REVIEW: "Enterprise Security for the Executive", Jennifer L. Bayuk

      BKESCFTE.RVW 20110323

      "Enterprise Security for the Executive", Jennifer L. Bayuk, 2010,
      978-0-313-37660-3
      %A Jennifer L. Bayuk www.bayuk.com
      %C 130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA 93116-1911
      %D 2010
      %G 978-0-313-37660-3 0-313-37660-3
      %I ABC-CLIO, LLC/Praeger
      %O CustomerService@...
      %O http://www.amazon.com/exec/obidos/ASIN/0313376603/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0313376603/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0313376603/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 175 p.
      %T "Enterprise Security for the Executive: Setting the Tone from the
      Top"

      In the introduction, Bayuk argues against security planning based on
      FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of
      security tools, and for a holistic and systemic approach to security.
      She also recommends the promotion of a security culture in the top
      ranks of management, setting the "tone at the top" to consider
      security in a rational and realistic manner.

      In chapter one, the author stresses that every organization has a
      culture, and that the actions (and particularly consistency of
      actions) by senior management set it, regardless of formal statements.
      She also raises interesting points, such as that separation of
      security from the operational units creates perceptions which may be
      at odds with the security policy. (I appreciate her championing of
      "no exceptions," although I would argue that a formal exception policy
      could work as well.) The discussion of threats and vulnerabilities,
      in chapter two, is weaker (and the questionable etymology of the term
      "patch" does not increase confidence in Bayuk's technical background):
      ultimately it just seems to say that there are threats. The title
      "Triad and True," for chapter three, may refer to "protect, detect,
      correct" or the more conventional confidentiality, integrity, and
      availability. In fact there are a number of other "triads" mentioned,
      and the text raises a number of good security concepts generally
      related to safeguards, but is somewhat scattered and incomplete.
      Chapter four talks about risk management, but the process of using it
      to define a security program remains unclear. Security factors
      related to organizational governance structure are examined in chapter
      five. Standards, compliance and audit issues are discussed in chapter
      six. Chapter seven reviews monitoring, incident response, and
      investigation. Requirements for candidates for the position of CSO
      (Chief Security Officer) are noted in chapter eight. A template job
      description is included, but the document is perhaps too narrowly
      specified to be applicable in many situations.

      A fictional case study concludes the book. (In the introduction, the
      author promised that all "security horror stories" would be true, but
      I assume reality is less important in case studies.) This
      recapitulates, in narrative form, much of the content of the work.

      There is much of value in the text, and it is useful to present that
      content as it relates to senior management. Senior management support
      is, after all, the single most important factor in a successful
      security program. However, as noted above, much important material is
      missing, along the way, and the volume appears to be focussed at a
      particular type of industry or corporation, and so be less useful to
      those outside that sphere.

      copyright, Robert M. Slade 2011 BKESCFTE.RVW 20110323
