Managing Risk and Information Security: Protect to Enable (English) Paperback – 17 December 2012
Most helpful customer reviews on Amazon.com (beta)
In Managing Risk and Information Security: Protect to Enable, author Malcolm Harkins deals with the inherent tension of information security - that between limitations and enablement.
Harkins, in his role as CISO at Intel, argues that a new and fresh approach to information security is called for and he outlines it in the book.
At under 150 pages, the book provides a good introduction and high-level overview of the fundamentals of information security risk and details numerous risk management strategies.
One of the book's key points is that information security often has a disconnect from the underlying business needs that it is expected to secure. Harkins accurately notes that the only way to create an effective risk mitigation strategy is to ensure that the business and technical groups communicate.
As to Harkins' new approach to managing risk, he writes that given the increasing role of technology and the resulting information-related business risk, a new approach to information security built on the concept of protecting to enable is needed. Because compromise is inevitable, managing risk and surviving compromise are the key elements of this strategy.
Harkins writes that this new approach should:
* incorporate privacy and regulatory compliance by design, to encompass the full scope of business risk
* recognize that people and information--not the enterprise network boundary--are the security perimeter
* be dynamic and flexible enough to quickly adapt to new technologies and threats
Harkins writes that we need to accomplish a shift in thinking, adjusting our primary focus to enable the business, and then thinking creatively about how we can do so while managing the risk.
Not only is this a good book, it is part of the Apress Open format and is available for free. Amazon also offers it as a free Kindle download.
The book doesn't propose a single definitive solution, as Harkins notes that information is a journey without a finish line. For those looking to commence on that journey, Managing Risk and Information Security: Protect to Enable is a great place to start.
I just don't get the reviews mentioning that this book only contains basic information. Either those readers need to boost their ego by downplaying everything the others say (we all know those individuals exist...) or they expected to find a detailed security architecture to copy and paste into their service proposal worth hundreds of thousands of dollars. Come on, you know that no book provides you with that. In part because some information is confidential (we are talking security after all....), in part because some firms use security as a competitive advantage and quite possibly Intel is one of them. However, I found particularly useful the description of their "protect to enable" security architecture. If you are not so familiar with context-aware computing, this reading will be a very stimulating introduction and an eye-opener on what a medium to large company should do to operate with a viable and justifiable balance between security-driven restrictions and the conflicting need to share more and more information with multiple partners and with a workforce expected to be highly mobile and often using privately-owned devices to obtain and share such information.
Gone are the days in which the IT Security department was seen as the "party stopper": nowadays, with tighter margins driven down by global competition, corporations place productivity ahead of most other concerns as it becomes clear that the alternative is to lose customers and eventually shut down. Security professionals are no longer asked to make the firm as secure as possible, but rather to be enablers of business agility and productivity levels that cannot be reached by deciding to take no risk. We are also asked to prioritize and pick our battles, and this book cleverly explains how one of the most successful organizations in the world faced the challenge. The security architecture they created is able to learn (just as the whole organization is expected to) and quickly react to new threats. You will understand through this book how that was accomplished, and the more in depth you decide to go, the less trivial it will look.
I also found quite informative the chapter dedicated to Emerging Threats, which has the stated goal of describing methods for discerning real security threats from rhetorical ones. What constitutes a real threat for you?
Read this book and I bet you will learn something worthy. I know I did.
The unusual perspective is to develop a culture that can accept more risk; however, this is obviously not a blanket statement. The challenge is to accept the responsibility of changing organizational culture to, at the very least, evolve the scope of risk beyond the boundaries of information systems to adapt to the massively changing threat landscape in the business as it now exists in a global market.
There are cited examples of personalization vs privacy, mostly from abroad, but what is interesting to note is that here in Canada there is a reflection of a progressive approach by the Privacy by Design Centre of Excellence. In the very popular paper Privacy by Design, Dr. Ann Cavoukian starts privacy early on in the design of any organization, change, or key initiative. This is a massive shift that enables an IT organization's ability to help protect assets, but not as an afterthought or bolt-on, thereby making risk management more seamless. Surprisingly, the term "user experience" shows up here. Who would have thought that good design incorporating governance right up front would lead to an improved user experience, but it does.
Recent discussion on people and information as a combined entity is leading to the personalization of privacy. A movement for users to carry and manage their own privacy is now showing up in various information management products and services. What is evident is that the new generation of users is much more comfortable sharing information than ever before, and the inconvenience to accessible services is seen as a greater driver than loss of privacy. If this is the case, what does risk look like now for the enterprise? The author suggests how we perceive risk is greater than one would realize and also how we need to have this discussion very soon.
In the middle chapters, credibility, communication and partnership are emphasized - which is an opening of the kimono compared to traditional IT security practice. This recent Glasnost is also a reflection of the state of helplessness many security practitioners feel. This healthy discussion that traditional controls have failed to manage let alone anticipate threats cements the fact that security is a reactive practice until a mass change in leadership cultural behaviour takes place.
One common complaint I've heard in my few decades in the IT industry is that security is an afterthought based on budget and/or organizational assets. The governance of risk has never taken center stage and many have given in to the status quo.
Later on the author goes on to emphasize that the traditional borders of the enterprise are now people-based and that risk management and governance are now critical to the future of an organization. Understanding this and cultivating this at the speed of disruptive trends, with all partners, internal and external, is a sound strategy. After all, the "enemy" knows the system, and traditional controls are unlikely to keep them out given that social engineering tactics and social media have permanently eroded known perimeter defenses.
The later chapters focus on tactical approaches to architecture. Specific tools, techniques and processes are examined, along with recommendations on evolved systems such as context-aware security and total integration across the spectrum of system design, starting with the recognition that leadership needs to understand broad business and people skills even more than ever. In particular, the security practitioner needs to understand how security affects business priorities, constraints and enablement, along with having deep technical skills.
The final emphasis returns to a focus on leadership, culture change and a positive sense that "Protect to Enable", or my preferred "Privacy by Design" perspective, are key to succeeding in managing during this disruptive, and accelerating time of change. In my day to day travels, I am beginning to see the evidence of such cultural change and leadership in risk management.
This is a welcome disruptive change itself.