequestration of his
rents was departed from.
On the 19th April, Mr Livingstone was allowed to visit Kilsyth
under a guard of dragoons, in order to arrange some affairs. But this
leniency was of short duration. We soon after find him again in strict
confinement in Edinburgh Castle; nor was it till September 1693,
that, on an earnest petition setting forth his declining health, he was
allowed to be confined to ‘a chamber in the house of Mistress Lyell,
in the Parliament Close,’ he giving large bail for his peaceable
behaviour. This, again, came to a speedy end, for, being soon after
ordered to re-enter his strait confinement in the Castle, he petitioned
to be allowed the Canongate Jail instead, and was permitted, as
something a shade less wretched than the Castle, to become a
prisoner in the Edinburgh Tolbooth. On the 4th of January 1693, he
was again allowed the room in the Parliament Close, but on the 8th
of February this was exchanged for Stirling Castle. In the course of
the first five years of British liberty, Mr Livingstone must have
acquired a tolerably extensive acquaintance with the various forms
and modes of imprisonment, so far as these existed in the northern
section of the island.
Captain John Crighton, once a dragoon in the service of King
James, and whose memoirs were afterwards written from his own
information by Swift, was kept in jail for twenty-one months after
June 1689; then for ten months in a house under a sentinel; since
that time in a house, with permission to get a daily walk; ‘which long
imprisonment and restraint has been very grievous and expensive to
the petitioner (Crighton),’ and ‘has redacted him and his small family
to a great deal of misery and want, being a stranger in this kingdom.’
His restraint was likewise relaxed on his giving caution to the extent
of a hundred pounds to remain a true prisoner.
Soon after arose the alarm of invasion from France, and all the
severities against the suspected Jacobites were renewed. William
Livingstone was, in June, confined once more to his chamber at the
periwig-maker’s, and Captain John Crighton had to return to a
similar restraint. The Earl of Perth, so recently liberated from
Stirling Castle, was again placed there. At 1691.
that time, there were confined in Edinburgh
Castle the Earls of Seaforth and Home, the Lord Bellenden, and
Paterson, Ex-archbishop of Glasgow. In Stirling Castle, besides Lord
Perth, lay his relation, Sir John Drummond of Machany,[83] and the
Viscount Frendraught, the latter having only six hundred merks per
annum (about £34), so that it became of importance that his wife
should be allowed to come in and live with him, instead of requiring
a separate maintenance; to so low a point had civil broils and private
animosities brought this once flourishing family. Neville Payne lay a
wretched prisoner in Edinburgh Castle. Sir Robert Grierson of Lagg
was contracting sore ailments under protracted confinement in the
Canongate Jail. A great number of other men were undergoing their
second, and even their third year of confinement, in mean and filthy
tolbooths, where their health was unavoidably impaired.
On the 2d of June, Crighton gave in a petition reciting that he had
been again put under restraint, and for no just cause, as he had
always since the Revolution been favourable to the new government,
and on the proclamation of the Convention, had deserted his old
service in the Castle, bringing with him thirty-nine soldiers. He was
relieved from close confinement, and ordered to be subjected to trial.
On the 10th of June, he was ordered to be set at liberty, on caution.
Less than two months after, failing to appear on summons, his bond
for £100 was forfeited, and the money, when obtained from his
security, to be given to Adair the geographer.
On the 14th of June 1692, Captain Wallace represented that he had
now been three years a captive, ‘whereby his health is impaired, his
body weakened, and his small fortune entirely ruined.’ ‘Yet hitherto,
there has been no process against him.’ He entreated that he might
be liberated on signing ‘a volunteer banishment,’ and he would
‘never cease to pray that God may bless the nation with ane lasting
peace, of [which] he would never be a disturber.’ An order for a
process against him was issued.
It was difficult, however, even for the Scottish Privy Council to
make a charge of treason against an officer whose only fault was that,
being appointed by a lawful authority to defend a post, he had
performed the duty assigned to him, albeit at the expense of a few
lives to the rabble which he was 1692.
commanded to resist. Still, when the
solicitor-general, Lockhart, told them he could not process Captain
Wallace for treason ‘without a special warrant to that effect,’ they
divided on the subject, and the negative was only carried by a
majority.[84]
Happened an affair of private war and Apr. 25.

