BKINTBRE.RVW 20091012

"Into the Breach", Michael J. Santarcangelo, 2008, 978-0-9816363-0-6
%A Michael J. Santarcangelo michael@securitycatalyst.com
%C New York, USA
%D 2008
%G 978-0-9816363-0-6 0-9816363-0-6
%I Catalyst Media
%O www.intothebreach.com
%O http://www.amazon.com/exec/obidos/ASIN/0981636306/robsladesinterne
 http://www.amazon.co.uk/exec/obidos/ASIN/0981636306/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0981636306/robsladesin03-20
%O Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 110 p.
%T "Into the Breach"

The introduction states that security (which seems to be limited to disclosure or breaches) is a "people" problem, and therefore requires social solutions. This addresses a common problem: security professionals, and even non-technical managers, concentrate on breaches in systems and thus miss the real heart of the matter: people.

Although not overtly stated, part one seems to be related to the first stage in the Strategy to Protect Information, understanding information. Chapter one repeats the position that breaches are a human problem. Security awareness is promoted in chapter two. In chapter three an analogy is drawn between faddish security and crash dieting, noting that neither works. Chapter four addresses risk management.

Part two suggests managing people. Chapter five outlines the aforementioned Strategy to Protect Information: understand your information assets, manage and communicate with your people, and optimize your processes and systems. Implementing this strategy is seen, in chapter six, as a five-step process: learn the jobs, gather information, prioritize, plan, and communicate. Steps seem to be missing, such as dividing your data or systems into elements for the process. Guidance for planning is limited. Chapter seven suggests making a trial run with a pilot project, which is a good idea. Measurement of the success of the project is discussed in chapter eight.

Part three deals with improvement. Chapter nine notes that the strategy benefits overall management, which is unsurprising, since it is basically a general management process. Chapter ten notes that the strategy also partially covers the cost of compliance with regulations or standards, since a significant portion of the initial cost of compliance relies on the type of research and analysis demanded by the strategy. (However, a great deal of the content simply emphasizes the importance of compliance.) The advice about outsourcing, in chapter eleven, seems to be to audit the vendor. Chapter twelve closes off the book with an exhortation to act.

Although generic, the strategy proposed is sound and likely useful. This slim volume would help a significant number of managers and security practitioners who are caught up in the latest security fad or device, to the detriment of actual business (and personnel) needs.

copyright Robert M. Slade, 2009 BKINTBRE.RVW 20091012