This month’s book of the month theme is security strategy & operations. Without a strategy and effective operations; there is no information security.
The Major League Baseball All-Star game is somewhat of an oddity. You take all of the best players, and have them play together for one night. For the rest of the season, what often separate a winning team from a losing one, is the ability of not necessary to have all of the best players. Rather to have a team that is able to work well together. Obviously, talent is key. But it is often the teamwork and culture than can bring a team to the World Series.
In Building a Corporate Culture of Security: Strategies for Strengthening Organizational Resiliency (Butterworth-Heinemann 978-0128020197), author John Sullivant has written a most helpful guide that can enable firms to build a culture within their organization, that can help them achieve high levels of information security.
Sullivant is big on bridging the gap between the technical side of security, and the executive. For too many firms see information security as a cost center or a tax on doing business. Sullivant shows how to build the trust of management by create a program where information security is seen as a crucial part of the business.
The approach Sullivant takes is to use a slow methodical risk-based approach. Many books are heavily product driven, and suggest specific tools to throw at a security problem. Here, the approach is more at the management level, with the book designed for a security manager, director, or this CISO. The book suggests focusing on building security strategies and guiding principles, developing relationships with senior management, and then building the security program from there.
One of the more interesting chapters in the book is on developing a realistic and useful threat estimate profile. Too often, enterprise security strategies are not aligned with corporate business strategies. Aligning the security strategies with business strategies ensures that the information security program is in harmony with corporate priorities and can the CISO and CEO on the same page.
The only downside to the book is that while it comes with a lot of useful templates, diagrams and charts; there are not available for download.
Building an effective security program is a daunting task. It certainly can’t be encompassed in a single book. But for those looking for an effective resource in which to start or jumpstart their program; Building a Corporate Culture of Security: Strategies for Strengthening Organizational Resiliency is a book that will certainly help them immensely.