violence, supposed to be the last that took
place in the county of Renfrew. John Maxwell of Dargavel had ever
since the Reformation possessed a seat and desk in the kirk of
Erskine, along with a right to bury in the subjacent ground. William
Hamilton of Orbieston, proprietor of the estate of Erskine, disputed
the title of Dargavel to these properties or privileges, and it came to a
high quarrel between the two gentlemen. Finding at length that
Dargavel would not peaceably give up what he and his ancestors had
so long possessed, Orbieston—who, by the way, was a partisan of the
old dynasty, and perhaps generally old-fashioned in his ideas—
resolved to drive his neighbour out of it by force. A complaint,
afterwards drawn up by Dargavel for the Privy Council, states that
William Hamilton of Orbieston, George Maxwell, bailie of Kilpatrick,
Robert Laing, miller in Duntocher, John Shaw of Bargarran, Gavin
Walkingshaw, sometime of that ilk, came, with about a hundred
other persons, ‘all armed with guns, pistols, swords, bayonets, and
other weapons invasive,’ and, having appointed George Maxwell,
‘Orbieston’s own bailie-depute,’ to march at their head, they
advanced in military order, and with drums beating and trumpets
sounding, to the parish kirk of Erskine, where, ‘in a most insolent
and violent manner, they did, at their own hand, and without any
order of law, remove and take away the complainer’s seat and dask,
and sacrilegiously bring away the stones that were lying upon the
graves of the complainer’s predecessors, and beat and strike several
of the complainer’s tenants and others, who came in peaceable
manner to persuade them to desist from such unwarrantable
violence.’
Dargavel instantly proceeded with measures for obtaining redress
from the Privy Council, when his chief, Sir John Maxwell of Pollock,
a member of that all-powerful body, interfered to bring about an
agreement between the disputants. With the consent of the Earl of
Glencairn, principal heritor of the parish, Dargavel ‘yielded for
peace-sake to remove his seat from that 1692.
place of the kirk, where it had stood for
many generations;’ while Orbieston on his part agreed that Dargavel
‘should retain his room of burial-place in the east end of the kirk,
with allowance to rail it in, and strike out a door upon the gable of it,
as he should see convenient.’ This did not, however, end the
controversy.
The first glimpse of further procedure which we obtain is from a
letter of John Shaw of Bargarran, professing to be a friend of both
parties, though he had appeared amongst the armed party led by
Orbieston’s bailie-depute. He writes, 23d August, as follows to
William Cunningham of Craigends, a decided friend of Dargavel: ‘Sir
—The Laird of Orbieston heard when he was last here that Dargavel
was intendit to put through a door to his burial-place, which will be
(as he says) very inconvenient for Orbieston’s laft [gallery]; so he
desired me to acquaint you therewith, that ye wold deall with
Dargavel to forbear; otherways he wold take it very ill, and has given
orders to some people here to stop his design, if he do it not
willingly; wherefor, to prevent further trouble and emulation betwixt
the two gentlemen, ye wold do well to advyse him to the contrair
either by a lyn or advyse, as ye think most proper. I desyre not to be
seen in this, because they are both my friends, and I a weel-wisher to
them both. I thought to have waited on you myself; bot, being
uncertain of your being at home, gives you the trouble of this lyne,
which is all from, sir, your most humble servant, J. Shaw. Ye wold do
this so soon as possible.’
There are letters from Craigends to Dargavel, strongly indicating
the likelihood that violent measures would again be resorted to by
Orbieston, and advising how these might best be met and resisted.
But the remainder of the affair seems to have been peaceable.
Orbieston applied to the Privy Council for an order to stop Dargavel,
apparently proceeding upon the rule long established, but little
obeyed, against burying in churches; and the Council did send an
order, dated the 29th August, ‘requiring you to desist from striking
any door or breaking any part of the church-wall of Erskine, until
your right and Orbieston’s right be discusst by the judges competent
for preventing further abuse.’ Dargavel immediately sent a petition,
shewing how he was only acting upon an agreement with Orbieston,
and hereupon the former order was recalled, and Dargavel permitted
to have the access he required, however incommodious it might be to
Orbieston’s ‘laft.’[85]
The prisoners in the Canongate Tolbooth 1692. May 10.
forced the key from the jailer, and took
possession of their prison, which they held out against the
magistrates for a brief space. A committee of Privy Council was
ordered to go and inquire who had been guilty of this act of rebellion.
[86]
Viewing the manner in which jails were provided, there can be no
doubt that it was a rebellion of the stomach.
Under our present multiplication of May 17.

