REVIEW: "A Practical Guide to Managing Information Security", Steve Purser

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Oct 11, 2004.

  1. BKPGTMIS.RVW 20040514

    "A Practical Guide to Managing Information Security", Steve Purser,
    2004, 1-58053-702-2, C$120.50
    %A Steve Purser
    %C 685 Canton St., Norwood, MA 02062
    %D 2004
    %G 1-58053-702-2
    %I Artech House/Horizon
    %O C$120.50 800-225-9977 fax: 617-769-6334
    %O http://www.amazon.com/exec/obidos/ASIN/1580537022/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/1580537022/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/1580537022/robsladesin03-20
    %P 259 p.
    %T "A Practical Guide to Managing Information Security"

    After years of reviewing security books there were a number of red
    warning flags in the preface: the perception that a book was needed to
    address the "entire" subject of security, an insistence on a
    "pragmatic" and management oriented approach, and the use of a
    "fictitious but realistic case study" to support the arguments in the
    work. The final omen came in the author's bio on the back cover: he's
    a banker.

    Chapter one is a vague statement that the information technology world
    is getting riskier, but states outright the irresponsible notion that
    it is better to provide a less secure product to customers as long as
    that reduces your "time to market." This is backed up by a great deal
    of waffling managementspeak that boils down to the idea that we have
    to learn to work faster *and* cheaper *and* better *and* smarter. The
    footnotes and references intended to demonstrate that this is a
    scholarly and researched effort are, instead, a grab bag of varying
    origin and quality, indicating that the author isn't really familiar
    with security literature, and used whatever he happened to read. A
    few security information sources and generic advice on planning are in
    chapter two. The taxonomy of technical tools, in chapter three,
    contains no entries for accounting, application development,
    operations, physical security, assurance, or business continuity, thus
    indicating the enormous gaps in this work. The artificial structure
    imposed on the list works against an integrated view of the tools:
    Purser obviously doesn't understand intrusion detection divisions, or
    that host-based and net-based systems both provide details--but of
    differing views.

    In chapter four, Purser obviously thinks that he is giving us new
    insight into security assessment, when all that is really being
    delivered is a generic project planning cycle. Similarly, chapter
    five deals with business and threat analysis. A vague review of
    policy documents is in chapter six. Chapter seven takes on that
    wonderful buzzphrase, "process re-engineering," having almost nothing
    to do with security at all. A planning cycle comes up again when
    chapter eight supposedly looks at security architecture. Chapter nine
    covers security training, in an overly formal way.

    This book adds almost nothing to the existing security literature,
    except for a lot of management directed verbiage.

    copyright Robert M. Slade, 2004 BKPGTMIS.RVW 20040514

    --
    for back issues:
    [Base URL] site http://victoria.tc.ca/techrev/
    or mirror http://sun.soci.niu.edu/~rslade/
    CISSP refs: [Base URL]mnbksccd.htm
    Security Dict.: [Base URL]secgloss.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    or
    Rob Slade, doting grandpa of Ryan and Trevor, Oct 11, 2004

  2. Steve Purser (Guest)

    Here is my response to the review of my book written by Robert Slade.
    Hopefully, it will clear up any confusion that this review has
    created. Unlike the reviewer, I will avoid emotionally charged
    language and stick to the facts.

    The first paragraph aims to establish the credibility of the reviewer
    and does not really require a response from my side, except to point
    out the fact that I am not a banker - I just happen to work for a
    financial institution. Needless to say, I wouldn't consider it any
    kind of omen if I were a banker and sweeping statements about
    professionals in particular sectors are unlikely to add value to any
    serious review.

    The opening statement of paragraph 2 is a classic example of quoting
    out of context. The text in the book actually refers to the balance
    between the benefits to the organisation of getting to market quickly
    versus the risk to the organisation of reducing security
    functionality. Most organisations have to take similar decisions all
    the while and there is nothing irresponsible about achieving a
    sensible compromise.

