Review: The Information Systems Security Officer’s Guide, Third Edition
About the author
Dr. Gerald Kovacich has over 40 years of security, criminal and civil investigations, anti-fraud, information warfare, and information systems security experience in both government as a special agent and as a manager in international corporations. He has also developed and managed several internationally based information systems security programs for Fortune 500 corporations and managed several information systems security organizations.
Inside the book
This is not a technical book, nor is it a book that purports to include everything that a cyber security officer needs to know. Instead, it’s a primer on building a cyber security program and on being a cyber security officer.
The author has described an approach that, for him and others, worked well over decades (the first edition of the book was published in 1998, and the approach predates it).
The book is divided into three broad sections that address the working environment of Information Systems Security Officers (ISSOs), their duties and responsibilities, and the global, professional and personal challenges they face.
Section one stresses the need for ISSOs to be knowledgeable about the situation in the world in general and not just the cyber threats they face or the situation in their organizations. They also need to understand humans, not just technology. A varied background is very desirable, and so is knowledge of as many foreign languages as possible. Keeping up with technological and legislative changes is essential.
This section also deals with the changes that have taken place in global business and government, and explains how to adapt to those changes in order to have a good relationship with the management cadre of the organization you are tasked to keep safe. Additional subjects addressed are the political and legislative views on cyber security around the world (which an ISSO would do well to know).
A whole chapter is dedicated to the march of technology and includes information about the various tools cyber security officers can find helpful. A final chapter will quickly take you through the news stories (mostly US-centric) about various cyber attacks – by criminals and nation-state attackers – in the last few years.
Section two is the heart of the book, and concerns itself with the ISSOs’ duties and responsibilities, goals and objectives, and with establishing a cyber security program and its functions, setting up a metrics management system, and reviewing and reevaluating them. According to the author, this section hasn’t been modified much since the first edition of the book – just tweaked to work with the changes in the cyber security environment.
This section will give you an idea of what the ISSO’s job entails (or should entail), and it’s a fantastic roadmap on how to go about making a successful cyber security program a reality. Great questions are asked and answers are given, and the author explains everything simply and clearly. The section ends with a short chapter that shows that ISSOs must know how to communicate and work effectively with their subordinates and those above them, but also with forensic specialists and law enforcement agents in order to keep abreast of the threats they might be facing.
Section three addresses the topics of information warfare, the ISSO’s responsibilities related to ethical conduct, privacy, and liability, and future challenges and risks. One of the chapters talks about the cyber security officer role as a career – how to get into it and how to develop yourself professionally further.
If you’re gunning for an ISSO career in a governmental organization, this section is a must read.
In general, though, this book is not just for aspiring cyber security officers – it’s also a great read for other professionals in management positions as they should know what cyber security officers do and struggle with.