Managing Risk and Information Security
Protect to Enable
Malcolm Harkins
Copyright 2013 by Apress Media, LLC, all rights reserved.
ApressOpen Rights: You have the right to copy, use and distribute this Work in its entirety, electronically without modification, for non-commercial purposes only. However, you have the additional right to use or alter any source code in this Work for any commercial or non-commercial purpose which must be accompanied by the License to Distribute the Source Code for instances of greater than 5 lines of code. Licenses (1), (2) and (3) below and the intervening text must be provided in any use of the text of the Work and fully describes the license granted herein to the Work.
(1) License for Distribution of the Work: This Work is copyrighted by Apress Media, LLC, all rights reserved. Use of this Work other than as provided for in this license is prohibited. By exercising any of the rights herein, you are accepting the terms of this license. You have the non-exclusive right to copy, use and distribute this English language Work in its entirety, electronically without modification except for those modifications necessary for formatting on specific devices, for all non-commercial purposes, in all media and formats known now or hereafter. While the advice and information in this Work are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
If your distribution is solely Apress source code or uses Apress source code intact, the following licenses (2) and (3) must accompany the source code. If your use is an adaptation of the source code provided by Apress in this Work, then you must use only license (3).
(2) License for Use Direct Reproduction of Apress Source Code: This source code, from Managing Risk and Information Security ISBN 978-1-4302-5113-2 is copyrighted by Apress Media, LLC, all rights reserved. Any direct reproduction of this Apress source code is permitted but must contain this license. The following license must be provided for any use of the source code from this product of greater than 5 lines wherein the code is adapted or altered from its original Apress form. This Apress code is presented AS IS and Apress makes no claims to, representations or warrantees as to the function, usability, accuracy or usefulness of this code.
(3) License for Distribution of Adaptation of Apress Source Code: Portions of the source code provided are used or adapted from Managing Risk and Information Security ISBN 978-1-4302-5113-2 copyright Apress Media LLC. Any use or reuse of this Apress source code must contain this License. This Apress code is made available at Apress.com/9781430251132 AS IS and Apress makes no claims to, representations or warrantees as to the function, usability, accuracy or usefulness of this code.
ISBN-13 (pbk): 978-1-4302-5113-2
ISBN-13 (electronic): 978-1-4302-5114-9
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
President and Publisher: Paul Manning
Lead Editors: Jeffrey Pepper (Apress); Stuart Douglas (Intel)
Coordinating Editor: Jill Balzano
Cover Designer: Anna Ishchenko
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com.
For information on translations, please e-mail rights@apress.com, or visit www.apress.com.
About ApressOpen
What Is ApressOpen?
- ApressOpen is an open access book program that publishes high-quality technical and business information.
- ApressOpen eBooks are available for global, free, noncommercial use.
- ApressOpen eBooks are available in PDF, ePub, and Mobi formats.
- The user-friendly ApressOpen free eBook license is presented on the copyright page of this book.
Foreword
Newly promoted CISOs rapidly realize that the scope of the position they have taken on is often beyond what they have been prepared for. The nature of securing an enterprise is daunting and overwhelming. There are no simple checklists or roadmaps for success. Many of the technical security skills a CISO has acquired during the early portion of his or her career may provide a sixth sense or intuition, but technical expertise alone does not prepare the CISO for the business and leadership challenges required for success.
The Dunning-Kruger effect is a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than average (Wikipedia). Successful CISOs generally realize and admit to themselves how much they don't know. In my career, I have met many senior security professionals and have noticed a common set of traits among those who are successful.
They generally exhibit a strong sense of curiosity, the ability to be self-aware, the ability to think evil (like the adversary), and have strong communication and critical thinking skills. They are open to new ideas, they invite debate, and they are adaptive in their thinking and positions when new information is presented. They develop leadership skills and build structures that enable balance. They also recognize talent and surround themselves with teams of capable security technologists who are the true experts. Excellent security leaders have learned that risk is not black-and-white and that balance needs to be applied. They are empathic and likeable. My friend Malcolm meets all these criteria.
In Managing Risk and Information Security: Protect to Enable, he distills the hard-acquired knowledge he has learned through his career as a business and security leader into a concise framework that enables CISOs to cut through the chaos of securing the enterprise. Absorb the lessons in this book and enrich them by continuing to experiment and innovate. Threats, organizational dynamics, and technology are constantly evolving and we as security professionals must apply the lessons outlined here and continuously adapt ourselves to the challenge.
Patrick Heim
Chief Trust Officer
Salesforce.com, Inc.
Contents at a Glance