Published: 22 Mar 2005
One of the reasons that New York City emergency services were able to respond so swiftly and efficiently to the World Trade Center attacks on September 11, 2001 was that in 1996 Mayor Rudolph Giuliani had set up the Office of Emergency Management, which held regular 'table-top exercises' in which administrative and technical members of selected city departments ran through disaster scenarios. When disaster struck, they were ready.
The authors of Defending the Digital Frontier: Practical Security for Management, 2nd Edition, who are all Ernst & Young partners, think organisations should use similar methods to prepare themselves to ensure recovery and continuity after an attack, and you can see their point. The problem, as they say, is that too often digital security is classed as an IT problem when in reality it's a management problem.
This isn't a new idea, but it can't be documented too thoroughly for frustrated IT managers who are having trouble getting this message across to their directors, especially since, as this book notes, security is a hard sell: there isn't a fixed correlation between expenditure and results, there's no simple way of calculating return on investment, and it doesn't make an organisation look good. The recent case in which the UK's National Hi-Tech Crime Unit thwarted a £220 million robbery didn't improve the reputation of the affected Japanese bank, even though that was arguably a security success. Still, this book reminds us: past performance is no guarantee of future success.
About a third of the book is taken up with appendices: listings of applicable laws in various countries and the results of Ernst & Young's 2004 security survey. For this second edition, the authors, two of whom are based in the UK, have made a concerted effort to broaden the book's scope beyond the United States. The listing of laws is useful, but the Ernst & Young survey seems like overkill: the authors might have done better to quote a few statistics and fill the space with more new material.
Still, the statistics are sobering enough to show why businesses need a book like this: 33 percent of the businesses that have a business continuity plan have no method for testing it. If you're one of them, the short section beginning on page 94 is for you -- although, like much of the book, it's strong on generalities and a bit weak on specific, practical advice. This is not the book to read to understand how a distributed denial of service attack is carried out; instead, read it to understand what kinds of policies you need to put in place and how.
Defending the Digital Frontier is liberally sprinkled with real-world case studies that illustrate a particular point or type of break-in or reaction. The authors consider all types of scenarios, from virus attacks to the problems inherent in connecting to customers and suppliers. They don't, however, seem to talk much about the threat from insiders or techniques like 'social engineering' that outsiders use to gain inside information. There's a simple reason for this: Defending the Digital Frontier is not a security book but a business management book about security.