newspapers, a piece of false intelligence is
so quickly detected, that there is no temptation for the most perverse
politician to put such a thing in circulation. In King William’s days,
when the printed newspaper barely existed, and the few who were
curious about state-affairs had to content themselves with what was
called a news-letter—a written circular emanating from a centre in
London—a falsehood would now and then prove serviceable to a
party, particularly a depressed one.
We get an idea of a piece of the social economy of the time under
notice, from a small matter which came under the attention of the
Privy Council. William Murray kept a tavern in the Canongate. Each
post brought him a news-letter for the gratification of his customers,
and which doubtless served to maintain their allegiance to his butt of
claret. Just at this time, when there were alarms of an invasion from
France, a lie about preparations on the French shore was worth its
ink. The lord high chancellor now informed the Council that
Murray’s letter was generally full of false news; that he caused
destroy the one brought by last post, merely to keep Murray out of
trouble; and he had kept up the one just come, ‘in respect there is a
paper therein full of cyphers which cannot be read.’ Matters having
now become so serious, he had caused Murray to be brought before
the Council.
Murray declared before a committee ‘he knows not what person
writes the news-letter to him ... he never writes any news from this to
London ... he knows not what the cyphers in the paper sent in his
letter with this post does signify.’ They sent him under care of a
macer to the Tolbooth, to be kept there in close prison, and his
papers at home to be searched for matter against their majesties or
the government.
On the 2d of June, William Murray represented that he had now
been a fortnight in jail, and his poor family 1692.
would be ruined if he did not immediately
regain his liberty. The Council caused him to be examined about the
cypher-letter, and asked who was his correspondent. We do not learn
what satisfaction he gave on these points; but a week later, he was
liberated.
On the 15th November, the Privy Council ordered the magistrates
of Edinburgh to shut up the Exchange Coffee-house, and bring the
keys to them, ‘in respect of the seditious news vented in and
dispersed from the said coffee-house.’ A month after, the owners,
Gilbert Fyfe and James Marjoribanks, merchants, shewed that, some
of their news-letters having once before been kept up from them on
account of the offensive contents, they had changed their
correspondent, in order that the government might have no such
fault to find with them. Moved, however, by malice against them,
their old correspondent had addressed to them a letter sure by its
contents to bring them into trouble with the officers of state, and it
had been the cause of their house being shut up accordingly. Seeing
how innocently on their part this had come about, and how
prejudicial it was to their interest, the men petitioned for re-
possession of their house, which was granted, under caution that
they were to vent no news until it was approved of by their majesties’
solicitor, or whoever the Privy Council might appoint, ‘the reviser
always setting his name thereto, or at least ane other mark, as having
revised the same.’
Not long after, we find the Council in such trouble on account of
false news as to be under the necessity of considering some general
measure on the subject.
In December, one William Davidson, described as a ‘writer,’ was
taken up and put into the Tolbooth of Edinburgh, ‘for writing and
spreading of lies and false news;’ and the Privy Council issued an
order ‘for delivering of the said William to ane of the officers come
from Flanders, to have been carried there as a soldier.’ On its
appearing, however, that William ‘is but a silly cripple boy, having
had his leg and thigh-bones broke,’ they ordered the magistrates of
Edinburgh to banish him from their city, ‘in case they shall find him
guilty of the said crime.’
On the 12th of July 1694, we hear something more of this William
Davidson. For inadvertently adding to a news-letter a postscript
‘bearing some foolish thing offensive to the government, without
affirming whether it was true or false, but only that it was reported,’
he had been condemned to banishment from the city, and also
disinherited by a Whiggish father, now 1692.
deceased. He had since lived upon the
charity of his relations and acquaintances; but these were now weary
of maintaining him, and he was consequently ‘redacted to extream
misery.’ Having broken his thigh-bone six several times, he was
incapable of any employment but that of writing in a chamber, from
which, however, he was debarred by his banishment from
Edinburgh. He therefore craved a relaxation of his sentence, offering
‘to take the oath of allegiance and subscribe the assurance, to
evidence his sincerity towards the government.’ The poor lad’s
petition was complied with.[87]
Sir James Carmichael of Bonnyton, a July.
minor, was proprietor of the lands of
Thankerton, lying on the north side of the river Clyde, in the upper
ward of Lanarkshire. The Clyde had been the march between his
estate and those of the adjacent proprietors—Chancellor of
Shieldhill, and George Kellie in Quothquan; but ‘rivers are bad
neighbours and unfaithful boundaries, as Lucan says of the Po,’[88]
and there had happened a mutatio alvei about fifty years before, in
consequence of a violent flood, and now a part of Bonnyton lands
was thrown on the opposite side. Under the name of the Park-holm,
it had lain neglected for many years; but at length, in 1688, the
present laird’s father sowed and reaped it; whereupon the opposite
neighbours, considering it as theirs, resolved to assert their right to
it. At the date noted, they came eighty strong, ‘resolved to take
advantage of Sir James his infancy, and by open bangstry and
violence to turn him and his tenants out of his possession.’ Their
arms were ‘pitchforks, great staves, scythes, pistols, swords, and
mastive dogs.’ In a rude and violent manner, they cut down ‘the
whole growth of fourteen bolls sowing of corn or thereby,’ drove it
home to their own houses, and there made use of it in bedding their
cattle, or threw it upon the dunghills. Thus, ‘corns which would have
yielded at least nine hundred bolls oats at eight pounds Scots the
boll, were rendered altogether useless for man or beast.’ During the
progress of this plunder, the tenants were confined to their houses
under a guard. So it was altogether a riot and oppression, inferring
severe punishment, which was accordingly called for by the curators
of the young landlord.
The Council, having heard both parties, found the riot proven, and
ordained Chancellor of Shieldhill to pay three hundred merks to the
pursuer.[89] Afterwards (December 26, 1692.
1695), the Lords of Session confirmed the
claim of Bonnyton to the Park-holm.[90]
In this year died the Viscountess Stair—born Margaret Ross of

Balniel, in Wigtonshire—the wife of the ablest man of his age and
country, and mother of a race which has included an extraordinary
number of men of talent and official distinction. The pair had been
married very nearly fifty years, and they were tenderly attached to
the last. The glories of the family history had not been quite free of
shade; witness the tragical death of the eldest daughter Janet, the
original of Lucy Ashton in The Bride of Lammermoor.[91] Lady Stair
is admitted to have been a woman of a soaring mind, of great
shrewdness and energy of character, and skilled in the ways of the
world; and to these qualities on her part it was perhaps, in part,
owing that her family, on the whole, prospered so remarkably. The
public, however, had such a sense of her singular power over fortune,
as to believe that she possessed necromantic gifts, and trafficked
with the Evil One. An order which she left at her death regarding the
disposal of her body, helped to confirm this popular notion. ‘She
desired that she might not be put under ground, but that her coffin
should stand upright on one end of it, promising that, while she
remained in that situation, the Dalrymples should continue to
flourish. What was the old lady’s motive for the request, or whether
she really made such a promise, I shall not take upon me to
determine; but it’s certain her coffin stands upright in the aile of the
church of Kirkliston, the burial-place of the family.’[92]
A local historian attributes to her ladyship ‘one of the best puns
extant. Graham of Claverhouse (commonly pronounced Clavers) was
appointed sheriff of Wigtonshire in 1682. On one occasion, when this
violent persecutor had been inveighing, in her presence, against our
illustrious reformer, she said: “Why are you so severe on the
character of John Knox? You are both reformers: he gained his point
by clavers [talk]; you attempt to gain yours by knocks.”’[93]
The boy carrying the post-bag on its last Aug. 13.

