Examine the evolving enterprise security landscape and discover how to manage and survive risk. While based primarily on the author’s experience and insights at major companies where he has served as CISO and CSPO, the book also includes many examples from other well-known companies and provides guidance for a management-level audience.
Managing Risk and Information Security provides thought leadership in the increasingly important area of enterprise information risk and security. It describes the changing risk environment and why a fresh approach to information security is needed. Because almost every aspect of an enterprise now depends on technology, not only for internal operations but increasingly as part of product or service creation, the focus of IT security must shift from locking down assets to enabling the business while managing and surviving risk.
This edition discusses business risk from a broader perspective, including privacy and regulatory considerations. It describes the increasing number of threats and vulnerabilities and offers strategies for developing solutions. These include discussions of how enterprises can take advantage of new and emerging technologies—such as social media and the huge proliferation of Internet-enabled devices—while minimizing risk.
What You'll Learn
- Review how people perceive risk and the effects it has on information security
- See why different perceptions of risk within an organization matter
- Understand and reconcile these differing risk views
- Gain insights into how to safely enable the use of new technologies
Who This Book Is For
The primary audience is CIOs and other IT leaders, CISOs and other information security leaders, IT auditors, and other leaders of corporate governance and risk functions. The secondary audience is CEOs, board members, privacy professionals, and less senior-level information security and risk professionals.
"Harkins’ logical, methodical approach as a CISO to solving the most complex cybersecurity problems is reflected in the lucid style of this book. His enlightened approach to intelligence-based security infrastructure and risk mitigation is our best path forward if we are ever to realize the vast potential of the innovative digital world we are creating while reducing the threats to manageable levels. The author shines a light on that path in a comprehensive yet very readable way." —Art Coviello, Former CEO and Executive Chairman, RSA
Conditions of Use
This book is licensed under a Creative Commons License (CC BY). You can download the ebook Managing Risk and Information Security, 2nd Edition for free.
- Title: Managing Risk and Information Security, 2nd Edition
- Subtitle: Protect to Enable
- Publisher: Apress
- Author(s): Malcolm W. Harkins
- Published: 2016-08-11
- Edition: 2
- Format: eBook (pdf, epub, mobi)
- Pages: 214
- Language: English
- ISBN-10: 1484214560
- ISBN-13: 9781484214558
- License: CC BY
- Book Homepage: Free eBook, Errata, Code, Solutions, etc.
Contents
- Contents at a Glance
- Foreword
- Praise for the second edition of Managing Risk and Information Security
- About the Author
- Acknowledgments
- Preface

Chapter 1: Introduction
- Protect to Enable®
- Building Trust
- Keeping the Company Legal: The Regulatory Flood
- Privacy: Protecting Personal Information
- Personalization vs. Privacy
- Financial Regulations
- E-Discovery
- Expanding Scope of Regulation
- The Rapid Proliferation of Information, Devices, and Things
- The Changing Threat Landscape
- Stealthy Malware
- Nine Irrefutable Laws of Information Risk
- A New Approach to Managing Risk

Chapter 2: The Misperception of Risk
- The Subjectivity of Risk Perception
- How Employees Misperceive Risk
- The Lure of the Shiny Bauble
- How Security Professionals Misperceive Risk
- Security and Privacy
- How Decision Makers Misperceive Risk
- How to Mitigate the Misperception of Risk
- Uncovering New Perspectives During Risk Assessments
- Communication Is Essential
- Building Credibility

Chapter 3: Governance and Internal Partnerships: How to Sense, Interpret, and Act on Risk
- Information Risk Governance
- Finding the Right Governance Structure
- Building Internal Partnerships
- Legal
- Privacy
- Litigation
- Intellectual Property
- Contracts
- Financial Compliance
- Legal Specialists Within Business Groups
- Human Resources
- Setting Employee Expectations in Security Policies
- Employee Communications
- Investigations
- Finance
- Sarbanes-Oxley Compliance
- Working with Business Groups
- Internal Audit
- Corporate Risk Management
- Privacy
- Corporate Security
- Business Group Managers
- Conclusion

Chapter 4: External Partnerships: The Power of Sharing Information
- The Value of External Partnerships
- External Partnerships: Types and Tiers
- 1:1 Partnerships
- Communities
- Community Characteristics
- Community Goals
- Sharing Information about Threats and Vulnerabilities
- Sharing Best Practices and Benchmarking
- Influencing Regulations and Standards
- Corporate Citizenship
- Conclusion

Chapter 5: People Are the Perimeter
- The Shifting Perimeter
- Compliance or Commitment?
- Examining the Risks
- Adjusting Behavior
- A Model for Improving Security Awareness
- Broadening the Awareness Model
- The Security Benefits of Personal Use
- Roundabouts and Stop Signs
- The Technology Professional
- Insider Threats
- Deter
- Detect
- Discipline
- Finding the Balance

Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric
- Structured Methods for Identifying Threat Trends
- The Product Life Cycle Model
- Understanding Threat Agents
- Playing War Games
- Trends That Span the Threat Landscape
- Trust Is an Attack Surface
- Barriers to Entry Are Crumbling
- The Rise of Edge Case Insecurity
- The Enemy Knows the System
- Key Threat Activity Areas
- The Industry of Malware
- The Web Expands to the Internet of Things
- Smartphones
- Web Applications
- Conclusion

Chapter 7: A New Security Architecture to Improve Business Agility
- The 9 Box of Controls, Business Trends, and Architecture Requirements
- 9 Box of Controls
- IT Consumerization
- New Business Needs
- Cloud Computing
- Changing Threat Landscape
- Privacy and Regulatory Requirements
- New Architecture
- Trust Calculation
- Source Score
- Destination Score
- Available Controls
- Calculating Trust
- Security Zones
- Untrusted Zones
- Selective Zones
- Trusted Zones
- Balanced Controls
- Users, Data, and the Internet of Things: The New Perimeters
- Data Perimeter
- User Perimeter
- Internet of Things
- Conclusion

Chapter 8: Looking to the Future: Emerging Security Capabilities
- Internet of Things
- Consistent User Experience Across Devices
- Cloud Computing
- Big Data Analytics
- Artificial Intelligence
- Business Benefits and Risks
- New Security Capabilities
- Baseline Security
- Protected Environments
- Encryption
- Hardware Acceleration
- Enhanced Recovery
- AI-Based Security and Automation
- Context-Aware Security
- Cloud Security and Context Awareness
- Security Analytics and Data Protection
- Conclusion

Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk
- The Expanding Scope of Corporate Social Responsibility
- The Evolution of Technology and Its Impact
- Maintaining Society’s Trust
- The Ethics of Managing Information Risk
- Conclusion

Chapter 10: The 21st Century CISO
- Chief Trust Officer
- The Z-Shaped Individual
- Foundational Skills
- Becoming a Storyteller
- Fear Is Junk Food
- Accentuating the Positive
- Demonstrating the Reality of Risk
- The CISO’s Sixth Sense
- Taking Action at the Speed of Trust
- The CISO as a Leader
- Learning from Other Business Leaders
- Voicing Our Values
- Discussing Information Risk at Board Level
- Conclusion

Chapter 11: Performance Coaching
- How to Use the Tables
- Independence and Initiative
- Efficiency and Effectiveness
- Commitment
- Professionalism
- Discipline
- Teamwork
- Problem-Solving
- Communication
- Listening
- Style
- Clarity
- Goal-Setting
- Conclusion

Appendix A
Index