We are in a war, a cyberwar, and if you come away with anything from reading this book, I hope it will be the realization that every individual, business, and government agency is under attack from those who want to steal or harm their information, money, operations or reputation. Determining who your most likely adversaries are, preparing to defend against their attacks, and evolving your plan and defenses based on real-world events is what I hope to teach you in this book.
Properly assessing and managing risk is the foundation of all effective information security programs. There will always be more threats, more vulnerabilities, and more issues to be dealt with than any organization has the time or resources to address. Prioritizing where to direct your limited attention and funding is key to ensuring that what resources you have are directed toward delivering the most cost-effective risk returns.
Yet despite the increasing focus on cyber risk assessment and management over the past decade, massive information breaches continue to be reported daily, often traceable to failing to implement or administer the most common security controls. Clearly, something is not working. Either risk assessment and management are not being done properly, or they are not being done at all.
Risk assessment and management do not need to be hard to understand or implement, however, quantitative approaches such as FAIR and OCTAVE, combined with new government guidance from NIST 800–37, are making what should be a simple and intuitive task, both difficult to understand and implement. The result of this failure to use and apply risk is evident in the ever-increasing number of security breaches, especially for extortion due to ransomware.
If anything, the government’s default response to any significant cyber breach, passing more regulations, is making the problem significantly worse by burdening security leaders with ever-increasing prescriptive requirements. The result is a compliance hamster wheel, with security teams constantly running to keep up with the latest regulations, and as a result, all too often security fundamentals are what gets neglected.
The Heuristic Risk Management approach is my answer to this problem. In this book, I will define the method I have developed to solve this problem. It is easily understood by non-technical business leaders, simple to implement, and as effective in prioritizing action as any quantitative risk method.
About the Reader
If you are reading this, I suspect you are someone that thinks something is not right about how risk is used in cybersecurity. Perhaps it is because you are a security leader and you are concerned that you are doing the right things to protect your organization (or would like to know what are the right things to do). Perhaps it is because you are a risk professional who is tired of the endless debates, meaningless surveys, and tick the box mentality that never seems to produce actionable plans or measurable reductions in risk.
Or perhaps you are a business executive, CEO, or board member who is trying to make sense of what your risk department, your security leaders, or your outside consultants are telling you regarding the cyber risks to your organization. If you ask yourself after their presentations, “How can I know whether this is correct? Or even relevant?”, then the HRM approach will give you a way to determine this.
While this book is focused on small to medium companies who have not had a formal security program or leader, it is just as useful for larger organizations with established security programs, to help business executives confirm that their existing security program is driven by risk management principles and not just compliance to some controls framework.
The Heuristic Risk Management approach breaks risk management down into three levels that correspond to the three parts of this book. These are:
- Strategic Risk Management — Part One (Be Aware) sets the mission for the cybersecurity program by discussing how to identify your critical assets, who want them, and what are the most likely consequences of their attacks. These consequences (what I call strategic risks) form the foundation of the information security program.
- Tactical Risk Management — Part Two (Get Prepared) uses the strategic risks identified in Part One to assess your state of readiness to defend yourself against their attacks. This will lead to the development of your information security plan, which is your rolling 12–24 month road map for the development of your security program and organization.
- Operational Risk Management — Part Three (Defend Yourself) discusses how to run a risk-based information security organization. It will detail what risks to track, and how to use that information to evolve your program in real-time in response to the changing threat landscape.
Following the Heuristic Risk Management approach will not only ensure that you are effectively protecting your organization from cyber threats, but will also help you be seen as a business partner to your peers and leaders, and avoid the infamous (and common) label for most security leaders of being “Dr. No!”.
What if your business is required to comply with PCI, FISMA, HIPAA, FERPA, CMMC, NERC CIP, NY DFS, or some other mandated control framework simply because of the industry you are in? Since you are required to implement all the controls in the specified framework, how does the Heuristic Risk Management approach help?
While you may be required to fully implement a predetermined set of security controls, I would be surprised to find any controls framework that does not include risk assessment as an integral component. The reason it is there is that whether it is 40 or 400 controls that you MUST show compliance to, the order in which you implement them is up to you based on your evaluation of your risks.
The Heuristic Risk Management approach provides a way of making these determinations by prioritizing risk reduction, not just taking actions because they are the cheapest or easiest to implement. And, if you are required to implement 400 controls in the end anyway, doesn’t it make sense to do them in the order that lowers your company’s risk profile the fastest?
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Reference links are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.