InfoSec Reviews – Practical Risk Management for the CIO

Book Title: Practical Risk Management for the CIO

Author: Mark Scherling

Publisher: CRC Press, Boca Raton, USA

Date of Publishing: 2011

ISBN(13): 9781439856536

Price (UK & US price – full price, not discounted price): £49.99, $79.95

URL of Publisher Site:  CRC Press, Boca Raton, USA

URL of Amazon UK web page:  Practical Risk Management for the CIO

URL of Amazon UK (Kindle) web page: Not available

URL of Amazon US web page:  Practical Risk Management for the CIO

URL of Amazon US (Kindle) web page: Not available

This is an exceptionally well-written primer for anyone responsible for corporate information risk management. In addition to information security, in a mere 350 pages, it succeeds in covering service delivery risk and a whole host of fundamentals. Nevertheless, the depth is pretty adequate throughout. At first sight, the book’s most impressive attribute, however, is its genuine practicality. It’s obvious that the author has regularly encountered and solved the problems he describes in the course of his three decades in Canadian government and justice IT, and he has an appealing no-nonsense approach. For example, in place of the usual flannel on policies and procedures as paperwork, we find here delightful insights about getting them to actually work – such as, “it is often the super-administrators who do not follow … procedures” and, “most technical people cannot write good policies”; both, sadly, all too true. The author also gleefully debunks the classic but over-idealistic “up/down” corporate information flow model, correctly describing the reality as uncontrolled flows in all directions – something we practitioners struggle with so often in the field.

Nevertheless, independent of the excellent quality of the writing, I think one of this book’s greatest strengths is its business-oriented presentation. There’s no technocentric chapter on “IT security” or even “information security”. Both subjects are included instead in a substantial chapter entitled, “Information Protection,” which places them firmly in the broader business context. I wish more security writers and practitioners thought like that.

To summarise the book’s content then – the first three chapters provide an “executive summary” of the rationale for risk management, the broad nature of information liabilities and the main accepted models for service delivery. Eighty pages of fundamental principles and concepts follow, by the end of which the information management landscape has been well sketch-mapped. A more detailed exposition of service delivery follows that fleshes out the contours of the sketch map. Part three is entitled “Liabilities Management” and covers not only technical information risk but general information management including classification, lifecycles and flows – all of which is critical knowledge if you want to achieve real security. This part also includes a grounding in e-discovery, privacy, policies and procedures and continuity planning, although these chapters are necessarily limited in detail. It is here that I have my only real gripe: inevitably, I guess, given the nationality and experience of the author, wherever statutory obligations are referred to they are Canadian-centric. However, an appendix on the OECD Privacy Principles is provided that compensates for this to some extent, and in any case the general principles discussed are universal even if the specifics are nationally defined.

The final part is entitled, “Putting It All Together”, and given the book’s coverage there is indeed a lot to put together. It would obviously be impossible to provide a full-depth reference on every subject covered in the book within the scope of some 350 pages. Nevertheless, the author has done the next best thing – he’s provided a clear insight into the real-world implementation of information risk management by elegantly avoiding too many of the trees so the wood shows up in high contrast. So the true greatest strength of this book is its holistic viewpoint – all too rare and much appreciated – that demonstrates how all the disparate aspects of information management actually fit together to create a robust business asset base. I can unhesitatingly recommend it, not only to CIOs but also to anyone tasked with protecting corporate information assets, whatever the level of their role. It imparts understanding, which is vastly more useful than mere facts.

An excellent holistic primer on corporate information management. The author’s credentials are fully justified by the clear, concise and informative text. A must-have for CIOs and anyone else managing business information assets.

Marks: 5 out of 5

*****