Ben's Book of the Month: The Cybersecurity Guide to Governance, Risk, and Compliance


Posted on by Ben Rothke

In The Sixth Sense, Cole Sear says, "I see dead people." When it comes to risk, a cybersecurity professional will see risk everywhere. Risk is built into the very fabric of information technology. In fact, if one does not understand risk, they can’t be a competent Information Security professional.

But risk is not limited to information systems; it's part of every aspect of our lives, from the water we brush our teeth with in the morning to the transportation we take to work, the food we eat at lunch, and the mattress we sleep on at night. It's an inevitable part of life.

Sometimes, people think they can have a zero-tolerance approach to risk, but that is a fundamentally flawed idea. Jack Jones notes that the notion of zero risk tolerance is fundamentally, logically flawed because it can never be achieved.

Jones knows a thing or two about risk. He's chairman of the FAIR Institute, one of the foremost authorities in information risk management, and a co-author of Measuring and Managing Information Risk: A FAIR Approach, a seminal book about risk management.

For example, if an organization handles even one sensitive customer record, there will always be some potential for that record to become compromised. In fact, Jones argues that setting a policy to have zero risk tolerance may increase liability because an organization is automatically and inevitably out of compliance with that policy.

According to Jones, if he were involved in prosecuting that organization after a breach, he would use the existence of that policy against them, both from a noncompliance perspective and as evidence that they don't know what they're talking about.

Authors Jason Edwards and Griffin Weaver have written The Cybersecurity Guide to Governance, Risk, and Compliance (Wiley), a single-volume guide that provides a comprehensive overview of not just Information Security risk, but also governance, risk, and compliance (GRC).

Edwards is a principal security director at Amazon Web Services (AWS), and Weaver is a legal director at Dell. Together, they have written a book that is a good mix of technical, business, and legal information.

While Information Security has existed for generations, GRC is a relatively new concept. Scott Mitchell of OCEG defines GRC as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity." Those 19 words create a significant amount of work, which is why many enterprise organizations have large Information Security teams.

A background in security is not required to benefit from the book. The good news is that after finishing, the reader will have a very solid understanding of all of the major concepts around GRC.

While not an official Certified Information Systems Security Professional (CISSP) study guide, the book is a good reference for those studying for the CISSP exam.

There is no filler in the 31 chapters, and no topic is left unexplored. Each chapter comes with a case study, and there are real-world scenarios throughout the book. The amount of information covered is significant, and this is far from a book that can be read in a single sitting.

While the book contains a lot of theory, the authors provide plenty of actionable advice that the reader can implement.

For those looking for a robust and serious guide on GRC, The Cybersecurity Guide to Governance, Risk, and Compliance may have an underwhelming title, but it certainly makes up for it with excellent content.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
