If you want flashy information security videos that can be heavy on glitz and gibberish, you can spend your days on TikTok, where security influencers abound. But it’s worth noting that not all of the brightest people in the industry are all social media. One person you won't find on TikTok is Dr. Jennifer Bayuk, who has worked in information security leadership roles at storied firms such as Bear Stearns, Citi, JPMorgan Chase & Co., and more.
I've been a fan of Bayuk's writings for a while and reviewed a few of her books, including Financial Cybersecurity Risk Management: Leadership Perspectives and Guidance for Systems and Institutions and CyberForensics: Understanding Information Security Investigations.
In her latest book, Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach (Wiley), Bayuk brings her decades of deep technical and business experience to the written page. She doesn't just theorize but provides practical guidance on how to approach information security from the perspective of enterprise governance and risk management.
Economist W. Edwards Deming famously said, "If you can't measure it, you can't manage it." Yet when it comes to information security risk, far too many organizations don't even try to measure it and instead spend massive amounts of money on security hardware and software, often without knowing why.
The subtitle of the book, and the associated information detailed therein, is perhaps more important. Information security and risk professionals can better secure their organizations using a systems thinking approach. And by using that approach, they can often do it for less money. The book shows the reader how they can strategically do more with less. And by doing that, they can truly manage risk.
While there are numerous risk management tools available, the book stands out for its ability to provide a comprehensive understanding of information security risk. It equips the reader with a deep awareness of these areas, making it a valuable resource in the field.
One of the best methodologies (okay, it's really a taxonomy, not a methodology) around information security risk is Factor Analysis of Information Risk (FAIR). So, I was surprised the book didn't at least mention FAIR. Developed by Jack Jones, it's a powerful tool that should be in every information security risk manager's playbook. Regarding FAIR, the book on the topic should be on your reading list.
As to Deming's observation, the truth is that there are things in information security that can't be measured, but they still need to be managed. And security risk managers need to make educated decisions about those things. The book does show how to deal with scenarios that will come up in an enterprise setting.
Firewalking is the act of walking barefoot over a bed of hot embers or stones. For many, going through risk management is akin to firewalking. In this valuable resource, Bayuk helps you successfully navigate that hotbed of information security risk and shows how you don't have to get burned in the process.