Heuristic Risk Management: The Process
The next stage in the HRM journey involves all the documentation needed to get started
My book on Heuristic Risk Management (HRM) has now been out for almost a year and after receiving great reviews and feedback, it is now time to begin the next stage of the HRM journey. When I wrote HRM, my intent was to write a book of practical advice that would help security and business leaders create and manage an effective risk-based information security program that could be tailored to the most likely threats to their business and industry.
I did so by framing this challenge in a context in which it has largely been ignored - that we (security leaders) are at war against determined adversaries ranging from nation-states, to well-organized criminal enterprises, to malicious insiders in our organization. These adversaries are seeking to steal, manipulate, or destroy the information and business operations of organizations in order to advance their monetary or political objectives. My experience, and that of countless others, is that attempting to defend against these threats by applying a one-size-fits-all framework such as ISO/IEC 2700x or NIST 800-53 is a recipe for failure.
The key to information security survival is to understand and act against these threats in the context of risk management. Understanding your risks and using a simple and effective risk management process to prioritize the most effective countermeasures is your only hope of success (other than dumb luck). In that light, it is now time to translate Heuristic Risk Management (the book) into the materials needed to make these concepts a reality.
HRM: The Process
As the next stage of the HRM implementation process, I am going to be compiling sample documentation, processes, registers, reports, checklists, meeting agendas, etc., that can be used and tailored by security leaders to implement the concepts I discuss in HRM. All materials will tie back to the relevant chapters of HRM so that readers can understand their proper use.
I will make these materials for download through some website yet to be determined, and all materials will be open-sourced and freely usable/modifiable by readers. My intent is that this site will be operational before the end of the year.
My ask to any readers is to send me your suggestions on what content you think would be helpful in illustrating how to apply HRM in an organization, using the email address below. Please do not send me existing frameworks or process documentation such as the NIST Risk Management Framework - my focus is on what is simple and what works, which I would say is the polar opposite of the RMF. Also, please do not send me process materials from your organization (unless they are publicly available without restrictions - in which case, send a link, not the document).
HRM: The Story
As a last step to the HRM journey, it is my intent to write a book, in the style of The Goal, by Eliyahu M Goldratt and Jeff Cox, or The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford to help security leaders understand how to apply HRM concepts in their organization. The book will describe the journey of a new CISO joining an organization with significant information security challenges and risks, and how they applied HRM principles to build the program needed to protect their company and save the day when their organization was attacked.
For this stage of the journey, I am looking for an experienced writer and co-author to join me in writing this book, as I will be the first to admit that dialogue is the area where I have the least experience in writing. If you are interested, let’s talk and see if you are the right fit for the project.
Lastly, I am open to considering making this a joint effort with an organization that is focused on information security and risk management consulting and services, such as a Big 4 or a large MSSP. Doing so could provide a significant boost to your brand and your reputation, and will help promote your company as a thought leader in this space. Write me if you would like to discuss further.
If you would like to stay informed as this project progresses, please subscribe to the Heuristic Security, and you will receive email updates as things progress. My direct email address to write me regarding this project is michael.lines@heuristicsecurity.com. Happy 2025 and I look forward to helping everyone make it more secure for themselves and their organizations!