Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program 2/e

Leirvik, Ryan

商品描述

When it comes to managing cybersecurity, most organizations tussle with the basic foundational components. This practitioner's guide lays down those foundational components, with real client examples and pitfalls to avoid.


A plethora of cybersecurity management resources are available--many with sound advice, management approaches, and technical solutions--but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.

This second edition provides tools and methods in a straightforward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and third-party risk programs, and additional "how to" tools and material for mapping frameworks to controls.

Praise for Understand, Manage, and Measure Cyber Risk

What lies ahead of you in the pages of this book? Clean practicality, not something that just looks good on paper--brittle and impractical when exposed to the real world. I prize flexibility and simplicity instead of attempting to have answers for everything and the rigidity that results. This simplicity is what I find valuable within Ryan's book. Tim Collyer, Motorola Solutions

It seems that I have found a kindred spirit--a builder who has worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. Ryan's cyber work in the US Department of Defense, his McKinsey & Company consulting, and his advisory and survey work with IANS give him a unique global view of our shared passion. Nicholas J. Mankovich, PhD, MS, CISPP


Who This Book Is For

CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk

Product Description (Chinese translation)

When it comes to information security management in an organization, most organizations struggle with the foundational components. This practitioner's guide introduces those foundational components and provides real client cases and pitfalls to avoid.

Many information security management resources are available, and many of them offer practical advice, management methods, and technical solutions, but few share one common theme that brings management and technology together with a focus on executive oversight. Author Ryan Leirvik solves these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for an information security risk management approach that applies to the entire organization.

This second edition provides tools and methods in a direct, practical way to guide the management of an information security program. Expanded sections include the important integration of information security risk management with enterprise risk management, the important connection between a Software Bill of Materials and third-party risk programs, and additional "how to" tools and material for mapping frameworks to controls.

Praise for Understand, Manage, and Measure Cyber Risk:

"What will the content of this book bring you? Practicality, not merely something that looks good on paper but is brittle and impractical in the real world. I value flexibility and simplicity rather than trying to have an answer for every question and the rigidity that results. This simplicity is what I find valuable in Ryan's book." - Tim Collyer, Motorola Solutions

"It seems I have found a kindred spirit: a builder who has worked with the CISOs of a wide variety of clients to build their programs, with a deep understanding of how a successful and sustainable program should be constructed. Ryan's information security work at the US Department of Defense, his consulting work at McKinsey & Company, and his advisory and survey work with IANS give him a unique global view of our shared passion." - Nicholas J. Mankovich, PhD, MS, CISPP

Who this book is for:

CISOs, CROs, CIOs, directors of risk management, and anyone working to pull together frameworks or basic metrics to quantify uncertainty and address risk.

About the Author

Ryan Leirvik is a cybersecurity professional who has spent the better part of two decades enhancing information security programs at the world's largest institutions. With considerable US government and commercial sector experience, Ryan has employed his professional passion for cybersecurity at almost every level within an organization.

A frequent speaker on the topic of information security, Ryan fields several questions on "How do I make sure I have a sustainable cyber program?" This book was written to help answer that question.


Ryan has been the CEO of a cybersecurity research and development company, Chief of Staff and Associate Director of Cyber for the US Department of Defense, and a cybersecurity strategy consultant with McKinsey & Company. Ryan's technology career started at IBM, and he has a master of IT degree from Virginia Tech, an MBA from Case Western Reserve University, as well as a bachelor of science from Purdue University. Ryan is also on the faculty at IANS.


About the Author (Chinese translation)

Ryan Leirvik is an information security professional who has spent nearly two decades enhancing information security programs at the world's largest institutions. With extensive US government and commercial-sector experience, Ryan has applied his professional passion for information security at almost every level of an organization.

Ryan frequently speaks on information security topics and has answered many questions along the lines of "How do I make sure I have a sustainable cyber program?" This book was written to help answer that question.

Ryan has served as CEO of an information security research and development company, Chief of Staff and Associate Director of Cyber for the US Department of Defense, and an information security strategy consultant at McKinsey & Company. Ryan's technology career began at IBM; he holds a master's degree in information technology from Virginia Tech, an MBA from Case Western Reserve University, and a bachelor of science from Purdue University. Ryan is also a faculty member at IANS.