Book Reviews: Information Security Books and Product Reviews – Security 2020

Book Title: Security 2020

Subtitle: Reduce Security Risks This Decade

Author(s): Doug Howard and Kevin Prince

Publisher: Wiley

Date of Publishing: December 2010

ISBN(13): 9780470639559

Price (UK&US price – full price, not discounted price):  £26.99   $39.99

URL of Publisher Site: Wiley.com

URL of Amazon UK web page:  Security 2020: Reduce Security Risks This Decade

URL of Amazon UK (Kindle) web page: Security 2020: Reduce Security Risks This Decade

URL of Amazon US web page:  Security 2020: Reduce Security Risks This Decade

URL of Amazon US (Kindle) web page:  Security 2020: Reduce Security Risks This Decade

At 264 pages of content, organised over ten chapters, ‘Security 2020 – Reduce Security Risks This Decade’, is an engaging and informative read for seasoned security practitioners, as well as for that growing number of business and corporate professionals whose roles and/or responsibilities are expanding to include (or be influenced by) aspects of IT security, and system and information risk management.  The authors, both veterans of the security profession, manage to engage (and retain) the technical and non-technical reader alike through a narrative that is reflective yet exploratory, non-technical (by in large), yet sufficiently probing for the technically minded, and contextualised in such a way that those new to the subject are drawn to it.  The authors support their own analysis and coverage with frequent contributions (nicely boxed “from our contributors” sections) that provide the reader with expert analysis and opinion from respected security and information management practitioners. For me, this added to the reader’s experience and I felt it provided a further tangible measure of the value of this book – there’s a lot in here and from a lot of very good people – and these snippets, by their summative nature were inviting to read.

As a self-confessed techie and with my background and training in that tradition, I found this aspect of Security 2020 – its appeal and relevance to a dual/hybrid audience – both unique and compelling. The authors succeed in delivering a textbook that is wide in appeal and anticipated readership without sacrificing depth of coverage.  To my mind, they do this in no small part by structuring the book into a logical and convincing series of chapters that deliver on the ambitious endeavour suggested in the title.  They begin in chapter one, for instance, with an historical review of what the past has shown us: the origins of the security industry, its norms, behaviours and its artifacts, including things like viruses, worms and hackers, along with their history and evolution. I found this particularly useful, even as a techie, and didn’t feel compelled to skip ahead, such was the often probing and exploratory nature of the narrative; I expect this coverage is particularly orienting for the non-technical reader.  One gets a sense that in the 20 pages that make up chapter one the non-technical reader has been drawn in while the experienced security professional has not been switched off. This useful orientation is followed by a review that considers the changing and increasingly challenging nature of the information security arena and the impact of these changes on corporate governance practices and practitioners.  As such, world events (9/11, for instance), the political climate, emerging cultural norms and the increased sophistication of security breaches are all considered.  Then, just when the pure techie might be compelled to switch off (I wasn’t – but we are all different), a nice peppering of technical challenges is offered in chapter three, including the security risks and challenges presented by remote access, virtualization and the increasingly portable and ubiquitous nature of computing/computing devices.

By the end of chapter three – just shy of 100 pages into the text – one has a real sense of the state of the art of security and the challenges facing those tasked with risk management in the enterprise; all at a level that is informed by both technical and business/corporate governance considerations. The remainder of the text – approximately two-thirds (170 pages) – which for me represents the right balance for a text whose title is clearly future focused, is dedicated to evaluating and synthesizing these lessons from the past and observations from the present to offer a warranted assertion of what the future holds. A plethora of scenarios and technologies are considered, including inter alia vulnerability exploits, social networking threats, infrastructural attacks, challenges with user-generated content, unified communications and other messaging systems, as well as threats from infected software and third parties.  The penultimate chapter (chapter 9) looks at eleven possible scenarios (I would have thought that a list of ten would suffice) that the authors suggest are, “maybe not so crazy,” and that could happen on or before the year 2020.  This is followed in the final chapter by a discussion that includes likely tipping points over the next ten years in the information security and risk management space.  ‘Compliance overload’ is listed here as one example; auditing and enforcement standards demanding more and more of the IT budget is likely to reach a tipping point; one is inclined to concur, and it will be an interesting battleground.  Ironically, having read this text – and in many ways it is a measure of a compelling and thought-provoking read – one is left with a whole host of new unanswered questions on this and other anticipated tipping points.  I would recommend Security 2020 to anyone tasked with (either wholly or in part) an information security and/or risk assessment and management role. I think it may be particularly useful to business professionals, particularly those involved in corporate governance and risk assessment who are increasingly being pulled into the information systems and IT management space.

Security 2020 is an excellent read; suitable for the bookshelf of the corporate governance professional and the technical IS security professional alike.  Easy to read, yet not cursory in its coverage, it provides an informed (and informative) analysis of where the challenges for individuals and organisations lie in securing information systems and corporate practices over the coming decade.

Marks: 5 out of 5
*****