Background on me, why I am writing this book and how it will be developed and released online.
Part One. Strategic & Tactical Risk Management
This section discusses strategic and tactical risk management, what these processes are and how to perform them. The results of this exercise will form the basis for your security program.
Chapter 1. Choose your paradigm
Why cyber risk is different, and how this contributes to the problems of measurement, action and ineffective risk mitigation. The differences between Heuristic and Complex Risk Assessment Processes (CRAP). Medical vs insurance risk paradigms. Strategic/Tactical and Operational – what do they all mean. Timeframes involved. Strategic/Tactical and ERM.
Chapter 2. What are you trying to protect?
What are the assets of the organization? Beyond just “information”, you need to understand your organization, how it makes money and what technologies and processes are associated with that. Understanding your company’s brand, and the qualities of that brand which are integral to the company’s success.
Chapter 3. Who are you trying to protect your assets from?
Understanding threats in business terms, the threat actors behind these threats, and their motivations and means of attack. Building the foundation for prioritizing your risk appropriately. FELT, the big 4 threats.
Chapter 4. How will you protect your assets?
Once you understand the common means of attack from your threats, you are positioned to consider appropriate controls to mitigate your risks. Calculating your risk and evolving your controls and security program using frameworks is discussed. Crawl, walk, run concepts.
Chapter 5. How do you sell and monitor your plan?
Presenting your plan and measuring progress is discussed, including everything from KPIs for tracking to board-level presentation formats and pointers on how to talk with the board.
Part Two. Operational Risk Management
This section discusses operational risk management and how it forms the basis for day-to-day management of risk, covering everything from audit findings to pen test results to your latest vulnerability scans.
Chapter 6. What to measure
What to measure, using the example of the latest critical Microsoft vulnerability. Not using your risk register as a dumping ground, but instead for exceptions to operational processes (unable to patch within required time frames, obsolete systems, etc.).
Chapter 7. How to measure
How to calculate operational risk and justify the outcomes in business terms. How the heuristic operational risk method compares to other risk assessment methods, and why it is better, faster and more understandable.
Chapter 8. Putting it all together
Integrating operational risk into your information security program. Who does what and how to report, escalate and track operational risk. How all the aspects of risk support the development and evolution of the overall security program.
This Table of Contents will evolve as the book develops but should represent the best current view of the book contents and direction.