Understand, Manage, and Measure Cyber Risk
Understand, Manage, and Measure Cyber Risk, Apress
Practical Solutions for Creating a Sustainable Cyber Program
Von Ryan Leirvik, im heise Shop in digitaler Fassung erhältlich
Practical Solutions for Creating a Sustainable Cyber Program
Von Ryan Leirvik, im heise Shop in digitaler Fassung erhältlich
Produktinformationen "Understand, Manage, and Measure Cyber Risk"
When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid.
A plethora of cybersecurity management resources are available—many with sound advice, management approaches, and technical solutions—but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.
This second edition provides tools and methods in a straight-forward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and Third-party Risk Programs, and additional "how to" tools and material for mapping frameworks to controls.
PRAISE FOR UNDERSTAND, MANAGE, AND MEASURE CYBER RISK
What lies ahead of you in the pages of this book? Clean practicality, not something that just looks good on paper—brittle and impractical when exposed to the real world. I prize flexibility and simplicity instead of attempting to have answers for everything and the rigidity that results. This simplicity is what I find valuable within Ryan's book. TIM COLLYER, MOTOROLA SOLUTIONS
It seems that I have found a kindred spirit—a builder who has worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. Ryan's cyber work in the US Department of Defense, his McKinsey & Company consulting, and his advisory and survey work with IANS give him a unique global view of our shared passion. NICHOLAS J. MANKOVICH, PHD, MS, CISPP
WHO THIS BOOK IS FOR
CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk
RYAN LEIRVIK is a cybersecurity professional who has spent the better part of two decades enhancing information security programs at the world's largest institutions. With considerable US government and commercial sector experience, Ryan has employed his professional passion for cybersecurity at almost every level within an organization.
A frequent speaker on the topic of information security, Ryan fields several questions on “How do I make sure I have a sustainable cyber program?” This book was written to help answer that question.
Ryan has been the CEO of a cybersecurity research and development company, Chief of Staff and Associate Director of Cyber for the US Department of Defense, and a cybersecurity strategy consultant with McKinsey & Company. Ryan’s technology career started at IBM, and he has a master of IT degree from Virginia Tech, an MBA from Case Western Reserve University, as well as a bachelor of science from Purdue University. Ryan is also on the faculty at IANS.
INTRODUCTION
PART 1: THE PROBLEM
CHAPTER 1: THE SITUATION
CHAPTER 2: THE COMPLICATION
Information Technology or “IT” became pervasive near 1995, and after a quarter-century of IT in organizations, managers, engineers, and board-level oversight still speak different languages. The language divide creates a disconnect in the strategy-to-management-to-tactical thread that is critical for overall organizational risk management, not to mention overall business management. This complicates the ability for these functions to align on one language for managing cyber risk.
CHAPTER 3: THE RESOLUTION
One unified approach to cybersecurity:
· Be clear on identifying the risk
· Understand the risk
· Categorize the critical data at risk
· Determine the causes, consequences, and accountability of a data breach
· Identify the business impact of a breach
· Simplify how you manage the risk
· Apply a framework
· Structure the organization (i.e., staff and management)
· Prepare to respond (... and recover)
· Build feedback mechanisms to measure the risk
· Choose risk-informative metrics, Key Performance Indicators (KPI’s), and Key Risk Indicators (KPI’s
· Apply appropriate resources (e.g., measuring projects, overseeing initiatives)
PART 2: THE SOLUTION
CHAPTER 4: UNDERSTAND THE PROBLEM
Knowing what “problem” you are solving is the most critical part of problem solving. It is important to spend time exploring the main issue. This typically means asking others what they see as the problem, gathering facts and opinions (and knowing the difference between them), and then establishing a recommended problem to solve that categorically encompasses all the facts you have gathered. For example, the audit team will likely talk about the problem of fines and resources to remain in compliance. The contracts team will likely talk about the risks brought about by outside companies (aka Third Parties), and the tech teams will likely talk about the immediate risks to the network, applications, or endpoints. Each team is looking at their part of the enterprise risk, but are they all looking to one specific problem that aligns them all? Typically not. So, the solution becomes the one problem everyone is solving for and helps them focus on that. In this case, that might be: critical data and systems at risk. Communicating as one problem everyone is solving for has the benefit of pulling everyone together, instead of trying to manage everyone from within their view of the problem -- risk to critical data or systems. The solution here is to get them all focused on one problem so that managing the problem is much easier -- with everyone understanding that the problem is (i.e., keeping critical data and systems secure), the management of that becomes an easier tactical activity.
