Enterprise Security For the Executive
brothke writes "If Shakespeare were to write an information security tragedy, it would not be titled Hamlet, rather Bayuk. The story of Jennifer Bayuk is tragic in that she spent a decade as CISO at Bear, Stearns, building up its security group to be one of the best in the business; only to find it vaporized when the firm collapsed and was acquired by J.P. Morgan Clearing Corp. After all that toil and sweat, Bayuk was out of a job. (Full disclosure: Bayuk and I have given a presentation together in the past, and I did get a copy of this book for free.)" Read below for Ben's review.
Enterprise Security For the Executive
author: Jennifer Bayuk
pages: 176
publisher: Praeger Publishers
rating: 9/10
reviewer: Ben Rothke
ISBN: 0313376603
summary: helps business executives become familiar with security concepts and techniques
While the information security engineering group that was at Bear, Stearns is no more, Bayuk has taken her vast expertise and put it into a great new book: Enterprise Security for the Executive: Setting the Tone from the Top. While many other books equate security with technology and are written for technologists, Bayuk writes that information security is all about management control: the extent to which a CxO controls assets is the extent to which others cannot use them in unexpected ways.
The book is written to help CxOs and business executives become familiar with information security concepts and techniques, so that they are able to manage and support the efforts of their security team. This matters, because a major reason for the poor state of information security is that CxOs are far too often disconnected from their information security groups. No story illustrates this better than Heartland Payment Systems CEO Robert Carr blaming his PCI auditors for his firm's security problems. Carr is a perfect example of the type of person who needs to read this book. As an aside, for an excellent reply to Carr's kvetching, read what Rich Mogull wrote in An Open Letter to Robert Carr, CEO of Heartland Payment Systems.
While many CxOs think that security is about firewalls and other cool security products, it is at bottom a top-down management discipline, not a technology one. The book notes that the only way for information security to succeed in an organization is for management to understand what its role is.
What is unique about the book is that Bayuk uses what she calls SHS (security horror stories). Rather than the typical FUD, the horror stories detail systemic security problems and how they could have been obviated. Seeing how these companies got it wrong makes it easier for pragmatic organizations to achieve effective security by setting a strong tone from the top down.
Bayuk details the overall problem in the introduction and notes that many CxOs have spent significant amounts of money on security to avert incidents, but have done so without the context of a broader information security methodology. This leads executives to think of security as nothing more than one long spending pattern.
Chapter 1, Tone at the Top, notes that a tone exists at the top whether it is deliberately set or not. The tone is reflected in how an organization thinks about the things it really cares about, and employees can tell how much a CxO cares about security by the CxO's level of personal involvement. That does not mean a CxO needs to be, or should be, involved in the minutiae of firewall configuration or system administration; the key is that the CxO is, for example, championing the effective and consistent use of firewalls and secure system administration.
In chapter 5, Security through Matrix Management, Bayuk does a good job of detailing the various places the security group can sit in an organization. The chapter notes that there are as many ways to organize security as there are organizational structures. Bayuk writes, for example, that if the CxOs in a given organization are a tight-knit group accustomed to close coordination, then it should not matter to which CxO the person managing information security reports. If that is not the case, there may end up being multiple security programs, each sitting far below the C-level backing that effective security requires. The chapter provides a number of different organizational scenarios, with the requisite roles and responsibilities.
Chapter 5 closes with an important observation: a CxO should task the human resources department with putting a line in every performance review whereby the manager attests (or not) that the person being reviewed follows security policy, and a CxO should fire people who willfully avoid compliance with security policy. Whatever tone at the top exists should be used to make sure that everyone knows the CxO is serious about the corporate security program. Such a tone clearly marks an organization that is resolute about information security.
One thing Bayuk does very well throughout the book is to succinctly identify an issue and its cause. In chapter 6, Navigating the Regulatory Landscape, she writes that if a CxO does not have management control over the organization, then the organization will fail its audit. It will fail because even if the organization is secure today, there is no assurance that it will remain so going forward. Conversely, control means that the CxO ensures the organization is at least attempting to do the right thing, and in that case passing an audit is much easier.
Overall, Enterprise Security for the Executive is a fantastic book. It provides a no-nonsense approach to attaining effective information security. For those executives who are serious about security, the book will be their guiding light down the dark information security tunnel. In its eight chapters (and a case study), the book takes a straightforward, plain-speaking approach to help CxOs get a handle on information security. It is to be hoped that Enterprise Security for the Executive will soon find its way onto every executive's required reading list.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Enterprise Security for the Executive: Setting the Tone from the Top from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
is the CxOs who don't care about security in the first place. Blaming lower echelons of management is useless if the people at the top don't get IT.
boldly go where no security consultant has gone before!
Err... so what's all this paper crap between the covers? Oh, I get it, that's so it doesn't fall over. Very clever.
mmmm...forbidden donut
I had a top secret security clearance with an armful of qualifiers by the time I was 18. The intensity of the security requirements for the things that I did in no way left me prepared for what was misnamed "security" in the corporate world, but it did lead me to abruptly learn one thing: It is not smart to tell anybody who has more power or connections than you do that their laziness or ineptness poses a security or business continuity risk.
