Author: Caroline Wong

Publisher: McGraw-Hill – 397 pages

Book Review by: Venkat Subramaniam

This book is not only easy to read and to understand, but it is thoughtfully organized in a highly systematic way. More than an ordinary book on measuring information security levels in an organization and taking the necessary steps to enhance it, this is a detailed reference work on the many aspects, imperatives and nuances of security.

It has a short two-page table of contents followed by a nine-page, detailed outline and description of what you will find within its pages, enabling you to quickly get to the chapter and page of the topic you’re looking to find out more about.

Or, you may first want to read it chapter by chapter to gain as much information as you want. Then, you can more closely read the chapter and-or the topics on which you seek to get detailed information and develop close understanding and insight on.

This almost 400-page guide covers numerous areas of security in its nine parts and 17 chapters, from the why of measuring security and the risks you take if your company is not protected from threats and intrusion, all the way to what precautions you need to take in the relatively new world of cloud computing.

Part I entitled “Why Security Metrics?” helps you understand the imperatives of information security and how to measure the level of security your company is at in given areas. It contains two chapters entitled: “Why Measure Security”and“Why Security Metrics are Needed Now.”

Part II, “Essential Components of an Effective security Metrics Practitioner,” gives you details on analyzing your firm’s vulnerabilities and committing to developing a program that will make it more secure. Accordingly its first chapter entitled “Analytics” helps you visualize your security metrics, bundle interpretation and metrics, leverage analytic patterns developed by others, and use the trend analysis pattern. It also gives you five examples of applying analytic patterns.

The second chapter of Part II, “Commitment to Project Management,” guides you develop and implement security metrics program within your available resources (people, expertise, time and money). Here you get into the meat of what needs to be done, first by developing a framework with a project name, statement of the problem, the solutions, start and end date, the required budget, and other details.

Part III, “Decide What to Measure,” shows you how to identify core competencies, the  information security work and resourcing options in its first chapter and identify targets (e.g. what’s basic, what’s broken, what’s important, what’s new, what needs to be discussed) in its second chapter.

Part IV, “Get Started,” one of the most important sections of this book, helps you, respectively, within its first through fourth chapters, define project objectives, define your priorities, identify key messages and key audiences, and obtain buy-in from stakeholders.

You get “training for a marathon,”  map a target to a defined benefit, define the objectives of  particular security metrics projects (direction, distance, timeline) and learn some lessons relating to setting bylines and getting initial buy-in from stakeholders in the first chapter of Part IV. The next chapter deals with critically important issues such as compliance, risk reduction, threat analysis, alignment with top business objectives and specific prioritization factors for security metrics projects.

Identifying key information security needs of the heads of different departments within an entity is the scope of third chapter of Part IV of this book, which is chapter 9. It deals with questions such as what are the areas of responsibility of the CEO, CFO, CTO, CIO (and other key executives such as the key risk officer) in your company, what is valuable to them, and what information do you need from each of them? For what purpose do you need their buy-in and what do you need them to approve? Chapter 10 deals with the details of getting buy-ins from different stakeholders of an organization.

Part V entitled “Toolkit” deals with the details of datasets involved in security metrics. Chapter 11 covers automation – its benefits and workflow – and chapter 12 in the analysis technology. In these two chapters you learn to manage data. The topics include designing and strategizing a program that includes collecting data (extract, cleanse, transform, merge, load datasets); calculate (slice, dice and model) and communicate (visualize, annotate, and publish) the information; and orchestrate it (deploy, schedule, executive, and coordinate).

Parts VI, “Creating the Best Environment for Healthy Metrics” instructs you on defining a communications strategy and driving an action plan, stressing the importance of project management.

Part VII, “Secret Sauce: Lessons Learned from an Enterprise Practitioner” engages you in the ways of improving data quality and presentation and discusses your resourcing and outsourcing options in security metrics projects.

Part VIII, “Looking Forward,” addresses the issue of cloud computing, defining its characteristics, service models and deployment means.

Part IX, “Appendix and Glossary” provides in the Appendix very useful checklists relating to the chapters in this book and templates of qualitative metrics questions along with notes, helping identify major information security issues with an organization and what to do about them. The Glossary is a list of words used in security metrics that helps you get familiar with the meaning of terms used in this book.

Caroline Wong has done excellent work reflected in this book. She was formerly chief of staff got the global information security team at eBay, where she built the security metrics program from the ground up. She has been a featured speaker at numerous trade-related conferences.