Today, all organizations need to understand and manage threats to their corporate business systems and data, as well as threats to the privacy and information of their customers. This responsibility is no longer limited to technical specialists, but is increasingly seen (and legislated) to be the responsibility of the most senior levels of management.

Harkins discusses the broad issue of business risk, covering a range of technology threats and vulnerabilities from a business perspective and offering strategies to help organizations develop solutions to mitigate these risks in a rapidly changing environment.

The first chapter gives a broad, high-level introduction to the information technology (IT) risks facing business. It covers issues such as security skill shortages, privacy expectations, and regulatory requirements and introduces the controls that can help to manage security threats. Chapter 2 looks at the subjective nature of the perception of risk, discussing how an individual’s familiarity with a particular technology can skew his or her perception of the associated risks, and the consequences that can result from this.

Chapter 3 examines governance of information risk management, looking at several governance structures for monitoring, oversight, and day-to-day risk management activities. The establishment of good working relationships with various groups within an organization to ensure the protection of corporate resources such as contract and financial information, intellectual property, and personal data are all covered. Chapter 4 extends the discussion to external partners. The issues associated with the exchange, sharing, and protection of information with business partners are discussed. Chapter 5 discusses the weakest link in any security system--people. Whether a result of inadvertent actions through lack of security awareness, negligence of technical staff in patching known vulnerabilities, or the malicious actions of insiders, the results are generally the same. The actions of employees can present a significant risk to information security, and Harkins proposes that improving the security awareness of employees can go a long way to achieving the right balance between ease of doing business and security. Chapter 6 moves on to review and assess current and developing threats and vulnerabilities. Discussing the development and evolution of threats using a product life cycle model is an interesting approach; Harkins describes how this approach can be used to track, assess, and respond to new security threats.

In chapter 7, Harkins describes a security architecture that he believes is agile enough to learn and adapt to new security challenges as they arise. His approach is “the 9 box of controls,” which plots areas of industry security focus on a matrix of control types versus control approaches. The approach is discussed in detail, along with how it can be applied to the evolving threat landscape. Chapter 8 looks at the opportunities that new technologies present and, of course, the challenges that come along with these opportunities. Security issues involving context-aware mobile applications and the dramatic growth of Internet-connected devices such as smart TVs and cars are examined.

Harkins devotes chapter 9 to examining corporate social responsibility and other ethical issues associated with managing information risk and in particular protecting the privacy of consumer data. The discussion on the social impact of the three main historical waves of technological change in modern times (namely: the 1760s, 1860s, and 1990s) is particularly interesting. Chapter 10 discusses the value of having an information security specialist at the “C” management level of an organization. A chief information security officer (CISO) with good business acumen can make all the difference for an organization--not just in legislation compliance, but also in leading broader risk management within the executive management team. The final chapter is a segue into a high-level discussion of the skills needed by an effective manager. This chapter could stand alone as a guide for management, briefly discussing initiative, effectiveness, commitment, professionalism, discipline, teamwork, problem-solving, and communication.

Harkins provides a good, high-level overview of the security landscape and describes an approach that can be used by an enterprise to manage information risk and security in an environment of rapidly changing and evolving threats. The book is well supported with diagrams and has a detailed table of contents and a thorough list of references as an appendix. The book could easily have been just one more boring treatise on security, but in fact it is quite readable and offers management guidance based on Harkins’ experience.

More reviews about this item: Amazon