All things - to include security - play second fiddle to office politics in corporate America.
Except, of course, in those rare instances where everybody in the executive suites has a vested interest in keeping either their competitors or the government unaware of their activities.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Simply put Security is a standard Risk Management job, the risk of the problem occurring against the cost of preventing it. This then includes the cultural requirements for risk avoidance and the practices to ensure that.
Now will someone tell me why I should trust someone to tell a business person how to do the IT Risk Management who worked at a bank whose major failing was in Risk Management.
Isn't that like asking an Enron accountant to teach you ethics?
An Eye for an Eye will make the whole world blind - Gandhi
After hearing that description, I would rather eat glass than read this book. Nonetheless, as much as I hate to admit it, the attitude of the higher execs really will make the difference between an organization that follows security policy, and one that just buys a bunch of equipment and pretends that it's helping them.
Sadly, I don't think that any of this fuzzy management advice is going to make much of a difference in the current environment. What will happen is that criminal groups will become more effective and /that/ will have an effect on the stock price. As a result, CEOs will emphasize security as a top priority. Then you'll see them hiring & giving real power to bright folks who know what they're doing, and making sure that the employees follow policy. The results will trickle down. But there has to be real pain before this is anything more than buzzwords.
Security is something you do, not just something you have. In addition to hardware, software, policy and procedures, security requires discipline, constant vigilance, and flexible adaptability to the changing world around us. If you don't have or aren't willing to acquire the latter three of those aspects of security, the preceding four aren't going to cover your risk.
Since the last 4 or 5 book reviews he puts up on Amazon (including this one) get 5/5 stars (and only one out of many scores only two stars). I'm not saying that that is wrong or anything, but it does make me just slightly wary. If anyone else has another opinion please post it because this review alone won't let me buy the book.
Those are more about holding the soldier responsible for their actions, rather than for actual security. Blab what little you know, and treason is the charge du jour.
Many soldiers are routinely given Secret clearances, not so much out of a 'Need to Know', but more as a leash to strangle them if they F*** Up. It makes them part of the project in their minds, and therefore more likely to behave. 'Q' cleared, 'NATO briefed' and all the ancillary stuff. 90 percent of these people have no actual need for those and higher level clearances. Such is life in the Military.
Been there, done that. Security-wise, not military, I was in Engineering.
If only there was some sort of person in charge of security for a cleared facility that you're required to report such things to, some sort of, I don't know, Facility Security Officer....
Or a dozen toll free numbers to anonymously report said violations if that route is compromised. But no, don't bother following procedure or the proper channels to protect national security, just keep telling your boss that he's inept and lazy.
Except, of course, in those rare instances where everybody in the executive suites has a vested interest in keeping either their competitors or the government unaware of their activities.
Wadda ya mean "either"?
The story of Jennifer Bayuk is tragic in that she spent a decade as CISO at Bear, Stearns, building up its security group to be one of the best in the business; only to find it vaporized when the firm collapsed and was acquired by J.P. Morgan Clearing Corp.
And all she got out of it was a lot of money, material for a book, and a great resume. Where's the problem?
Chapter 1:
- Hire someone who knows what the hell they are doing, and let them do it.
Chapter 2:
- Let's work on that golf swing!
[and so on]
I work for a company that uses Bear Stearns services.
These services REQUIRE that users have:
Local Administrative privileges
Run IE6
Run MSJava 3 years after MS pulled the plug on it (Later revised to only allow Sun Java 1.4 r16, which is several years old).
That's the insecurity trifecta that is foisted on the people managing your money.
We still cannot upgrade past Windows XP to this very day because of these HIDEOUS requirements. JP Morgan is barely now getting the ball moving on updating these services.
She obviously has no clue about security. I don't have to read the article or book. I would suggest ignoring her completely, and hopefully blackballing her from ever holding any position again.
-nb
"And to the extent which a CxO controls assets, is the extent to which others can't use them in unexpected ways."
She nailed it. Enterprise security is indeed a culture, not a function. You got it, or you don't.
Not only Heartland, but Hannaford, show the importance of the culture of ritual and 'things you just don't do'. Virtually every time you hear of a consultant/temp blowing up security and causing a breach, you see the same thing - the organization needs this to be a business-as-usual approach from the top down. It's not only about doing it right, it's about there being no other way.
And then giving your CxOs the authority and assets to actually perform. All the way down.
At my work, there are lots of things we just don't do. My work computer never sees the Internet except through the corporate proxy, either in office or via VPN. I do have the ability to install any software I want, but I don't install anything that I would not want to justify to the security folks. We get Adobe Reader configured as plain-vanilla, and I turn off JavaScript just because. I watch my virus-scanning and resolve any occasional alerts. We also use Cisco Security Agent, and I tolerate it when it jumps in and says no.
