Computing Reviews

How to manage cybersecurity risk: a security leader’s roadmap with Open FAIR
Carlson C., Brown Walker Press, Boca Raton, FL, 2019. 308 pp. Type: Book
Date Reviewed: 12/25/20

Most chief information security officers (CISOs)/security risk managers probably wouldn’t join a new organization during, or right after, a breach; hence, readers may have to use their imagination to apply some of the advice. Having said that, How to manage cybersecurity risk is an easy-to-follow account of the author’s experiences with advising various organizations over the years. The book is clear about its target audience: small to midsize organizations that, for one reason or another, have not prioritized cybersecurity enough, but are now trying to fix this in light of an incident. The chapters follow the author’s advice to a new CISO, that is, the reader.

Broken into stages of maturity, the chapters are action plans categorized into react, plan, and manage phases. Part 1, “Reactive,” focuses on responding to the incident, assessing the current state, and making recommendations that also assess the organization’s risk appetite.

Part 2, “Planned,” walks readers through the various steps required to establish a comprehensive security program. The chapter on international coverage introduces readers to some key considerations when deploying various components of the program in jurisdictions around the world.

Finally, Part 3, “Managed,” describes the governance and assurance aspects required to make a program demonstrably compliant with applicable standards/regulations and sustainable.

Overall, this guide is a simple and succinct reference for security managers who want to add a bit of maturity to their security programs. Its introduction to Open FAIR, one of the most widely adopted risk management frameworks, will help readers continue their journey beyond the book via a community of trainers, educational material, and peer networks.

Reviewer: Phoram Mehta
Review #: CR147146 (2105-0111)

Reproduction in whole or in part without permission is prohibited.   Copyright 2024 ComputingReviews.com™