Slashdot Mirror


Stepping Through the InfoSec Program

Ben Rothke writes "For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read after The Pragmatic CSO: 12 Steps to Being a Security Master. While The Pragmatic CSO provides a first-rate overview of the higher-level steps to being a CSO and building an information security program, Stepping Through the InfoSec Program provides the low-level details and nitty-gritty elements on just how to do that." Keep reading for the rest of Ben's review.

Title: Stepping Through the InfoSec Program
Author: J.L. Bayuk
Pages: 238
Publisher: ISACA
Rating: 9
Reviewer: Ben Rothke
ISBN: 1604200308
Summary: The low-down on how to build an information security program

Author Jennifer Bayuk spent over a decade at a large brokerage firm building their information security program. Her experience in managing and designing security there is manifest in the book, and it is clear throughout that she is writing from a deep pool of real-world experience.

The first part of the book contains 3 sections; in just under 150 densely packed pages, it walks you through the process of building an effective information security program. The book details 6 steps to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.

The book starts out by developing the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure, will quickly find themselves devoid of a budget, and often shortly after that, out of a job.

The book's attention to detail and its specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation-of-duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.

The main part of the book is section 2, which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather, it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear when the chapter details 9 distinct information security reporting hierarchies; deciding on the appropriate reporting hierarchy is not a trivial undertaking.

The book states that successful information security program development, by definition, must align with organizational goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISOs have such communication paths at their disposal, and even fewer have constituent ears that are receptive to such communications.

Section two provides an excellent overview of metrics and how they can be used effectively. In the last few years, metrics have been all the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.

But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.

Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.

The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written, and it would have been nice if they had been made available in electronic format.

The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.

The book is written by an author who has a significant amount of real-world experience in a leading-edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.

One final note: don't judge a book by its cover. On the cover are three busy-looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs emerge from that battle exhausted and battle-weary.

For anyone contemplating entering the information security field, or those already in it who need effective direction, Stepping Through the InfoSec Program should be on their required reading list.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Stepping Through the InfoSec Program from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

56 comments

  1. the problem with books on this topic by pha7boy · · Score: 2, Insightful

    I think the danger with books on this topic is that by the time you get them to the publisher, and printed, and distributed, half the content is about to be out of date, and the other half will not be current after one year.

    I'm not knocking the book, but in tech matters, I rather keep up via web/new media. tech-philosophy books, now that I like and buy.

    --
    -- All this knowledge is giving me a raging brainer.
    1. Re:the problem with books on this topic by Anonymous Coward · · Score: 0

      Well, that's just, like, your opinion, man.

    2. Re:the problem with books on this topic by KernelMuncher · · Score: 3, Insightful

      If it's in technical specifics, that could be true. But if the book covers more conceptual ways of handling security matters or security philosophy, it could be very useful for some time. Topics like how to stop social engineering or creating effective security policy never go out of style.

      I got a lot out of The Cuckoo's Egg and that was published forever ago.

    3. Re:the problem with books on this topic by Major+Byte · · Score: 5, Insightful

      I think the danger with books on this topic is that by the time you get them ... half the content is about to be out of date, and the other half will not be current after one year.

      Sorry to knock your opinion man, but the fact is that building an information security program is really quite distinct from the technology. For example, the Certified Information Systems Auditor (CISA) examination requires a vast knowledge of organizational processes, legal requirements, and risk assessment, but really very little about Linux or Vista or OS du jour. A really talented CSO attempts to define a technology-independent computer security plan, and so it is a given that the technology changes very fast.

    4. Re:the problem with books on this topic by Jansingal · · Score: 1

      Well, if the book is about Windows XP, then yes. But core concepts of security, CIA triad, etc., they are timeless. Well, not timeless, but you know what I mean. First Ed. of 'Security Engineering' by Ross Anderson is 8 years old. My guess is that at least 90% of it is still 100% relevant.

