Cybersecurity Risk Management. Cynthia Brumfield
Academic Foreword
As a professor who has developed cybersecurity education programs for industry, academia, and the government, I know first-hand how difficult it can be for even advanced IT professionals to grasp the complex concepts in cybersecurity. In my role as Executive Director of the Center for Information Assurance and Cybersecurity at the University of Washington in Seattle, among other positions I hold, I have seen even the best and brightest of the nation’s high-tech sector struggle when it comes to this still-new discipline. The difficulty is compounded by the varied missions that public, private, and academic organizations pursue.
My center at the University of Washington is a Center of Academic Excellence in both Cybersecurity Education and Research, so designated by the National Security Agency and the Department of Homeland Security. This honor means that we are well placed to help bridge the cybersecurity communications gaps that exist across crucial sectors of society: government, industry, and academia.
At the University of Washington, we take a pragmatic approach to equipping our students with the skills they need to enter the cybersecurity workforce. We emphasize critical thinking along with information management and technical skills so that we graduate ‘breach-ready’ students. Since there is no system that is 100% secure, we ingrain in our students the importance of having risk management tools in their toolkit, so they are equipped to make rational choices about what to protect and where to spend scarce cybersecurity dollars. We’ve found that the NIST Cybersecurity Framework is highly useful in conveying concepts in risk management.
The Framework does not offer step-by-step instruction on installing a firewall, for example, nor does it recommend any specific technology for, say, managing patch updates. Instead, it offers a way to comprehensively manage cybersecurity risks by drawing on the best-of-breed conceptual thinking from other risk management frameworks, informed by prevailing standards. It teaches our students how to think about solving a cybersecurity problem and that there is no ‘one-size-fits-all’ solution.
More importantly, NIST designed the Framework as a cybersecurity management tool to foster better communications among internal and external stakeholders. As a result, it bridges the communication gaps among silos, helping to create a common language to solve the growing number of cybersecurity problems. This book, with its practical approach to applying the Framework, should help students at all levels – undergraduate,