REVIEW: "Enterprise Security for the Executive", Jennifer L. Bayuk
- BKESCFTE.RVW 20110323
"Enterprise Security for the Executive", Jennifer L. Bayuk, 2010,
%A Jennifer L. Bayuk www.bayuk.com
%C 130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA 93116-1911
%G 978-0-313-37660-3 0-313-37660-3
%I ABC-CLIO, LLC/Praeger
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 175 p.
%T "Enterprise Security for the Executive: Setting the Tone from the

In the introduction, Bayuk argues against security planning based on
FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of
security tools, and for a holistic and systemic approach to security.
She also recommends the promotion of a security culture in the top
ranks of management, setting the "tone at the top" to consider
security in a rational and realistic manner.

In chapter one, the author stresses that every organization has a
culture, and that the actions (and particularly consistency of
actions) by senior management set it, regardless of formal statements.
She also raises interesting points, such as that separation of
security from the operational units creates perceptions which may be
at odds with the security policy. (I appreciate her championing of
"no exceptions," although I would argue that a formal exception policy
could work as well.) The discussion of threats and vulnerabilities,
in chapter two, is weaker (and the questionable etymology of the term
"patch" does not increase confidence in Bayuk's technical background):
ultimately it just seems to say that there are threats. The title
"Triad and True," for chapter three, may refer to "protect, detect,
correct" or the more conventional confidentiality, integrity, and
availability. In fact there are a number of other "triads" mentioned,
and the text raises a number of good security concepts generally
related to safeguards, but is somewhat scattered and incomplete.
Chapter four talks about risk management, but the process of using it
to define a security program remains unclear. Security factors
related to organizational governance structure are examined in chapter
five. Standards, compliance and audit issues are discussed in chapter
six. Chapter seven reviews monitoring, incident response, and
investigation. Requirements for candidates for the position of CSO
(Chief Security Officer) are noted in chapter eight. A template job
description is included, but the document is perhaps too narrowly
specified to be applicable in many situations.

A fictional case study concludes the book. (In the introduction, the
author promised that all "security horror stories" would be true, but
I assume reality is less important in case studies.) This
recapitulates, in narrative form, much of the content of the work.

There is much of value in the text, and it is useful to present that
content as it relates to senior management. Senior management support
is, after all, the single most important factor in a successful
security program. However, as noted above, much important material is
missing along the way, and the volume appears to be focussed on a
particular type of industry or corporation, and so will be less useful
to those outside that sphere.

copyright, Robert M. Slade 2011 BKESCFTE.RVW 20110323