    5. Re:the problem with books on this topic by Jansingal · · Score: 1

      published in 1990. Way before slashdot

    6. Re:the problem with books on this topic by Anonymous Coward · · Score: 0

      Actually, not in security. While it's true there are new developments every day, and you can't keep up with all the specific code releases and changes in the toolkits, you can keep pace with the generalities. The tools in my red and blue kit are the same ones as last year, just different versions, and then only a couple. I mean, netcat is netcat is netcat, yes? It's how you USE the tools that takes a few years to learn, but once you understand how to exploit something or defend it, it's pretty much just a matter of intent to keep up the pace. For me, it's the politics and the disgust. Having to tell people time and time again to turn off f*cking LANMAN compatibility and layer defenses, and by BOG send your people to training and TEST them, and all the other mgmt puke stuff that goes with building a security program. Some places are great, others suck worse than a black hole. Frankly, I'm amazed the botnets aren't bigger and the headlines more frequent. It's not the tech or keeping pace, it's getting the bureaucracy to move its fat, greedy, self-centered, button-down rear. The ignorance is staggering at times, and almost always semi-intentional. I wish the negligence law would catch up with this stuff. And you prosecuting attorneys need to get more in depth on this crap. The cases I've seen that never made it past initial review because they don't know what to ask. *sheesh* But then there's the good ones, and heck, so long as they keep signing the checks, I'll just file my reports and move on. Somebody start a site where us security types can all log on and blog about the sh*t we wade through. It'd be like BOFH meets the IRS.

  2. Dupe by HairyCanary · · Score: 0

    Here you can review the discussion from the first review of this book:

    http://books.slashdot.org/article.pl?sid=08/07/28/1330215

    1. Re:Dupe by everynerd · · Score: 3, Informative

      If you read anything above you would realise that this is in fact a review of a completely separate book, the tagline only references the one reviewed in the link you posted.

    2. Re:Dupe by Jansingal · · Score: 1

      dude - different book

  3. Did we go back in time? by Anonymous Coward · · Score: 0

    The cover of the book looks straight out of the 80's.. and not the cool 80's either.

    1. Re:Did we go back in time? by Jansingal · · Score: 1

      as to the 80's, i heard they were going to use pat benatar on the cover but could not get the rights :)

  4. We can be guilty as well by Anonymous Coward · · Score: 0

    Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

    In a wonderful Dilbert cartoon, the PHB says "Reasoning that anything I don't understand must be easy..." and assigns Dilbert an impossible task predestined for failure.

    People on both the money side and the technical side need to work for mutual respect and understanding, and both need to be patient enough to listen to, and understand, material that doesn't fall within their specialty.

    1. Re:We can be guilty as well by Darkness404 · · Score: 2, Insightful

      Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

      Even though this is totally off topic, you are totally wrong. Business-side executives who think they can manage without understanding technology are more dangerous than a tech guy who doesn't understand a business.

      The executives usually are the ones setting easy passwords or demand insecurities, while the tech guy usually wants to make everything secure. A good tech guy needs to understand nothing about the business because he should be in *gasp* technology not running a business.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:We can be guilty as well by profplump · · Score: 2, Insightful

      Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

    3. Re:We can be guilty as well by Kjella · · Score: 1

      Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

      Business executives think highly of people that understand them and can relate to them, big surprise there. Those that live "in between" certainly know the value of a tech guy who delivers, and should relate that upwards when needed. Honestly, a business exec has no understanding of whether you're a SQL guru or thedailywtf material. You probably have very little idea if he's a PHB or a CEO in the making either. Very few achieve "fame" outside their own field, in business or elsewhere. The best you can usually get is those that depend on you saying "You can have him over my cold dead body".

      --
      Live today, because you never know what tomorrow brings
  5. Twelve step program? by Anonymous Coward · · Score: 0
    1. Re:Twelve step program? by Naked+Jaybird · · Score: 1

      Step two: Come to believe a third party vendor can restore your security.