stage from England was robbed by ‘a person
mounted on horseback with a sword about 1692.
him, and another person on foot with a
pistol in his hand, upon the highway from Haddington to Edinburgh,
near that place thereof called Jock’s Lodge [a mile from town], about
ten hours of the night.’ The robbers took ‘the packet or common mail
with the horse whereon the boy rode.’ The Privy Council issued a
proclamation, offering a reward of a hundred pounds for the
apprehension of the offenders, with a free pardon to any one of them
who should inform upon the rest.
The troubles arising from corporation Oct. 1.
privileges were in these old times incessant.
Any attempt by an unfreeman to execute work within the charmed
circle was met with the sternest measures of repression and
punishment, often involving great suffering to poor industrious men.
Indeed, there is perhaps no class of facts more calculated than this to
disenchant modern people out of the idea that the days of old were
days of mutual kindliness and brothership.
At the date noted, one William Somerville, a wright-burgess of
Edinburgh, was engaged in some repairs upon the mansion of the
Earl of Roxburgh, in the Canongate, when Thomas Kinloch, deacon
of the wrights of that jurisdiction, came with assistants, and in a
violent manner took away the whole of the tools which the workmen
were using. This was done as a check to Edinburgh wrights coming
and doing work in a district of which they were not free. Somerville,
two days after, made a formal demand for the restoration of his
‘looms;’ but they were positively refused. The Earl of Roxburgh was a
minor; but his curators felt aggrieved by Kinloch’s procedure, and
accordingly concurred with Somerville in charging the Canongate
deacon, before the Privy Council, with the commission of riot and
oppression in the earl’s house. Apparently, if the Roxburgh mansion
had been subject to the jurisdiction of the Canongate, the Council
could not have given any redress; but it so happened, that when the
earl’s ancestor, in 1636, gave up the superiority of the Canongate, he
reserved his house as to be holden of the crown; therefore, the
Canongate corporations had no title to interfere with the good
pleasure of his lordship in the selection of workmen to do work in his
house. The Council remitted this point of law to the Court of Session;
but meanwhile ordered the restoration of Somerville’s tools.[94]
As an example of the troubles connected 1692.
with mercantile privilege, it may be well to
introduce one simple case of the treatment of an interloper by the
Merchant Company of Edinburgh, the members of which were the
sole legalised dealers in cloth of all kinds in the city. In June 1699, it
was reported to the Company that one Mary Flaikfield, who had
formerly been found selling goods ‘off the mercat-day,’ and enacted
herself to desist from the practice, had been found sinning again in
the same manner. She was detected in selling some plaids and eight
pieces of muslin to a stranger, and the goods were seized and
deposited in the Merchants’ Hall.
The poor woman at first alleged that she had only been conversing
with this stranger, while the goods chanced to be lying beside her,
and the Company was wrought upon to give back her goods, all
except two pieces of the muslin, which they said they would detain
till Mary could prove what she alleged.
Presently, however, there was a change in their mood, for John
Corsbie came forward with information that Mary Flaikfield was
really a notable interloper. The very person she was lately detected in
dealing with, she had wiled away from Corsbie’s own shop, where he
was about to buy the same goods. She was accustomed to sell a good
deal to the family of Lord Halcraig. Then she had not appeared to
prove her innocence. ‘The vote was put: “Roup the two pieces of
muslin or not?” and it carried “Roup.” Accordingly, the muslin being
measured, and found to be twenty-two ells, and ane hour-glass being
set up, several persons bid for the same. The greatest offer made was
fourteen shillings per ell, which offer was made by Francis Brodie,
treasurer—the time being run—the said offer was three several times
cried out, and the said two pieces of muslin were declared to belong
to him for £15, 8s. [Scots]; but if she compear and relieve the same
before the next meeting, allows her to have her goods in payment of
the above sum.’
At the meeting of the ensuing week, Mary Flaikfield not having
come forward to redeem her muslin, the treasurer was instructed to
dispose of it as he should think fit, and be comptable to the Company
for £15, 8s. Two days later, however, there was another meeting
solely on account of Mary, when the Master, Bailie Warrender, and
his assistants, felt that Christian charity would not allow them to
proceed further. ‘Considering that Mary Flaikfield is a poor woman,
big with child, and has been detained here about a fortnight, they, in
point of pity and compassion for her, order 1692.
that her two pieces of muslin be given her
back upon payment of fourteen shillings to the officer.’ She was not
dismissed without a caution as to her future behaviour.[95]
Nov.
The stranding of whales in the Firth of Forth was of such natural
and frequent occurrence in early times, that a tithe of all cast ashore
between Cockburnspath and the mouth of the Avon, was one of the
gifts conferred by the pious David upon the Canons Augustine of
Holyrood. In modern times, it may be considered as an uncommon
event. At this time, however, one had embayed itself in the harbour
of Limekilns, a little port near Queensferry. A litigation took place
regarding the property of it, between the chancellor, the Earl of
Tweeddale, as lord of the regality of Dunfermline, and Mr William
Erskine, depute to the admiral, and the Lords finally adjudged it to
the chancellor, with seven hundred merks as the price at which it had
been sold.[96]
The Earl of Moray, being pursued at law Dec. 1.

