After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. It is a no-nonsense profile of the world of cybercrime that anyone involved in cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and my copy is on its way.
As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors.
Throughout Jeff’s career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never detected or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems, but he also tends to accompany the bad news with a detailed plan for risk reduction.
Jeff’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and its remediation are often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems only apply to IT and not to the business. Worse, some CEOs blame the security staff and then order them to keep silent. Still others fudge their compliance reporting.
In his book, “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career. It’s pretty scary stuff but almost any security professional will tell you it happens all the time.
Hopefully this report from the corporate security trenches will shake some corporate boards and legislators up. With the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.
Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.
Tags: cybercrime, Cybersecurity, Cyberwar, Fatal System Error, Jeff Bardin, Joseph Menn, Richard Clarke, The Illusion of Due Diligence
A bunch of this seems to be undue hot air – here is a WSJ article that presents a different point of view: http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html
My favorite excerpts:
Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable. There may be no petty crime in North Korea, but achieving such “security” requires accepting all other demands of living in an Orwellian police state. Just like we don’t put up armed guards to protect every city wall from graffiti, we should not overreact in cyberspace.
In reality, we don’t need to develop a new set of fancy all-powerful weaponry to secure cyberspace. In most cases the threats are the same as they were 20 years ago; we still need to patch security flaws, update anti-virus databases and ban suspicious users from our sites. It’s human nature, not the Internet, that we need to conquer and re-engineer to feel more secure.
Agreed and good point. In general, we know what to do but we just don’t do it.