    2. Re:Twelve step program? by Anonymous Coward · · Score: 0

      Step three: Don't actually be responsible for security -- way too hard. Be a consultant and advertise with shameless book reviews on Amazon and Slashdot.

    3. Re:Twelve step program? by thogard · · Score: 1

      Step four: Throw money at a group like (ISC)2 which happened to pick a name for maximum confusion with legitimate groups and then convinced the world they are the security training experts.

    4. Re:Twelve step program? by Jansingal · · Score: 1

      you mean an MSSP :)

    5. Re:Twelve step program? by Jansingal · · Score: 1

      >>>ISC)2 which happened to pick a name for maximum confusion with legitimate groups

      What is the confusion with a legitimate group?

    6. Re:Twelve step program? by Anonymous Coward · · Score: 0

      The ISC,ISC and ISC. All who were doing security related things before ISC came around with their hand out looking for cash.

    7. Re:Twelve step program? by Anonymous Coward · · Score: 0

      With 3 groups named ISC, no wonder there was confusion.
      Is that why they are ISC2?

  6. Current? by Darkness404 · · Score: 1

    For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read

    Yah, really current, books on technology are never current. Even some magazines aren't current, let alone books. Seriously, anyone who wants to be current should subscribe to a mailing list, or at least use magazines which are usually only 1-2 months out of date rather than a book which at best are 3-4 months out of date.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Current? by OriginalArlen · · Score: 2, Informative

      True, technology books ARE always out of date, but whilst it's a truism that things are always changing, it's also true that there's a linear relationship with the degree to which they stay the same. (I believe the French have a neat saying that encapsulates this notion.)

      The MULTICS pentest paper and its review 30 years later are cases in point. See also Thompson, K., "Reflections on Trusting Trust", a matter which Kaminsky, D., has recently demonstrated is as true today as it was then (in a context which is completely different, yet exactly the same.)

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    2. Re:Current? by Jansingal · · Score: 1

      didn't someone say above that this is NOT that type of book.

  7. What I want to know by OriginalArlen · · Score: 4, Interesting

    I work in the field. There's only one question I really care about - the rest is just a simple question of reading man pages and documentation and textbooks and writing policies and having meetings and reviewing designs and, and, and. You know. Stuff that you can do.

    What I want to know is, how can I make my senior management care?

    Seriously. Yes, I've tried all the known things. All I have to cling to now are customer requirements. Show them a pot of gold and, like Valerie Solanos' view of men and sex, they'd wade through a river of warm puke up to their nostrils to get to it, and if that means tossing some budget at security, they'll do it. (So, to answer my own question -- folks who are involved in assessing suppliers - for heaven's sake, ask them about their security, and I mean really ask - don't believe the marketing bullshit, look for independent reviews and certifications. Hell, even an ISO 27001 cert is better than nothing (and that has very little to do with real, on-the-metal infosec.)

    --

    Everything I needed to know about life, I learnt from Blake's Seven
    1. Re:What I want to know by Anonymous Coward · · Score: 0

      "What I want to know is, how can I make my senior management care?" - by OriginalArlen (726444) on Monday August 11, @02:48PM (#24558763)

      IF you were to say, get "hacked/cracked", & the data is of a 'sensitive nature' (either personal, or financial say, for instance)? They'll care... especially IF lawsuits sprout vs. they because of those.

      (NOT saying YOU ought to "originate" the remote (or heck, even internally LOCAL) hack/crack to say, your DB's & such, but... the point is there - you COULD run an analysis & make assessments to they (mgt.) pointing out how this COULD more than even just POTENTIALLY affect they, adversely... selling fear - it works, just ask ANY life insurance salesman!)

      AFTER ALL - they're "the bosses" right? Well, with that 'greater pay' comes 'greater responsibility', right? They avoid taking your suggestions, especially IF based on say, weak "endpoints" security (PC's on LAN/WAN nodes + printers, etc.)?? Well - it's on THEIR HEADS @ that point, if you were maliciously penetrated...