for a tradesman’s account, which was
referred to his oath, craved the Court of Session to appoint a
commission to take his oath at Dunnibrissle, on the ground that, if
he were obliged to come to Edinburgh for the purpose, he should
incur as much expense as the whole amount of the alleged debt. As
Dunnibrissle is visible from Edinburgh across the Firth of Forth, this
must be looked upon as an eccentrically economical movement on
his lordship’s part. The court granted the commission, but ordained
his lordship to pay any expense which might be incurred by the
debtor, or his representative, in travelling to Dunnibrissle to be
present at the oath-taking.[97]
The court had occasionally not less whimsical cases before it. In
February 1698, there was one regarding a copper caldron, which had
been poinded, but not first taken to the Cross to be ‘appreciate.’ The
defenders represented that they had done something equivalent in
carrying thither a part of it—the ledges—as a symbol; following here
a rule applicable with heavy movables, as where a salt-pan was
represented by two nails; nay, a symbol not homogeneous, as a wisp
of straw for a flock of sheep, fulfilled the law. The defence was
sustained, and the poinding affirmed.[98]
The Privy Council had under its hands 1692. Dec.
three Protestant clergymen—namely, Mr
John Hay, late minister at Falkland; Mr Alexander Leslie, late
minister at Crail; and Mr Patrick Middleton, late minister at Leslie—
in short, three of the ‘outed’ Episcopal clergy—for not praying for
William and Mary. They acknowledged that they prayed ‘only in
general terms’ for the king and queen, and were therefore discharged
from thereafter exercising any clerical functions, under severe
penalties. Soon after, the Council judged, in the case of Mr Alexander
Lundie, late minister of Cupar, who stated that, ‘having a mixed
auditory, he prayed so as might please both parties.’ This style of
praying, or else the manner of alluding to it, did not please the Privy
Council, and Mr Lundie was ordered ‘to be carried from the bar, by
the macers, to the Tolbooth, there to remain during the Council’s
pleasure.’ Having lain there four days, far from all means of
subsistence, while his wife was ill of a dangerous disease at home,
and his family of small children required his care, Mr Lundie was
fain to beg the Council’s pardon for what he had said, and so
obtained his liberation also, but only with a discharge from all
clerical functions till he should properly qualify himself according to
act of parliament.
On the 22d of May 1693, Mr David Angus, minister of Fortrose,
was before the Council on a charge that, although deprived for not
praying for their majesties in terms of the act of parliament, ‘he has
publicly preached and exercised the ministerial function within his
own house, and parish where the same lies, and elsewhere, without
qualifying himself by signing the oath of allegiance.’ So far from
evidencing the sense he ought to have had of the grievous
circumstances from which the nation had been relieved, by reading
the proclamation of estates, he had neglected it, and prayed for King
James, thus stirring up the disaffected in opposition to their
majesties’ government, and discouraging their loyal subjects. These
were ‘crimes which ought to be severely punished for the terror of
others.’ The Lords, therefore, finding him unable to deny the alleged
facts, and indisposed to engage for a different behaviour in future,
confirmed his deprivation, and discharged him from preaching or
exercising any ministerial function within the kingdom.
As a specimen of the equivocating prayers—Mr Charles Key, one of
the ministers of South Leith, was charged, in September 1694, with
using these expressions, ‘“That God would bless our king and queen,
and William and Mary,” or “our king and 1692.
queen, William and Mary, and the rest of the royal family.”’[99]
A great number of recruits were now Dec. 31.

drawn together to be sent to Flanders, but
the vessels for their transportation were not ready. The Privy Council
therefore ordered their distribution throughout the jails of Lothian
and Fife, sixty, eighty, a hundred, and even more, to each tolbooth,
according to its capacity—for example, two hundred and forty-four to
the jails of Musselburgh, Haddington, and Leith—there to be
furnished with blankets to lie on by the various magistrates. When it
is known that two Jacobite gentlemen had lately petitioned for
liberation from Musselburgh jail, on the ground that it did not
contain a fireroom, and their health was consequently becoming
ruined, it will not seem surprising that a competent troop of horse
and foot had to be ordered ‘to keep guard upon the said recruits, and
take care that none of them escape.’
That a good many, induced either by the hardships of their
situation, or the enticements of disaffected persons, did desert the
service, is certain: a strict proclamation on this subject came out in
April 1694. At the same time, John M‘Lachlan, schoolmaster in
Glasgow, was before the Privy Council on a charge of having induced
a number of soldiers in the regiments lying at that city to desert.
‘Being disaffected,’ it was said, ‘to their majesties’ government, he
has, so far as possible for thir three or four years past, made it his
business to weaken the government, and to instigate and persuade
several soldiers to run away.’ He did ‘forge passes for them.’ In
particular, in January last, he did ‘persuade John Fergusson and
John M‘Leod, soldiers in Captain Anderson’s company in Lord
Strathnaver’s regiment, then lying at Glasgow, to run away and
desert ... telling them that they were but beasts and fools for serving
King William, for that he was sure that the late King James would be
soon here again.... He had given passes to several of the regiment
formerly in garrison at Glasgow, and offered to go with them to a
gentlewoman’s house without the Steeple-green port, who was a
cousin of his, who would secure them and receive their clothes, and
furnish them with others to make their escape; and told them they
were going to Flanders, and would be felled there, and so it was best
for them to desert, and that he would hide their firelocks
underground, and give them other coats 1692.
and money, and a pass to carry them safe
away.’
The Council, having called evidence, and found the charge proven,
sentenced M‘Lachlan to be whipped through the city of Edinburgh,
and banished to the American plantations. They afterwards altered
the sentence, and adjudged the Jacobite schoolmaster, instead of
being whipped, to stand an hour on the pillory at Edinburgh, and an
hour on the pillory at Glasgow, under the care of the hangman, with
a paper on his brow, with these words written or printed thereon
—‘John M‘Lachlan, schoolmaster at Glasgow, appointed to be set on
the pillory at Edinburgh and Glasgow, and sent to the plantations,
for seducing and debauching soldiers to run away from their colours,
and desert their majesties’ service.’
Two days later, the Privy Council recommended their majesties’
advocate to prosecute M‘Lachlan before the committee anent pressed
men, ‘for the disloyal and impertinent speeches uttered by him
yesterday while he stood upon the pillory of Edinburgh.’ What came
of this, we do not learn; but on the 3d of July there is a petition from
M‘Lachlan, setting forth that, after a nineteen weeks’ imprisonment,
he is sinking under sickness and infirmity, while his family are
starving at home, and craving his liberty, on giving assurance that he
shall not offend again against the government. His liberation was
ordered.
James Hamilton, keeper of the Canongate Tolbooth (July 16,
1696), represented to the Privy Council that it had been customary
for him and his predecessors to receive two shillings Scots per night
for each recruit kept in the house, with a penny sterling to the
servants (being 3d. sterling in all), and their lordships, in
consideration of his ‘great trouble in keeping such unruly prisoners
in order’—he ‘being liable to the payment of ten dollars for every man
that shall make his escape’—had authorised him to take
‘obleisements’ from the officers for the payment of these dues, till
lately when the authority was withdrawn. This had led to loss on the
part of the petitioner, who had now spent all his own means, and
further run into debt, so that, ‘through continual hazard of captions,’
he was threatened with becoming a prisoner in his own jail. He
entreated payment of some arrears for General Mackay’s recruits, as
well as these recent arrears, and likewise for the proper allowance for
‘the coiners and clippers,’ latterly an abundant class of prisoners, on
account of the tempting condition of the coin of the realm for
simulation. The Lords recommended 1693.
Hamilton to the treasury for payment of the
monies due to him.[100]
Though Scotland had long enjoyed the Feb. 2.