I could be messing about with any number of questionable things, but it's not worth it.
Now, my home machines, that's different. :)
deleting the extra space after periods so I can stay relevant, yeah.
I don't think he said that scenario happened in the military. I think he said it was in the corporate world.
She was in the kitchen securing a sandwich for me.
I was referring to dealing with security issues in the corporate world assuming he was working for a company dealing with classified information like a defense contractor. If he's just talking about the difference between going from dealing with classified security environments to run of the day corporate business security then I apologize for my misreading and would probably agree. Security at most companies not dealing with banking or classified materials sucks, and there's not a whole lot you can do to convince them to improve it.
To say that Bear was the least secure company ever, and you did spell it as EVAR, shows how utterly clueless you are.
>>>JP Morgan is barely now getting the ball moving on updating these services.
100% wrong.
>>>. I would suggest ignoring her completely, and hopefully blackballing her from ever holding any position again.
So did she fire or demote you?
You're right, you don't have to read the article. That way you won't have to confront the facts that prove you're talking out of your ass.
It's no wonder she is out of a job, I haven't seen that level of HTML design since Frontpage 1.0. Come on, security is nice but image is everything!
This is less impressive and far more common than it sounds. At that age, most folks have few if any traits or events in their past which might disqualify them from a clearance, or raise any red flags during the background required for a TS/SCI. At 18 you simply haven't lived long enough to rack up substantial debt, make enemies, have embarrassing sexual proclivities, etc. A little drug abuse, a few petty crimes on the rap sheet, no big deal; they don't care about the sort of stuff most teens have gotten into.
In short, the average 18 year old is impossible to extort or blackmail, and will have no demonstrable history of being untrustworthy. Rubber-stamp clearance, son.
Do you use JP Morgan clearing services? Do you work for JP Morgan? Did you work for the company formerly known as Bear Stearns? Probably not.
100% wrong? Really? From a customer perspective, there is almost no indication that these services are being updated with respect to security. I know because I support it within our organization.
FYI "EVAR" is an internet meme injected for the purposes of hyperbole.
-nb
I could give a crap how you actually feel, or how black people might feel. I'm not offended. We're both playing the same game here, offend the easily offended. But here we are, both feeling the need to justify our comments. Strange, don't you think? I mean, if you really feel the way you claim to, why even bother to respond to me? Perhaps I hit a nerve? A very small nerve, perhaps?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
and u r the smartest security evar?
u meant Bear is worse than tj maxx? it thought they were the worst EVAR!!!!!
is painful, just like passing a kidney stone or a milestone. Audit is overrated, as it lacks a penalty feedback; for example, all of the major FI failures 'passed' audits. Companies with serious security flaws also passed audits. And self-disclosure, although it may sound like a regulators' wet dream, is just adding more low-hanging fruit to the auditor's basket. A company that thinks that passing an audit or doing things to pass an audit makes them more secure is not.
Chapter 1 - Hire Worf
Nuff said
>>>I had a top secret security clearance with an armful of qualifiers by the time I was 18.
wow superman, what else did you do?
let's see, to get a clearance, one has to be at least 18.
and you are telling me with all the paperwork and background checks that need to be done, that was done, WITH A TOP SECRET, in your 18th year?
what else? did u win a pulitzer prize also?
nobel?
world series ring??????
>>>>I had a top secret security clearance with an armful of qualifiers by the time I was 18.
Was that before or after you were in charge of the CIA?
Security requires a price in time and effort, and there are always compromises in order to get work accomplished.
> Nearly every large corporation over 20 years old is in the same situation.
My exposure to Exxon a few years ago has me disagreeing. They ran a fairly tight ship. Systems didn't allow alteration, desktops/laptops (even remote-connects) were scanned before admission to the internal network, and users/nets are tight. Annoyingly tight, in fact, with a lengthy approval bureaucracy for custom apps or code.
Anyone else want to hand nortcele some counterexamples.
Oh, and last time I checked, XP wasn't by itself evidence of bad security practices...
What shakespearean fate did she suffer?! She got downsized in a major recession after her company folded. But it was from a C-Level position? Oh, woe. Oh the humanity. What epic greatness did she exhibit? Well, nothing verifiable. Unsurprisingly, since it isn't like anyone brags about their (or their industry's) faults and security breaches. Certainly not banks. We're not going to see some CISO Martin Luther nailing (emailing) his manifesto of change any time soon, unless they plan a career change.
Beyond this dreck, my reaction was the same here as for any other review(er) that likes spinning a good yarn -- deeply flawed. That'd go double for reviewers using hyperbole like I've just mentioned in introducing the author. The whole review becomes questionable since the reviewer is evidently more into building their own personal narrative than doing their job: reviewing the damn book at hand. I'm left wondering if you discarded or overlooked review data that didn't fit your narrative.
Hate to get pedantic, but: Review the book. If favorable, point out flaws. If unfavorable, point out a few good points. While you're at it, indicate the target audience the book seems best suited for, such as artists, engineers, IT, suits, students, or as firestarter.