    2. Re:What I want to know by Jansingal · · Score: 1

      >>>>What I want to know is, how can I make my senior management care?

      Absolutely zero you can do.

      either they get it and take action on it, or else they are clueless.

      don't try to have them get security, if they don't get it, they won't.

    3. Re:What I want to know by Jansingal · · Score: 1

      >>What I want to know is, how can I make my senior management care?

      I take back my comment.

      run a pen test and they will get it.

      a good pen test team has at least a 95% success rate.
      A really good pen test team has a 99% success rate.

      Hack em and then scare them and then you got them!

    4. Re:What I want to know by OriginalArlen · · Score: 1

      Nah, we do them all the time. It doesn't help.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    5. Re:What I want to know by bbasgen · · Score: 1

      >What I want to know is, how can I make my senior management care?

      You can't. That doesn't mean you have no recourse. First, realize that you are not asking a security question. Your question is about your organization, its goals, values, and mission. It is a question about resources and priorities, and there isn't a single employee, department, or division -- that isn't always asking the same kind of question (albeit, likely in a different form). Information Security is all about the business, communication, information flow, etc. If you start talking on those terms, you'll find that you can serve the institution in various and sundry ways. Some folks tilt at windmills, trying to convince upper management about why Packet X must be stopped, but that misses the point. Management has no need to care about IT security -- that is the CIO's job. Management does need to care about information security, but you can't make any progress speaking in terms of IT security. Management that doesn't care about a properly presented case on information security likely doesn't care about a whole host of departments and organizational functions. If I'm the CEO of a commodity organization, I probably wouldn't care either.

    6. Re:What I want to know by maestro371 · · Score: 1

      If you really believe that striving towards the ISO27001 certification is not real InfoSec, then you're in the wrong line of business.

      Information Security is not about technology.

    7. Re:What I want to know by Anonymous Coward · · Score: 0

      "If you start talking on those terms, you'll find that you can serve the institution in various in sundry ways" - by bbasgen (165297) on Tuesday August 12, @04:41PM (#24574673) Homepage

      Good Lord, you mean "speaking in terms that moron mgt. can 'grok'", what a joke. It won't be such a joke when his company is hacked/cracked, & then they try to "pass the blame bucket" over to he, as the information security person/network admin/network tech/CIO (whatever his title/position there is), when the lawsuits from customers start up, for mgt.'s lack of vision and foresight in this matter.

      He's doing the right thing presenting his findings to they, & were I he?? I would do it with numerous witnesses and via emails as well, to cover his behind in this regard. One thing for he to look out for, is that they can & will try to fire him for such things (since this is about all those morons are good for, as regards this field (computing)).

      They'll doubtless perceive it as a "power move", because this is how dolts of that nature think, and they act in packs & cover one another this way, nearly every time. Hence, the warning to the original poster on THIS particular note.

      To the Original Poster:

      Please - watch it with these idiots, they act in packs/in collusion/collectively, & if they feel threatened in any way, you will be able to tell and start sending out the resume @ that point.

      To myself? It really sounds as if You don't NEED to be working for idiots that leave the keys to the kingdom out there, wide open, for the taking, because the FIRST thing they try to do, when the shit hits the fan? Pass the blame elsewhere.

      Hey, you do/did the right thing - show them your findings (IF ANY) as regards potential vulnerabilities you may have found, this is enough on your part - they are the "decision makers" who get "greater pay for greater responsibility (bullshit on that last note - they're undereducated babysitters 9/10 times who are related to someone in the company or a major stockholder, or were in the same frat with some other moron @ your company like they usually, or have their "MBA" (as do I, what a fucking waste of paper & time that was vs. an actual degree in Comp. Sci. + years of hands on in the trenches in it professionally)).

