Ben's Book of the Month Review of How to Manage Cybersecurity Risk

Posted on by Ben Rothke

With hard drive capacities continuously increasing, it is quite easy to underappreciate how much data is indeed available. Laptops now come standard with 1 terabyte hard drives. To put that into perspective, the entire Library of Congress contains but 15 terabytes of text. 


With that, firms are finding that they have massive data sets they need to secure. Compounded by the relatively low cost of storage, especially in the cloud, security and data risk management have never been more essential.


In How to Manage Cybersecurity Risk: A Security Leader's Roadmap with Open FAIR (Universal Publishers, ISBN 978-1627342766), Christopher Carlson has written a helpful guide that, as its title states, can help the reader ensure their data is appropriately secured and managed. That is done by ensuring that the specific risks to the organization are understood and measured.


The book is built around FAIR (Factor Analysis of Information Risk), a taxonomy of the factors that contribute to risk and of how those factors affect one another. A key FAIR driver is communication. Much as John Gray writes in Men Are from Mars, Women Are from Venus, miscommunication often stems from the two groups speaking different languages; here, the two groups are security and the business.


FAIR, as the book shows in part, provides methods to ensure that the CSO, security manager, or whoever is tasked with security can communicate risk effectively to senior management and the executive board.


A mistake security professionals make far too often is communicating to the board in the language of security, when the only language the board cares about is that of profits and results; that is, the language of business. To that end, FAIR, and this book, detail methods for expressing security items in terms that executives can appreciate and understand. When that is done, executives will also have significantly more confidence in their security teams and security management.


While the book discusses communication, its essential message is, as the title implies, about cybersecurity risk. The book uses FAIR as a methodology to assess, manage, and report on information and operational risk.


The book opens with an analogy to a hospital emergency room, where doctors quickly move to triage the situation. Medical triage has three main steps: identifying injuries, prioritizing treatments, and treating the priority injuries.


In the world of information security and incident response, that correlates to identifying exploited vulnerabilities, prioritizing corrective actions, and applying the priority corrective actions. An essential point here is that a security manager cannot begin any of these steps unless they have authority and resources delegated from the firm's executives.


In its 32 chapters, Carlson details all of the key areas relevant to data protection and risk management. For those new to risk management, Carlson shows how to determine and measure risk. Without that quantitative approach, firms will mismanage data security: they will use the wrong tools and tactics, leaving significant risks to their data unaddressed. On the other hand, a far too aggressive approach will make access to that data unnecessarily complicated and result in unneeded spending. Finding that balance is an art, and the book shows how to strike it.
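To make concrete what FAIR's "taxonomy of factors" and "measuring risk" mean in practice, here is an added example that is not code from Carlson's book or from the Open FAIR standard. It walks the top of the FAIR factor tree (Risk = Loss Event Frequency x Loss Magnitude; LEF = Threat Event Frequency x Vulnerability) with a Monte Carlo simulation over calibrated three-point estimates, and reports the result as annualized dollars, which is the business-language output the review argues boards want. The scenario name, the min/most-likely/max ranges, and the percentile summary are constructed for illustration and are not figures from the book.

```python
"""Added example: Monte Carlo estimate of annualized loss exposure using the
top levels of the FAIR factor tree. Scenario inputs below are constructed."""
import math
import random
import statistics

# Constructed scenario: each factor is a calibrated (low, most likely, high)
# estimate, as a FAIR analyst would elicit from subject-matter experts.
SCENARIO = {
    "name": "Credential stuffing against the customer portal (constructed)",
    "tef": (2.0, 6.0, 20.0),                  # threat events per year
    "vuln": (0.05, 0.15, 0.40),               # P(threat event becomes a loss)
    "lm": (20_000.0, 80_000.0, 400_000.0),    # loss magnitude per event, USD
}


def pert_mean(low, likely, high, lam=4.0):
    """Analytic mean of the modified-PERT distribution; handy for sanity checks."""
    return (low + lam * likely + high) / (lam + 2)


def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw from a modified-PERT distribution, the shape FAIR analysts commonly
    use for min / most likely / max estimates (a scaled Beta)."""
    if not (low <= likely <= high):
        raise ValueError("need low <= likely <= high")
    if high == low:
        return low
    alpha = 1.0 + lam * (likely - low) / (high - low)
    beta = 1.0 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the modest event rates used here
    (exp(-lam) underflows for rates in the hundreds)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def fair_simulate(scenario, iterations=10_000, seed=1):
    """Return one simulated annual loss (USD) per iteration.

    FAIR factor tree, top levels:
      Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
      LEF  = Threat Event Frequency (TEF) x Vulnerability
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                       # expected loss events this year
        n_events = poisson(rng, lef)           # realized count of loss events
        annual = sum(pert_sample(rng, *scenario["lm"]) for _ in range(n_events))
        losses.append(annual)
    return losses


def summarize(losses):
    """Board-facing summary: expected annual loss plus tail percentiles."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "median": s[n // 2],
        "p90": s[int(0.9 * (n - 1))],
        "max": s[-1],
        "p_no_loss": sum(1 for x in s if x == 0.0) / n,
    }


if __name__ == "__main__":
    summary = summarize(fair_simulate(SCENARIO))
    print(SCENARIO["name"])
    for key, value in summary.items():
        print(f"  {key:>10}: {value:,.2f}" if key != "p_no_loss"
              else f"  {key:>10}: {value:.1%}")
```

The mean of the simulation should land near the product of the factor means (pert_mean of TEF times pert_mean of Vulnerability times pert_mean of LM, roughly $165k for these constructed ranges); if it does not, the inputs or the sampler are wrong, which is exactly the kind of check a quantitative approach makes possible and a qualitative "high/medium/low" rating does not.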


For those looking for an authoritative guide to FAIR, Measuring and Managing Information Risk: A FAIR Approach, by Dr. Jack Freund and Jack Jones, is the definitive reference.

What Carlson's book does provide is an excellent introduction and overview of the topic. 


Throughout the book, Carlson shares numerous anecdotes from his decades of industry experience. These short stories give real-world grounding to the sometimes abstract concepts of risk management.


For those looking for a thorough introduction to the topic, How to Manage Cybersecurity Risk is a good read. FAIR is one of the lesser-known jewels in the world of information security, and Carlson is to be applauded for bringing it to light in this helpful reference.

Ben Rothke

Senior Information Security Manager, Tapad

Mobile & IoT Security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
