Yet, as the importance of information security has increased, the field has become crowded with “instant experts.” Many of those who now call themselves “experts” owe their current notoriety to some specific technical skill or to short periods of time in consulting or vendor organizations. Most who publish books and articles on information security have never been accountable for protecting major organizations against the dizzying array of risks nor dealt with the harsh realities of doing so in the context of corporate cultures, politics, and the grind of daily operations.

In contrast, you hold in your hands a book containing the distilled wisdom of 40 years of practical experience from one of the original leaders in information security. Dr. Gerald L. Kovacich, “Jerry” to his many friends and admirers, has spent a lifetime developing and perfecting the materials that are the core content of this book. The original has held up over the years precisely because it is “technology independent.” The assumption is that the reader has either attained already or can obtain, from other books, courses, and seminars, the technical skills to work in the information security field.

Therefore, if you are looking for technical solutions to the current or latest set of acronym challenges, then this is not the book you want to buy. However, if you are an information security professional seeking to understand what it takes to be successful as a manager and to become a leader in your organization and ultimately in the profession, then you have the right book.

Students considering their career options, as well as professionals in other but related fields such as IT, physical security, or IT audit, will also find the information presented so artfully by Dr. Gerald L. Kovacich to be of great value. Readers from all these backgrounds will find this book expands their knowledge of the many activities involved in establishing and sustaining an organization’s information security program.

This updated and expanded edition builds upon the content that made the original volume one of the best-selling security books ever published. What the Guide does that is different, perhaps unique in the information security field, is coach, mentor, and tutor the reader in the various managerial and operational skills that will ensure a more successful and ultimately more satisfying career.

From my personal experience I can testify to the practical wisdom that is captured in these pages. I owe a significant part of my professional success and achievement to actually applying many of the methods and techniques described in the original Guide. Over the past six years I have recommended the previous edition to countless aspiring information security professionals, and note with satisfaction that many found the content to be key to their successful participation in the rapidly burgeoning information security profession.

Understand that a keen appreciation and lifelong commitment to information technology will be required for success as an information security practitioner. However, much as that background is necessary, it alone is not sufficient for professional success and personal satisfaction. Those who aspire to leadership and seek to become the managers, directors, and vice presidents of information security in the future will enjoy and learn much in the Guide that will support their success. I believe they will find, as I have, that Dr. Gerald L. Kovacich has provided them with knowledge that better prepares them for the challenges of managing these important responsibilities.

Whether information concerns a new product or technology, a proprietary process, a business plan, a customer or donor list, or military operations, information has value to its owner. That same information may also have value to competitors, criminals, or enemies. Some will take bold measures to obtain information. Others will rely on the failure of organizations to adequately protect their own sensitive and proprietary information, making it easy for unauthorized collection and use. A few will seek to obtain information any way that they can, using legitimate or illegitimate means.

The very information that contributes to the viability and success of an enterprise, if unprotected and found in the possession of competitors or enemies, may cause the loss of a competitive edge or the embarrassment of exposure or, in the event of military operations, may place war fighters in “harm’s way.” Thus, protecting the availability, confidentiality, and integrity of information is an essential task.

In this book, Dr. Gerald L. Kovacich addresses the question, “Is the position of an ISSO necessary?” Bluntly, unless your goal is failure, the answer is clearly “Yes.” Protecting information is not an easy task. So much information resides on sophisticated and complicated information systems linked in local and wide area networks. To effectively and efficiently protect information and information systems requires the skills and dedication of a security professional: an ISSO.

The ISSO must be skilled in the disciplines of management, security, and information systems; must be capable of convincing others of the need to protect information; and must understand that protecting information is more about risk management than it is about risk avoidance. The ISSO needs to understand how information is used in the context of the world and business environment in which we operate. This includes understanding threats and where they come from, such as competitors, detractors, enemies, opportunists, and “bad guys.”

A skilled ISSO is essential to any enterprise. However, an ISSO is not the only answer or solution. Understand that the ISSO is not an übermensch. The ISSO alone cannot do everything that needs to be done to protect information. The ISSO must be capable of bringing together diverse persons with divergent interests in an effort to develop a protection profile for the enterprise. In this book, Dr. Gerald L. Kovacich provides the architecture to do just that. He provides a framework for establishing an effective information protection program.

