Enterprise Strategy Group | Getting to the bigger truth.TM

“The Illusion of Due Diligence”: Another Cybersecurity “Must Read”

After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. It is a no-nonsense profile of the world of cybercrime that anyone associated with cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and am awaiting the shipment of my copy.

As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors.

Throughout Jeff’s career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never discovered or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems, but he also tends to accompany the bad news with a detailed plan for risk reduction.

Jeff’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and remediation are often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems only apply to IT and not the business. Even worse, some CEOs blame the security staff and then mandate that they keep silent. Still others fudge their compliance reporting.

In “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career. It’s pretty scary stuff, but almost any security professional will tell you it happens all the time.

Hopefully this report from the corporate security trenches will shake up some corporate boards and legislators. Given the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action, but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.

Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s, but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.

Related posts:

  1. Note to Washington: Read and react to Richard Clarke’s new Book, “Cyber War!”
  2. Fatal System Error: A MUST read for IT professionals, legislators, and law enforcement
  3. Why Are There Still So Many Problems with The Federal Cybersecurity Effort?
  4. Cyber ShockWave Illustrates Why the Federal Government Must Lead the Cybersecurity Charge
  5. “Must Read” Report on Cyber Warfare from McAfee

Tags: Cyberwar, Jeff Bardin, Richard Clarke, The Illusion of Due Diligence

All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging. Click to see our complete Disclosure Policy.

2 Responses to ““The Illusion of Due Diligence”: Another Cybersecurity “Must Read””

  1. WSJ says:

    A bunch of this seems to be undue hot air – here is a WSJ article that presents a different point of view: http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html

    My favorite excerpts:

    Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable. There may be no petty crime in North Korea, but achieving such “security” requires accepting all other demands of living in an Orwellian police state. Just like we don’t put up armed guards to protect every city wall from graffiti, we should not overreact in cyberspace.

    In reality, we don’t need to develop a new set of fancy all-powerful weaponry to secure cyberspace. In most cases the threats are the same as they were 20 years ago; we still need to patch security flaws, update anti-virus databases and ban suspicious users from our sites. It’s human nature, not the Internet, that we need to conquer and re-engineer to feel more secure.

    • Jon Oltsik says:

      Agreed and good point. In general, we know what to do but we just don’t do it.


© 2010 Enterprise Strategy Group, Milford, MA 01757