services of four universities, the teaching of
any of the natural sciences was not merely unknown in the country,
but probably undreamed of, till the reign of Charles II. The first faint
gleam of scientific teaching presents itself about 1676, when, under
the fostering care of Dr (afterwards Sir) Robert Sibbald, a botanic
garden was established near the Trinity College Church, as a means
of helping the medical men of Edinburgh to a better knowledge of
the pharmacopœia. It was put under the care of James Sutherland,
who had been a common gardener, but whose natural talents had
raised him to a fitness for this remarkable position. In his little
garden in the valley on the north side of the city, he taught the
science of herbs to students of medicine for small fees, receiving no
other encouragement besides a salary from the city of twenty
pounds, which did not suffice to pay rent and servants’ wages, not to
speak of the cost of new plants. At the time of the siege of Edinburgh
Castle in the spring of 1689, it had been thought necessary, for
strategic reasons, to drain the North Loch, and, as the water ran
through the Botanic Garden, it came to pass that the place was for
some days under an inundation, and when left dry, proved to be
covered with mud and rubbish, so that the delicate and costly plants
which Sutherland had collected were nearly all destroyed. It had cost
him and his assistants the work of a whole season to get the ground
cleared, and he had incurred large charges in replacing the plants.
At this date, the Privy Council, on Sutherland’s petition, took into
consideration his losses, his inadequate salary, and the good service
he was rendering, ‘whereby not only the young physicians,
apothecaries, and chirurgeons, but also the nobility and gentry, are
taught the knowledge of the herbs, and also a multitude of plants,
shrubs, and trees are cultivated which were never known in this
nation before, and more numerous than in any other garden in
Britain, as weel for the honour of the place as for the advantage of
the people.’ They therefore declared that they will in future allow Mr
Sutherland fifty pounds a year out of fines falling to them, one half
for expenses of the garden, and the other half by way of addition to
his salary.[101]
Mr Stephen Maxwell, ‘alleged to be a 1693. Apr. 13.
Romish priest,’ prisoner in Blackness
Castle, Mr George Gordon, Mr Robert Davidson, and Mr Alexander
Crichton, ‘also alleged to be popish priests,’ and prisoners in the
Edinburgh Tolbooth, were ordered to be set at liberty, provided they
would agree to deport themselves from the kingdom ‘in the fleet now
lying under convoy of the man-of-war lying in the Road of Leith,’ and
give caution to the extent of a hundred pounds that they would never
return. On the 17th, Mr James Hepburn, ‘alleged to be a popish
priest,’ was ordered to be liberated from the Canongate Tolbooth on
the same terms. All of these gentlemen had been for many months
deprived of their liberty.
There still lay in Blackness Castle one John Seaton, who had been
apprehended in December 1688, on suspicion of being a priest, and
confined ever since, being four and a half years. He had been offered
the same grace with the rest; but he was prevented by his personal
condition from accepting it. According to his own account, he was
seventy years of age. He ‘has not only spent any little thing he had,
but his health is likewise entirely ruined, beyond any probability of
recovery.’ He was most willing to have gone abroad, ‘where he might
have expected better usage for ane in his condition than he can
reasonably propose to himself anywhere in this kingdom;’ but ‘when
the rest went away above a month ago, finding his health so totally
broken by sickness, old age, and imprisonment, and his infirmity still
growing worse,’ he was ‘necessitat to continue prisoner, rather than
hazard a long sea-voyage, whereby he could expect no less than an
unavoidable painful death, the petitioner, when formerly in health
and strength at sea, being still in hazard of his life.’ John Seaton
further represented that he had never, during his long
imprisonment, received any support from the government, but been
maintained by the charity of his friends. He now prayed the Council
that they would take pity on him, and ‘not permit him, ane old sickly
dying man, to languish in prison for the few days he can, by the
course of nature and his disease, continue in this life,’ but let him
retire to ‘some friend’s house, where he may have the use of some
help for his distressed condition, and may in some measure mitigate
the affliction he at present lies under by old age, sickness, poverty,
and imprisonment.’
The Council ordered Seaton to be liberated.[102]
For some time past there had been an 1693. Apr.
unusual and alarming number of highway
robberies. One case, of a picturesque character, may be
particularised. William M‘Fadyen, who made a business of droving
cattle out of Galloway and Carrick to sell them in the English
markets, had received a hundred and fifty pounds sterling at
Dumfries, and was on his way home (December 10, 1692), about four
miles from that town, when at sunrise he was joined by two men,
‘one in a gentleman’s habit, mounted on a dark-gray horse, with a
scarlet coat and gold-thread buttons. He was of extraordinary
stature, with his own hair, sad-coloured, ane high Roman nose,
slender-faced, thick-lipped, with a wrat [wart] above one of his eyes
as big as ane nut, and the little-finger of his left hand bowed towards
his loof’—a peculiarity, by the way, which the Duke of Lauderdale
believed to denote a man who would come to some sad and untimely
end. ‘The other appeared to be his servant, and was also mounted
upon ane dark-gray horse, and carried a long gun.’ ‘After they had
travelled about half a mile on the way, the servant said he was going
through the muir, and desired [M‘Fadyen] to go along with him,
which he refused; whereupon he beat [M‘Fadyen] with the but-end of
his gun, and said he would make him go. Immediately thereafter, the
other came up, and presented a pistol to his breast; and so, after he
had made what defence he was able, and had received several
wounds, they carried him about a quarter of a mile off the way, and
cut the cloak-bag from behind his saddle, and carried away his
money.’
Among other steps taken by the Privy Council in consequence of
this daring robbery, was to ‘recommend Sir James Leslie,
commander-in-chief for the time of their majesties’ forces within this
kingdom, to cause make trial if there be any such person, either
officer or soldier, amongst their majesties’ forces, as the persons
described.’ They sent the same recommendation to the Earl of Leven
with regard to ‘the officers which are come over from Flanders to levy
recruits.’
This seems to have put the military authorities upon their mettle,
and they engaged a certain Sergeant Fae, of Sir James Leslie’s
regiment, as a detector of the robbers, ‘upon his own expenses,
except five pounds allowed him by the [Privy Council].’ The sergeant,
an enterprising fellow, with ‘a perfect abhorrence of such villainies,’
went into the duty assigned him with such zeal and courage, that he
soon, at the hazard of his life, made seizure of several robbers, of
whom two were convicted. Three months of 1693. Apr. 5.
this work having, however, exhausted his
means, he was obliged to petition for further encouragement, and the
Privy Council ordered him ten pounds for the past service, and five
pounds for every robber whom he might apprehend, and who should
be convicted in future.[103]
A great number of the smaller lairds of Apr. 11.

