This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE AND ROI
By Catherine Paquet and Warren Saxe
381 pages, $39.95
The Business Case for Network Security suffers from multiple personality disorder—it's geared simultaneously toward two different demographics. It attempts to provide security managers with a viable approach for pitching their agenda to the C-suite, but spends too much time pandering to senior management with Security 101 material: hacker motives, vulnerability windows, technical and procedural countermeasures.
The opening chapters provide standard fare, but other security books cover the same material more concisely and with more flair. The writing is mediocre and filled with verbosity and nonstandard technical terms. It could be improved substantially by tightening up the descriptions of the vulnerability types and tying them to meaningful business risk analyses.
The text also offers little help with the notoriously difficult task of quantifying security breaches. The advice on using available surveys, such as the CSI/FBI Computer Crime and Security Survey, is opaque at best. In a particularly telling excerpt, the authors warn that "statistics from different sources can appear to be conflicting," and that "it is prudent to error on the side of caution while continuing to study the trending"—which leaves the reader wondering which "cautious" side one should err on.
The Business Case for Network Security does contain some original material. Its two self-assessment surveys—the infosecurity management survey and the infosecurity operational survey—are interesting, but aren't available online and have limited use for calculating an organization's "risk-aversion quotient." The authors fail to instill much confidence that the results would be imbued with analytical value; they're the security equivalent of personality quizzes. The simplistic results ignore the subtle and complex analysis required to make an effective security decision.
While trying to appeal to both the security manager and the executive, The Business Case for Network Security winds up appealing to neither. Readers would be better off choosing a basic text on business politics and accounting to educate themselves rather than wasting their time trying to understand this book.
This was first published in June 2005