Paperback Edition
Paperback
284 pages
$34.95
Choose vendor to order paperback edition
BrownWalker Press Amazon.com Barnes & Noble Harvard Book Store Return policy
PDF eBook
Sample Preview
Size 745kB
Free
Download a sample of the first 25 pages
Download Preview

Entire PDF eBook
5583kB
$32
Get instant access to an entire eBook
Buy PDF Password Download Complete PDF
eBook editions

How to Manage Cybersecurity Risk

A Security Leader's Roadmap with Open FAIR

Formats:  Paperback, eBook PDF
Publisher:  Universal Publishers
Pub date:  2019
Pages:  284
ISBN-10:  1627342761
ISBN-13:  9781627342766
Categories:  Computer Science  Computers  Business & Economics

Abstract

Protecting information systems to reduce the risk of security incidents is critical for organizations today. This writing provides instruction for security leaders on the processes and techniques for managing a security program. It contains practical information on the breadth of information security topics, referring to many other writings that provide details on technical security topics. This provides a foundation for a security program responsive to technology developments and an evolving threat environment.

The security leader may be engaged by an organization that is in crisis, where the priority action is to recover from a serious incident. This work offers foundation knowledge for the security leader to immediately apply to the organization's security program while improving it to the next level, organized by development stage:
• Reactive--focused on incident detection and response
• Planned--control requirements, compliance and reporting
• Managed--integrated security business processes
The security leader must also communicate with the organization executive, whose focus is on results such as increasing revenues or reducing costs. The security leader may initially be welcomed as the wizard who applies mysterious skills to resolve an embarrassing incident. But the organization executive will lose patience with a perpetual crisis and demand concrete results. This writing explains how to communicate in terms executives understand.

WORDS OF PRAISE and REVIEWS

See Book review by Ben Rothke of RSA Conference (2020-Feb-28)

Chris has a depth of knowledge and understanding with a rational approach to information security born from a career as a practitioner and leader. I really like his practical methodology to solving what appears to be a complex issue, simplifying the approach to identifying the challenges and presenting solutions. He outlines the necessity to fully understand the lifecycle of cyber security; identifying the issues, cataloguing your assets, defining responsibilities so that you can hold people to account, mapping your control frameworks, identifying your dependencies including your people and your third parties, exercising your crisis plans, then to reporting on the status. 'Plan--Do--Check--Act!'
Kevin Williams, Head of the International Information Integrity Institute

Chris offers practical instructions and real-world examples of how to approach, describe, and action the mystical world of cyber security. Leveraging his 35+ years of experience he shows cyber professionals how to dissect problems into logical, achievable results for both technical staff and senior management. His conversational writing style, meaningful examples, and sequencing of actions allow the reader to define a roadmap that is tailored to their organizational maturity and structure. New cyber security professionals will welcome this how-to guide, while seasoned professionals will recognize the many deliverables they have left undone. Yet, the greatest gift for the reader is new insight on how good cyber practices allow you to quantify risk. Chris' introduction to the FAIR methodology de-mystifies the quantification of risk, empowers senior managers to make more informed decisions and defines critical priorities for the cyber teams.
Keith H. Herndon, VP of Cyber Security and Chief Information Security Officer, Baker Hughes

One of the hardest decisions a chief information security officer faces is defining the right problem to solve. In this book, Chris describes the approach to solve the right problem, that of how to effectively manage the risk of information technology. He presents a refreshingly pragmatic approach ranging from immediate crisis management through cost benefit analysis of an information security strategy. In this way, he takes the CISO on a path of maturity from a novice incident fire fighter to a mature, strategic organizational leader. By reading and applying this book, information security professionals everywhere will learn tactical and strategic action they can take now to build more effective security organizations.
Mike Jerbic, Chair, The Open Group Security Forum

"How to Manage Cybersecurity Risk" is a phenomenal resource for those people who want to do "risk management right." It is a wealth of experience from a passionate, seasoned professional who has tackled some of the industry's biggest risk scenarios and problems. It is a "must have" for both experienced GRC professionals as well as those new to this growing industry.
Alex Hutton, Security Executive

How to Manage Cybersecurity Risk is clearly written. By structuring it around three stages of cyber security maturity - Reactive, Planned, and then Managed - Chris ensures that security leaders at all levels will find it useful. He takes newly appointed security leaders of organizations mired in the Reactive stage firmly in hand, and guides them through the key steps required to stabilize the organization's security posture. For organizations in the Planned and Managed stages, Chris provides many valuable tools including excellent process templates for risk management, policy management, and more. He also discusses how to use quantitative Open FAIR risk analysis, even in the early stages, for security planning and risk analysis processes.
Dan Blum, Managing Partner and Principal Consultant, Security Architects, LLC

About the Author

Christopher T. Carlson is a pioneer, having arrived in his first computing security assignment at the dawn of the field in 1982. He created or substantially evolved practices in his security assignments including classified computing security, computing security policy and controls, security awareness, business unit security support, security assessments, access administration including role-based access, risk analysis and management, application security development life cycle, and international security. The goal of this writing is to provide lessons from the field so that those who follow need not start from scratch.