Fife were Jacobite; among the rest, David
Boswell of Balmouto. On the other hand, the Earl of Leven, one of
the nobility of the county, stood high in office under the Revolution
government. Besides a general quarrel with the earl on this ground,
Balmouto had probably some private cause of offence to exasperate
him; but on this point we only have conjecture.
At the date noted, there was a horse-race at the county town,
Cupar; and both gentlemen attended. It is alleged that Balmouto first
waited near a house in the town where the earl was, in expectation of
his coming forth, but afterwards went away to the raceground. There,
as the earl was quietly riding about, Balmouto came up to him
behind his back, and struck him twice or thrice over the head and
shoulders with a baton. On his lordship turning to defend himself,
the assailant struck the horse on the face, and caused it to rear
dangerously. Balmouto then fired a pistol at the earl without effect,
and was immediately seized by the bystanders, and prevented from
doing further mischief.
In a debate before the Privy Council on this case, after hearing
representations from both parties, it was held that the earl’s
complaint was proved, while an attempt of Balmouto to make out a
counter-charge of assault against Lord Leven was declared to have
failed. Balmouto was obliged to beg the earl’s pardon on his knees,
and, on pain of imprisonment, give caution for future good-
behaviour.
On the ensuing 13th of March 1694, Balmouto is found
representing to the Council that ‘his misfortune has been so great,
that his friends are unwilling to interest themselves in his liberation,
whereby his family is in hazard to be ruined, and himself to die in
prison;’ and he craved that they would accept his personal obligation,
and allow him his liberty. The Earl of Leven having concurred in
desiring this, the petition was complied with.[104]
A broadside published this month at 1693. JUNE.
Glasgow, under the title of the Scottish
Mercury, ‘by Mr John Stobo, student in astrologophysick,’ being
dated, however, ‘from Kirkintilloch, where I dwell,’ makes us aware
that the almanac-making charlatanry was not unknown in Scotland.
We learn from it that the French nation are near a sad calamity; that
there were fears of conspiracies about Rome and Milan; and
Constantinople not likely to be free from tumultuous uproars of the
soldiery. ‘The conjunction of Venus with Jupiter relates to some
great lady’s marriage.’ The author professes to ground upon natural
causes, but not to conclude positively about anything—‘that belongs
to God’s providence.’ Finally, there is an advertisement informing
the world that John Stobo, as is known in many parts of this
kingdom, cures infallibly all diseases, couches cataracts, amputates,
&c., working for the poor gratis, and imposing upon the rich ‘as little
cost as may be.’
To promote the making of linen in June 14.