Regarding the debate as to where an ISSO should report in the organization hierarchy…stop! Now is not the time for debate. Now is the time to act. Information security is serious business. The protection of information is just as serious as the management of information. In today’s organizations most company information is processed, stored, displayed, and transmitted on and over information systems. CIOs are skilled executives employed to ensure that information systems are effectively managed, meeting the needs of the enterprise and making information available to all users. Protecting this information and its availability, integrity, and confidentiality is just as important. A skilled executive is needed to accomplish this—a corporate security officer (CSO). The CSO is someone knowledgeable in matters of security, information protection, information systems, and business management. The CSO should be independent of the CIO and report directly to the CEO or corporate operations officer. Separating the CIO function from the CSO function is important, as the need to protect information is often in conflict with the need to share and disseminate information. The ISSO should either report to the CSO or be the CSO.

Let’s end the discussion on the need for information protection and the need for an ISSO. One would have to be a resident of Plato’s cave to not realize that information is critical to a business and requires protection. Let’s shift our focus to understanding just what requires protection, how it should be protected, and from whom. Using this book by Dr. Gerald L. Kovacich is a very good beginning.

As organizations and companies continue to become more dependent on information systems and connect to an ever wider group of partners that they have to rely on and “trust,” the probability that they will encounter problems increases on an almost daily basis. In addition to this increasing reliance on systems that are increasingly interconnected, it is now an unfortunate reality that those people who would seek to do us harm increasingly have the knowledge and capability to do so.

For a number of years, the governments of a number of countries have been aware that there are some industries and systems that are essential to the well-being and maintenance of normal life within a country. These may include power production, telecommunications, water supply, food distribution, banking and the financial sector, and a whole range of other industries and have, together, been tagged the critical national infrastructure. It is unfortunate for the ISSOs of these industries that in addition to all of the other risks that they must deal with, they now have to be concerned that they will be a target of attack by terrorists and others who wish to affect not their organization, but the government. This makes life a whole lot more difficult in a number of ways.

Some organizations are starting to better appreciate the implications of these developments and are recognizing that the role of the ISSO is not only increasingly important, but also increasingly difficult. Unfortunately, others have not taken the situation on board for an often repeated, endless set of reasons that have caused them to ignore it in the past. These include a lack of understanding of the underlying problems, a lack of skill to address them, insufficient resources, the “it won’t happen to me” attitude, a lack of education and training, and a lack of direction from government.

The last of these has changed significantly in the recent past, and there is now a will by the governments of most developed countries to improve the security of information systems. This is particularly true of the United States, and huge investment has been made in “Homeland defense,” with an apparently genuine drive by government to make information-dependent countries a safe place to live and trade.

One of the major problems that an organization faces in recognizing the need for an ISSO is based on the undeniable truth that in most cases, security is a costly drain on resources, in both financial and staff terms, that delivers no tangible return on the investment. If you are a member of the board of a company and have to make the choice between investing in a new plant that will reduce production costs and improve profitability and investing in information security, which is likely to get your vote? This is often the decision that must be made, especially when the argument for “spend on information security” is based largely on the intangible and the unprovable. How do you prove that you are likely to be attacked or have security problems, when the evidence from past experience is that it has not been a problem before? How does the person presenting the argument for the information security investment convince a group of people who have probably never suffered the consequences of an information security breach that this is good value for money? If the members of the corporate board have been involved in a previous breach of information security, the investment argument will be received in a very different manner and by people who understand the value of it.

What is different about an ISSO from other types of security officers? Well, the short answer is that the ISSO is a hybrid that did not need to exist in the past. Security officers have traditionally gained their experience in the military or in government or public service (police or three-letter agencies) and they can tell you all about protecting tangible “things,” whether they are objects or people. They are normally very good at it and the methods, tools, and techniques that they use have all been tested and refined over a long period of time.

