
The CISO Handbook

samzenpus posted more than 8 years ago | from the look-and-learn dept.


Ben Rothke writes "Far too many books on information security focus on security from the product point of view. They equate security with firewalls, intrusion detection systems, biometrics, and myriad other hardware and software products. But if security was really about products, corporate America would be a very safe place because never have there been so many security products in use. But the reality is that much of today's computing infrastructure is insecure, and there are plenty of products in use." Read on for Ben's review.

The CISO Handbook: A Practical Guide to Securing Your Company lives up to its title as a practical guide to security. The book is the antithesis of the "products equal security" approach, and instead takes a pragmatic approach to security.

The authors have extensive real-world experience and approach information security from a holistic perspective. They clearly understand what it takes to build an information security program. One of the biggest mistakes in security is treating it as plug and play: buy a security product, install it, and like magic you have this thing called data security. That only works in the world of product brochures and marketing material, not in the real world. The book does not approach security from a plug-and-play perspective, but as an endeavor that requires a multi-year effort to come to fruition.

The five chapters deal with security from its true source, namely risk. The chapters are: Assess, Plan, Design, Execute and Report. These five areas encompass all of information security, and the firms that have built an effective information security infrastructure have all done it by focusing on these five areas.

The first area, Assess, is all about risk management. Many companies purchase security products without knowing what their specific risks are, having never performed a comprehensive risk analysis. Without one, any security product simply operates in a vacuum. The benefit of a risk assessment and analysis is that it ensures an organization is worrying about the right things and dealing with real, as opposed to perceived, threats. The ultimate outcome of a risk analysis should be to determine whether the organization would actually benefit from a given security product.

Chapter 1 ends with an assessment checklist of the various areas that go into a risk assessment. One question in the checklist that you are unlikely to see anywhere else is "describe the political climate at your company". Too many security people think only about the technology and neglect the political implications of a security system. Ignoring the politics is a surefire way to doom a project. The other questions in the checklist will give the reader a good feel for how secure their organization truly is, as opposed to the often-held perception that it is much more secure.

Chapter 2 is aptly titled Plan. The planning phase takes the risks identified during assessment and integrates options to mitigate them. The way in which a specific security technology or methodology is implemented depends on the organization. Rather than using a cookie-cutter approach, effective planning ensures that the security technologies chosen support your security program. Far too many organizations make the mistake of simply buying products without giving enough consideration to the myriad details of how they will be deployed, managed and used.

Chapter 2 emphasizes the need for planning, and the book as a whole emphasizes the need for a methodology when dealing with information security. For many security technologies, the challenges are not so much with the technology itself, but rather with ensuring that the technology meets business requirements, is scalable and reliable, and so on.

Building a comprehensive information security program is likely to be more complex than the typical IT projects most teams have experienced. As well as the project management, technical and operational aspects, there are many policy, legal and security issues that must be taken into consideration. By following a structured methodology based on practical experience, many of the potential traps and pitfalls can be avoided. The risks to the business and the project are reduced, and those that remain are quantified at an early stage.

The planning checklist at the end of chapter 2 helps by ensuring that the solutions identified are deployed in the context of a well-designed information security program. It can also be used as a wake-up call to management, which often seriously underestimates the amount of time and manpower required to create an effective information security program.

One of the added benefits of planning is that it makes it much easier to integrate new regulatory requirements into the security program. A well-planned network can accommodate new requirements much more quickly and efficiently. This is a critical need given the increasing number of new regulations that will come into play in the coming years, on top of current regulations such as HIPAA and Sarbanes-Oxley.

Chapters 3, 4 and 5 progress in a similar manner through the topics of Design, Execute and Report. Each chapter details the essentials of its topic and shows how it is critical to the efficacy of a successful information security program.

What the reader may find missing from the book are the particulars of the various security technologies. But that is the very point of the book: to show that information security is not primarily about the products, but rather about the underlying infrastructure on which those products reside. Any product that is not deployed within a methodology similar to that of The CISO Handbook is likely to find itself lacking. The product might be there and hum along, but the security it provides will likely be negligible.

The uniqueness of The CISO Handbook is that it shows how to design and implement an effective security program based on real-world scenarios, as opposed to product reviews and vendor evaluations.

The CISO Handbook: A Practical Guide to Securing Your Company is indeed a most practical guide, as its title suggests. It is quite helpful to anyone in a security organization, whether they are the CISO, system administrator, or in a different capacity.



The Misosoft Cookbook (0)

Anonymous Coward | more than 8 years ago | (#13951988)

Should go well next to it

Mod summary insightful! (3, Insightful)

Spy der Mann (805235) | more than 8 years ago | (#13952042)

The summary alone makes me want to buy that book. Security is not about products, but about safety practices.

