Cybersecurity Metastrategy book

This is not an average book. It respects your time. Each page matters and provides a Return On Investment (ROI) for your time and effort.

It offers a radical idea that might be challenging for you to accept: pretty much everything you think you know and have been conditioned to believe about Information Security, is wrong.

This book is for you, whether you’re a business owner, C-level executive, board member, tech leader, or other kind of key business leader. By reading this book, you’ll give yourself the opportunity to avoid being misinformed about security. This is incredibly important.

Cybersecurity Metastrategy is offering the truth. You might not like it, but you need to hear it.

Available for purchase at the following online stores:

Here are some of the things you can discover:

  • The crucial difference between providing information and giving advice (page 2)
  • What Harry Houdini can teach you about securing your business (page 3)
  • How to choose the right security strategies for your organization (page 7)
  • Why long-term security plans are a colossal waste of time (page 9)
  • What’s the difference between confidence and arrogance among security and business leaders? (page 12)
  • The real difference between InfoSec and cybersecurity (page 13)
  • The hidden truth about the InfoSec industry that nobody talks about (page 19)
  • How IT and cybersecurity vendors trick CISOs and leaders into buying their tools (page 19)
  • How the stock market reacts to cyber breaches in public companies (page 19)
  • Why have security certifications become an HR filter, and why is this entirely wrong? (page 20)
  • Is there really a huge demand for talent in the industry? (page 21)
  • Why do most business leaders ignore security, and is it their fault? (page 21)
  • How do you recognize incompetent security leaders? (page 21)
  • Why do your third-party vendors love incompetent security leaders? (page 22)
  • Why is the ‘less is more’ principle especially important in cybersecurity? (page 22)
  • What can Michael Scott, Regional Manager at Dunder Mifflin, teach you about cybersecurity? (page 23)
  • Why do most cybersecurity companies treat symptoms, not problems? (page 23)
  • How are you wasting money and increasing security risks while thinking you’re improving security? (page 24)
  • How to deal with the problem of purchasing unnecessary or insecure software? (page 25)
  • What’s the key lesson behind “companies get dumber as they grow,” and how do you avoid this mistake? (page 28)
  • How do you drastically improve your procurement process and avoid third-party security risks? (page 30)
  • What is “security tax” and how do IT and cybersecurity vendors avoid it? (page 34)
  • Why are security questionnaires and Master Service Agreements poor security controls and only give you a false sense of security? (page 35)
  • What’s the simple secret to why your engineers aren’t securing your systems, your software developers aren’t writing secure code, and your product managers rarely prioritize product security, and how can you fix it easily? (page 36)
  • What’s the myth of security and compliance automation popularized by “become security compliant in weeks” platforms? (page 38)
  • Why are VC investors excited about the InfoSec industry—and why is this bad for you as the end user of security startups? (page 39)
  • Does SOC 2 have any real security value? How does it compare to ISO 27001? (page 40)
  • How should you correctly, precisely, and accurately think about the concept of security? (page 49)
  • How do cognitive biases act as filters of our reality and lead to decision-making problems? (page 50)
  • Why is security more complex than finance, legal, sales, or marketing—and how can you profit from this awareness? (page 51)
  • How do cognitive biases, logical fallacies, heuristics, and mental models influence decision-making, including your personal and organizational security decisions? (page 54)
  • How can you tell if you’re a rational, logical human being who sees the world as it really is, or if you’re lost in delusion? (page 55)
  • What is ADPC, how is it different from the PDCA (Plan, Do, Check, Act) method, and why does it matter for your business’s security? (page 56)
  • What can Tolstoy teach you about building InfoSec programs and strategic cybersecurity roadmaps? (page 59)
  • What’s the trick a famous American businessman used to determine if executives aren’t very bright? (page 59)
  • Why are your organization, your business, and probably you—the business leader—prime targets for cybersecurity attacks? (page 60)
  • What are the two most dangerous applications your employees use daily in a security context? (page 61)
  • How do you calculate the probability of experiencing a cybersecurity incident within a minute—an original method published for the first time? (page 62)
