The Executive Guide to Information Security: Threats, Challenges, and Solutions [Paperback]

Mark Egan (Author), Tim Mather (Author)

Book Description

ISBN-10: 0321304519 | ISBN-13: 978-0321304513 | Publication Date: December 10, 2004 | Edition: 1

The book provides a pragmatic approach to evaluating security at a companyand putting together an effective information security program. The bookfocuses on three key themes; People, Processes, and Technology and isorganized according to the steps executives would follow in order to developan information security program for their company. Key elements of theprogram include staffing this function at a company, putting the necessaryinternal processes in place, and implementing the appropriate technology.Business executives will find this book a good primer for understanding the keyexisting and future security issues, and for taking the necessary action to ensurethe protection of their enterprise's information assets.The objective of this book is to provide a "short cut" for executives to learnmore about information security and how it will affect their business in thefuture. An overview of information security concepts is provided, so they canbe better prepared to evaluate how their company is addressing informationsecurity.

Editorial Reviews

From the Back Cover

Praise for The Executive Guide to Information Security

"In today's world, no business can operate without securing its computers. This book conveys that message in clear, concise terms and acts as a tremendous primer to CEOs."

–from the Foreword by Richard A. Clarke

"Every CEO is responsible for protecting the assets of their corporation–the people, intellectual property, corporate and customer information, infrastructure, network, and computing resources. This is becoming both more important and more difficult with the rise in the number and sophistication of cyber threats. This book helps the CEO understand the issues and ask the right questions to implement a more effective strategy for their business."

–Steve Bennett, president and CEO, Intuit

"Mark Egan and Tim Mather help nontechnical executives gain a comprehensive perspective over the security challenges that all companies face today. This book is well structured and practical. Yet, it also stresses that a strategic approach to cyber security is essential, and that "tone at the top" will determine the effectiveness of any corporate cyber security policy."

–Eric Benhamou, chairman of the board of directors, 3Com Corporation, palmOne, and PalmSource, Inc

"This book is not about cyber security; it's about managing one's company and the role that cyber security plays in that scenario. It's chilling to think of how vulnerable the assets of a business are on a computer network; this book is a fire alarm in the night for business executives to realize computer security is not a tech issue–it's a business issue worthy of the same attention and priority that business executives might place on any other mission-critical element of their company."

–George Reyes, CFO, Google

"This is a must read for any executive of any size company. The Internet makes all businesses equal in that they are subject to the same types of threats regardless of their product. In this book, the CIO and security director of one of the top security companies makes the business case for security and tells you what to do to successfully mitigate threats."

–Howard A. Schmidt, former cyber security advisor to the White House, CSO Microsoft, and VP CISO eBay

"This book gives an excellent overview of the issues around securing information at a time in our history when information is extremely vulnerable to outside attack, retrieval, or manipulation. Steps taken now can make a huge difference to a company's ability to survive and thrive in a heterogeneous attack culture."

–Bob Concannon, Global Practice Leader, Boyden Global Executive Search

"Few if any books expose the business executive to the serious and critical nature of existing and evolving security issues using nontechnical terms. Executives can no longer afford to delegate the responsibility and accountability for security without understanding the issues and without assuming the ultimate responsibility for security in the firm. This book should become required reading for every business executive, regardless of product or company size."

–John Moreno, chair, MS in Information Technology, Golden Gate University

"This book details the what, why, and how to solve issues of information security in business today. It gives examples many people will recognize from the press, discusses the basics of information security in a very understandable way, and reviews approaches for addressing these risks and threats."

–David Schwartz, managing director, Derivative Products Risk Advisors, Inc.

"This book fills a void by addressing the key criteria executives need to consider when implementing an effective information security plan within their organization."

–Shobana Gubbi, former project manager of IOS Technologies, Cisco

A Business-Focused Information Security Action Plan for Every Executive

Today, every executive must understand information security from a business perspective. Now, this concise book tells business leaders exactly what they need to know to make intelligent decisions about security–without ever getting lost in the technical complexities.

The Executive Guide to Information Security offers realistic, step-by-step recommendations for evaluating and improving information security in any enterprise. From start to finish, the focus is on action: what works and how to get it done. Here are just a few of the things you will be learning:

• Understanding your security challenges and obligations

• Trends in security attacks

• Systematically identifying your risks and vulnerabilities

• Implementing best-practice processes for access, acceptable use, training, strategy, and emergency response

• Effective executive leadership, governance, and metrics

• Staffing security–coping with a shortage of expertise

Whether you're a CxO, a line-of-business executive, or an IT executive who needs to get colleagues up to speed, this is the nontechnical, business-driven security briefing you've been searching for.

Mark Egan is chief information officer and vice president of the Information Technology Division of Symantec. In this role, he is responsible for all internal systems and security at Symantec. Egan is the co-chair of TechNet's Cyber Security Best Practices Campaign and a frequent speaker on best practices for information security and information technology.

TIM MATHER, Symantec's vice president and chief information security officer, is responsible for Symantec's information security program. Mather is a Certified Information Systems Security Professional and a Certified Information Systems Manager.

The authors' profits from this book will support a scholarship program for underprivileged students planning IT careers.

© Copyright Pearson Education. All rights reserved.

About the Author

The Executive Guide to Information SecurityAbout the Authors

Mark Egan is Symantec's chief information officer and vice president of information technology. He is responsible for the management of Symantec's internal business systems, computing infrastructure, and information security program. Egan led the rapid transformation of Symantec's internal information systems over the past four years, as the company grew to be the leader in Internet security. Egan brings more than 25 years of information technology experience from a variety of industries. Prior to Symantec, he held several senior-level positions with companies including Sun Microsystems, Price Waterhouse, Atlantic Richfield Corp., Martin Marietta Data Systems, and Wells Fargo Bank. He is a member of the American Management Association's Information Systems and Technology Council and serves on the technical advisory boards for Golden Gate University and the Center for Electronic Business at San Francisco State University. Egan is also co-chair of TechNet's Cyber Security Practices Adoption Campaign. Egan was a contributing author to CIO Wisdom and is a frequent speaker on best practices for information technology and information security.

Egan holds a master's degree in finance and international business from the University of San Diego and a bachelor's degree in computer sciences from the University of Clarion.

Tim Mather is Symantec's vice president and chief information security officer and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM). As the chief information security officer, he is responsible for the development of all information systems security policies, oversight of implementation of all security-related policies and procedures, and all information systems audit-related activities. He also works closely with internal products groups on security capabilities in Symantec products. Prior to joining Symantec in September 1999, Mather was the manager of security at VeriSign. In addition, he was formerly manager of information systems security at Apple Computer. Mather's experience also includes seven years in Washington, D.C. working on secure communications for a classified, national-level command, control, communications, and intelligence (C³I) project, which involved both civilian and military departments and agencies.

Mather holds master's degrees in national security studies from Georgetown University and international policy studies from Monterey Institute of International Studies. He holds a bachelor's degree in political economics from the University of California at Berkeley.

© Copyright Pearson Education. All rights reserved.

See all Editorial Reviews

Product Details

• Paperback: 288 pages
• Publisher: Addison-Wesley Professional; 1 edition (December 10, 2004)
• Language: English
• ISBN-10: 0321304519
• ISBN-13: 978-0321304513
• Product Dimensions: 9.2 x 7 x 0.5 inches
• Shipping Weight: 14.1 ounces (View shipping rates and policies)
• Average Customer Review: 4.7 out of 5 stars  See all reviews (11 customer reviews)
• Amazon Best Sellers Rank: #794,752 in Books (See Top 100 in Books)

Customer Reviews

Most Helpful Customer Reviews

12 of 13 people found the following review helpful:

4.0 out of 5 stars Great resource, but boring at times, February 9, 2005

By 

Dr Anton Chuvakin "Dr. Anton Chuvakin" (CA, USA) - See all my reviews

This review is from: The Executive Guide to Information Security: Threats, Challenges, and Solutions (Paperback)

A fun book on security for executives and managers? Unbelievable, you'd say? This one ("The Executive Guide to Information Security") comes pretty close.

