Sutton's law states that when diagnosing, one should first consider the obvious. It’s named after the infamous bank robber Willie Sutton, who, when asked why he robbed banks, replied “because that's where the money is”. Whether Sutton actually said it is a separate discussion.

One should first consider the obvious in pretty much every endeavor. For financial services firms, it is eminently clear that information security must be of extreme importance. In Financial Cybersecurity Risk Management: Leadership Perspectives and Guidance for Systems and Institutions (Apress 978-1484241936), authors Paul Rohmeyer and Jennifer Bayuk draw on their extensive experience in the financial services sector to write a pragmatic and actionable guide to making sure that information security gets done.

When it comes to financial services security, the major players (Morgan Stanley, Chase, Citi, Goldman Sachs, et al.) have world-class information security programs. But for every Morgan Stanley, there are 100 smaller banks and credit unions that struggle to keep up with information security. This book is of value, though, to all of the aforementioned organizations.

Far too many books focus on hardware and tools. Rohmeyer and Bayuk don’t fall into that trap, and instead focus on understanding and mitigating risk. They detail topics such as scenario analysis, which makes an organization focus on the various scenarios that it will face in the real world. All the security hardware and software won’t amount to much if a firm does not understand in what specific scenarios they are expected to protect the organization.

Topics such as information risk and operational risk play a large part in the book. Only by understanding these areas can a firm even get close to truly dealing with information security, regulation, risk and more.

Towards the end of the book, the authors exhort the reader to get real about planning for information security and risk. They note that security is not a domain that tolerates theoretical attribution based on project plans. Rather, enterprise capabilities are only relevant when applied to real-world conditions.

The book shows the reader those real-world conditions, and how to effectively deal with security and risk. This is a serious book meant for a serious reader. There are no simple answers to the complex arena of financial services security and risk. For the reader looking to get equally serious about dealing with it, Financial Cybersecurity Risk Management is a worthwhile and tactical guide that can certainly help them on their journey.
