If you do, you may find you'll come out with a more effective security strategy.
Michael Santarcangelo shows why he's known as a "human catalyst" with his strategy-focused effort to change the way we deal with security, Into the Breach.
Michael's basic premise is that a breach is a symptom of a larger problem and not the actual problem itself. Unlike most security-focused discussions today, he tackles not the issue of electronic data and disclosure but the larger, more often ignored problem of low-tech breaches caused (often unintentionally) by people.
Soylent security. It's people, people. We've known that for a while, right? After all, aren't we always talking about those "miscreants" against whose attacks we must be ever vigilant?
Michael very quickly explains it's not the people who want to breach security that are the problem, but the people just trying to do their jobs who do not recognize - for many reasons - the ramifications and potential consequences of bringing home sensitive data, using USB keys to carry around employee information, or walking away from a laptop for "just a minute". People are the problem, alright, but they don't even know it. And it's hard to argue with this conclusion as Michael lays out the data, naked and blinding, for all to see.
But this isn't another doom and gloom exercise, or even one that ends with a particular technical solution. What Michael ultimately provides is a strategy for addressing the problem that is intended to lead folks toward a more conscientious handling of information without requiring security professionals to brandish digital whips in their general direction. And then he walks us through the implementation, including how to quantify success.
In his 100-page exploration of a new kind of security strategy (it requires learning to trust users, which is something that will surely be difficult for many of us), Michael doesn't waste a lot of time with unnecessary discussion. He includes relevant data that supports his premise and uses the examples to explain why a shift in thinking is necessary to better address security concerns. He gets to the point with alacrity and uses language that's designed to clearly communicate why and then how, as if he's following his own advice.
Michael isn't dismissing technological solutions nor is he ignoring the very real threat of external attacks. He's simply focusing on a much larger problem that organizations can impact without a huge investment in technology because ultimately there really isn't one and the risk of a breach caused by internal factors is much higher than we like to admit.
Easy to read, easy to follow, Into the Breach is an honest, open discussion of why we do what we do and how to effectively implement a strategy with a focus on the real problem, instead of just the symptoms.
It's a good read, and a great eye opener if you're responsible for security in your organization - at any level. Which essentially, according to Michael, should be everyone. So give it a read; it's definitely worth the time.