Managing Risk and Information Security: Protect to Enable (August 2016)
Publisher:
  • Apress
  • 901 Grayson Street Suite 204, Berkeley, CA
  • United States
ISBN: 978-1-4842-1456-5
Published: 11 August 2016
Pages: 186
Abstract

This updated version describes, at a high level, the evolving enterprise security landscape and provides guidance for a management-level audience about how to manage and survive risk. While based primarily on the author's experience and insights at major companies where he has served as CISO and CSPO, the book also includes many examples from other well-known companies. Managing Risk and Information Security provides thought leadership in the increasingly important area of enterprise information risk and security. It describes the changing risk environment and why a fresh approach to information security is needed. Because almost every aspect of an enterprise is now dependent on technology, not only for internal operations but increasingly as a part of product or service creation, the focus of IT security must shift from locking down assets to enabling the business while managing and surviving risk. This edition discusses business risk from a broader perspective, including privacy and regulatory considerations. It describes the increasing number of threats and vulnerabilities and offers strategies for developing solutions. These include discussions of how enterprises can take advantage of new and emerging technologies, such as social media and the huge proliferation of Internet-enabled devices, while minimizing risk.

What You'll Learn
  • How enterprise risk and security requirements are changing, and why a new approach to risk and security management is needed
  • How people perceive risk and the effects this has on information security
  • Why different perceptions of risk within an organization matter, and why it is necessary to understand and reconcile these views
  • The principles of enterprise information security governance and decision-making, and the other groups security leaders need to work with
  • The impact of new technologies on information security, and how to safely enable the use of new technologies

Who This Book Is For
The primary audience is CIOs and other IT leaders, CISOs and other information security leaders, IT auditors, and other leaders of corporate governance and risk functions. The secondary audience is CEOs, board members, privacy professionals, and less senior-level information security and risk professionals.

"Harkins' logical, methodical approach as a CISO to solving the most complex cybersecurity problems is reflected in the lucid style of this book. His enlightened approach to intelligence-based security infrastructure and risk mitigation is our best path forward if we are ever to realize the vast potential of the innovative digital world we are creating while reducing the threats to manageable levels. The author shines a light on that path in a comprehensive yet very readable way." Art Coviello, Former CEO and Executive Chairman, RSA

Reviews

David Bruce Henderson

Today, all organizations need to understand and manage threats to their corporate business systems and data, as well as threats to the privacy and information of their customers. This responsibility is no longer limited to technical specialists, but is increasingly seen (and legislated) to be the responsibility of the most senior levels of management. Harkins discusses the broad issue of business risk, covering a range of technology threats and vulnerabilities from a business perspective and offering strategies to help organizations develop solutions to mitigate these risks in a rapidly changing environment.

The first chapter gives a broad, high-level introduction to the information technology (IT) risks facing business. It covers issues such as security skill shortages, privacy expectations, and regulatory requirements and introduces the controls that can help to manage security threats. Chapter 2 looks at the subjective nature of the perception of risk, discussing how an individual's familiarity with a particular technology can skew his or her perception of the associated risks, and the consequences that can result from this. Chapter 3 examines governance of information risk management, looking at several governance structures for monitoring, oversight, and day-to-day risk management activities. The establishment of good working relationships with various groups within an organization to ensure the protection of corporate resources such as contract and financial information, intellectual property, and personal data is also covered. Chapter 4 extends the discussion to external partners. The issues associated with the exchange, sharing, and protection of information with business partners are discussed. Chapter 5 discusses the weakest link in any security system: people.

Whether a result of inadvertent actions through lack of security awareness, negligence of technical staff in patching known vulnerabilities, or the malicious actions of insiders, the results are generally the same. The actions of employees can present a significant risk to information security, and Harkins proposes that improving the security awareness of employees can go a long way to achieving the right balance between ease of doing business and security. Chapter 6 moves on to review and assess current and developing threats and vulnerabilities. Discussing the development and evolution of threats using a product life cycle model is an interesting approach; Harkins describes how this approach can be used to track, assess, and respond to new security threats. In chapter 7, Harkins describes a security architecture that he believes is agile enough to learn and adapt to new security challenges as they arise. His approach is "the 9 box of controls," which plots areas of industry security focus on a matrix of control types versus control approaches. The approach is discussed in detail, along with how it can be applied to the evolving threat landscape. Chapter 8 looks at the opportunities that new technologies present and, of course, the challenges that come along with these opportunities. Security issues involving context-aware mobile applications and the dramatic growth of Internet-connected devices such as smart TVs and cars are examined. Harkins devotes chapter 9 to examining corporate social responsibility and other ethical issues associated with managing information risk and, in particular, protecting the privacy of consumer data. The discussion on the social impact of the three main historical waves of technological change in modern times (namely the 1760s, 1860s, and 1990s) is particularly interesting. Chapter 10 discusses the value of having an information security specialist at the "C" management level of an organization.

A chief information security officer (CISO) with good business acumen can make all the difference for an organization, not just in legislative compliance, but also in leading broader risk management within the executive management team. The final chapter is a segue into a high-level discussion of the skills needed by an effective manager. This chapter could stand alone as a guide for management, briefly discussing initiative, effectiveness, commitment, professionalism, discipline, teamwork, problem-solving, and communication. Harkins provides a good, high-level overview of the security landscape and describes an approach that can be used by an enterprise to manage information risk and security in an environment of rapidly changing and evolving threats. The book is well supported with diagrams and has a detailed table of contents and a thorough list of references as an appendix. The book could easily have been just one more boring treatise on security, but in fact it is quite readable and offers management guidance based on Harkins' experience.

Online Computing Reviews Service
