Managing the business risk that is cyber

I am pleased to announce that my latest book is now available on Amazon (see below).

Cyber book cover

The intent is to help business leaders and information security practitioners discuss cyber risk in business rather than technical language, enabling executives and the board to make informed and intelligent business decisions.

It’s not enough to say that cyber risk is “high” when there are so many business risks to address. It’s not enough to follow standards from NIST, ISO, or FAIR when they don’t help you understand the risk to the achievement of enterprise objectives.

Leaders need to know whether to invest more of their scarce resources into cybersecurity or satisfy competing demands for those same resources from other sources of risk and opportunity[1].

Should they invest their last million dollars into cyber, a marketing program, product development, employee safety, customer satisfaction, compliance, new cloud systems, an upgrade to their network, an acquisition, or other area?

How much investment is enough?

This is what four eminent reviewers had to say:

“With Managing the Business Risk that is Cyber Norman Marks has written a practical guide to the elusive concept of cyber risk. Addressing cyber risk as business risk rather than IT risk is pivotal to ensure proper understanding, prioritization and handling – an approach described in both tangible and actionable terms in this book which I highly recommend to anyone involved with managing a business.” – Hans Læssøe, retired Chief Risk Officer and author of Prepare to Dare and Decide to Succeed

“Cyber risk has become one of the most critical issues facing many organizations today.  It is vitally important that directors, executives and managers understand not only the potential risks they might face but also the overall context of where cyber risk fits within the organization’s business objectives and its many other priorities.  Norman Marks has provided a most important analysis in this book and sets out how cyber risk should be evaluated and dealt with in a comprehensive and considered manner.  It should be read by all business people who may be affected or are concerned about cyber risks.” – John Fraser, retired Chief Risk Officer and author of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives

“Norman’s new book provides a clearly presented, thoughtful, and accessible message that will help Boards better oversee all risks, including cyber. It should also help management achieve its objectives by more effectively understanding and managing all risks (including cyber risk). The book provides practical advice (highlights key takeaways), is accessible to a generalist audience, and is an engaging read (includes nice context through “war stories”).” – Joshua Rosenberg, risk practitioner

“Framing information security risks with a business context that enables good decision making is difficult to do well — this book fabulously shows how to do this. I hope that all business and technology executives can follow his example, to the benefit of their organization and their customers.” – Gene Kim, bestselling author of The Unicorn Project and co-author of the award-winning The DevOps Handbook and The Phoenix Project

As they say, the book should help those leading the organization and those in charge of protecting information assets talk the same business language.

Surveys tell us that board members find cyber risk the #1 most difficult one to oversee.

At the same time, Information Security practitioners report that they are not getting through to either the board or to business leaders, and are not receiving the support and funding they need.

If leaders don’t understand the risk within the context of running the business, how can they make an informed and intelligent decision about addressing it?

Availability:

Amazon, for some strange reason that I have asked them to correct, have the Kindle and Hardcover available on one web page (here), and the Paperback on a different one (here). Please check your Amazon marketplace as this may change.

Unfortunately, the hardcover is not available in every marketplace yet. It is available now in the US and may be added to other areas later.

Based on feedback over the years, I recommend a printed copy (paperback or hardcover) so you can mark up and annotate the book as needed. There are also charts and tables that will be more easily consumed in a printed copy.

[1] ISO 31000 advocates will remind me that “risks” include “opportunities”. But I prefer to make sure everybody understands the point.

  1. March 1, 2023 at 10:38 AM

    Such a Kaydance is sorely needed. Such conversations with management are sorely needed as well
