There are countless Quora discussions on why military intelligence is considered an oxymoron. Like many humorous metaphors, it contains some truth to it. With all its work on creating processes and having training, the military often produces unanticipated and irrational decisions and outcomes, even though it is filled with knowledgeable people. And yes, that is the same Quora that banned me for saying Earth isn’t flat.
I thought of that military intelligence metaphor as I read Protective Security: Creating Military-Grade Defenses for Your Digital Business (Apress) by James Seaman. Full disclosure: Jim is a friend, former co-worker and an original participant with me in the PCI Dream Team webinar series. Seaman spent over 20 years in the British Royal Air Force (RAF) and used his vast and deep experience there as a foundation for digital security.
Though not occurring on Quora, there are many discussions on the nature of information security versus compliance. The bottom line is that too many companies focus on compliance and miss the big picture of security. In the book, Seaman focuses on the core, which is not about compliance. Instead, he concentrates on how to identify the most valuable digital assets in your organization, how to identify the threats that put them at risk and how to control and mitigate those risks.
Each chapter closes with a Reality Bites section. These real-world scenarios show how the theory of the protections detailed can fail miserably if not deployed and implemented correctly. And that is the bane of many security products—they work flawlessly on paper and in a pristine lab but fail when deployed in production. This is similar to Hacking Multifactor Authentication, where Roger Grimes rips apart what is perceived as the invincibility of multifactor authentication.
The book spends much time on physical security, which is an often-overlooked aspect of information security. This is crucial as every standard operating system, from Windows to Linux and more, base their security controls on a secure physical infrastructure.
The only downside to the book is its layout. The text has a relatively large font, which brings the page count to nearly 800 pages and a few pounds. Better formatting could have brought that page count down significantly, so your hand would not get sore reading it.
In each chapter, Seaman provides the reader with plenty of stories of his adventures across the globe and uses those experiences to help the reader understand what they need to protect and gives them a strategy for doing that. Those looking for a different approach to information security will find Protective Security an interesting read.