Because the security of information systems cannot and must not be treated in isolation, the ISSO needs to have all of this knowledge and then, in addition, needs to be able to understand information systems and computers and the implications of their use. In this area, there is no collective pool of knowledge that has been gained over centuries by a large group of people. Information systems are, in historical terms, very young, and their maturity has taken them through so many evolutions in such a short time that there are very few computer professionals, let alone security specialists, who are able to keep pace with the changes and the diversity that have occurred. So the ISSO needs to have a wealth of knowledge and experience in security and in information technologies and has to be able to develop, implement, and manage policies that will protect the information resources of the organization in a dynamic environment.

A complication now arises. Where people will complain about physical security and will subvert it if it becomes too inconvenient and complain about the delays that the checking of passes and locked doors will cause, when you apply security to the information environment, a whole new set of problems is exposed.

The users of information systems have been exposed to and suffered from years of badly conceived and implemented information security that has caused inconvenience and prevented them from getting on with their job. It is a sad comment that, in the field of information security, the user of the system has often had more knowledge of the information technology than has the “security expert.”

The bright side of the situation is that things are improving—the “information security experts” within organizations are gaining experience and the technologies that can help them to provide coherent security for systems are becoming available. The whole issue of threat and risk assessment is gaining credibility as methods are developed that give traceable routes to support the decisions that are made.

In the global context, while things proceed at a very slow pace, there are at least discussions on ways to harmonize the laws in different countries and groups of countries and the exchange of information between those who need it to maintain security.

It is easy for information security officers to become very insular and to look at the problems that they are facing in terms of only their organization—after all, these are busy, overworked people who are struggling just to keep pace with events and developments. This is a huge mistake and can lead only to disaster in the long term. We can no longer, for the most part, “conduct our business in isolation.” The organizations that we work in have an ever-increasing need to communicate and to interconnect with other systems and organizations and in doing so, we have to be aware of the problems that such connections expose us to.

Learning from the best practice that has been developed in other organizations provides two benefits: The first is that it allows the knowledge of many to be applied to the problem of one; and the second is that it is one step down the line toward common standards and practices, which engenders confidence in others that the security that is being applied to your systems is of an acceptable standard (they can understand what you have done to make your systems secure and why you have done it!).

When the larger picture is examined, the responsibility that is placed on an information security officer is immense. The ISSO has a responsibility and a duty to the organization that the ISSO works for, but also has responsibility to partner organizations and others that may rely on the product of the organization. An example of this might be a power company, in which the effect of a security breach might be the loss of availability of their systems. Unfortunately, the power supply company is networked to a number of other power suppliers to facilitate the balancing of power production to meet the customer needs. If one is affected, it may prove to be the weak link in the chain and allow the attacker to gain access to other power suppliers. There is also the issue of the customers—what impact will the loss of power supply have on their businesses? In turn, will it have an effect on their customers?

From the ISSO’s point of view, life can only get worse. In some countries, laws are being introduced that place a legal obligation on organizations and their employees to take what is referred to as “reasonable” (or in some cases “appropriate”) care of information that they have in their possession and also to take “effective measures” to protect the business, sometimes referred to as “due diligence.”

How can ISSOs cope with doing the job of developing, implementing, and managing the security of the information while at the same time making sure that they understand the current risks and threats to their organization and the current technologies and techniques and the laws and best practice and standards? Well, no one ever said it would be easy…

Gone forever are the good old days when we could operate with an island mentality and rely on the perimeter security of our organization to provide the first and main line of defense. The security perimeter is now almost meaningless with regard to our information, although it still has some benefits for the protection of physical assets. Now the routes into our organization are as much about the wires and fibers as they are about the roads and sidewalks. We can monitor physical access to our environment with a variety of technologies (CCTV, access control, pass entry systems) and we can also, fairly effectively, monitor what our staff is doing on our information systems (as long as we have the monitoring systems turned on and are watching them). We can put our security barriers up on the information systems (firewalls), but unless we deploy methods and tools to allow us to see what activity is taking place in our environment through systems such as intruder detection systems, we cannot see what is happening in the area around our “virtual office.” The nearest equivalent would be having the external doors locked, but not having any windows or cameras to let you see what is happening on the sidewalk outside the door (a potentially dangerous situation for when the door is opened, given that our door on an information system opens onto a sidewalk anywhere in the world).