On the down side, do not look at this book for technology coverage. Almost total lack of coverage of intrusion prevention, spyware, spam as well as some Symantec bias (understandable, considering the publisher) make this book much stronger on the policy, process and "big picture" coverage rather on modern technical threats and countermeasures. Slightly confusing coverage of vulnerability management also falls in the same category. However, given the target audience of CEOs and CFOs, this is certainly excusable.

The book introduces the executives to basic security concepts such as "defense-in-depth", "people, process, technology", etc, and goes into details on using them for organizing security for their organizations.

I also appreciated the sections on planning and executing a security strategy and measuring security by using various included checklists and questionnaires. 50-point security evaluation framework based on"best practices" was another valuable piece. The books also address one of the important questions of organizational security: in-house vs outsourced security.

Regulations and laws also occupy a significant part of the book. The coverage is high-level and provides few details, appropriate given the target audience. A section on future security was pretty insightful and enjoyable to read!

Overall, I think the book will be one of the first (and, so far, best) books about security for the "C-level" crowd.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org

9 of 11 people found the following review helpful:

5.0 out of 5 stars Excellent Reference for Executive Management, November 7, 2004

By 

Tony Bradley "s3kur3" (Houston, TX) - See all my reviews
(VINE VOICE)   

This review is from: The Executive Guide to Information Security: Threats, Challenges, and Solutions (Paperback)

Mark Egan and Tim Mather have done a great job in my opinion of boiling the wide range of topics and information related to corporate network security down to an "executive summary" highlighting the key areas that executive leadership needs to understand in order to make decisions and lead effectively.

This book provides an overview of the history and current state of information security and an appropriate amount of detail for an executive to understand trends in technologies and threats and how to assess risks, hire competent I.T. staff and a general overview of best practices and practical solutions.

The appendices provide a wealth of additional information such as template job descriptions for specific I.T. roles and a listing of information security web sites for reference.

This book covers a little about a lot, and even that lot is aimed at managers and executive leadership. Don't get this book if you are looking for details about any aspect of computer security or even if you are looking for a comprehensive, broad coverage of information security for the "working class". For executive leaders looking to gain an understanding of I.T. to ensure that their networks are properly protected though this is an excellent resource.

[...]

2 of 2 people found the following review helpful:

4.0 out of 5 stars More Phishing Analysis, December 17, 2004

By 

W Boudville (Terra, Sol 3) - See all my reviews
(VINE VOICE)    (TOP 1000 REVIEWER)    (HALL OF FAME REVIEWER)    (REAL NAME)   

This review is from: The Executive Guide to Information Security: Threats, Challenges, and Solutions (Paperback)

The authors write a timely management level briefing on the current key issues in information security. Directed at not just the CEO of any company, as the cover might suggest. The audience of this book arguably includes not just executives involved in IT, but also the technical IT personnel themselves who may, or rather, will, confront such issues on a daily basis.

Perhaps the most important section is Chapter 8, discussing future threats. It starts with an example of a phishing attack on a company. The chapter then goes onto describe possible trends in attacks over the next few years. Sadly, once past the phishing example, the chapter does not talk any more about phishing. Given the realities of book publishing, the chapter was probably written in the first half of 2004. Yet as 2004 draws to a close, it has seen a huge global rise in phishing. So the chapter is already somewhat dated, through no fault of the authors.

Were the chapter to be rewritten now (December 2004), I imagine phishing would, or should, receive far more detailed scrutiny. While it might be objected that phishing is only one type of attack, its current direct monetary costs to banks and the month on month rise in the frequency of attacks make it a prime menace.