There are various types of presentations at security conferences. Some speakers seem to think that the more slides with more bullet points, the better. They read from them like a teleprompter, often in a monotone, oblivious to the fact that over half the attendees have walked out by the time they get to the Q&A.
Another type of speaker brings deep and wide security experience to the session and is not a slave to PowerPoint. They interact with the audience, who leave the session much more educated. Barak Engel (CEO at EAmmune) is that type of speaker, and in The Security Hippie (CRC Press), he shares the stories of his career in information security.
In his previous book, Why CISOs Fail: The Missing Link in Security Management--and How to Fix It, Engel made clear that his subject is not technology. There, he argues that the CISO role is moving away from technology and toward the organizational symptoms that underlie security failures.
In The Security Hippie, he sits down with the reader in a virtual coffeehouse and tells many stories. His experience in information security is quite relatable to anyone who has been in the field for a while (or even a few months). A hippie is someone who marches to the beat of a different drum, which describes Engel and explains the book's title. Hippies were part of the counterculture, and Engel's views are often not in line with industry best practices, which is not necessarily a bad thing.
The stories in the book detail Engel's decades in the industry as a security leader. Many of the struggles he faced, and still faces, are those that everyone in the industry faces, captured in his observation: "welcome to the world of security, where everything is transient, and your migraines only grow, never subside."
Early in the book, he details a crucial point that, if every organization (especially those subject to PCI DSS) followed it, could prevent many security breaches: sensitive data should never be stored where it is not absolutely needed. GDPR did an excellent job of forcing that notion down the throats of many companies. But even for those with no EU presence, and thus outside GDPR's reach, that principle should be part of every information security program.
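The storage-minimization point above, as an added illustration that is my own and not code from the book or from Engel: a checkout payload arrives with the full card number and CVV, and the only thing the application ever persists is a keyed token, the last four digits and the amount. The card number, the CVV, the placeholder HMAC key and the field names are all constructed for this example; a real deployment would keep the key in a vault or HSM.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Assumption: in production the tokenization key lives in a vault or HSM.
# This placeholder value is constructed so the example runs offline.
TOKEN_KEY = b"placeholder-tokenization-key-replace-me"


def luhn_valid(pan: str) -> bool:
    """Luhn check: from the right, double every second digit and sum."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredPayment:
    """The only card-related fields the application persists."""
    token: str         # keyed hash of the PAN: matches repeat cards without keeping the PAN
    last4: str         # enough for receipts and support lookups
    amount_cents: int


def minimize_payment(checkout: dict) -> StoredPayment:
    """Turn a raw checkout payload into the minimal record worth storing.

    The full PAN and the CVV never leave this function: PCI DSS forbids
    storing the CVV after authorization at all, and the PAN is not needed
    once the payment processor has it, so neither is copied into the record.
    """
    pan = checkout["pan"].replace(" ", "")
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    cvv = checkout["cvv"]
    if not cvv.isdigit() or len(cvv) not in (3, 4):
        raise ValueError("invalid CVV")
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return StoredPayment(
        token=token,
        last4=pan[-4:],
        amount_cents=int(checkout["amount_cents"]),
    )


def stored_fields_contain(record: StoredPayment, secret: str) -> bool:
    """True if the secret would reach disk via this record (the check a code review should make)."""
    return secret in json.dumps(asdict(record))


# Constructed sample: a well-known test card number and a made-up CVV,
# shaped the way a checkout form would submit them.
SAMPLE_CHECKOUT = {
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/29",
    "amount_cents": 4999,
}

if __name__ == "__main__":
    record = minimize_payment(SAMPLE_CHECKOUT)
    print(json.dumps(asdict(record), indent=2))
    print("full PAN persisted:", stored_fields_contain(record, "4111111111111111"))
```

The token is a deterministic HMAC so that repeat purchases with the same card can be linked without the PAN ever being stored; if that linkage is not needed, a random token issued by the payment processor is even less data to protect.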
The only problem with this book is that one could come away feeling that the IT and information security worlds are entirely dysfunctional. The many stories of flawed staff, clueless management, and more could lead the reader to think they are representative of the industry as a whole. While there are undoubtedly countless horror stories, as Engel details, what I am looking for in his next book are the stories of the companies that do security right: the narratives of how they did it and how we can all benefit from that collective wisdom.
Good judgment comes only from experience, and much of that experience stems from making mistakes. The key is to learn from our own mistakes and those of others so as not to repeat them. For those who want to escape the information security hamster wheel of pain, The Security Hippie is your guide.