REVIEW: "The CISO Handbook", Mike Gentile/Ron Collette/Tom August
- BKCISOHB.RVW 20060520
"The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006,
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 auerbach@... orders@...
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T "The CISO Handbook: A Practical Guide to Securing Your Company"
The introduction states that there are generally two kinds of books on
the security shelf--the "hack to secure" tomes and the exam
preparation guides. (It may sometimes seem like the literature is
restricted to those kinds of texts, although I would add a third that
seems to be all too prevalent: poorly executed security management
works. However, I fully sympathize with the authors' disdain for the
"hacking" books, as well as their reasoning of the limited value of
such manuals.) The authors also describe a standard structure for
each chapter, as well as an overall design of the publication,
following a fairly standard project management framework.
Chapter one covers assessment. While this may not be a big surprise
to those with the slightest familiarity with project management
fundamentals, the authors provide a very complete description of the
information that will be useful in appraising any situation in which
you may find yourself. (The writing is generally clear and easy
enough to read, but the point of the examples and illustrations is not
always obvious or even intelligible. In some cases it seems the
desire to entertain has overwhelmed exegetical utility.) A very
complete checklist is given at the end of the chapter. Planning, in
chapter two, does not fare as well. Much of the material reiterates
the importance of obtaining information, or outlines organizational
structures, personnel, and skills. (Rather ironically, the
recommendations assume a fairly large corporation, budget, and staff,
which was one of the complaints the authors made, in the introduction,
about other security books.) Design is a difficult project to nail
down, but chapter three doesn't really even try. Various aspects of
security management, such as policy components, promotion to the rest
of the company, and security reviews, are the major substance dealt
with (some of the topics multiple times). Project management is
covered in chapter four. Very detailed and complete project
management, directed at creating a specific design and implementation,
but applicable to any kind of project. (It is somewhat telling that
the end-of-chapter checklists, which have been getting shorter, vanish
entirely here.) Since the overall thread of the book has been to move
through the phases of a large project, one could expect that the title
of chapter five, "Reporting," refers to a report back to management on
progress or completion. Not so: marketing of security to the
enterprise, which has been a thread all the way through the book, now
gets a chapter all its own. Chapter six repeats the outline of the
book we received in the introduction.
A work addressed to the CISO (Chief Information Security Officer) can
be expected to be primarily concerned with management issues.
However, with the exception of chapter one, very little in the book
could not be equally applicable to any C-level executive. (It is
interesting to note that, of the references, only two deal with
security, twenty-seven are business books.) Indeed, even though
Charles Sennewald wrote "Effective Security Management" (cf.
BKEFSCMN.RVW) for those dealing with physical security, there is more
practical advice for senior information security management in it than
in "The CISO Handbook."
While the authors have outlined definite structures for the chapters,
these patterns are not always easy to determine or follow. I
frequently found myself lost in the chapters, and while I could
eventually realize where I was in the formation, the inconsistency and
multiplicity of header formats certainly did not help matters any.
Still, the work does have significant value. Those who rise through
the ranks of computer security frequently lack management experience
and knowledge, and this addresses, in some detail, the necessary
skills. Not as directly, perhaps, as Fred Cohen in the "Governance
Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless.
copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
This is primarily an investigative unit and I don't think we
should get sidetracked into the finer details of technology.
- Chief Superintendent Len Hynds
head of the UK National Hi-Tech Crime Unit
Dictionary Information Security www.syngress.com/catalog/?pid=4150