Re:Mod summary insightful! (1)

loxfinger (571135) | more than 8 years ago | (#13952144)

It does sound as if security products are ultimately required, using them as an integral part of a thought-out scheme. Any mention of defense against social engineering in the book?

hah! (0)

Anonymous Coward | more than 8 years ago | (#13952053)

planning, whatever next? intelligent managers perhaps

Yay, covers the most overlooked parts of security. (4, Insightful)

LargoSensei (896728) | more than 8 years ago | (#13952073)

That's great and all for the digital front, but don't forget about the social front. That's where most threats come from anyway AFAIK. Art of Deception covers nearly all social fronts, and how to help defend against social engineers. Not suggesting this as a replacement, but as a supplement.

Re:Yay, covers the most overlooked parts of securi (0)

Anonymous Coward | more than 8 years ago | (#13953468)

"social front"? If you mean people, yes, all security issues are due to people. People build the machines, people build the networks, people make the malware, people make mistakes. This is true.

If you are talking about Social engineering, then this is just a fraction of the security issues out there.

Re:Yay, covers the most overlooked parts of securi (1)

monkeydo (173558) | more than 8 years ago | (#13954059)

Except that Art of Deception reads like a children's book. I doubt it would hold any executive's attention for long. I had to force myself to get through it, and I was actually interested in what Mitnick had to say.

Heh... (1)

Otter (3800) | more than 8 years ago | (#13952093)

Apparently the previous review ("I give it 10/10. Score: 8/10") has shamed the system into the award of an unprecedented 9!

It's OK, Bender -- there's no such thing as a 9!

Must be exciting (-1, Flamebait)

P3NIS_CLEAVER (860022) | more than 8 years ago | (#13952131)

Story up for 20 minutes and 5 comments. The chance of me reading this review is slim.

Re:Must be exciting (-1, Offtopic)

bradkittenbrink (608877) | more than 8 years ago | (#13952150)

I'm so sorry to hear that the intellectual juggernaut "P3NIS CLEAVER" won't be joining us in our discussion.

uuuh just so you know... (0)

Anonymous Coward | more than 8 years ago | (#13952148)

it's spelled CISCO not CISO. you forgot a "C". thank you.

Chief Information Security Officer, you troll ... (1)

millisa (151093) | more than 8 years ago | (#13952198)

You are welcome!

Re:uuuh just so you know... (2, Interesting)

Keruo (771880) | more than 8 years ago | (#13952210)

But this book is the Chief Security Officer handbook, not a CISCO manual, so the correct abbreviation actually is CISO.
Just copy-paste that ISBN into your favourite search engine and see the results.

Re:uuuh just so you know... (1)

ch-chuck (9622) | more than 8 years ago | (#13952248)

But this book is Chief Security Officer handbook

Must be Chief Information Security Officer - otherwise you'd be in charge of the night watchman as well. Of course we could make it the Chief Information Security and Confidentiality Officer.

What security is all about... (1)

alexandreracine (859693) | more than 8 years ago | (#13952149)

Security is not a destination, it is a road.

1st area "Access"? (1)

192939495969798999 (58312) | more than 8 years ago | (#13952151)

"The first area, Access, ..."

If the first area is Access (i.e. my access of your data), then you DEFINITELY need better security! Should probably be "Assess".

CISCO (1, Funny)

Punboy (737239) | more than 8 years ago | (#13952213)

Anyone else read that "CISCO" instead of "CISO"?

Re:CISCO (1)

mopslik (688435) | more than 8 years ago | (#13952261)

Anyone else read that "CISCO" instead of "CISO"?

I read it as "CRISCO" and thought, "mmm, lard."

Re:CISCO (1)

Punboy (737239) | more than 8 years ago | (#13952373)

Darn you, now I want to bake brownies. Do you have any idea how disastrous that would be? I'd burn the bloody house down, that's how.

Re:CISCO (1)

NetNinja (469346) | more than 8 years ago | (#13952435)

No. Maybe if you looked up the book's ISBN number and read what the title was. It's not Cisco, it's Ciso, and for 69.95 they can keep it.

Re:CISCO (1)

Punboy (737239) | more than 8 years ago | (#13952569)

It's not a matter of being mistaken as to the book title, it's a simple matter of misreading the title on the first pass. Nobody is saying that it is indeed a Cisco book, I'm saying at first glance I thought that's what the article title was.

Re:CISCO (0)

Anonymous Coward | more than 8 years ago | (#13955100)

GP asked if anyone else looked at the headline and *misread* "Cisco".