Scotland, an act was passed in 1686,
ordaining that ‘no corps of any persons whatsoever be buried in any
shirt, sheet, or anything else, except in plain linen,’ the relatives of
deceased persons being obliged, under heavy penalties, to come to
their parish minister within eight days of the burial, and declare on
oath that the rule had been complied with.[105] Another act was now
passed, ordaining that, for the same end, no lint should be exported
from the kingdom; that lint imported should be duty free; and
making sundry arrangements for a uniformity in the breadth of the

Full Chapter Rational Cybersecurity For Business The Security Leaders Guide To Business Alignment Dan Blum PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Full Chapter Rational Cybersecurity For Business The Security Leaders Guide To Business Alignment Dan Blum PDF

Uploaded by

Copyright:

Available Formats

Rational Cybersecurity for Business:

The Security Leaders' Guide to

Navigating the new retail landscape : a guide for

Cybersecurity Program Development for Business: The

Privacy, Regulations, And Cybersecurity: The Essential

China’s Intellectual Property Regime for Innovation:

Tribe Of Hackers Security Leaders: Tribal Knowledge

Becoming a global chief security executive officer a

Strategic Communication in Business and the Professions

The essential guide to business for artists designers

ISBN-13 (pbk): 978-1-4842-5951-1 ISBN-13 (electronic): 978-1-4842-5952-8

Copyright © 2020 by Dan Blum

About the Technical Reviewers�������������������������������������������������������������������������������xv

Chapter 1: Executive Overview��������������������������������������������������������������������������������� 1

Chapter 2: Identify and Align Security-Related Roles�������������������������������������������� 31

Chapter 3: Put the Right Security Governance Model in Place������������������������������� 61

3.1.3 Security Leadership Disengaged from Business Units������������������������������������������������� 63

Chapter 4: Strengthen Security Culture Through Communications

4.2.3 Attributes of Security Culture������������������������������������������������������������������������������������� 102

Chapter 5: Manage Risk in the Language of Business���������������������������������������� 123

5.4 Implement Tiered Risk Assessment������������������������������������������������������������������������������������ 135

Chapter 6: Establish a Control Baseline��������������������������������������������������������������� 157

6.3.5 Respond Effectively and Appropriately����������������������������������������������������������������������� 181

Chapter 7: Simplify and Rationalize IT and Security�������������������������������������������� 199

7.4.4 Collaborate with IT on Operationalizing Shared Security Responsibilities����������������� 215

Chapter 8: Control Access with Minimal Drag on the Business��������������������������� 227

Chapter 9: Institute Resilience Through Detection, Response, and Recovery������ 259

Chapter 10: Create Your Rational Cybersecurity Success Plan���������������������������� 297

Glossary of Terms and Acronyms������������������������������������������������������������������������� 315

Rational Cybersecurity Interview List

Security, Business, and IT Leaders

Adi Agrawal Rick Howard Tom Sinnott

Rational Cybersecurity Interview List

Security, Business, and IT Leaders

Deirdre Diamond Harshil Parikh

 hy Security Leaders Must Get the Business Fully

THE BREACH WAS PREDICTABLE

1) Security’s not considered to be a priority.

The Rational Cybersecurity Journey

Table 1. What the Book Is For

How the Book Is Organized

The Cybersecurity Pareto Principle

Cybersecurity is just a technical problem.

• Chapter 1: Executive Overview. Defines Rational Cybersecurity,

• Chapter 2: Identify and Align Security-Related Roles. Explains how

• Chapter 3: Put the Right Security Governance Model in Place.

• Chapter 4: Strengthen Security Culture Through Communications

• Chapter 5: Manage Risk in the Language of Business. Clarifies

risk issues from multiple sources, help apportion accountability and

• Chapter 6: Establish a Control Baseline. Lists the 20 security control

• Chapter 7: Simplify and Rationalize IT and Security. Argues that

• Chapter 8: Control Access with Minimal Drag on the Business.

• Chapter 9: Institute Resilience Through Detection, Response, and

• Chapter 10: Create Your Rational Cybersecurity Success Plan.

security environment. It’s designed to be used over a 90-day period,

How to Get the Most Out of the Book

• Read or review all chapters for comprehensive guidance on the six

• Select the chapter(s) that corresponds most closely to current

• Build a healthy security culture and governance model

• Manage risk in the language of the business

• Establish a control baseline

• Simplify and rationalize IT and security

• Institute cyber-resilience, detection, response, and recovery

About the Technical Reviewers��xv

Chapter 1: Executive Overview�� 1

Chapter 2: Identify and Align Security-Related Roles�� 31

Chapter 3: Put the Right Security Governance Model in Place�� 61

3.1.3 Security Leadership Disengaged from Business Units�� 63

Chapter 4: Strengthen Security Culture Through Communications

4.2.3 Attributes of Security Culture�� 102

Chapter 5: Manage Risk in the Language of Business�� 123

5.4 Implement Tiered Risk Assessment�� 135

Chapter 6: Establish a Control Baseline�� 157

6.3.5 Respond Effectively and Appropriately�� 181

Chapter 7: Simplify and Rationalize IT and Security�� 199

7.4.4 Collaborate with IT on Operationalizing Shared Security Responsibilities�� 215

Chapter 8: Control Access with Minimal Drag on the Business�� 227

Chapter 9: Institute Resilience Through Detection, Response, and Recovery�� 259

Chapter 10: Create Your Rational Cybersecurity Success Plan�� 297

Glossary of Terms and Acronyms�� 315

hy Security Leaders Must Get the Business Fully

The Rational Cybersecurity Journey

How the Book Is Organized

How to Get the Most Out of the Book

Let’s begin by understanding why cybersecurity-business alignment on a well-

1.1 Understand the Rational Cybersecurity Context

1.1.1 Risk and the Digital Business

1.1.2 Compliance and the Duty to Protect