Information Security Governance Simplified: From the Boardroom to the Keyboard is a perfect guide to developing effective information security at all levels. The experienced and novice information security professional will find Information Security Governance Simplified, by Todd Fitzgerald, to be a valuable resource and I recommend it for that reason and others I will share with you here.
Information security can be an overwhelming responsibility for even the most experienced CIO or CSO. The challenge of balancing appropriate information security standards and practices without obstructing the business can be very painful. Add to it the challenge of resisting a purely technology orientation to information security and you’ll understand why so many organizations struggle with developing an effective information security governance model.
Fitzgerald takes on these challenges and rightfully broadens the focus of information security governance to how security should be positioned so that it becomes an approachable subject, using a proactive top-down strategy rather than merely reacting to the latest security incident.
Fitzgerald also offers plenty of guidance on recognizing how much security is too much, demonstrating that information security governance can be made simple and still be effective.
I appreciated that the book lays a solid foundation for what information security is about, reminds readers that it is not limited to electronic information, and stresses the importance of having a clear information security strategy. Readers who are new to security or who find themselves with a growing security role will find the chapters on the Security Management Organization and Interacting with the C-Suite very useful.
And anyone who is frequently frustrated trying to win support for increased security measures will find lots of ideas for relieving a little of that stress in Managing Risk to an Acceptable Level. In this chapter Fitzgerald reminds us of the reality that businesses and organizations of all types can choose to live with risk despite rational reasons to mitigate it.
I found the chapters on Creating Effective Information Security Policies and Security Compliance Using Controls Frameworks to be good references for every organization. This includes those operating in verticals that are not heavily regulated but can borrow from those industries with similar profiles.
Information Security Governance Simplified includes three chapters on practical security controls: Managerial Controls, Technical Controls, and Operational Controls. In each of these chapters you will find specific controls that most organizations would accept as key controls, along with mappings to their appropriate control frameworks.
Fitzgerald starts to wrap things up with some important and very useful advice on dealing with audits and auditors, Effective Security Communications, and connections between the Law and Information Security.
The book concludes with a chapter offering lessons in Learning from Information Security Incidents and a most interesting chapter on the 17 Ways to Dismantle Information Security Governance, which is something of a judo lesson in understanding failure so that you can avoid it.
The book was a very comfortable read that more often than not felt like Fitzgerald and I were having a conversation over coffee or on a break at a security workshop. Fitzgerald’s conversational writing style, and his use of questions when framing an issue and organizing important considerations, probably helped give me that feeling.
I do imagine some readers will find Information Security Governance Simplified: From the Boardroom to the Keyboard to be a little unrealistic, especially those of you in higher education who have experienced resistance to implementing more mature controls and security practices.
But you should not be discouraged, and I am sure you will find that Fitzgerald provides plenty of practical and level-headed insights for developing a security strategy that will allow you to influence your organization and win executive and organizational support.
You can also expect to come away with a healthier understanding of how to work within an organization that has a fairly high risk appetite or weak sense of urgency when it comes to compliance.