I saw the headline and started reading the summary expecting it to be about Cisco. When it wasn't, I re-read the headline and this time picked up that it was CISO (never heard of that acronym). The brain wants to recognize familiar patterns and will see things that aren't really there if it fits other cues.

Why on earth would you start spouting crap about looking up ISBN numbers, unless perhaps you misread his post and assumed he was complaining that the title really was supposed to be CISCO??

Oh yeah, because you are a dolt.

yes... (1)

drewxhawaii (922388) | more than 8 years ago | (#13952680)

...and i saw it upwards of 10 times

now THAT is great product association

Re:CISCO (1)

Tyklfe (903962) | more than 8 years ago | (#13953204)

Yeah, I did at first, but then caught myself and read it again. It just took me a second to remember cisco and security have nothing in common.

Re:CISCO (1)

Tony Hoyle (11698) | more than 8 years ago | (#13954842)

Damn, I got as far as your comment before going back and rereading the headline.

Never heard of CISO though.. are you *sure* it's not just a mistype?

Re:CISCO (1)

Fishstick (150821) | more than 8 years ago | (#13955128)

I thought the same thing at first.

No, that is apparently correct, though I had never seen that acronym before and had to look it up to be sure:

Chief Information Security Officer (CISO)

The position of CISO is relatively new in most organizations. The CISO should be providing tactical information security advice and examining the ramifications of new technologies. In most corporations the CISO reports to the CIO or CTO. The CISO role does not usually include responsibility for physical security, risk management and business continuity, which are more often delegated to the CSO.

Re:CISCO (1)

Mika24 (784640) | more than 8 years ago | (#13955852)

Hahahahaha I did and had to scroll back up

Save the $ (-1, Redundant)

Ctrl+Alt+De1337 (837964) | more than 8 years ago | (#13952263)

I'll save everyone the time and money to get and read the book. Get an air-tight firewall (OpenBSD or similar), run anti-virus and restrict IE's bad features (ActiveX, and so on) if you're on a Windows network, train employees so they aren't completely ignorant, and force all users to run in non-administrator mode. Ta da! Do I win a prize?

If they're feeling adventurous, admins also could do things like require Firefox and Thunderbird, run OS X or Linux on desktops, etc. as long as they have some extra scratch in the training budget.

Re:Save the $ (3, Insightful)

soma_0806 (893202) | more than 8 years ago | (#13952316)

Wow, what a shining example of the very knee-jerk, laundry list approach of one-size-fits-all security this book tries to warn against!

Thanks for the illustration.

Re:Save the $ (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#13952484)

And pray that you never have a crooked insider?

That list left out the need for a shredding policy and a standard for disposing of used hardware that might have sensitive information. Not sure what's sensitive? That's why you need the risk assessment.

Health care is an eighth of the economy and has a specific set of infosec regulations it's required to follow. The financial industry has its own set of legal obligations. One size does not fit all.

That said, I do wish people would follow the advice in the parent post. There would still be plenty of work for people like me but at least it would be less repetitious.

Local Administrators Group (1)

Sir_Eptishous (873977) | more than 8 years ago | (#13953225)

The worst is when the company you work for uses a vital revenue generating application on Windows and it will only work if the user is a member of the local admins group...

When you discuss this with the support from the software company, they will tell you to upgrade.

When you discuss this with management and elaborate on how insecure this situation is, they say they have the upgrade budgeted for next year and hopefully the validation docs will be written by then...

You see, that's what is so cool about Windows. So much software won't run unless the user is root.
Isn't that just great.

Re:Save the $ (1)

Anthony (4077) | more than 8 years ago | (#13954329)

Ah, so it *is* just the products that make a network secure. Thanks.

machine translation? (2, Funny)

DrVomact (726065) | more than 8 years ago | (#13952298)

The book is antithetical approach to the products equal security approach, and takes a pragmatic approach to security.

I think you are trying to say something here. Try again.

Is there a section on TPS reports? (1, Flamebait) (645325) | more than 8 years ago | (#13952384)

Anybody who attempts to solve their organization's security issues by going out and buying something to slap into the network needs to be cock-punched. That much should be obvious.

On the other hand, anybody who makes a living writing books about why it's a bad idea to do it should probably be cock-punched, too.

I've sat through waaaay too many seminars taught by swaggering little ex-cop six sigma management flunkies who vomit out more technical jargon and meaningless acronyms about process and procedures and ISO and SOX and their frickin' CISSPs than the most autistic assembler programmer.

I was at one time considering a move toward the corporate network security area versus my current more traditional sysadmin job, but the amount of wanking that goes on at the management level in infosec would probably make me go postal.

