REVIEW: "The CISO Handbook", Mike Gentile/Ron Collette/Tom August

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Jun 22, 2006
      BKCISOHB.RVW 20060520

      "The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006,
      0-8493-1952-8, U$69.95/C$89.95
      %A Mike Gentile
      %A Ron Collette
      %A Tom August
      %C 920 Mercer Street, Windsor, ON N9A 7C2
      %D 2006
      %G 0-8493-1952-8
      %I Auerbach Publications
      %O U$69.95/C$89.95 800-950-1216 auerbach@... orders@...
      %O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
      %O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
      %P 322 p.
      %T "The CISO Handbook: A Practical Guide to Securing Your Company"

      The introduction states that there are generally two kinds of books on
      the security shelf--the "hack to secure" tomes and the exam
      preparation guides. (It may sometimes seem like the literature is
      restricted to those kinds of texts, although I would add a third that
      seems to be all too prevalent: poorly executed security management
      works. However, I fully sympathize with the authors' disdain for the
      "hacking" books, as well as their reasoning of the limited value of
      such manuals.) The authors also describe a standard structure for
      each chapter, as well as an overall design of the publication,
      following a fairly standard project management framework.

      Chapter one covers assessment. While this may not be a big surprise
      to those with the slightest familiarity with project management
      fundamentals, the authors provide a very complete description of the
      information that will be useful in appraising any situation in which
      you may find yourself. (The writing is generally clear and easy
      enough to read, but the point of the examples and illustrations is not
      always obvious or even intelligible. In some cases it seems the
      desire to entertain has overwhelmed exegetical utility.) A very
      complete checklist is given at the end of the chapter. Planning, in
      chapter two, does not fare as well. Much of the material reiterates
      the importance of obtaining information, or outlines organizational
      structures, personnel, and skills. (Rather ironically, the
      recommendations assume a fairly large corporation, budget, and staff,
      which was one of the complaints the authors made, in the introduction,
      about other security books.) Design is a difficult project to nail
      down, but chapter three doesn't really even try. Various aspects of
      security management, such as policy components, promotion to the rest
      of the company, and security reviews, are the major substance dealt
      with (some of the topics multiple times). Project management is
      covered in chapter four. Very detailed and complete project
      management, directed at creating a specific design and implementation,
      but applicable to any kind of project. (It is somewhat telling that
      the end-of-chapter checklists, which have been getting shorter, vanish
      entirely here.) Since the overall thread of the book has been to move
      through the phases of a large project, one could expect that the title
      of chapter five, "Reporting," refers to a report back to management on
      progress or completion. Not so: marketing of security to the
      enterprise, which has been a thread all the way through the book, now
      gets a chapter all its own. Chapter six repeats the outline of the
      book we received in the introduction.

      A work addressed to the CISO (Chief Information Security Officer) can
      be expected to be primarily concerned with management issues.
      However, with the exception of chapter one, very little in the book
      could not be equally applicable to any C-level executive. (It is
      interesting to note that, of the references, only two deal with
      security, twenty-seven are business books.) Indeed, even though
      Charles Sennewald wrote "Effective Security Management" (cf.
      BKEFSCMN.RVW) for those dealing with physical security, there is more
      practical advice for senior information security management in it than
      in "The CISO Handbook."

      While the authors have outlined definite structures for the chapters,
      these patterns are not always easy to determine or follow. I
      frequently found myself lost in the chapters, and while I could
      eventually realize where I was in the formation, the inconsistency and
      multiplicity of header formats certainly did not help matters any.

      Still, the work does have significant value. Those who rise through
      the ranks of computer security frequently lack management experience
      and knowledge, and this addresses, in some detail, the necessary
      skills. Not as directly, perhaps, as Fred Cohen in the "Governance
      Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless.

      copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      This is primarily an investigative unit and I don't think we
      should get sidetracked into the finer details of technology.
      - Chief Superintendent Len Hynds
      head of the UK National Hi-Tech Crime Unit
      Dictionary Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm