What do you think?
Rate this book
Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach
Stepping Through Cybersecurity Risk Management Authoritative resource delivering the professional practice of cybersecurity from the perspective of enterprise governance and risk management.
Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. It describes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments.
The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support.
Composed of 10 chapters, the author provides learning objectives, exercises and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.
Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information
Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self assessment and compliance with regulatory standards Cybersecurity measures and metrics, and corresponding key risk indicators The role of humans in security, including the “three lines of defense” approach, auditing, and overall human risk management Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies Providing comprehensive coverage on the topic of cybersecurity through the unique lens of perspective of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites, as well as regulatory requirements such as FFIEC, HIIPAA, and GDPR, as well as a comprehensive primer for those new to the field.
A complimentary forward by Professor Gene Spafford explains why “This book will be helpful to the newcomer as well as to the hierophants in the C-suite. The newcomer can read this to understand general principles and terms. The C-suite occupants can use the material as a guide to check that their understanding encompasses all it should.”
Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. It describes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments.
The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support.
Composed of 10 chapters, the author provides learning objectives, exercises and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.
Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information
Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self assessment and compliance with regulatory standards Cybersecurity measures and metrics, and corresponding key risk indicators The role of humans in security, including the “three lines of defense” approach, auditing, and overall human risk management Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies Providing comprehensive coverage on the topic of cybersecurity through the unique lens of perspective of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites, as well as regulatory requirements such as FFIEC, HIIPAA, and GDPR, as well as a comprehensive primer for those new to the field.
A complimentary forward by Professor Gene Spafford explains why “This book will be helpful to the newcomer as well as to the hierophants in the C-suite. The newcomer can read this to understand general principles and terms. The C-suite occupants can use the material as a guide to check that their understanding encompasses all it should.”
318 pages, Kindle Edition
Published March 20, 2024
3 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 of 1 review
June 5, 2024
If you want flashy information security videos heavy on glitz and gibberish, you can spend your days on TikTok, where so-called security influencers abound. One person you won't find there is Dr. Jennifer Bayuk. She is one of the brightest people in the industry, having worked in information security leadership roles at storied firms such as Bear Stearns, Citi, JPMorgan Chase & Co., and more.
I've been a fan of Bayuk's writings for a while and reviewed a few of her books, including Financial Cybersecurity Risk Management: Leadership Perspectives and Guidance for Systems and Institutions and CyberForensics: Understanding Information Security Investigations.
In her latest book, Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach (Wiley), Bayuk brings her decades of deep technical and business experience to the written page. She doesn't just theorize, but provides practical guidance on how to approach information security from the perspective of enterprise governance and risk management.
Economist W. Edwards Deming famously said, "If You Can't Measure It, You Can't Manage It." Yet when it comes to information security risk, far too many organizations don't even try to measure it but spend massive amounts of money on security hardware and software, often without knowing why.
The subtitle of the book, and the associated information detailed in the book, is perhaps more important than the title. Information security and risk professionals can better secure their organizations using a systems thinking approach. And by using that approach, they can often do it for less money. The book shows the reader how they can do that strategically. And by doing that, they can truly manage risk.
While there are numerous risk management tools available, the book stands out for its ability to provide a comprehensive understanding of information security risk. It equips the reader with a deep awareness of these areas, making it a valuable resource in the field.
One of the best methodologies (okay, it's really a taxonomy, not a methodology) around information security risk is Factor analysis of information risk (FAIR). So, I was surprised the book didn't at least mention FAIR. Developed by Jack Jones, it's a powerful tool that should be in every information security risk manager's playbook. Regarding FAIR, the book on the topic should be on your reading list.
As to Deming's observation, the truth is that there are things in information security that can't be measured, but they still need to be managed. And security risk managers need to make educated decisions about those things. The book does show how to deal with such scenarios that will come up in an enterprise setting.
Firewalking is the act of walking barefoot over a bed of hot embers or stones. For many, going through the risk management is akin to firewalking. In this valuable resource, Bayuk helps you successfully navigate that hotbed of information security risk. And shows how you don't have to get burned in the process.
I've been a fan of Bayuk's writings for a while and reviewed a few of her books, including Financial Cybersecurity Risk Management: Leadership Perspectives and Guidance for Systems and Institutions and CyberForensics: Understanding Information Security Investigations.
In her latest book, Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach (Wiley), Bayuk brings her decades of deep technical and business experience to the written page. She doesn't just theorize, but provides practical guidance on how to approach information security from the perspective of enterprise governance and risk management.
Economist W. Edwards Deming famously said, "If You Can't Measure It, You Can't Manage It." Yet when it comes to information security risk, far too many organizations don't even try to measure it but spend massive amounts of money on security hardware and software, often without knowing why.
The subtitle of the book, and the associated information detailed in the book, is perhaps more important than the title. Information security and risk professionals can better secure their organizations using a systems thinking approach. And by using that approach, they can often do it for less money. The book shows the reader how they can do that strategically. And by doing that, they can truly manage risk.
While there are numerous risk management tools available, the book stands out for its ability to provide a comprehensive understanding of information security risk. It equips the reader with a deep awareness of these areas, making it a valuable resource in the field.
One of the best methodologies (okay, it's really a taxonomy, not a methodology) around information security risk is Factor analysis of information risk (FAIR). So, I was surprised the book didn't at least mention FAIR. Developed by Jack Jones, it's a powerful tool that should be in every information security risk manager's playbook. Regarding FAIR, the book on the topic should be on your reading list.
As to Deming's observation, the truth is that there are things in information security that can't be measured, but they still need to be managed. And security risk managers need to make educated decisions about those things. The book does show how to deal with such scenarios that will come up in an enterprise setting.
Firewalking is the act of walking barefoot over a bed of hot embers or stones. For many, going through the risk management is akin to firewalking. In this valuable resource, Bayuk helps you successfully navigate that hotbed of information security risk. And shows how you don't have to get burned in the process.
Displaying 1 of 1 review