by Melanie Watson
Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organization. Many consider information security an obstacle to reaching business goals, and view security professionals with suspicion if not outright hostility.
As a security professional, how can you get broader buy-in from your colleagues?
Mark Rowe, Editor at Professional Security Magazine, has reviewed one of ITGP’s information security titles which aims to address this issue, Information Security – A Practical Guide: Bridging the gap between IT and management.
One of the most impressive books from IT Governance Publishing.
Quick and dirty does it: we’ve reviewed several books on information and IT security published by IT Governance. The latest is one of the most impressive.
Tom Mooney begins this neat little book by recalling that he was struck, when starting his career in information security, by how little he engaged with non-infosec people. IT would shy away from speaking to him, ‘as they feared security would stick its nose in’, and the business viewed security as a ‘dark art’. He likens security to brakes on a car: you would hardly drive a car without any, but you only use them when you have to, as a control. Without them, you will have an accident. As the book’s subtitle suggests, infosec is about ‘Bridging the gap between IT and management’.
Like many books, this would have been half as good if it had been twice as long. As it is, Mooney has provided non-security and indeed security people with a very high ratio of good sense that’s worthwhile to read.
“Offers more than the title suggests”
We’ve known for a while that it’s wisest to do computer security and physical security. In the old days, someone could walk out of a building with your server; now that we have the Cloud, people can steal data even more simply, as Edward Snowden and others have. For a dozen years or more, that truth has been reflected in the British Standard for information security management, 27001, which covers the IT and physical sides. Books telling you how to do the two equally well have been hard to find; either the author is a tech guy, lacking know-how of electronic and personnel security, or the other way round. Information Security – A Practical Guide, by Tom Mooney, offers more than the title suggests.
It’s a short book, of ten chapters of about ten pages each – and that’s something of merit, given how busy the likely reader is likely to be. I would suggest the reader who can learn from this is either the physical security and guarding person who wants to gen up on infosec, or an IT guy who likewise wants to tighten up security. Mooney keeps it plain and simple, in style and content, and again that is a compliment. A middle chapter, “Quick and dirty risk assessments”, as the title suggests takes you through how to do a risk assessment and, as importantly, how to keep doing them. Besides the nuts and bolts of the work, Mooney arguably does us more of a service in the chapters such as “getting buy-in from your peers” because, as in so many other parts of the workplace, it’s no good doing a decent or even excellent job if your non-security staff aren’t doing their bit, or aren’t funding it. “Often security is seen as a blocker or necessary evil at the end (some organizations are better than others).” Mooney advises building relationships; letting people know that their input is valued, and that they can help steer security. If you find yourself working for a place that doesn’t have a high regard for security, using some “fear, uncertainty and doubt” stories is a start, he suggests. Choose stories from the media, and again he advises explaining yourself in plain and simple English.
One observation rather than a criticism is that the author ought to have gone into more detail – but then he would not have written such a concise book. In fairness, he does introduce you to the necessary basics, such as the Senior Information Risk Owner (SIRO), a role often found in UK Government. Instead, Mooney points you in the right direction on such topics as penetration testing (again, with a physical and IT component) and information security policy; first knowing what the ‘risk appetite’ of your business is. While Mooney is writing for the information security professional, such is the spread of IT in the office and organization, this book can apply to anyone in security management. This book is well worth an hour of your time, whether as a refresher, or if you are finding yourself facing more work on the info security side. Recommended.
Reviewed by Mark Rowe, Editor at Professional Security Magazine
Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, this book explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.