This book is probably the most thought-provoking book on security I read in the last 5-7 years! While I'm somewhat known from my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of security industry.
In fact, the influence this book already had on me is palpable: I found myself using some of the terms (such as author’s favorites, “intellectual capital” and “CASE”) and concepts on the next day after I started reading it.
As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-lead” late 1990s to “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some of the solutions in the way people think and operate around security.
In fact, it might be one of the most influential books ever written in history of security industry - the one that appeared at the best possible time when it’s most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Just as the author, I've been grown frustrated with the ranks of idiots who equate compliance and security. Even author’s rant about ethics is something I've been thinking for years.
The author slaughters a few of the sacred cows of security industry: one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products, which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of 1990s when the security industry was born.
And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on the vulnerability assessment technology than the author (I don't think they give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetitions to my taste. However, having a summary after each chapter is a great idea.
Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.
In fact, the influence this book already had on me is palpable: I found myself using some of the terms (such as author’s favorites, “intellectual capital” and “CASE”) and concepts on the next day after I started reading it.
As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-lead” late 1990s to “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some of the solutions in the way people think and operate around security.
In fact, it might be one of the most influential books ever written in history of security industry - the one that appeared at the best possible time when it’s most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Just as the author, I've been grown frustrated with the ranks of idiots who equate compliance and security. Even author’s rant about ethics is something I've been thinking for years.
The author slaughters a few of the sacred cows of security industry: one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products, which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of 1990s when the security industry was born.
And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on the vulnerability assessment technology than the author (I don't think they give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetitions to my taste. However, having a summary after each chapter is a great idea.
Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.