Risk management in the real world is not an easy endeavor. On one side, people use toilet seat covers believing they accomplish something; on the other, millions of people smoke cigarettes, ignoring the empirical evidence of the danger.
In Managing Risk and Information Security: Protect to Enable, author Malcolm Harkins deals with the inherent tension of information security: that between limitation and enablement.
Harkins, writing from his role as CISO at Intel, argues that a fresh approach to information security is called for, and he outlines that approach in the book.
At under 150 pages, the book provides a good introduction and high-level overview of the fundamentals of information security risk and details numerous risk management strategies.
One of the book's key points is that information security is often disconnected from the underlying business needs it is expected to secure. Harkins accurately notes that the only way to create an effective risk mitigation strategy is to ensure that the business and technical groups communicate.
As to Harkins's new approach to managing risk: he writes that, given the increasing role of technology and the resulting information-related business risk, a new approach to information security built on the concept of protecting to enable is needed. Because compromise is inevitable, managing risk and surviving compromise are the key elements of this strategy.
Harkins writes that this new approach should:
incorporate privacy and regulatory compliance by design, to encompass the full scope of business risk
recognize that people and information—not the enterprise network boundary—are the security perimeter
be dynamic and flexible enough to quickly adapt to new technologies and threats
Harkins writes that we need to accomplish a shift in thinking, adjusting our primary focus to enabling the business, and then thinking creatively about how we can do so while managing the risk.
Not only is this a good book, it is part of the Apress Open format and is available for free download here. For those who want a hard copy, Amazon sells it here. Amazon also offers it as a free Kindle download here.
The book doesn't propose a single definitive solution, as Harkins notes that information security is a journey without a finish line. For those looking to embark on that journey, Managing Risk and Information Security: Protect to Enable is a great place to start.
Cross Posted from RSA