Stepping Through Cybersecurity Risk Management - by Jennifer L Bayuk (Hardcover)

Book Synopsis

Stepping Through Cybersecurity Risk Management

Authoritative resource delivering the professional practice of cybersecurity from the perspective of enterprise governance and risk management.

Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. It describes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments.

The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support.

Composed of 10 chapters, the author provides learning objectives, exercises and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.

Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information on:

• Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity
• Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self assessment and compliance with regulatory standards
• Cybersecurity measures and metrics, and corresponding key risk indicators
• The role of humans in security, including the "three lines of defense" approach, auditing, and overall human risk management
• Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies

Providing comprehensive coverage on the topic of cybersecurity through the unique lens of perspective of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites, as well as regulatory requirements such as FFIEC, HIIPAA, and GDPR, as well as a comprehensive primer for those new to the field.

A complimentary forward by Professor Gene Spafford explains why "This book will be helpful to the newcomer as well as to the hierophants in the C-suite. The newcomer can read this to understand general principles and terms. The C-suite occupants can use the material as a guide to check that their understanding encompasses all it should."

From the Back Cover

Authoritative resource delivering the professional practice of cybersecurity from the perspective of enterprise governance and risk management.

Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. It describes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments.

The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support.

Composed of 10 chapters, the author provides learning objectives, exercises and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.

Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information on:

• Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity
• Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self assessment and compliance with regulatory standards
• Cybersecurity measures and metrics, and corresponding key risk indicators
• The role of humans in security, including the "three lines of defense" approach, auditing, and overall human risk management
• Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies

Providing comprehensive coverage on the topic of cybersecurity through the unique lens of perspective of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites, as well as regulatory requirements such as FFIEC, HIIPAA, and GDPR, as well as a comprehensive primer for those new to the field.

Review Quotes

"Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach" by Jennifer L. Bayuk. FIVE STARS (or whatever the highest rating is) I have to admit that I usually don't get excited when a new cybersecurity book comes out, but this one was different. First, the focus is extremely important in today's environment: a systems thinking approach. The importance of this topic cannot be overstated. In an era where cyber threats are becoming increasingly sophisticated, a systems thinking approach provides the necessary framework to build resilient and robust security measures. Bayuk's ability to distill complex concepts into practical advice makes this book not only intriguing but also incredibly valuable for cybersecurity professionals at all levels. As a cybersecurity consultant for over 25 years, a lack of systems thinking is, perhaps, one of the most prevalent reasons for the host of breaches and incidents we are seeing. But most importantly, the author's credibility is what led me to rush to get a copy. Jennifer L. Bayuk is an esteemed professional in cybersecurity with a wealth of experience as an academic, consultant, and industry executive. She is extremely well-known in this space, especially in the Metro-NY area, so when Dr. Bayuk writes a book on cybersecurity, it behooves professionals in this space to read it. As such, "Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach" is a must-read for anyone serious about understanding the intricacies of cybersecurity and how to deploy cybersecurity principles. The book reads like a graduate school textbook on the topic, with each chapter delving into various topics, such as threats, controls, assessments, risks, etc. I found this format quite useful and used it as a reference guide, where I can quickly jump to the chapter covering the topic of interest. For example, I was preparing for a client meeting to discuss Risk Appetite and used some of her examples to discuss the topic with the company executives better. In another situation, trying to help a younger teammate understand the concept and value of Risk and Controls Self-Assessment (RCSA), I lent him the book, and he quickly brought himself up to speed. Ultimately, this book does more than highlight the challenges and risks of cybersecurity; it provides a roadmap for navigating these challenges. A cybersecurity program built around the systems thinking principles outlined in this book would surely be one a company could confidently invest in. Further, her authoritative voice and clear, insightful guidance make this book an essential addition to the library of anyone involved in the cybersecurity field. Review done by Jim Ambrosini

About the Author

Jennifer L. Bayuk is a cybersecurity due diligence expert with a MS in Computer Science and a PhD in Systems Engineering. She has been a Global Financial Services Technology Risk Management Officer, a Wall Street Chief Information Security Officer, a Big 4 Information Risk Management Consultant, a Manager of Information Technology Internal Audit, a Security Architect, a Bell Labs Security Software Engineer, a Professor of Systems Security Engineering, and a Private Cybersecurity Investigator and Expert Witness