BKESCFTE.RVW 20110323

"Enterprise Security for the Executive", Jennifer L. Bayuk, 2010, 978-0-313-37660-3
%A Jennifer L. Bayuk www.bayuk.com
%C 130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA 93116-1911
%D 2010
%G 978-0-313-37660-3 0-313-37660-3
%I ABC-CLIO, LLC/Praeger
%O CustomerService@abc-clio.com
%O http://www.amazon.com/exec/obidos/ASIN/0313376603/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0313376603/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0313376603/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 175 p.
%T "Enterprise Security for the Executive: Setting the Tone from the Top"

In the introduction, Bayuk argues against security planning based on FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of security tools, and for a holistic and systemic approach to security. She also recommends the promotion of a security culture in the top ranks of management, setting the "tone at the top" to consider security in a rational and realistic manner.

In chapter one, the author stresses that every organization has a culture, and that the actions (and particularly consistency of actions) by senior management set it, regardless of formal statements. She also raises interesting points, such as that separation of security from the operational units creates perceptions which may be at odds with the security policy. (I appreciate her championing of "no exceptions," although I would argue that a formal exception policy could work as well.)

The discussion of threats and vulnerabilities, in chapter two, is weaker (and the questionable etymology of the term "patch" does not increase confidence in Bayuk's technical background): ultimately it just seems to say that there are threats.

The title "Triad and True," for chapter three, may refer to "protect, detect, correct" or the more conventional confidentiality, integrity, and availability. In fact there are a number of other "triads" mentioned, and the text raises a number of good security concepts generally related to safeguards, but is somewhat scattered and incomplete.

Chapter four talks about risk management, but the process of using it to define a security program remains unclear. Security factors related to organizational governance structure are examined in chapter five. Standards, compliance and audit issues are discussed in chapter six. Chapter seven reviews monitoring, incident response, and investigation.

Requirements for candidates for the position of CSO (Chief Security Officer) are noted in chapter eight. A template job description is included, but the document is perhaps too narrowly specified to be applicable in many situations.

A fictional case study concludes the book. (In the introduction, the author promised that all "security horror stories" would be true, but I assume reality is less important in case studies.) This recapitulates, in narrative form, much of the content of the work.

There is much of value in the text, and it is useful to present that content as it relates to senior management. Senior management support is, after all, the single most important factor in a successful security program. However, as noted above, much important material is missing along the way, and the volume appears to be focussed at a particular type of industry or corporation, and so be less useful to those outside that sphere.

copyright, Robert M. Slade 2011