      If they don't give a damn and the worst happens? Just watch out for them passing the blame YOUR way, so "CYB" (cover your butt, use their tactics against them, because this is the thing THAT TYPE (mgt. morons) are good @ only) properly via email (forward it out of your company to, to your own email account + friends/family you trust etc. also, & witnesses when you present this are important too, somebody you can trust there, IF there is such a someone that is (hard to find)).

      To the person I am quoting & replying to? YOU sound like you're mgt. ... lol!

    8. Re:What I want to know by Jansingal · · Score: 1

      who do you use for your pen testing?

      some firms have better reports that get more reception from the execs

    9. Re:What I want to know by OriginalArlen · · Score: 1

      Management has no need to care about IT security -- that is the CIO's job

      We don't have a CIO, any more than we have an IT Director or other exec post where you'd expect security to naturally sit.

      If I'm the CEO of a commodity organization, I probably wouldn't care either.

      We're not a "commodity organisation", we're an IT services / outsourcing firm with turnover in the $100m range. We handle lots of sensitive data from our large number of well-known business customers. We even tout security in our marketing. Yes, it makes me alternately angry and sick and incredibly anxious. Yes, I'm wondering whether it'll soon be time to bail out.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    10. Re:What I want to know by OriginalArlen · · Score: 1

      ISO (or any other cert) is not orthogonal to really good security practices. It's rather like industry certs - be it MCSE, CCIE or CISSP. It's possible for drooling halfwits to get the letters after their name (OK, less so with CCIE, I grant you.) The cert tells you that the person in front of you at the interview has the basic minimum level of competence required to get them. I'm sure we all know people with letters who were clueless fuckwits, just as there are people with no letters with more knowledge experience and skill in their little finger than I'll ever have. Thus, a cert is "better than nothing", but certainly doesn't mean I rely on it. (I've been thru the 27001 process and know how far bullshit and bluster and having the right paperwork carries you -- a hell of a long way, especially if your sales droids don't mention (and the customers don't ask) what the scope of the cert actually is...

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    11. Re:What I want to know by OriginalArlen · · Score: 1

      We've used several firms. Execs would never read the reports, no matter how much teh shiny and drool-proof the paper is. (Well OK, the IT management get it, all the way up to the level of "our" exec VP, who's tried many times to get the Board to give a fuck, without success.) But it's the Board, who sign off on budget, who we need to get through to.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    12. Re:What I want to know by Jansingal · · Score: 1

      Have them run some DoS attacks, take down a prod. server.

      then... they will understand.

  8. Has anyone thought that we might by LM741N · · Score: 1

    have created this monster with the presence of too much information, in the way of X degrees of separation? Why do VPs copy 10 different people on an email? Then those 10 people copy another 10 other people on the response. Why do they even use email, esp unencrypted when communicating overseas?

    Perhaps high level executives should have closed meetings, not use email. Plus email could be compartmentalized so that certain levels of employees could communicate to their bosses and amongst themselves, but no one else.

    I would hope that all of government does this, but then perhaps I'm in a dream world. Well Bush did say that he never uses emails with his staff. Perhaps the smartest thing he has ever done in office.

  9. Twelve step program? by Chris+Mattern · · Score: 1

    Step one: Admit you are powerless over security--that your systems have become unmanageable.

  10. gender issue by Anonymous Coward · · Score: 0

    Ouch, she's a girl!

  11. Not an Objective Review by Anonymous Coward · · Score: 3, Informative

    I'm always skeptical about the people who somehow have the time to read and publish all of these online reviews - many of the are raves for books that nobody has heard of before.

    So I Googled Bayuk (author) and Rothke (reviewer) and came up with a presentation they've done together:

    www.bayuk.com/publications/BayukSOX.pdf

    So, I guess this is nothing more than Ben trying to get us to buy his friend's book.