It is also reasonable to suppose that, after the World Trade Center attacks, there is increased consciousness of the impact that a terrorist attack can have. It is a sad fact that in addition to the lives that were lost as a result of the outrage, a number of organizations that could and should have survived the incident did not, as they could not reinstate their business within the necessary period of time. Who was responsible for their demise? You could argue that it was the terrorists, but the reality is that it was actually their own lack of foresight and resilience and, in some cases, just plain bad luck. If the organizations had all carried out risk assessments for their businesses in the environment in which they were operating, more would have taken steps to ensure that they had taken action on very old advice—have backups and store them in a safe place in another location, have contingency plans and practice them. As the ISSO, part of this is your responsibility—how are you going to ensure that your information is stored securely elsewhere and that you can recover it when you need to?

The life of an ISSO can never be an easy one—you are the voice of doom and authority within an organization that says “No” to users who want to do things that to their mind are quite reasonable. You are the one who acts as their conscience and highlights or investigates their sins, and you are the bearer of bad tidings to the board (you need more investment to keep the systems secure, or you have just had a security incident and are reporting the damage). You are the one who is responsible for the security of the “crown jewels” of the company. So why would you want to take on this role? Well, the answer is that it is one of the most satisfying and rewarding roles that you can imagine. It should never be boring, and there will usually not be the same problems to tax your intellect twice. It also allows you to use and develop skills in an area where you can make a difference and to contribute to a struggle that is becoming increasingly fast-moving and ruthless. It can be a hugely satisfying role, for those who can survive the apprenticeship and can accept the responsibility while maintaining a balanced view of the world.

So in the frantic race to beat the competition, technology was deployed with little thought to security. Indeed, people had just enough time to get whatever it was working, let alone secure it in any meaningful fashion. And then pow, some security breach was discovered and it had to be fixed fast. In the rush to put the Web site or whatever together, no one budgeted for security, and there’s nobody in-house with the expertise to handle it. Enter the information security consultant. Since it wasn’t budgeted for in the first place, it’s an out-of-cycle approval from management, and there you are trying to secure a system that has deep design flaws from a security perspective with an obscenely small budget. You explain that to really do it right, a complete redesign is in order. Yes, we understand, and no, we can’t do that. “It’s a production system,” “Our competition will kill us,” “We don’t have that kind of budget for security,” and so on. With a sigh, you do the best you can to place some security Band-Aids on it and advise them to call you before the next design meeting for version 2.0. Guess what happens when v2.0 is released? Same thing.

This cycle repeated itself for pretty much the entire “dot-com” era, with some exceptions. Some of the more forward-thinking companies hired consultants for security architecture and design work and saved themselves a whole lot of money and headaches. Still, the InfoSec consultants had more work than they could handle. (The same was probably true in the 1920s for radio engineers.) One good thing that came out of the 1990s was raised awareness of the role that information systems security plays in a successful technology deployment. Oh, and there are now hundreds (thousands?) of companies offering security products for every conceivable problem.

Now that the party is over and technology has fallen back to being just another business tool, what will this mean for information systems security consultants? Virtually all companies have cut back on their IT spending and are focusing on using what they’ve already overbought. Part of the hangover is that companies have had to lay off significant numbers of people across the board, including IT. Lean and mean, baby. Now it’s time to take stock of what we did during the frenzy and see if there’s anything we missed. Did we buy enough servers? Yes, we’ve got plenty. Networking? Yup, plenty of that. Web sites? Got ‘em. There was something we missed, though…What was it? Something critical…Oh, yeah! That security thing. OK, get somebody on it. Oops, we laid them off. Hmm, can we hire someone? No way, there’s a hiring freeze on. Well, we better call a consultant then.

And that’s where we’re at now. Information systems security consulting is doing quite well in these times and mainly for those reasons. A lot of what we’re seeing is going back over everything and locking it down. That’s great, but where is it going? I think that this will continue for some time during the economic downturn. At just about the time the retrofitting work is done, the economy will probably heat up again and companies will start buying IT again. When that happens, we InfoSec folks will be there to secure the next generation of information technology. Let’s just hope everyone does it right the next time around, rather than rushing into every project just to get it out there fast.