CHAPTER 5: MANAGE THE PROBLEM
· Guidelines up front: Settle on one approach (i.e., Framework) that best fits the business
· Complication is that no one framework fits any one organization’s risk profile perfectly
· Key is to pick a framework as a starting point and modify it to the organization (and as cyber risk management matures)
· Key to resolving this is to assign roles (e.g., an adversary, a manager, a third party); remember, there is a person at the center of the problem you are trying to manage
CHAPTER 6: MEASURE THE PROBLEM
· Guidelines up front: Board-level metrics are strategic, supported by tactical measures.
· Objective is to communicate three things: (1) Understand what is at risk; (2) Manage that risk; and (3) Measure your management through feedback metrics
· Educate the Board on what you are doing to reduce the risk
· Communicate the value of your programs: provide insightful measures
· Mature measures: measure what you can measure now, with a focus on what you want to measure
CHAPTER 7: CONCLUSION
* BE CLEAR ON IDENTIFYING THE RISK
· Understand the risk
· Categorize the critical data at risk
· Determine the causes, consequences, and accountability of a data breach
· Identify the business impact of a breach
* SIMPLIFY HOW YOU MANAGE THE RISK
· Apply a framework
· Structure the organization (i.e., staff and management)
· Prepare to respond (... and recover)
* BUILD FEEDBACK MECHANISMS TO MEASURE THE RISK
· Choose risk-informative metrics, Key Performance Indicators (KPI’s), and Key Risk Indicators (KPI’s
· Apply appropriate resources (e.g., measuring projects, overseeing initiatives)
APPENDIX: COMMON QUESTIONS (TBD)
APPENDIX: ILLUSTRATIONS (TBD)
A plethora of cybersecurity management resources are available—many with sound advice, management approaches, and technical solutions—but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.
This second edition provides tools and methods in a straight-forward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and Third-party Risk Programs, and additional "how to" tools and material for mapping frameworks to controls.
PRAISE FOR UNDERSTAND, MANAGE, AND MEASURE CYBER RISK
What lies ahead of you in the pages of this book? Clean practicality, not something that just looks good on paper—brittle and impractical when exposed to the real world. I prize flexibility and simplicity instead of attempting to have answers for everything and the rigidity that results. This simplicity is what I find valuable within Ryan's book. TIM COLLYER, MOTOROLA SOLUTIONS
It seems that I have found a kindred spirit—a builder who has worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. Ryan's cyber work in the US Department of Defense, his McKinsey & Company consulting, and his advisory and survey work with IANS give him a unique global view of our shared passion. NICHOLAS J. MANKOVICH, PHD, MS, CISPP
WHO THIS BOOK IS FOR
CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk
RYAN LEIRVIK is a cybersecurity professional who has spent the better part of two decades enhancing information security programs at the world's largest institutions. With considerable US government and commercial sector experience, Ryan has employed his professional passion for cybersecurity at almost every level within an organization.
A frequent speaker on the topic of information security, Ryan fields several questions on “How do I make sure I have a sustainable cyber program?” This book was written to help answer that question.
Ryan has been the CEO of a cybersecurity research and development company, Chief of Staff and Associate Director of Cyber for the US Department of Defense, and a cybersecurity strategy consultant with McKinsey & Company. Ryan’s technology career started at IBM, and he has a master of IT degree from Virginia Tech, an MBA from Case Western Reserve University, as well as a bachelor of science from Purdue University. Ryan is also on the faculty at IANS.
