
Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

Information security is a rigged game and we have no choice but to play it every day. Rules are mandatory for the good guys but optional for the bad guys. And the good guys are losing. Now's the time to start playing offense and turn this game around. We can do it if we work together! Unsecurity sounds the call and lays out the plan for information security professionals to unite in strength and fix this broken industry.

254 pages, Kindle Edition

Published February 4, 2019


About the author

Evan Francen

2 books

Ratings & Reviews


Community Reviews

5 stars: 10 (45%)
4 stars: 6 (27%)
3 stars: 5 (22%)
2 stars: 1 (4%)
1 star: 0 (0%)
Displaying 1 - 5 of 5 reviews
John (498 reviews, 413 followers)
June 24, 2019
[I should note before beginning that a colleague of mine picked this up for free at a conference and gave it to me.]

This book is a sane reading of the riot act to all information security professionals and those who want to work in information security. I say "riot act" because Francen is unerring in raising the temperature and alarm at how terribly knee-jerk so much security work is, while simultaneously underscoring how truly at risk we are: companies (large and small) and the federal government alike. (And this is not a provoking of "fear, uncertainty, and doubt" [FUD] because Francen frequently differentiates the fake from the facts.) I say "sane" because I suspect that this book emerged from some very emotional behind-the-scenes ranting, which Francen has managed to control by tempering his approach with facts. The book is loaded with references and recommended reading.

The chapters are thematic, each one a series of problems and solutions. Let me itemize a few things that really got to me:

* First off, the core of this book is based on values. If you don't start with an idea of what you can tolerate for risk, based on your solicitation from business leaders, your security program is simply not going to work. You must identify likelihood and impact, and then go to your business owners and ask them to decide whether it's worth it to fix things up. But the key here is that you're starting from the value proposition that high risk may jeopardize the mission of the business. Francen is very good on the idea that we too rapidly go for technical controls, where our real problems are around user behavior and user training (e.g., pp. 96-99 and elsewhere).

* Second, we are doing a massive disservice to our values around risk and safety by simply turning the crank on what our regulations and assessors tell us to do (especially chapter 7, "Because I Said So"). Francen has clearly been in the business for a long time, because he shrewdly picks out two areas where companies get pummeled by their assessors, but to what end? One area is the SIEM tool (i.e., Security Information and Event Management, or, more humbly, centralized logging). We went through this very exercise motivated by our assessors. As it turns out, after a lot of reflection, we really needed centralized logging, and by implementing a SIEM, we were able to turn off some other systems that were costing us money. But just satisfying the checklist would probably have rendered it shelfware. We have already seen value in our ability to conduct centralized forensics. But, truly, the value emerged from our own assessment, and our definition of requirements brought us the right solution. (Chapter 9, "The Money Grab," has some solid guidance on product selection.) The second area where he identifies assessor-driven security is the need to get a penetration test. In this story, he recounts how the report submitted to the assessor was in fact a vulnerability test, not a real penetration test. Yep. But what was the real problem? The company had never really thought about how an attacker would go after them, so they didn't know what to ask the tester.

* Third, the security industry is starved for talent. The final chapter is an eloquent plea for more security professionals that have the right values and know their onions. Francen provides guidance on how to bring more women and minorities into information security. This is doable. Francen points out that in the early 50s there were only a few hundred women certified public accountants in the USA; now there are hundreds of thousands; this gap was rectified by awareness campaigns and hiring initiatives (p. 256).

Like a lot of more general information security books, this one sometimes wavers between generalizations that don't always provide value (experienced nerds will get impatient), coupled with needing to know some nerd talk to understand where Francen is going (so non-information-security people may get a little lost). But I think the balance is good. Even though the book is pretty well-organized, I think it would have benefited from an index, just to make it easier to find his references to certain topics.
Tech Ninja (191 reviews, 3 followers)
May 7, 2019
Partial rating of 3/5, DNF. I thought it was more of a cyber security book, but it is more of a self-help-in-the-IT-world type book; might pick it up again later.
Jari Pirhonen (461 reviews, 16 followers)
February 23, 2019
Nicely summarizes the problems of the information security profession and industry: issues that infosec / cybersecurity experts complain about to each other after a couple of beers, and issues that they don't complain about, because it would require self-examination. Recommended reading, a kind of information security self-help book.
Reviewer (39 reviews)
March 7, 2020
Great read. I haven't been in the infosec industry long enough to claim that the opinions of the author are true or not. However, his arguments are logical, and I agreed a lot with his opinions. I enjoyed his approach and focus on risk management instead of all the usual topics that other information security books focus on. The reality is that risk management is the base for decision making in information security, and most of the industry seems to forget that. If anything, I recommend reading chapters 6 and 10 in this book.
Reviewer (23 reviews, 1 follower)
June 18, 2021
The first half of the book deserves 5 stars, but falls off quickly. The second half reads like a mediocre self-help book. There’s also a ton of poorly presented stats/figures throughout, and the sections often get off topic.
I’d recommend picking up this book with the intention of ditching it after about 100 pages.