Book Review: Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework
I love hacking and penetration testing enough that merely to mention the words policies, standards, guidelines and frameworks is enough to put me to sleep. I want to hack. I want to see if I can break something. I want to see if I can break into something. And more importantly, I want to see if I can stop others who want to break in illegally. Policy bores me. I ignore it as much as I can.
But somewhere midway into my 34-year career, I finally realized that without enforced, thoughtful security policies you will never get good, consistent computer security in any organization. A person may be able to secure their own computers and maybe a dozen or so devices by sheer willpower, but taking care of lots of computers takes multiple people. And multiple people means policies are needed.
For example, I could make sure that I have up-to-date antivirus software running on all my own devices, but it takes policies, controls and enforcement checks to make sure that up-to-date antivirus software is running on hundreds and thousands of machines. One person with all the best intentions cannot do it all.
Still, I cannot say that I am overly excited any time I get drawn into a conversation about policies and guidelines. I would rather be doing almost anything else, even though I understand their critical importance.
So, I was pleasantly surprised and delighted by Cynthia Brumfield's (with Brian Haugli's help) recently released book entitled Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework (https://www.amazon.com/Cybersecurity-Risk-Management-Mastering-Fundamentals/dp/1119816289). If you have to do computer security policies and frameworks, this is one book you should get and use as your ultimate guide.
There are dozens of computer security frameworks you can choose from, but NIST's Cybersecurity Framework seems to be becoming the most popular choice. And Cybersecurity Risk Management covers it very well. It is a short 142-page (with index) hardcover book, but reads even faster. It covers the topics in the order the NIST Cybersecurity Framework does, but goes into detail about each requirement, giving lots of examples. It is chock-full of very useful, real-world advice from both the authors and selected experts. Each section ends by linking each requirement to the other popular computer security requirement documents (e.g., COBIT, ISO 27001, CCS CSC, ISA 62443, etc.) to make incorporating its advice easier.
I am used to reading Brumfield's excellent articles in CSO Online, and both Brumfield and Haugli have years of experience teaching the NIST Cybersecurity Framework to others. You can feel it in the excellent writing. Brumfield was involved early on and attended all of the NIST workshops that led to the eventual first version and subsequent releases. You can tell that they have been in boardrooms and classrooms teaching this material and answering questions. I found that most of my major concerns were covered in the text, and they brought up many more that I had not considered. They will help you catch more things and miss fewer. Overall, it is just really good, crisp writing, without a lot of unnecessary fat. You do not usually get that in a book about security policy.
If you are new to security policy frameworks and need to incorporate NIST's Cybersecurity Framework into your organization, this is the book to start with. You will create a professional-looking set of policies that reads as if an experienced professional wrote it. Experienced professionals will come away with a ton of useful hints and look like more of an expert. I found this book a very easy read...and that is saying something since I do not like to read policy books. But anytime I get dragged into policy discussions, I am going to re-read this book. I will seem like a policy genius.
Semi-retired (3 years ago): Marianne

Cyber CEO | ZeroTrust & NIST Expert | DoD & F500 CISO (3 years ago): Thank you for the support and review!

Cloud | Security | CISM | MCT | MBA (3 years ago): Interesting...

Columnist, analyst, writer, book author, instructor, and publisher focused on cybersecurity. Available for freelance commissions. (3 years ago): Roger, woo-hoo! This is amazing. Thank you so much!