Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program

✍ Scribed by Ryan Leirvik


Publisher
Apress
Year
2023
Tongue
English
Leaves
239
Edition
2
Category
Library


✦ Synopsis


When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid.

A plethora of cybersecurity management resources are available―many with sound advice, management approaches, and technical solutions―but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.

This second edition provides tools and methods in a straightforward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and third-party risk programs, and additional "how to" tools and material for mapping frameworks to controls.

Praise for Understand, Manage, and Measure Cyber Risk

What lies ahead of you in the pages of this book? Clean practicality, not something that just looks good on paper, brittle and impractical when exposed to the real world. I prize flexibility and simplicity instead of attempting to have answers for everything and the rigidity that results. This simplicity is what I find valuable within Ryan's book. Tim Collyer, Motorola Solutions

It seems that I have found a kindred spirit, a builder who has worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. Ryan's cyber work in the US Department of Defense, his McKinsey & Company consulting, and his advisory and survey work with IANS give him a unique global view of our shared passion. Nicholas J. Mankovich, PhD, MS, CISPP


Who This Book Is For

CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk

✦ Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Foreword 1
Foreword 2
Introduction
Part I: The Problem
Keep in Mind
Chapter 1: What Is the Problem?
Introduction
Chapter 2: Why Is It Complicated?
Introduction
Technology Is Everywhere
Technology Is Complex
Technology Was Built on Trust
Technology Is an Opportunity for Misuse
The Fundamental Risk Is Not Always Understood
… and Business Leaders Need to Know What to Do
Keep in Mind
Lack of a Common Cybersecurity Risk Language
Unclear Answers for Proper Oversight
Oh, and Umm… Distractors
Chapter 3: How to Address This Problem
Introduction
Understand the Risk
Manage the Risk
Apply a Framework
Structure the Organization
Set a Review Frequency
Prepare to Respond (and Recover)
Measure the Impact of Risk Management
Keep in Mind
Choose Risk-Informative Measures
Apply Appropriate Resources
Drive for Value
Be Clear on What to Measure
Avoid Chasing “Perfect” (It’s Not That Valuable)
Part II: The Solution
Keep in Mind
Chapter 4: Understanding the Problem
Introduction
Rules to Follow
Be Clear About the Problem (Critical Assets Are at Risk)
Settle on a Definition of Risk
Settle on a Definition of Critical
Inventory and Categorize Critical Assets
How to Inventory and Categorize Critical Assets
Step 1. Acknowledge That Asset Management Is Hard
Keep in Mind
Step 2. Develop the Business Case
Step 3. Define Your Asset Classes
Step 4. Collect and Inventory in Each New Asset Class
Step 5. Identify the Most Critical Assets
Identify the Risks to These Critical Assets
How to Identify the Risks to These Critical Assets
Step 5a. Perform a Threat Analysis
How to Walk Through an Overview of a Threat Model
Step 5b. Discover Vulnerabilities
Step 5c. Anticipate the Business Impact of an Event
Step 5d. Pull It Together in the Risk Register and Keep It Updated
Step 5e. Know the Applicable Laws and Regulations
Step 5f. Connect Cybersecurity Risk to Enterprise Risk
Understanding the Problem: A Recap
Recent Examples
Example 1. Getting Started with a Program
Example 2. From Legacy “Perfection” to “Good Enough”
Example 3. Data Protection Strategy, Please
Example 4. What Risk?
Pitfalls to Avoid
Chapter 5: Manage the Problem
Introduction
General Observations and Guidelines for Managing the Risk
Observations
Guidelines
Rules to Follow
Focus on One Framework
Structure the Program Approach
How to Structure the Approach
Step 1. Set the Structure
Step 2. Align the Risk-Mitigating Activities
Step 3. Assign Roles and Responsibilities
Step 4. Identify Gaps and the Appropriate Activities to Fill Them
Step 5. Look Externally (Third-Party Risk Management)
How to Build Out the TPRM Questionnaire
Step 5a. Split the Questionnaire into Logical Columns
Step 5b. Build Each Column Upon the One Before
Step 5c. Directly Relate the Question to the Risk
Keep in Mind
How to Verify Your External Look
Step 5d. Link a Software Bill of Materials to the TPRM Program
Step 5e. Build a Feedback Mechanism for Vendors
Step 5f. Align to Procurement and Purchasing
Keep in Mind: Third-Party Risk Management
Step 6. Pick the Right Tools and Avoid Distraction
Set a Program Review Frequency
Prepare to Respond and Recover
Managing the Problem, a Recap
Recent Examples
Example 1. Addressing Too Many Frameworks
Example 2. Many TPRM Tools
Example 3. From Controls Focus to a Risk Strategy
Example 4. Third-Party Without a Checklist
Pitfalls to Avoid
Chapter 6: Get Ready for Measures
Introduction
Keep in Mind: Consider the Broad View of Risk for Measurement
Chapter 7: Measure the Problem
Introduction
Rules to Follow
Choose Informative Measures That Provide Actionable Values
How to Choose Informative Measures
Step 1. Choose Actionable Measures
Step 2. Define Clear Addressable Activities
Step 3. Provide Actionable Reviews
Research What Others Have Done (Measures That Have Worked)
Measures That Have Worked
Be Clear About the Math
Straight Math
Less-Than-Straight Math
Gain Buy-In from Stakeholders
Develop a Reporting Structure for Consistency
Allow Measures to Mature Over Time
Keep in Mind: Consider the Insights
Recent Examples
Example 1. Simple Measures, Anyone?
Example 2. Too Much Data, Not Enough Information
Pitfalls to Avoid
Chapter 8: Report Upward
Introduction
Rules to Follow
Rules to Follow: Report Upward
Choose a Consistent Reporting Structure
Provide Clear and Informative Measures
Keep in Mind: Consider the Value
Use Straightforward Terms
Provide Recommendations for All Problems
Pitfalls to Avoid
Chapter 9: Questions Boards Should Ask
Introduction
A Tear Sheet for Boards
Chapter 10: Conclusion
Introduction
First, Understand the Risk
Next, Manage the Risk
Then, Measure the Risk
Go Forth and Prosper
Appendix
Illustration
Illustration: Structured Approach
Step 1. Set the Structure
Step 2. Align the Risk-Mitigating Activities
Step 3. Assign Roles and Responsibilities
Step 4. Identify Gaps (Including Third Parties) and the Appropriate Activities to Fill Them
Step 5. Set the Action Plan
Index