Product Description
Information is the lifeblood of an organization. Information breached is brand, customers, and corporate value lost. The solutions of today are not working. It is time for change. Michael ventures Into the Breach to lear…

Into The Breach; Protect Your Business by Managing People,

5 Responses to “Into The Breach; Protect Your Business by Managing People,”

  1. Donato says:

    “Into the Breach” offers a humanistic solution to a consistently growing concern. How refreshing! Santarcangelo examines (with compassion) the all too human mistakes that can be made in data security scenarios. Using forward thinking, he has developed a plan to get the people who handle sensitive data involved in the process of protecting it. His approach will offer great relief to company owners, big and small, who worry that the only way to protect themselves and their customers is to throw more money into technological solutions. Santarcangelo is easy to read, using a conversational style that gets to the point. His frequent use of real life scenarios and analogies makes it easy for anyone outside the world of data security to follow along.

    Rating: 5 / 5

  2. archimedes1 says:

    I began my information security career in 1998 as a consultant. My first client was a military organization. In the military, getting people to adhere to infosec policies is easy – everyone is required to follow the rules, and there are clear and unequivocal consequences for those who choose not to.

    I’ve spent the rest of my career in business, and out here it’s a different story. It’s generally ineffective to “order” anyone to adhere to policy, and there are countless good reasons why people won’t do it at any given time. I’ve seen millions of dollars wasted on the latest silver bullet technologies to fix what is fundamentally a human problem. Of course the problem remains, and now we’re throwing good money after bad to support the new tools.

    Michael’s book is the first to call a spade a spade and address the human problem with a human solution. By taking away the intermediaries that cause end-users to feel disengaged from their responsibilities, he transforms the problem itself (end-users) into the solution. It’s not rocket science, it doesn’t cost millions of dollars, there’s nothing to support for eternity, and best of all, it works!

    Rating: 5 / 5

  3. G. McKee says:

    I just finished a book by Michael Santarcangelo entitled Into the Breach: Protect your Business by Managing People, Information, and Risk. I am ashamed to admit that I hadn’t run across this book sooner and didn’t know about it until after I was a guest on Michael’s Podcast a few weeks back. At 110 pages the book is a quick read but don’t let that fool you – there is a lot of information in here.

    The book is aimed at executives and other decision makers and not at technical information security professionals themselves. That is not to say that there isn’t value in here for the technically minded as long as they remember that they are not the targeted audience. There are a few things in here that might actually cause the technically focused some anguish but if they are honest with themselves and take a step back they should admit that what Michael says is true.

    Into the Breach is the book that I wanted to write. I share Michael’s perspective on many of the topics discussed and have come to the same conclusions, although independently. We attack the problem from different angles but we share so much in common that I’m left to wonder if the differences are merely trivial. As I read the book I heard my own thoughts being echoed back to me more than a few times. I found new and interesting perspectives on issues that I have worked hard to solve and I even learned a few things (which means that it was time well spent.)

    The book is broken up into three parts. The first part explains the human factors at play in any environment and seeks to provide an understanding of the human factors as they relate to protecting information. I really couldn’t find fault with anything I read in this section.

    The second part lays out Michael’s Strategy to Protect Information and its implementation. Michael’s approach to the problem is different from mine but in no way does that make it any less valid. He does a good job explaining not only how something needs to be done but why it needs to be done, which is the key to mastering anything. That said, I have some constructive criticism to provide with regard to a few things that were mentioned.

    The first being that Michael talks about how a management team can learn and deploy his strategy by just reading his book. The concepts that he lays forth are simple and well explained; however, I can say that I have facilitated groups through similar processes and it is not as easy as Michael makes it sound. The greatest fear that I would have about someone reading Michael’s book is that they will try to implement his program without guidance, then in failure believe that this approach is just a load of crap and go back to the way they have been doing things. Processes like this need to have someone with experience facilitate their adoption in order to steer teams around pitfalls and ultimately achieve success.

    The second criticism is that near the end of Part Two, Michael talks about metrics and how to measure the success of the program. This is indeed an important point; however, his examples did little to illustrate his point and may have in fact made his argument weaker. He talks about the blending of quantitative and qualitative measures (a concept that I’m wholly in favor of) but gives his executive/decision maker reader little to take back that is actionable.

    The third part addresses considerations for extending and enhancing the strategy laid out in Part Two. Michael talks about how his strategy can help protect the bottom line and help reduce the cost of compliance. I agree that it will, but again the topic was treated so quickly that a reader may be left to conclude that this is all that there is to the argument. They couldn’t be more wrong; however, would someone in the targeted audience know this? Perhaps they would; perhaps they wouldn’t.

    Please, dear readers, don’t construe my criticisms as a damning critique of this book. At 110 pages it is nearly impossible to cover the topics that Michael has attempted. This book is exactly where it needs to be in terms of detail when considering the intended audience. I applaud Michael for writing the book. It is a book that has been needed out there for a very long time. I highly recommend it. I would even go so far as to say that you should buy several copies and give them out to senior executives in your organizations. But only do so if you intend to follow up with several conversations about how to apply these principles in your environment. Use this book as a basis upon which to build conversations on how you can improve security within your organization and environment.

    (From Ascension Blog – http://www.ascensionriskmanagement.com/BlogOne/)

    Rating: 5 / 5

  4. I love to read. Unfortunately I don’t get to read as much as I’d like to (blogs are the exception) and when I do get to read it’s usually in short segments, so reading a book can take a while. I used to spend lots of money on technology books but realized that they usually just adorned my shelves and never were fully read, so I quit buying them for the most part. Every now and then a really good book comes along that meets a need that you have and is enjoyable to read. One such book was Mike Rothman’s “The Pragmatic CSO”. It was short and didn’t have a lot of fluff in it, and it has proved to be very valuable to me over the last 18 or so months since I read it.

    A few weeks ago my friend Michael Santarcangelo sent me a preview copy of his book “Into The Breach” to read. I liked it immediately because it’s less than 100 pages long. :) I started reading it and knew immediately that this was good stuff. This book is quick and easy to read. It makes sense. It isn’t filled with fluff and unnecessary stuff just to bloat the size and price. Michael lays out a solid plan for implementing processes that can literally change the way you protect information. He puts lots of emphasis on common sense, out-of-the-box thinking and working with your users. The last part is key. Our users are the ones that primarily put information at risk because they don’t understand the whys and wherefores of protecting data. Michael lays out a plan for engaging them and helping them understand why they need to do things differently.

    This is a book that all of us need to read and take to heart. If you are serious about making a difference in your company then this book is for you. If you want to have your old fashioned assumptions challenged then “Into The Breach” will do just that.

    I gave a copy of it to my CIO about a month ago to read. He told me that he would read it and let me know what he thought. He has now requested more copies because he wants all of his Directors and Managers to read it. We were on a call with Gartner this morning and he told our Gartner Rep about it and said that it was a book that he needed to read. You don’t know my CIO (most of you anyway) but coming from him that is saying a lot. He is a man of few words and those he says he means.

    Rating: 5 / 5

  5. “Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

    One of my favorite sections in Part 1 reminds us that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such a choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real world consequences, as well as the “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

    The central part of the book is Part 2, where the author’s “strategy to protect information” is unveiled. The author then goes into some level of detail on how to implement the strategy (run a pilot, “build a flywheel”, etc).

    On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

    Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough so that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it to your manager!

    Rating: 4 / 5
