How to Cheat at Managing Information Security
reviewed by Robert Pritchett, November 2006
Author: Mark Osborne http://www.loud-fat-bloke.co.uk/
Publisher: Syngress http://www.syngress.com/catalog/?pid=4110
Released: July 17, 2006
Pages: 315
Price: $40 USD, $52 CND, £23 GBP, 33,37€ Euro
ISBN: 1597491101
Strengths: Takes a good hard look at security with a large dose of humor.
Weaknesses: Some typos.
Other reviews: Amazon.com – Ben Rothke
What they say
“This is the only book that covers all the topics that any budding security manager needs to know! This book is written for managers responsible for IT/Security departments from small office environments up to enterprise networks. These individuals do not need to know about every last bit and byte, but they need to have a solid understanding of all major IT security issues to effectively manage their departments. This book is designed to cover both the basic concepts of security and the non-technical principles and practices of security, and provides basic information about the technical details of many of the products - real products, not just theory. Written by a well-known Chief Information Security Officer, this book gives the information security manager all the working knowledge needed to:
Design the organization chart of his new security organization
Design and implement policies and strategies
Navigate his way through jargon filled meetings
Understand the design flaws of his E-commerce and DMZ infrastructure”
What I say
Mark Osborne is on the prowl and going after auditors. It is plain to see he has had some nasty experiences with them in the past – and it shows. Perhaps there is a running joke in the book, as he keeps the topics on course with his decidedly British humor. It is refreshing to see someone from the professional computer security environment who doesn’t take himself too seriously for a change. Sing with me: “A spoonful of sugar helps the medicine go down, the medicine go down, the medicine go down…”
And that is precisely what the book does. It provides a way of giving us some strong medicine without our feeling we’ve been over-medicated.
First off, Mark Osborne lets us decide where “Security” fits in an organization and provides scenarios for various “locations”, along with what works and what doesn’t in each case. I enjoyed reading Ben Rothke’s excellent review over on Amazon.com, where he fleshes out the book in some detail. You might want to go take a peek. I have a sneaky suspicion he too has “been there, done that”.
What I learned is that if the department of high-tech security is subservient and not autonomous, it will fail and always be in the role of the first to be hit in the blame game when stuff hits the fan – and becomes the “single point of failure” just by being there.
I appreciated the façade of security he presented in an installation that showed more “out front” kinds of overdone security while the back door was essentially left open. And I also loved his irreverent job interview scenarios, where he pretty much puts idiots in their places when they try to hire him into their organizations. Having been through a number of similar situations, I just kept laughing at the clueless human resource filters. The difference is that I wasn’t in as secure a situation as he was. He has the knowledge, the know-how and the experience to put the so-called interviewers to shame. Simply wonderful!
The other gem in this book is how technology is used (or misused) – not to replace, but to enhance – and what happens if it isn’t implemented correctly.
And perhaps the best way to cheat at managing information security is to get people who have the right chops in to do the job, instead of gathering “yes men” or pretenders who can speak the speak but not walk the walk.
The book does have one or two typos, but overall it works as advertised. And it calls the auditors’ bluffs.