Assessing Information Security: Strategies, Tactics, Logic and Framework
What do information security and the art of war have in common?
The answer, this book argues, is a great deal. Although the authors have an expert technical knowledge of information security, they strongly believe that technical and procedural measures cannot offer a solution on their own.
The human factor
Information security is not painting by numbers. You can tick all the right boxes and acquire the latest technology, and you may fail all the same. This is because information security is ultimately a human problem, not a technical one. In the end, the threats to your information security come from human beings, not from machines. Although one problem you will face is simple human error, the major threat to your business information is from the criminal.
Cybercrime is on the move. It is in a state of constant evolution, capable of adapting both to developments in technology and to whatever security measures its targets have already put in place. It will seek out your weak points in order to exploit them for its own advantage. However, although the people who want to harm your business will try to take you by surprise, they are also bound to have weaknesses of their own. Because the activity of cybercriminals is both deliberate and hostile, they can be compared to a military adversary. So if you want to defend yourself from cybercrime, you can learn from military strategy.
Fighting cybercrime is about more than bureaucracy and compliance. Your company’s approach to information security has to be integrated with your overall business goals. The people at the top have to provide leadership, while the people at the bottom need to understand the company’s information security policy and be able to show initiative when faced with an unexpected attack. If you want to take active steps to deter the cybercriminal, then this book is for you. It will help you plan the right strategy for defending your business from cybercrime.
Business is an intensely competitive environment. This is why so many executives enjoy the insights that the classics of military strategy, such as Clausewitz and Sun Tzu, provide on how to win. The authors of this book have drawn on Clausewitz in order to interpret the detailed knowledge of information security they have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.
Benefits to business include:
- Protect your business information. If you do not carry out proper checks, then something will go badly wrong, and your business will suffer. Use this book to help you understand the best way to implement an information security assessment.
- Spend money wisely. Information security is not just about having the right equipment. Before you go spending money on fancy gadgets and expensive software, you need to understand what your priorities are, and work out which security measures will be the most effective in protecting your business information.
- Learn to adapt. The reality is that your business information is not stored in a fixed, fortified place like a castle. Your employees could be blackmailed or bribed, or their company laptops may be hacked into or stolen when they are travelling abroad. So, to protect your company’s business information, you must avoid a fortress mentality and be capable of adapting to an ever-changing environment.
- Prepare to fight back. Defending your company from malicious hackers, or corrupt and embittered employees, is not just a matter of putting appropriate security structures in place. Criminals go for soft targets, but, if they know your company is ready to fight back, they will be deterred from attacking it. When you know how to identify suspicious behaviour among your staff, you will be in a stronger position to prosecute them for any offence against your company.
As the authors argue, ‘An information security professional is engaged in a form of continuous warfare which is defensive by its very nature. The aim of this “combat” is not to give an inch of the protected “territory” (data, systems, resources) to the adversaries.’
- Paperback: 412 pages
- Publisher: IT Governance Publishing (March, 2010)
- Language: English
- ISBN-10: 1849280355
- ISBN-13: 978-1849280358