    Most of the remaining text is subjective, rather than objective
    criticism and the reviewer simply conveys the feeling that he didn't
    like what he read. Again, I won't comment on this, as no facts
    are stated. The description of the content as being "generic" and
    "vague" is entirely unjustified in my opinion. The comment regarding
    the taxonomy of tools is correct however – I took the decision to
    limit the content of this section and I still stand by this decision.
    This is a book about managing information security and the emphasis is
    on management, not technology. This being the case, it is perhaps not
    too surprising to discover the fact that it contains a lot of
    "management directed verbiage".

    Without wishing to fall into the same trap as the reviewer, it seems
    likely to me that Robert Slade made his mind up about this book on the
    basis of the "red warning flags" he refers to in his first paragraph
    and not on the basis of the content.

    Steve Purser.
    Steve Purser, Oct 16, 2004

  3. Ford Prefect (Guest)

    Re: REVIEW: "A Practical Guide to Managing Information Security", Steve Purser

    Steve Purser wrote:
    > Here is my response to the review of my book written by Robert Slade.
    > Hopefully, it will clear up any confusion that this review has
    > created. Unlike the reviewer, I will avoid emotionally charged
    > language and stick to the facts.


    Aww, did the big nasty reviewer hurt your itty-bitty feelings?

    > The first paragraph aims to establish the credibility of the reviewer
    > and does not really require a response from my side, except to point
    > out the fact that I am not a banker - I just happen to work for a
    > financial institution. Needless to say, I wouldn't consider it any
    > kind of omen if I were a banker and sweeping statements about
    > professionals in particular sectors are unlikely to add value to any
    > serious review.


    Ah, but it does establish that you are not a security professional or
    versed in the wider realms of the issues. Otherwise your bio would
    emphasise the nature of the expertise that would give you licence and
    credibility to approach security as a whole.

    > The opening statement of paragraph 2 is a classic example of quoting
    > out of context. The text in the book actually refers to the balance
    > between the benefits to the organisation of getting to market quickly
    > versus the risk to the organisation of reducing security
    > functionality. Most organisations have to take similar decisions all
    > the while and there is nothing irresponsible about achieving a
    > sensible compromise.


    Actually most successful organizations take a much more realistic
    approach of risk mitigation. "Time to market" is meaningless if your
    perceived "balance" leaves you open to fraud and other failures. Your
    approach and the reference to "time to market" shows that you are
    very much out of date with your concepts, particularly in a post-SOX
    world. It also indicates that you have failed to recognize that
    security is part of the business process and that proper security is
    part of what "enables" the success of a business initiative. And it
    completely ignores the value of security as part of branding and as a
    factor in customer choice and satisfaction.

    > Most of the remaining text is subjective, rather than objective
    > criticism and the reviewer simply conveys the feeling that he didn't
    > like what he read. Again, I won't comment on this, as no facts
    > are stated. The description of the content as being "generic" and
    > "vague" is entirely unjustified in my opinion. The comment regarding
    > the taxonomy of tools is correct however – I took the decision to
    > limit the content of this section and I still stand by this decision.
    > This is a book about managing information security and the emphasis is
    > on management, not technology.


    I think you completely missed the point -- he wasn't complaining that
    you hadn't listed all sorts of technical tools. He was commenting
    that you hadn't dealt with the management tools (even at a conceptual
    level) that would be used in the business areas you are claiming to be
    addressing.

    > This being the case, it is perhaps not
    > too surprising to discover the fact that it contains a lot of
    > "management directed verbiage".
    >
    > Without wishing to fall into the same trap as the reviewer, it seems
    > likely to me that Robert Slade made his mind up about this book on the
    > basis of the "red warning flags" he refers to in his first paragraph
    > and not on the basis of the content.


    In any situation, "red warning flags" are a valid basis for a decision
    -- anyone involved in security or audit should realize that.

    And you haven't provided any "facts" to refute anything he said -- you
    even contradict your declaration that "I will avoid emotionally
    charged language and stick to the facts" as you yourself also make
    many subjective comments and even state "in my opinion".

    After reading your response, one gets the impression you have trouble
    separating facts and opinion, and seem to regard your own opinion as
    fact. My perception is that you are at least as "emotionally charged"
    in your response as you allege Slade is in his review (the lack of
    factual rebuttals to his comments is a pretty good indicator). I think
    you are more upset at the fact that he has dared to criticize
    your work and ideas.
    Ford Prefect, Oct 23, 2004
