Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010202462 | HF5548.37 C64 2009 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
As organizations struggle to implement effective security measures, all too often they focus solely on the tangible elements, such as developing security policies or risk management implementations. While these items are very important, they are only half of the equation necessary to ensure security success. CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives presents tools that empower security practitioners to identify the intangible negative influencers of security that plague most organizations, and provides techniques to identify, minimize, and overcome these pitfalls.
The book begins by explaining how using the wrong criteria to measure security can result in a claim of adequate security when objective assessment demonstrates this not to be the case. The authors instead recommend that organizations measure the success of their efforts using a practical approach that illustrates both the tangible and intangible requirements needed by a healthy security effort.
The middle section discusses the root causes that negatively influence both a CISO and an organization's ability to truly secure itself. These root causes include:
Employee apathy Employee myopia or tunnel vision Employee primacy, often exhibited as office politics The infancy of the information security disciplineThese chapters explain what a CISO can do about these security constraints, providing numerous practical and actionable exercises, tools, and techniques to identify, limit, and compensate for the influence of security constraints in any type of organization.
The final chapters discuss some proactive techniques that CISOs can utilize to effectively secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that can make a difference in the daily lives of security practitioners.
Author Notes
Mike Gentile is on a mission to change the status quo in Information Security as we know it. His goal is to translate the discipline from one that is often misunderstood, inefficiently applied, and painful to one that is seamless, collaborative, and repeatable in organizations across the globe. Delphiis is the encapsulation of this mission.Mike brings balance of business acumen and technical skill-set anchored by years in the field and his core focus over the past 15 years has been his practice, Coastline Consulting services. As the Founder and President, Coastline has developed enterprise security programs for countless leading public, private, and government organizations, including many within the Global 1000 and Fortune 500. During that time he also became Co-Founder and Editor for CISOHandbook.com, the leading portal for security leaders.As a researcher, Mike has contributed numerous publications within the Information technology, project management, and security communities. He is also a senior researcher with Computer Economics in the Information Security domain and has written articles for the ISSA Journal, Computer Economics, RSA Conference and Secure World Expo.
As a writer he is the co-author of The CISO Handbook: A Practical Guide to Securing Your Company as well as CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives. The CISO Handbook is used as course material for numerous advanced education and Master's programs on security leadership around the world.Mr. Gentile serves on multiple advisory boards, including being on the Board of Advisors for Savant, a malware protection company, as well an active member of the RSA Program Committee since 2009.
Mr. Gentile is a sought after speaker on security, project management, and information technology topics. For the last 3 years he has been a top rated speaker at RSA, the most prestigious security conference in the United states and has been keynote speaker for the CXO Summits conference series. He has also presented over the years for the Project Management Institute, Secure World Expo, ISSA, Symantec, and many more.Mike lives in Southern California with his wife Tiffany and their two boys.
Table of Contents
| Foreword | p. xi |
| Acknowledgments | p. xiii |
| About the Authors | p. xvii |
| Overview | p. xxi |
| Chapter 1 What's Not Right | p. 1 |
| Overview | p. 1 |
| What Is Security? | p. 3 |
| Why Is All This Important? | p. 6 |
| Measuring Security | p. 8 |
| Security Program Strategy | p. 8 |
| Mission and Mandate | p. 11 |
| Security Policies | p. 14 |
| Roles and Responsibilities | p. 16 |
| Training and Awareness | p. 19 |
| The Security Risk Project Portfolio | p. 21 |
| Other Methods of Measurement | p. 23 |
| Security Constraints (Apathy, Myopia, Priamcy, and Infancy) | p. 29 |
| The Con of Security | p. 35 |
| Conclusion | p. 39 |
| Chapter 2 True Security Model | p. 41 |
| True Security | p. 41 |
| Part I The Tangible Elements of True Security | p. 42 |
| Part II Modeling the Intangible Elements of True Security (The Hard Part) | p. 43 |
| The Two "Step-Children" Groups of the Model | p. 47 |
| Tying It All Together | p. 49 |
| True Security Summary | p. 51 |
| Using the Model | p. 51 |
| Introduction to Systems Theory | p. 53 |
| Components of Systems Theory | p. 53 |
| Overlaying Security onto Systems Theory | p. 54 |
| Putting It All Together | p. 55 |
| Summary | p. 57 |
| Chapter 3 Apathy | p. 59 |
| Overview-What We Are Going to Cover | p. 59 |
| Causes | p. 60 |
| Causes of Apathy in Humans | p. 60 |
| Causes of Apathy within a System | p. 62 |
| Causes of Apathy within an Organization | p. 64 |
