How to Cheat at Managing Information Security

Mark Osborne doesn't like auditors. In fact, after reading this book, one gets the feeling he despises them. Perhaps he should have titled this book 'How I learned to stop worrying and hate auditors'. Of course, that is not the main theme of How to Cheat at Managing Information Security, but Osborne never hides his feeling about auditors, which is not necessarily a bad thing. In fact, the auditor jokes start in the preface, and continue throughout the book. The subtitle of the book is 'Straight talk from the loud-fat-bloke who protected Buckingham Palace and ran KPMG's security practice'. Essentially, the book is Osborne's reminiscence of his years in information security; including the good, the bad, and more often then not, the ugly. The book is written for someone looking to develop an information security program, or strengthen an existing program, to ensure that all of the critical technology areas are covered. The thirteen chapters of the book cover the main topics that an information security manager needs to know to do their job. The author candidly notes that this book is not the most comprehensive security book ever written, but contains most of the things a security manager needs to get their job done. The author also observes that information security is different from other disciplines in that there are many good books about disconnected subjects. The challenge is getting the breadth of knowledge across these many areas, which is quite difficult. The challenge of information security is to effectively operate across these many areas. Chapters 1 and 2 deal with the information security organization as a whole, and the need for information security policy. Chapter 1 details the various areas where a security group should be placed, and describes the pros and cons of each scenario. As one of the scenarios which place information security below the head of audit, Osborne notes that 'if you have any sort of life, you don't want to spend it with the auditors, I promise you'. Wherever the security group is placed in an organization, its ultimate success or failure is likely to be determined by its level of autonomy and independence. Unfortunately, in far too many organizations, information security is not given that liberty. It is often placed in a subservient role to groups with opposing interests. Any security group or security manager placed in such a situation should likely start working on their resume. The scenario is described in 'Practical Unix and Internet Security' where author Professor Gene Spafford spells out Spaf's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'. Spaf's principle is a cruel reality faced by many of those responsible for information security. Between those chapters and a few more auditor jokes, Osborne

Security isn't just something you "turn on". Security is a mindset, a set of systems and practices that affect all aspects of your work environment. And implementing security practices--especially in an organization devoid of such--is a daunting task. I found this to be an excellent book in that the author obviously understands security. He's dedicated his life keeping privileged information safe. More importantly, this book is laid out in such a way that it will lead the uninitiated, newly appointed security expert at any organization through the process of implementing a security framework. Firewalls, Intrusion Detection Systems, and the like are only as good as the policies that govern them. The first step in implementing security is to define an information security policy. The author leads the reader through identifying business risks and creating an action plan to mitigate those risks. In addition to the expected "what does a firewall do, and how should you use it" type of information, the author does an excellent job cutting to the chase on a wide variety of security issues. He provides examples of how find the right people to implement your security framework, what types of systems might be required in your environment, and how to perform periodic penetration testing, to see if your security framework keeps the bad guys out. I really see this book being of great benefit to the newly appointed security expert, who is perhaps a bit overwhelmed with his/her new responsibilities. This book is an easy read, very interesting, and very useful for the individual responsible for all aspects of a company's security infrastructure.

This book fits the bill for me!!. And it is enjoyable I have a number of other handbook style books - one that cost nearly six times more but was really a collection of articles written by a dozen different people (some with obviously conflicting views) bound under the same cover. What I liked: This book simply sets out the things I need to know about Organisations, Strategies and Audits then progresses into firewall design and security testing. And it is so funny - the cover is right this man does make security light going. What could be better: The guy is obviously technical so at the end some of it is a bit hard going - just I had to skip bits. But each chapter is laid out so that the chapter gets more complex at the end so this wasn't a problem. I would have liked more on Virus technology and Wireless security - especially as after work on Google, I understand that the fat-bloke was a leading researcher in wireless security Overall conclusion: Great.