How to Measure Anything in Cybersecurity Risk

I picked up this book with a clear goal: to build a better metrics program for managing cybersecurity risk. After all, how can you effectively manage what you can’t measure? The authors tackle this fundamental question head-on, offering insights into quantifying uncertainty and creating a framework for understanding the risks we face.


The book does a great job of breaking down complex ideas into digestible concepts. It challenges long-held beliefs in the industry and offers practical advice on how to measure what many consider intangible. The sections on Bayesian analysis and the “Rapid Risk Audit” stood out as particularly useful additions. These tools can help those of us navigating cybersecurity uncertainty take an informed first step.

However, as much as I appreciated the content, I found myself wishing for a more structured, step-by-step methodology. While the book provides a framework, it leans a bit high-level for those looking to dive directly into implementation. I wanted a clearer roadmap—something I could immediately follow and adapt to my organization.

That said, this book is a valuable resource for anyone looking to move beyond gut feelings and into data-driven decision-making. It’s ideal for professionals who want to understand the “why” behind the numbers and improve their approach to risk assessment. For me, it served as a thought-provoking guide, though I’ll need to supplement it with more hands-on tools to fully achieve my goals.

In the end, How to Measure Anything in Cybersecurity Risk pushes us to think differently about risk and measurement. It’s not just about the numbers; it’s about the mindset. For that alone, it’s worth a read.