| Causes of Apathy within a Security Program | p. 69 |
| Equilibrium of Accountability and Authority | p. 75 |
| Security Interaction Points within an Organization | p. 76 |
| Eating the Elephant in One Bite | p. 78 |
| Missing Tangible Items of a Security Program | p. 79 |
| Communication-The "Why" | p. 79 |
| Causes of Apathy Section Summary | p. 80 |
| Cause and Effect of Apathy on the True Security Model | p. 80 |
| Apathy and the True Security Model | p. 82 |
| Apathy and the Board of Directors | p. 83 |
| Apathy and the Executive Team | p. 84 |
| Apathy and Middle Management | p. 86 |
| Apathy and the Supervisory Team | p. 86 |
| Apathy and Employees | p. 87 |
| Apathy and Consumers | p. 88 |
| Effects Summary | p. 89 |
| Solutions to Apathy | p. 89 |
| Security Solutions | p. 92 |
| Chapter Summary | p. 96 |
| Chapter 4 Myopia | p. 97 |
| Overview | p. 97 |
| Causes of Myopia within an Organization | p. 103 |
| History and Myopia | p. 104 |
| Complexity of Systems | p. 105 |
| Those Who Perform the Work | p. 106 |
| Professional Fraud | p. 108 |
| Knowledge Management | p. 109 |
| Causes of Myopia within a Security Program | p. 110 |
| What Is Security? | p. 111 |
| Techno-Centric Security | p. 111 |
| It's a Game of Inches | p. 112 |
| Pedigree Matters | p. 113 |
| The Generalist versus the Specialist | p. 113 |
| No Hablas Security | p. 114 |
| Life is a Wheel | p. 114 |
| Buyer Beware | p. 115 |
| Security Training | p. 116 |
| Causes of Myopia Section Summary | p. 116 |
| Cause and Effect of Myopia on the True Security Model | p. 118 |
| Myopia and the True Security Model | p. 118 |
| Myopia and the Board of Directors | p. 119 |
| Myopia and the Executive Team | p. 120 |
| Myopia and Middle Management | p. 122 |
| Myopia and the Supervisory Team | p. 122 |
| Myopia and Employees | p. 123 |
| Myopia and Consumers | p. 123 |
| Effects Summary | p. 125 |
| Solutions | p. 125 |
| Security Solutions | p. 126 |
| Chapter Summary | p. 134 |
| Chapter 5 Primacy | p. 135 |
| Overview | p. 135 |
| Primacy Tune-Up | p. 136 |
| Causes of Primacy within an Organization | p. 141 |
| Organizational Culture | p. 141 |
| Causes of Primacy within a Security Program | p. 148 |
| Walk Softly in the Land of the Giants | p. 153 |
| Summary | p. 153 |
| Cause and Effect of Primacy on the True Security Model | p. 155 |
| Effects of Primacy | p. 155 |
| Solutions | p. 160 |
| Security Solutions | p. 163 |
| Step #1 Assess Your Own Situation | p. 163 |
| Step #2 What's in The Message? | p. 165 |
| Step #3 Be Gentle with Your Knowledge | p. 168 |
| Step #4 Power Flows from the Top | p. 169 |
| Conclusion | p. 170 |
| Chapter 6 Infancy | p. 171 |
| Overview | p. 171 |
| Infancy within an Organization | p. 181 |
| Summary | p. 184 |
| Infancy within a Security Program | p. 184 |
| Nature of Security | p. 185 |
| Lack of Credibility | p. 185 |
| Pedaling Doom (or How Chicken Little Found His Calling in Security) | p. 187 |
| Summary | p. 187 |
| True Security Model and Infancy | p. 189 |
| True Security Model | p. 189 |
| Board of Directors | p. 190 |
| Executive Management | p. 191 |
| Middle Managers | p. 191 |
| Supervisory Team | p. 192 |
| Employees | p. 193 |
| Consumers | p. 193 |
| Summary | p. 195 |
| Security Solutions | p. 195 |
| First Things First | p. 198 |
| No One Likes Big Brother | p. 199 |
| Find Good Sources | p. 199 |
| Do Not Blindly Trust Sources Just Because They Appear Authoritative | p. 199 |
| Educate Yourself and Then Teach Others | p. 201 |
| Organize Your Messages | p. 202 |
| Be Patient | p. 204 |
| Summary | p. 204 |
| Chapter 7 Tying It All Together | p. 205 |
| Tales from the Security Consultant | p. 205 |
| Overview | p. 206 |
| Warning: Awareness and Comprehension of Previous Chapters Are Necessary to Read Past This Point | p. 208 |
| How to Measure Constraints within Your Environment | p. 209 |
| Localized Security Constraint Identification | p. 209 |
| Identification of Security Constraints within the True Security Model | p. 211 |
| Summary | p. 214 |
| GAP the True Security Model | p. 214 |
| The Tangible Elements of the True Security Model | p. 215 |
| Measuring the Intangible Elements of the True Security Model | p. 216 |
| Organizational GAP Analysis within the True Security Model | p. 218 |
| Summary | p. 220 |
| Filling the Gap | p. 220 |
| R.E.A.P.-Security Success Model | p. 220 |
| Final Steps | p. 231 |
| Summary | p. 233 |
| Chapter 8 Closing Thoughts | p. 235 |
| The Final Tale from the Security Consultant | p. 235 |
| Concept 1 Recognize That the Security Constraints Are What Leads to All of the Failures on Security Initiatives and in Security Programs | p. 236 |
| Concept 2 Be Reasonable in Your Approach to Mitigate the Security Constraints | p. 236 |
| Concept 3 True Security Is an Ideal | p. 236 |
| Concept 4 Treat Security Personally | p. 237 |
| Summary | p. 237 |
| Appendix | p. 239 |
| Exercise 8 Apathy | p. 239 |
| Exercise 9 Apathy | p. 240 |
| Exercise 10 Myopia | p. 242 |
| Exercise 11 Myopia | p. 243 |
| Exercise 12 Myopia | p. 244 |
| Exercise 13 Primacy | p. 245 |
| Exercise 14 Primacy | p. 246 |
| Exercise 15 Primacy | p. 247 |
| Exercise 16 Infancy | p. 248 |
| Exercise 17 Infancy | p. 249 |
| Exercise 18 Tying It All Together | p. 250 |
| Exercise 19 Tying It All Together | p. 253 |
| Exercise 20 Tying It All Together | p. 257 |
| Exercise 21 Tying It All Together | p. 260 |
| Exercise 22 Tying It All Together | p. 263 |
| R.E.A.P. Templates: Exercises 24 to 30 | p. 266 |
| References | p. 271 |
| Index | p. 273 |
