"The Illusion of Due Diligence" separates security rhetoric from reality

After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. This is a no-nonsense profile of the world of cybercrime that anyone associated with cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and am awaiting the shipment of my copy soon.

As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors. Throughout his career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never discovered or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems, but he also tends to accompany the bad news with a detailed plan for risk reduction.

Jeff’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and remediation are often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems apply only to IT and not to the business. Even worse, other CEOs blame the security staff and then mandate that they keep silent. Still others fudge their compliance reporting. In “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career.
It’s pretty scary stuff, but almost any security professional will tell you it happens all the time.

Hopefully this report from the corporate security trenches will shake some corporate boards and legislators up. With the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action, but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.

Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s, but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.