INTRODUCTION
PART 1: THE PROBLEM
CHAPTER 1: THE SITUATION
CHAPTER 2: THE COMPLICATION
Information Technology or “IT” became pervasive near 1995, and after a quarter-century of IT in organizations, managers, engineers, and board-level oversight still speak different languages. The language divide creates a disconnect in the strategy-to-management-to-tactical thread that is critical for overall organizational risk management, not to mention overall business management. This complicates the ability for these functions to align on one language for managing cyber risk.
CHAPTER 3: THE RESOLUTION
One unified approach to cybersecurity:
· Be clear on identifying the risk
· Understand the risk
· Categorize the critical data at risk
· Determine the causes, consequences, and accountability of a data breach
· Identify the business impact of a breach
· Simplify how you manage the risk
· Apply a framework
· Structure the organization (i.e., staff and management)
· Prepare to respond (... and recover)
· Build feedback mechanisms to measure the risk
· Choose risk-informative metrics, Key Performance Indicators (KPI’s), and Key Risk Indicators (KPI’s
· Apply appropriate resources (e.g., measuring projects, overseeing initiatives)
PART 2: THE SOLUTION
CHAPTER 4: UNDERSTAND THE PROBLEM
Knowing what “problem” you are solving is the most critical part of problem solving. It is important to spend time exploring the main issue. This typically means asking others what they see as the problem, gathering facts and opinions (and knowing the difference between them), and then establishing a recommended problem to solve that categorically encompasses all the facts you have gathered. For example, the audit team will likely talk about the problem of fines and resources to remain in compliance. The contracts team will likely talk about the risks brought about by outside companies (aka Third Parties), and the tech teams will likely talk about the immediate risks to the network, applications, or endpoints. Each team is looking at their part of the enterprise risk, but are they all looking to one specific problem that aligns them all? Typically not. So, the solution becomes the one problem everyone is solving for and helps them focus on that. In this case, that might be: critical data and systems at risk. Communicating as one problem everyone is solving for has the benefit of pulling everyone together, instead of trying to manage everyone from within their view of the problem -- risk to critical data or systems. The solution here is to get them all focused on one problem so that managing the problem is much easier -- with everyone understanding that the problem is (i.e., keeping critical data and systems secure), the management of that becomes an easier tactical activity.
CHAPTER 5: MANAGE THE PROBLEM
· Guidelines up front: Settle on one approach (i.e., Framework) that best fits the business
· Complication is that no one framework fits any one organization’s risk profile perfectly
· Key is to pick a framework as a starting point and modify it to the organization (and as cyber risk management matures)
· Key to resolving this is to assign roles (e.g., an adversary, a manager, a third party); remember, there is a person at the center of the problem you are trying to manage
CHAPTER 6: MEASURE THE PROBLEM
· Guidelines up front: Board-level metrics are strategic, supported by tactical measures.
· Objective is to communicate three things: (1) Understand what is at risk; (2) Manage that risk; and (3) Measure your management through feedback metrics
· Educate the Board on what you are doing to reduce the risk
· Communicate the value of your programs: provide insightful measures
· Mature measures: measure what you can measure now, with a focus on what you want to measure
CHAPTER 7: CONCLUSION
* BE CLEAR ON IDENTIFYING THE RISK
· Understand the risk
· Categorize the critical data at risk
· Determine the causes, consequences, and accountability of a data breach
· Identify the business impact of a breach
* SIMPLIFY HOW YOU MANAGE THE RISK
· Apply a framework
· Structure the organization (i.e., staff and management)
· Prepare to respond (... and recover)
* BUILD FEEDBACK MECHANISMS TO MEASURE THE RISK
· Choose risk-informative metrics, Key Performance Indicators (KPI’s), and Key Risk Indicators (KPI’s
· Apply appropriate resources (e.g., measuring projects, overseeing initiatives)
APPENDIX: COMMON QUESTIONS (TBD)
APPENDIX: ILLUSTRATIONS (TBD)
Artikel-Details
- Anbieter:
- Apress
- Autor:
- Ryan Leirvik
- Artikelnummer:
- 9781484293195
- Veröffentlicht:
- 13.06.23