Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? by Evan Francen

John's review

Rating: it was amazing
bookshelves: recommended-for-nerds, reviewed-by-me, security

[I should note before beginning that a colleague of mine picked this up for free at a conference and gave it to me.]

This book is a sane reading of the riot act to all information security professionals and those who want to work in information security. I say "riot act" because Francen is unerring in raising the temperature and alarm at how terribly knee-jerk so much security work is, while simultaneously underscoring how truly at risk we are: companies (large and small) and the federal government alike. (And this is not a provoking of "fear, uncertainty, and doubt" [FUD] because Francen frequently differentiates the fake from the facts.) I say "sane" because I suspect that this book emerged from some very emotional behind-the-scenes ranting, which Francen has managed to control by tempering his approach with facts. The book is loaded with references and recommended reading.

The chapters are thematic, each one a series of problems and solutions. Let me itemize a few things that really got to me:

* First off, the core of this book is based on values. If you don't start with an idea of what you can tolerate for risk, based on your solicitation from business leaders, your security program is simply not going to work. You must identify likelihood and impact, and then go to your business owners and ask them to decide whether it's worth it to fix things up. But the key here is that you're starting from the value proposition that high risk may jeopardize the mission of the business. Francen is very good on the idea that we too rapidly go for technical controls, where our real problems are around user behavior and user training (e.g., pp. 96-99 and elsewhere).

* Second, we are doing a massive disservice to our values around risk and safety by simply turning the crank on what our regulations and assessors tell us to do (especially chapter 7, "Because I Said So"). Francen has clearly been in the business for a long time, because he shrewdly picks out two areas where companies get pummeled by their assessors, but to what end? One area is the SIEM tool (i.e., Security Information and Event Management, or, more humbly, centralized logging). We went through this very exercise motivated by our assessors. As it turns out, after a lot of reflection, we really needed centralized logging, and by implementing a SIEM, we were able to turn off some other systems that were costing us money. But just satisfying the checklist would probably have rendered it shelfware. We have already seen value in our ability to conduct centralized forensics. But, truly, the value emerged from our own assessment, and our definition of requirements brought us the right solution. (Chapter 9, "The Money Grab," has some solid guidance on product selection.) The second area where he identifies assessor-driven security is the need to get a penetration test. In this story, he recounts how the report submitted to the assessor was in fact a vulnerability test, not a real penetration test. Yep. But what was the real problem? The company had never really thought about how an attacker would go after them, so they didn't know what to ask the tester.

* Third, the security industry is starved for talent. The final chapter is an eloquent plea for more security professionals that have the right values and know their onions. Francen provides guidance on how to bring more women and minorities into information security. This is doable. Francen points out that in the early 50s there were only a few hundred women certified public accountants in the USA; now there are hundreds of thousands; this gap was rectified by awareness campaigns and hiring initiatives (p. 256).

Like a lot of more general information security books, this one sometimes wavers between generalizations that don't always provide value (experienced nerds will get impatient), coupled with needing to know some nerd talk to understand where Francen is going (so non-information-security people may get a little lost). But I think the balance is good. Even though the book is pretty well-organized, I think it would have benefited from an index, just to make it easier to find his references to certain topics.

Reading Progress

Started Reading
June 24, 2019 – Shelved
June 24, 2019 – Shelved as: recommended-for-nerds
June 24, 2019 – Finished Reading
June 26, 2019 – Shelved as: reviewed-by-me
November 8, 2022 – Shelved as: security