Sorry for blathering, but this is kind of a sensitive topic for me lately.

Security is a myth (2, Insightful)

NVP_Radical_Dreamer (925080) | more than 8 years ago | (#13952536)

What is this security thing that you speak of? There will never be a secure computing environment as long as we have users

Re:Security is a myth (1)

drewxhawaii (922388) | more than 8 years ago | (#13952650)

true, you can never make something "secure," but you can always make it more secure, and this book teaches you how.

What a terrible review (1)

ArchAngelQ (35053) | more than 8 years ago | (#13952634)

Let's see: How about we describe the chapter titles, and use big words? Yeah! That'll work.

Examples of the content, especially what they chose to exemplify as risks, would make for a much better review. As it stands, I have no idea if the content rambles for pages and pages about things that I consider to be trivial, or if they really do a good job at covering risk assessment areas I don't know about or want more detail than I have about.

The C stands for cretin, apparently (1)

44BSD (701309) | more than 8 years ago | (#13952728)

Let's not forget that the audience for this book are C-level execs in charge of information security. If folks at that level need to be told that results need to be measured, that access needs to be controlled, that risks need to be managed, then they aren't fit for the positions they hold.

Consider what an equivalent book would be for CFOs --"It ain't just calculators"

No shit.

Re:The C stands for cretin, apparently (0)

Anonymous Coward | more than 8 years ago | (#13952832)

Actually, I for one would be happier if the GLBA, SARB-OX, and HIPAA were even *MORE* tightened.

Most middle and senior level management won't do *ANYTHING SERIOUS* about security until it's required by law and audited.

If you don't understand where I'm coming from, just remember that most middle-to-upper management will stare blankly at you with the "but we've got a *firewall*, that's good enough isn't it...?" when you bring up anything else. The rest of them will tell you (privately) that they don't want to do anything until they are required to.

Yes, you are right, it's like "It ain't just calculators", but the sad part is that 99% of them either won't read it, or won't understand it.

Re:The C stands for cretin, apparently (1)

Fishstick (150821) | more than 8 years ago | (#13955172)

>the audience for this book are C-level execs in charge of information security.

I would think that the audience is a bit broader. Perhaps those with aspirations and ambitions to reach that sort of position? Also seems like a good book for information consultant wanna-be's.

Kind of like CEO magazine -- I've seen it on desks of managers and directors. They aren't the CEO, but they want to know what kind of crack the higher-ups are smoking.

Thank you! (1)

Serious Poo (597509) | more than 8 years ago | (#13952912)

Thank you Ben, for taking the time to review our book, and a huge THANK YOU! for your kind words. Our intention was to write something that both IT and security professionals can truly get a lot out of, and to be honest we're very happy with the end result. On behalf of Mike, Ron, the good folks at Auerbach, and everyone else who helped out in putting together The CISO Handbook, thank you very much! Tom August

Re:Thank you! (1)

scovetta (632629) | more than 8 years ago | (#13978859)

The CISO Handbook was written by a guy named Serious Poo?

Save some money! (0)

Anonymous Coward | more than 8 years ago | (#13952987)

Save yourself some money by buying the book here: The CISO Handbook. And if you use the "secret" discount, you can save an extra 1.57%!

Non-referrer link (0)

Anonymous Coward | more than 8 years ago | (#13954859)

Here's an amazon link that doesn't have kaleidojewel as a referrer:

"Assess", not "Access" (1)

Serious Poo (597509) | more than 8 years ago | (#13953019)

To answer a question raised by several Slashdot readers, the first section of the methodology in the book is titled "Assess", not "Access". The goal with this section is to first assess all of the external and internal factors driving the need for information security in your enterprise, and then move forward from there.

Hope that helps!

Tom August

Schneier and co. (1)

BalkanBoy (201243) | more than 8 years ago | (#13953108)

.. I believe Bruce Schneier already beat this issue to death - security is a process - that can not be gained from a book or a product or a tool or whatever... If the book moves you in the right direction, it's worth a read. Check out his short essay on this.

Re:Schneier and co. (1)

Ithika (703697) | more than 8 years ago | (#13955126)

You're right; Schneier doesn't stop talking about this (and I mean that in a good way). The same with Ross Anderson. I have only a tangential - and entirely academic - experience of security, but even I can see that the book isn't saying anything as revolutionary as the reviewer makes out.

Too bad about the capitalization (1)

dclaw (593370) | more than 8 years ago | (#13955204)

It's really too bad the book's cover sucks so bad. I would've expected something a little nicer than a compass. And also.... they didn't capitalize all of CISO on the cover, as you would normally do when using an acronym.

Since when is Ciso a word?

The Ciso Handbook