    1. Re:Not an Objective Review by Jansingal · · Score: 1

      dude, not exactly a smoking gun......

      presentation was in 2004 and book is written in 2008.

    2. Re:Not an Objective Review by Anonymous Coward · · Score: 0

      So the reviewer knew the author well enough to co-present 4 years prior to the book. Don't you think that should be disclosed? All the reviewer does is tells us that this book should be on our "required reading list."

      Looking at some of the reviewer's prior reviews, there's this one that was rated a 9. I'm a CISO, have that book, and found it unreadable. It's nothing but an introduction to project management and risk assessments - skills that any CISO should have acquired years before being promoted to a C-level security executive. Oh, and the reviewer who gave it the glowing review is thanked in the foreword. I'm sure there's more, but I think this is enough to raise serious questions about this guy's credibility.

      I guess if you don't have the brains of a Schneier, Cheswick, or Bellovin, the next best thing to get your name out there is to write these "book reviews."

    3. Re:Not an Objective Review by Anonymous Coward · · Score: 0

      ....Don't you think that should be disclosed?

      That depends on two things: First, is there a Quid pro quo arrangement here? If the reviewer got more than a free copy of the book, there is an issue. If the reviewer gets some sort of payment for driving up sales, that is an issue. If the answer is no to each, then there is no problem.

      Also, what is the Slashdot policy on disclosure? The fact that two parties know each other does not mean one can't write a review of the other's publication. Especially in an industry as small as the information security field, this is an accepted practice.

      ... I'm a CISO, have that book, and found it unreadable.

      He liked it and you did not, that's life.

      ...I guess if you don't have the brains of a Schneier, Cheswick, or Bellovin, the next best thing to get your name out there is to write these "book reviews."

      Well, that is most of us. There are but a few Schneiers, Cheswicks and Bellovins on this planet.

    4. Re:Not an Objective Review by Anonymous Coward · · Score: 0

      >>>>>I'm always skeptical about the people who somehow have the time to read and publish all of these online reviews

      How is that different from people who somehow have the time to comment on people who somehow have the time to read and publish all of these online reviews?

      >>> many of the are raves for books that nobody has heard of before.

      Isn't that the point of book reviews; to introduce the reader to new books?

    5. Re:Not an Objective Review by Anonymous Coward · · Score: 0

      Simply knowing someone is very different than knowing them well enough to give conference presentations together. It's deceptive to write a glowing review without disclosing that information. Quid pro quo insinuates these guys are conspiring to drum up sales -- This is more of a case of helping out a buddy with a good review -- without telling anyone of the prior relationship between author and reviewer.

      Same goes for the other book where the reviewer is thanked in the foreword for his work in reviewing the manuscript. That was never disclosed, and it should have been.

      Infosec is a small world, but can you actually take anything Ben Rothke says seriously from now on? Assuming you're not Ben Rothke or one of his buddies -- that is...

    6. Re:Not an Objective Review by Anonymous Coward · · Score: 0
    7. Re:Not an Objective Review by Anonymous Coward · · Score: 0

      I'm not sure who the friends are that you're referring to - but Schneier discloses in the Viega review that he's the author of the Preface. Ches discloses that he's the co-author of "Firewalls."

      This is the kind of disclosure that Rothke should be doing when he's reviewing books for his friends, especially when it's presented here as an objective review. A simple "Jennifer and I go a long way back, and I'd like to tell you about her book" would go a long way in keeping his credibility intact.

  12. Re:frsit spsot by Jansingal · · Score: 1

    alas, the 7 seas are a verity of the past, mythology, there are certainly more than 7 seas now.

  13. Straight from the horse's mouth by SST-206 · · Score: 1

    In case you missed it, recordings have been released from The Last HOPE conference, including Myrcurial's InfoSec talk "From a Black Hat to a Black Suit - How to Climb the Corporate Security Ladder Without Losing Your Soul" [direct link to large 64kbps MP3 file].

    --
    Co-operation beats competition