Once more unto the Breach

by Mark Rowe

Author: Andrea Simmons

ISBN No: 9781 8492 87081

Review date: 28/04/2024

No of pages: 244

Publisher: IT Governance

Publisher URL:
http://www.itgovernance.co.uk/

Year of publication: 17/02/2015

Brief: Once more unto the Breach

Price: £29.95

The second edition of Once more unto the Breach is as refreshing and useful as the first, writes Mark Rowe.

The author describes the book as ‘an insider’s view of how many actual breaches (often seen as incidents) are going on all the time, but which do not get reported, either internally or externally’. Andrea Simmons tells the story of working as an information security manager: how they work with colleagues, both security specialists and not; do penetration testing; also cover physical security, for instance of laptops; and tackle such issues as passwords and remote workers.

She comes to the same conclusion as others in security – that you have to understand the business you are working in, besides knowing your specialism; you have to be alert to language and the organisation’s particular culture, and mirror it, if you want to change behaviour and gain support. You’re ‘always on’, and it’s a ‘constant uphill battle’ to persuade others. And you might not even have asked to be an information security manager; it may feel, as she writes, like ‘a poisoned chalice’. It’s a ‘mission’. As all of this suggests, infosec is about far more than the technology – the servers and firewalls.

As a public sector infosec manager, she addresses the bread and butter of workplaces, such as: other managers (in IT for example) may not pay attention to security ‘because their perception is that security is getting in the way’. Unfair, as she adds; security is little understood by IT. While it’s one thing to send staff on training, it’s another for them to know how to apply it; and while you may train staff to be more security-aware, are you ready for the reports of security failings they now feel informed enough to pass on?! While the infosec manager has the basics of inventory management (knowing what you have), patch management (keeping security software up to date) and vulnerability management (keeping IT kit from harm), you also may have the office politics of convincing people above and below that security is necessary and can save time and trouble (and money – why pay for software licences you never use?) and that your pet projects need a budget.

She writes: “The larger your organisation is, the harder it is to get the right message to everyone at the same time, unless you have a mandate to do so.” But as she says, managers might know little about security and not want to know either. Hence, as she says, ‘mixed messages’: Security might say, use encrypted USB sticks, but if you can’t afford them or you don’t know where to get them, staff might just buy them from a shop. At the least, this book might console you that you are not alone; other people, too, report IT security risks, and committee meetings do nothing about them. An organisation, she admits, may make sweeping change (for the better?!) impossible, which means the security manager has to make little, slow changes, from the bottom up or the top down. If it sounds a hard life, and she concludes that information security will not become any easier, she urges managers to keep reading, ‘and never lose your sense of humour!’.

Once more unto the Breach – Managing information security in an uncertain world, second edition, by Andrea Simmons. Published 2014 by IT Governance Publishing, 244 pages, ISBN 9781 8492 87081. Visit www.itgovernance.co.uk.


© 2024 Professional Security Magazine. All rights reserved.
