Enterprise Security – IT Security Solutions: Concepts, Practical Experiences, Technologies edited by Fumy and Sauerbrey

2006-05-29
By

This book has the look and feel of a business school textbook, moving from topic to topic in a fairly academic manner. It is a combination of 14 essays from prominent authors on the topics they are writing about. This allows for a book that can treat a wide range of concepts and still maintain credibility and a tone of expertise, with the downside being that the structure of each essay differs slightly between authors. As such, it is meant more as a higher-level introduction to the concepts and ideas that swirl around the information security industry, but it is couched in the language of business in the hope that enterprises will adopt a measure of culture change in the area of security. The book seems to have a more European focus, but it is not without value to an American audience.

The book begins with an introduction by the editors laying out what they view as the three areas driving enterprise security and what they hope to accomplish with the book. They finger security threats, creating new business opportunities, and regulatory compliance as the main drivers of security investment for the enterprise. In their experience, the editors see businesses still creating processes and applications designed around speed and convenience, with security being an afterthought. The editors then establish four items they wish to see changed in industry: review of information security requirements, assuming legal liability for poor security practices (it’ll never happen), creating a security-aware culture, and security against insider threats. The rest of the book doesn’t seem to truly address how to bring these four changes to fruition.

The rest of the book is divided into three sections: (1) Concepts & Trends (better described as emerging security technologies), (2) Practical Experiences, and (3) Technologies & Standards. As far as organization goes, it would seem better to have Practical Experiences come last in the book and address the technologies discussed previously; however, this is not a serious deficiency in the book.

Parts 1 and 3 are presented to the reader from a high-level perspective. They assume little prior technical knowledge and are thus accessible to a wide audience, particularly the business community. They help the reader understand why these technologies are beneficial from an economic standpoint. Readers who are technically savvy may easily get bored with these sections unless they are trying to develop a “business case” for the adoption of security mechanisms in their organization. In that regard, these essays help bridge the gap between “tech heads” and the “pointy-haired management”.

The Practical Experience section is a collection of four case studies of four different organizations facing four different problems. It helps the reader to understand the challenges and obstacles in the actual implementation of technologies, and it helps bridge the gap between book learning and real-world experience. Three of the four essays revolve around PKI and digital identities. It is clear from the editors' focus that authentication is important to them; however, an expansion of the case studies to cover their other goals would make the text that much more effective.

All in all, the book is a valuable primer for consultants and non-savvy managers who are seeking to get their minds around security and how best to sell the investment of security.
