Ryan Leirvik
Arlington, VA, USA
ISBN 978-1-4842-7820-8 e-ISBN 978-1-4842-7821-5
https://doi.org/10.1007/978-1-4842-7821-5
© Ryan Leirvik 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.
The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.
Foreword
Some of us love building from scratch. As children, we gather stones and sticks and construct little cities where our imaginations can roam. As apparent grownups, we often must build something from scratch, except there is no such thing as scratch. Everything has a history and a foundation, sometimes of neatly pointed stone, sometimes of toothpicks and chewing gum.
Tasked with building or rebuilding a security organization, we are confronted with a formidable challenge that feels like building from scratch; however, be assured that the bits and pieces are there, only strewn about in your organization.
After years as a scientist and research leader, my own security from scratch work ranged from building a product security organization, a privacy organization, and twice creating world-class information security organizations within Fortune 500 corporations. There was never a truly blank sheet. The foundations were there but ranged from sticks and stones to a few solid pillars.
In my story, I was three years into my team's great work in creating the first Philips information security organization when I began to appreciate how much I enjoyed the build phase and not so much the operational phase. So, after a change in CIO, I retired from Philips to start my own consulting company. My brief sojourn into private practice ended when I joined Becton Dickinson to create another new CISO office, seeing a chance to build yet again and learn from a whole new set of mistakes. The new program at BD was firmly in place after four years, and I left to return to consulting, where I remain today.
Ryan Leirvik and I, for some time, have served as faculty at IANS Research (IANSResearch.com), a company providing its customers and the world with security insights from experienced practitioners. We did not meet there but were introduced by a colleague at McKinsey & Company and began a conversation about building InfoSec organizations. I quickly challenged Ryan to define risk. Although he looked a little startled, he did not hesitate to immediately provide a clear definition along with, "By the way, I have just finished writing a book on building a strong security program that hinges on first defining risk." What followed was an exchange where each of us would make a statement or two about building a program, and the other would pause, wide-eyed, and say "Exactly!" It seems that I had found a kindred spirit, a builder who had worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. His cyber work at the US Department of Defense, his McKinsey consulting, and his advisory and survey work with IANS gave him a unique global view of our shared passion. My in-the-trenches build work with Fortune 500 multinationals and my CISO advisory work had given me a similar pragmatic perspective.
I was delighted to read Ryan's near-final copy of the book, and I jumped at the chance to provide this foreword. Ryan has assembled an extremely straightforward guide to building a strong risk-based cybersecurity program.
The world has significant problems with cybersecurity. We all appreciate the value provided by an ecosystem of pervasive, connected, smart things doing what we want and need. The problem is that while the complexity of hardware and software interconnection grows exponentially, so do the opportunities to exploit weaknesses. This can be quite rewarding for criminal and state actors seeking to illicitly profit or grow their power. On the cyber defense side, the complexity of what we must protect is astronomical. The landscape and its attack surface constantly grow, fold, and confound. This too often leads us to analysis (and solution) paralysis in addressing cybersecurity risk. Without due care, we can become reactive robots.
With an eye toward sustainable organizational success, Ryan begins his recipe with the development and propagation of shared definitions of risk, threat, critical, and other essential terms. This is the first of many step-by-step instructions on assembling the right elements, arranging them by priority, and establishing activities and projects to meet specific and measurable goals. Along the way, Ryan provides plenty of examples and small, simple rules, templates, and checklists to accelerate the first phases of the journey, with emphasis on developing a short, meaningful list of targeted metrics. He provides a great way to start and grow your organization's risk management practice. Further, he emphasizes the takeaways by pointing out the pitfalls and providing meaningful examples of how a program might proceed.
I personally like to apply the Rumsfeldian lens to determine the completeness of a cybersecurity program, and this book hits all the marks. Ryan's book addresses the "known knowns" by systematically creating an asset inventory using a simple top-down practice. The "known unknowns" materialize as articulated risks assembled into a simple risk registry that is used to build consensus on the potential for harm, thus driving the priority of activities and projects. The problematic "unknown unknowns" are addressed by creating an information security organization that adopts a framework like the NIST CSF, preparing for the unexpected by using frameworks to ensure we have skills across all the cyber disciplines. Holistically, the book emphasizes the need for balance, and Ryan lays out a discipline of regular top-down re-inspection to ensure the completeness of the program.