  • What’s the case study on how a simple human mistake led to a security incident in production infrastructure, which, by pure luck, wasn’t exploited by the attacker—and if it had been, it would have cost my client millions? (page 63)
  • Why are most statistics in the InfoSec industry mostly BS, and how do you actually get valuable data? (page 64)
  • What’s the biggest security risk to your organization and business, why can’t you identify it alone, and even if your security leader knows about it (most don’t), why would they be afraid to bring it up to you? (page 65)
  • How do you identify projects with the “Watermelon status” and ensure they are successfully completed without harming your organization’s safety and security? (page 67)
  • What is the overconfidence bias, and why is it the most important bias for executives to be aware of? (page 67)
  • Why is it your responsibility to take care of your organization’s security? (page 75)
  • How do you tell if your organization suffers from a fire-fighting culture, what are the negative consequences, and how do you fix it? (page 76)
  • What is the secret to dealing with politically sensitive and culturally complex matters such as changing organizational culture, based on the author’s experience with dozens of companies? (page 77)
  • What should you know about cybersecurity risks and their relation to business risks? Or what do NIST, ENISA, SEC, and the European Central Bank agree on regarding cybersecurity risk, and why must you be aware of it? (page 83)
  • Why can’t Information Security be achieved using IT alone? (page 84)
  • What’s the difference in approach to work in organizations that frequently have security issues versus those that don’t, and what can you learn from it? (page 86)
  • How can your organization easily avoid the majority of security issues and risks, and why is no one telling you about this? (page 86)
  • Why is “Security is everyone’s job” a misleading and incorrect statement and approach to security? (page 87)
  • What do companies hit by ransomware have in common, and how can you minimize your chances of becoming one? (page 94)
  • How can you protect your organization from ransomware in an easy and almost cost-free way? (page 95)
  • Is there really a huge lack of talented people in the Information Security industry? (page 98)
  • How does a bad promotion strategy negatively impact the security of your entire organization? (page 99)
  • How and why do companies end up with incompetent security leaders (most make the same mistake, which is easily avoidable!)? (page 100)
  • What is the Core Competency Factor, and why is it crucial when hiring any leader or asking for their advice? (page 102)
  • What can Dwight Schrute, Assistant (to the) Regional Manager, Dunder Mifflin, teach you about hiring security leaders? (page 104)
  • How can you detect and identify incompetent security leaders who “fake it until they make it”? (page 104)
  • Why can’t HR detect incompetence in security leaders, and what can you do about it as a business leader? (page 103)
  • Can security really be a business enabler, and if so, how can you achieve it? (page 109)
  • Why is it impossible to calculate the Return on Investment (ROI) for security, and what can you do instead? (page 112)
  • How do you stop people from stealing from your business—whether it’s office equipment, money, proprietary data, or intellectual property? (page 117)
  • What are the three conditions that, if met, will encourage people who tend to lie or steal to engage in such activities in your organization, and which one can you control? (page 118)
  • How do you ensure that your CISO or any other business leader isn’t taking bribes or engaging in unethical behavior? (page 120)
  • What’s the main reason your employees don’t respect your security policies, and how can you fix this problem easily as a business leader? (page 121)
  • Why is developing a security culture the most important strategy for most organizations, and how can you implement it with minimal financial costs? (page 125)
  • Why is changing organizational values the wrong place to start if you want to change the organizational culture, and what should you do instead? (page 127)
  • Why is knowledge from experience a crucial characteristic of a world-class security leader? (page 130)
  • Why is the “less is more” principle especially important in cybersecurity, and how can your business profit from it? (page 135)
  • Understand the most important aspect of security risk management within a minute, with this specific example (page 136)
  • What does it mean to operate at the “speed of trust,” and how can you achieve it in your business? (page 140)
  • What’s the core difference between a strategy and a metastrategy, and why is it crucial for your organization’s safety and security? (page 143)
  • What are the two key factors of any strategy, and which single factor causes most strategies to fail? (page 144)

and much, much more…