Monday, October 19, 2009

Book Review: “Into the Breach”

“Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real world consequences, as well as “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

The part of the book is Part 2 where author’s “strategy to protect information” is unveiled. The author then goes into some level of details on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough so that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it you your manager!

Possibly related posts:

Dr Anton Chuvakin