Book Review
By Laki Marangos, Techworld (UK)

The subject of security reminds me of the Lernean Hydra, a mythical monstrous serpent with nine heads, which was slain by Heracles (or Hercules), and for which each head chopped off grew back as two new ones. Similarly, every time a security hole is plugged, at least two new ones seem to appear.

It is not suggested that the Herculean remedy be applied here, but a strategy is required to holistically address this subject, and that involves inevitable compromises. The Black Book tackles the subject by engaging multiple very credible authors (17) to give their knowledge and expertise in 14 diverse chapters. A bio and contact information is given for each author, as well as a Glossary and Resource Appendix (company profiles). Does it succeed?

I have reviewed the book as a non-expert in security, but as an associate professional having held responsible positions over many years in the management of the IT Infrastructure – the battleground of the security campaign.

Generally, I feel the book is aimed at the IT Managers/CIO and above, most importantly business line managers, the CFOs/CEOs and the executive management committee, although it would be useful for all staff to be encouraged to browse it. The foreword chapter prepares the reader on what follows and outlines the central theme of the book, that there is a need for new thinking about security in corporates.

All contributors reference the growing regulatory landscape, e.g. ISO 17799 on assessment, the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley, the European Data Protection Act (EDPA), HIPAA for the health sector, Basel II… enough to put anyone off security for good.

The first four chapters provide high level views on the need to build a secure corporate environment, integrating security with risk management strategies in an extended enterprise model, which includes multiple partners. Most corporates have to view themselves as Virtual Organisations. I like the phrase… “Risk should not be regarded with fatalism and defeatism, but with alertness and preparation”. It is suggested using the ‘onion model’, generally accepted as the security model to follow where the levels are people, process and procedures, both physical and logical.

The need to understand Information Assets and their security brings in Corporate Governance. Planning and testing are essential and how true is the message: “hackers and terrorists plan ahead, so should you”.

Chapters 5 and 6 discuss some new ideas on Identity-Aware Business Service Management and Multi-Level Security in order to protect classification of data and enable the safe sharing of information. The focus is on resource effectiveness not efficiency.

Chapter 7 brings home the multiplicity of threats, such as viruses, worms, remote access Trojans, and even cookies occasionally. This probably is the most “technical” information in the book with explanations on “malicious code” and “phishing” attacks.

The use of “behavioural technology” is proposed for countering the threats, and in chapters 8 and 9 the suggestion is to focus on prevention rather than the cure. Help is available from information sharing & analysis centres (ISACs) in order to deal with “zero day” attacks.

Concerns over loss of intellectual property and the concept of the “enterprise without boundaries” highlight the need for content analysis techniques and the monitoring of the “asset”, not the employee. Securing the company perimeter is no longer enough, and attention is now switched to sources with respect to trust. Furthermore, network convergence expands security concerns to include voice applications, but the telecoms people may not be up to it.

The final chapter links security with business continuity and disaster recovery. Inevitably the 9/11 experience is used to emphasise the changing threat profile, from simple power failures and environmental incidents to the new term CBRNE (chemical, biological, radiological, nuclear, explosive). The author emphasises the need to validate assumptions and ensure testing of plans is done, hence the need for more active CEO involvement.

In conclusion, this is a well written and organised book, with sufficient gravitas to be accepted by company chiefs as essential guiding material. Will they act on it?
 
Infoconomy, July 2005
By Pete Swabey

Security threats to the business are multiplying faster than the technologies designed to counter them — as soon as one virus has been identified and a solution established, two more come forward to take its place. Amid this rapidly evolving primordial soup of malware, phishing scams and other security threats, the simple reassurance of a perimeter firewall is no longer sufficient to keep business infrastructure out of harm’s way.

Instead a more holistic approach is needed. Not only is the technological sophistication of the threats advancing rapidly, but so too are the techniques designed to exploit human ignorance and inquisitiveness in order to breach infrastructure defences.

The stakes of the information security war are also escalating — with more banking details and credit information stored digitally than ever before, computer crime is no longer the preserve of the disaffected, computer-literate teenager, but is now another facet of organised crime.

To stay abreast of this expanding world of information security, it is not sufficient to focus on one area of expertise — a multidisciplinary viewpoint is essential. The Black Book on Corporate Security provides as broad a mix of experience and insight as could be hoped for in one volume, albeit predominantly from vendor representatives.

The book aims to plug the gaps in knowledge between security, technology and business experts, and there is content in it for readers from each discipline. Technological approaches, such as linking user identity management directly to business objectives through business service management, are introduced alongside business concerns such as protecting intellectual property — and each has a related case study.

