RE: REVIEW:
From: Steve Purser (steveapurser_at_yahoo.com)
Date: 10/23/04
- In reply to: Rob Slade, doting grandpa of Ryan and Trevor: "REVIEW: "A Practical Guide to Managing Information Security", Steve Purser"
Date: 23 Oct 2004 20:56:25 GMT
Here is my response to the review of my book written by Robert Slade.
Hopefully, it will clear up any confusion that this review has created.
Unlike the reviewer, I will avoid emotionally charged language and stick
to the facts.
The first paragraph aims to establish the credibility of the reviewer
and does not really require a response from my side, except to point out
the fact that I am not a banker - I just happen to work for a financial
institution. Needless to say, I wouldn't consider it any kind of omen if
I were a banker, and sweeping statements about professionals in
particular sectors are unlikely to add value to any serious review.
The opening statement of paragraph 2 is a classic example of quoting out
of context. The text in the book actually refers to the balance between
the benefits to the organisation of getting to market quickly versus the
risk to the organisation of reducing security functionality. Most
organisations have to take similar decisions all the while and there is
nothing irresponsible about achieving a sensible compromise.
Most of the remaining text is subjective, rather than objective
criticism and the reviewer simply conveys the feeling that he didn’t
like what he read. Here are some comments for those who have read the
review:
- The taxonomy of tools is indeed incomplete. I deliberately restricted
the discussion on tools to support the main theme of the book, which is
security management.
- On page 58 of the book I make the same point about intrusion detection
systems as the reviewer. It is therefore difficult to see how he reaches
the conclusion that I have not understood.
- Most security professionals would agree that "Business or threat
analysis", more correctly risk analysis in this context, is central to
the subject under discussion.
- There is nothing "vague" about the content of chapter 6.
- It is interesting to note that Rob thinks process re-engineering has
little to do with security. Anyone with management experience in this
domain will surely realise the importance of getting the process right.
I think that this has everything to do with security.
- Chapter 8 does look at security architecture - there is no
"supposedly" about it.
The description of the content as being “generic” and “vague” is
entirely unjustified in my opinion. The comment regarding the taxonomy
of tools is correct however – I took the decision to limit the content
of this section and I still stand by this decision. This is a book about
managing information security and the emphasis is on management, not
technology. This being the case, it is perhaps not too surprising to
discover the fact that it contains a lot of “management directed
verbiage”.
It seems likely to me that Robert Slade made his mind up about this book
on the basis of the “red warning flags” he refers to in his first
paragraph and not on the basis of the content.
Steve Purser.
*** Sent via WindowsHostList http://www.windowshostlist.com ***