
Ben's Book of the Month: Cybersecurity in Context: Technology, Policy, and Law


Posted on by Ben Rothke

As 2025 slowly comes to a close, many companies still believe that Information Security is solely about a firewall. It’s these firms that often suffer the consequences of data breaches, ransomware attacks, and other similar incidents.

Information Security is often defined as the combination of people, processes, and technology. In truth, it is much more than that. In Cybersecurity in Context: Technology, Policy, and Law (Wiley), authors Chris Jay Hoofnagle and Golden G. Richard III have written a pragmatic text that demonstrates the depth and breadth of what it takes to implement Information Security effectively.

When I note that it is a pragmatic text, an example is that the authors ask how well the intelligence community's (IC) threat model has aged. The IC refers to the group of federal civilian, military, and executive agencies that develop forecasts and assessments in support of national security and foreign policy.

They argue that the IC threat model barely aligns with the needs of consumer and business Internet users. Most users lack the necessary resources or commitment to take proper precautions, such as encrypting emails or using a VPN. And thus, operators of the public Internet can surveil both the traffic data and, in some cases, the contents of users' activities.

The book is designed as an introductory reference for Information Security. At 500 pages, the book offers a comprehensive overview of the core areas of Information Security.

Hoofnagle is a lawyer and professor of law at the University of California, Berkeley, while Richard is a professor of computer science at Louisiana State University. The two combine to create a very readable and informative guide. They are able to balance theory and real-world scenarios, making this a truly enjoyable read.

As Hoofnagle is a lawyer, and law is a significant driving force for Information Security, he provides interesting insights into how to create systems that are both secure and compliant with relevant laws and regulations.

Throughout the book, the notion of Information Security as a holistic system, rather than just relying on firewalls and other hardware, is emphasized. That ensures the reader emerges with a clear understanding of what it truly takes to design and deploy secure systems and networks.

Many security vendors say that their products can be deployed quickly and easily. For those who believe the hype, they are often left with numerous security products, but little actual Information Security.

The authors effectively illustrate the challenges of Information Security. While security software and hardware tools can indeed be deployed quickly, deploying them effectively in a large enterprise is not a trivial endeavor. There are very serious challenges in doing Information Security correctly, which the authors highlight.

The authors devote considerable time to the people element of security, which is often overlooked. They write of the tensions involved in corporate security between management and the security teams. And not every one of these conflicts ends happily. 

Bruce Schneier has often noted that Information Security is a tradeoff. The authors show this in detail, where both sides are usually correct. The business then needs to make a decision, which is more often than not a binary one, on how to proceed.

Information Security in 2025 is a broad and multifaceted topic. Those looking for a single text that covers everything in depth and breadth would have to expect a book in excess of 2,000 pages. Some of those do exist, but only with scores of authors.

While Cybersecurity in Context excels in breadth, it is obviously not going to be the single all-encompassing reference. Because the book has only two authors, they have been able to write a well-integrated and readable book. Those all-in-one books, with scores of authors, often suffer from redundancy between authors and a lack of a single systematic approach. Cybersecurity in Context does not suffer from that.

The authors have combined to write a clear, lucid, and extremely practical introduction to Information Security. The book effectively combines an adequate amount of real-world stories and references to other works, making for a highly readable account of what can be a very dry topic.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