Professor Salvatore Stolfo of Columbia University writes of the need for companies to unite in their efforts to thwart the spread of malware, in his chapter entitled ‘Collaborative Security’. Until businesses and network service providers collaborate, he argues, it will be impossible to eradicate novel worms before significant damage is done.

John Seanor, security consulting manager at communications systems and services vendor Avaya, explains the security concerns associated with converged voice and data networks. Seanor calls on IT practitioners to realise the lure that Internet Protocol voice networks will have for hackers, and warns of the danger in letting ‘political’ divisions in management responsibility compromise total security coverage.

Verisign’s Maria Cirino references military strategies in describing the pre-emptive stance businesses must take against security threats. The ‘data-war’, as Cirino describes it, will not be won with a series of fire fighting battles, but instead by an ongoing programme of vulnerability management. This stance involves not only technological rigour, but also strict enforcement of security policies among personnel.

If there is an over-arching message throughout the many testimonies, it is that businesses can no longer treat security risk as solely the concern of the IT department or chief security officer (CSO). Awareness and understanding of security issues must permeate all decisions taken by the business.

“[Management] needs to get the ‘business of security’ built into the business process and understand the security implications of their business strategies,” writes Howard Schmidt, former chairman of the US president’s critical infrastructure protection board and now CSO for eBay, in his foreword.

For both business management looking to develop their understanding of the ‘business of security’ and IT management exploring the links between security and business continuity, this broad book has plenty of material. While the quality of writing may vary between contributors, each adds a valid perspective to a collection of essays as comprehensive as the security strategy it recommends.
 
Steve Katz, former CISO, Citigroup
“This book is unique in that it provides practical knowledge, guidance and direction from the top thought leaders in the information security community. The authors have had ‘hands-on’ experience in all facets of information security and the content is useful to all levels of a company, from the boardroom to business and operations management. This is definitely a book that will be kept close at hand, with chapters being read more than once.”
William F. Pelgrin, Director, New York State Office of Cyber Security and Critical Infrastructure
“The Black Book™ on Corporate Security provides an in-depth examination of many of the current information security issues confronting us today, and establishes a blueprint for addressing those issues. This body of work from subject matter experts has a broad application that can extend to the technical staff as well as the corporate board room.”
Rich Baich, CISSP, CISM, Managing Director of PwC, former CISO of ChoicePoint and author of “Winning as a CISO”
“For those interested in dismantling organizational stovepipes and creating a unified approach to security, The Black Book™ on Corporate Security provides readers what they need most: a starting point from which to build a foundation.”
David Kirkpatrick, Senior Editor, Internet and Technology, FORTUNE Magazine
“The Black Book™ on Corporate Security has uniquely assembled many of the world’s leading computer security experts to explain in ordinary language what’s going on with threats to your technology and your company. I know of no better book you can read to understand the big issues in tech and security.”
SC Magazine
“The Black Book™ on Corporate Security is a very good read for anyone trying to balance the demands of management and security.”
Laki Marangos, Techworld
“This is a well-written and organized book, with sufficient gravitas to be accepted by company chiefs as essential guiding material.”
Andrew Briney, Publisher, Information Security Magazine
“The Black Book™ is spot-on in its approach to information security. It’s often said that security is a process, not a product. But the fact is it’s actually both... and much more. The authors of this work embrace that reality by boiling down security’s complexities and offering a clear picture of the not-too-distant future, when security will be less about bolt-on technologies and more about operational risk.”
Edward Tyler, Publisher/President, GSN: Government Security News - A World Business Media, LLC Publication
“The Black Book™ on Corporate Security will become the teaching aid for the future. When will The Black Book™ on Government Security become available to the government security decision makers of the future?”
Timothy Garon, Founder and former publisher of Information Security Magazine
“Compelling and comprehensive, The Black Book™ on Corporate Security should have a place on every infosecurity practitioner’s bookshelf.”
Dow Williamson, CISSP, Director of Corporate Development, (ISC)2
“Effective information security professionals today can no longer be just computer security ‘geeks.’ They must possess both the technical savvy and business skills that allow them to effectively contribute at the highest levels of corporations and governments. The Black Book’s authors not only illustrate this point, but generously provide insider expertise that you won’t find anywhere else.”
Rhonda MacLean, President, MacLean Risk Partners, LLC
“This book is an excellent source for C-level executives who want to know the who, what, when and how to ensure an effective security program.”
Ross Johnson, Security Management, July 2005.
“…Jim Kennedy’s chapter, ‘Business Continuity and Disaster Recovery,’ deserves special mention because it is an excellent overview of the changes to traditional disaster planning brought about by the World Trade Center attacks…”