While it isn’t exclusively an information security manual, it can be helpful to IT managers and others who work in today’s enterprises. The authors are corporate consultants who have done numerous security assessments. Brown is a security and HR consultant. Winkler is a “security professional who has been around way too long,” (as his LinkedIn bio states) and has written numerous infosec and business books. This one was published earlier in December and based on an RSA conference keynote given by the duo earlier this year.
Many of the strategies and suggestions in this book originate from the authors’ actual experience conducting assessments. For example, one pharmaceutical product manager resisted their suggestions, saying that “security stands in the way of innovation.” That firm was subsequently breached and suffered a major loss. I am not saying this particular manager was personally responsible, but the anecdote does speak to the need to improve corporate culture and to take security measures seriously.
Breaking down how to avoid stupid security practices
The book covers a lot of ground and is fairly rough going, mainly because it is written in dense prose. One plus: it introduces a lot of different “stupid” examples and ways to avoid them. There are foundational concepts drawn from several sources, including general safety science, security culture, and the aging total quality management efforts of the 1950s, when Ed Deming occupied the best-seller list with his insights gleaned from studying how Japanese corporations worked. That is a wide waterfront to cover well.
But don’t think that this book is stuck in the past. There are current examples of now-infamous breaches of Target, Equifax, the U.S. Office of Personnel Management and Sony that serve as case studies in stupidity.
The basic subtext is: “No matter how well-meaning or intelligent a user may be, they will inevitably make mistakes.” The authors go on to say that “a comprehensive strategy is required to mitigate damage resulting from user actions. Wherever there can be a loss resulting from user actions or inactions, you need to proactively determine whether that loss is worth mitigating and then how to mitigate it.”
The book covers three broad categories of countermeasures for fighting user stupidity: governance-related ones (such as business process analysis), technical ones (such as operational and cybersecurity-specific tactics) and creating effective security awareness programs. The technical countermeasures are a weak area: I suggest that a better and more thorough treatment would be Tanya Janca’s app security book, which I previously reviewed.
There is also much made of “getting ahead of the boom”— a term used by the U.S. military to refer to disrupting terrorist attacks before the attackers can detonate their bombs. I found this section less than satisfying, and lacking specifics on cyber tools and tactics.
“Even if you hire only the most intelligent and honest people to work with your systems, they will inevitably initiate some form of loss due to carelessness, accidents, their compliance budget, and similar reasons. There will never be a system where all users act appropriately at all times.”
The authors have several simple strategies:
- Take metrics of your problems before you start to solve them, so you will be able to track your progress.
- Start somewhere small and build confidence in your approach before making it more comprehensive.
- Don’t blame users for every mistake — it could point to something wrong in your systems design, like a canary in the coal mine.
- Finally, realize that all users behave differently and have different needs.