BKCISOHB.RVW 20060520

"The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006, 0-8493-1952-8, U$69.95/C$89.95
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1952-8
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 auerbach@wgl.com orders@crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T "The CISO Handbook: A Practical Guide to Securing Your Company"

The introduction states that there are generally two kinds of books on the security shelf: the "hack to secure" tomes and the exam preparation guides. (It may sometimes seem like the literature is restricted to those kinds of texts, although I would add a third that seems to be all too prevalent: poorly executed security management works. However, I fully sympathize with the authors' disdain for the "hacking" books, as well as their reasoning about the limited value of such manuals.) The authors also describe a standard structure for each chapter, as well as an overall design of the publication, following a fairly standard project management framework.

Chapter one covers assessment. While this may not be a big surprise to those with the slightest familiarity with project management fundamentals, the authors provide a very complete description of the information that will be useful in appraising any situation in which you may find yourself. (The writing is generally clear and easy enough to read, but the point of the examples and illustrations is not always obvious or even intelligible. In some cases it seems the desire to entertain has overwhelmed exegetical utility.) A very complete checklist is given at the end of the chapter.

Planning, in chapter two, does not fare as well. Much of the material reiterates the importance of obtaining information, or outlines organizational structures, personnel, and skills. (Rather ironically, the recommendations assume a fairly large corporation, budget, and staff, which was one of the complaints the authors made, in the introduction, about other security books.)

Design is a difficult project to nail down, but chapter three doesn't really even try. Various aspects of security management, such as policy components, promotion to the rest of the company, and security reviews, are the major substance dealt with (some of the topics multiple times).

Project management is covered in chapter four. It is very detailed and complete project management, directed at creating a specific design and implementation, but applicable to any kind of project. (It is somewhat telling that the end-of-chapter checklists, which have been getting shorter, vanish entirely here.)

Since the overall thread of the book has been to move through the phases of a large project, one could expect that the title of chapter five, "Reporting," refers to a report back to management on progress or completion. Not so: marketing of security to the enterprise, which has been a thread all the way through the book, now gets a chapter all its own.

Chapter six repeats the outline of the book we received in the introduction.

A work addressed to the CISO (Chief Information Security Officer) can be expected to be primarily concerned with management issues. However, with the exception of chapter one, very little in the book could not be equally applicable to any C-level executive. (It is interesting to note that, of the references, only two deal with security; twenty-seven are business books.) Indeed, even though Charles Sennewald wrote "Effective Security Management" (cf. BKEFSCMN.RVW) for those dealing with physical security, there is more practical advice for senior information security management in it than in "The CISO Handbook."

While the authors have outlined definite structures for the chapters, these patterns are not always easy to determine or follow. I frequently found myself lost in the chapters, and while I could eventually realize where I was in the formation, the inconsistency and multiplicity of header formats certainly did not help matters any.

Still, the work does have significant value. Those who rise through the ranks of computer security frequently lack management experience and knowledge, and this addresses, in some detail, the necessary skills. Not as directly, perhaps, as Fred Cohen in the "Governance Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless.

copyright Robert M. Slade, 2006