Book Review: Cyber Security Management
Gower Publishing Limited; ashgate.com; 262 pages; $124.95.
The key word in the title of this British publication is “framework,” and readers who are looking for instruction at an operational level will be disappointed. The authors do not have cybersecurity backgrounds, but they have conducted broad and extensive research into the subject of cybersecurity.
A considerable amount of attention is given to governance, business continuity, risk management, and “resilience,” what practitioners in the United States might call “sustainability.” Interestingly, there is also a lot of attention given to corporate intelligence and even counterintelligence. Emphasis is placed on the value of “marketing”—what is called “business development” in America. These topics are not seen exclusively from a cybersecurity perspective.
The authors cite vulnerabilities in government, military, and private industry networks and promote cooperation among the three to achieve better defenses. They recognize that many solutions are beyond the scope of any individual entity—for example, the serious shortage of cybersecurity professionals and cybersecurity education at colleges and universities. They point out that senior management and even many IT professionals lack knowledge of cybersecurity threats, vulnerabilities, and solutions.
The book discusses threats and vulnerabilities, reflecting the authors’ extensive research, and recommends elements of a robust security program. Ghostnet, Aurora, and Stuxnet are described as “cyber weapons” developed by highly trained professionals—implying that they are state sponsored. The United States, China, Brazil, Germany, and India (in that order) are identified as originators of malicious activity. Curiously, a British software product called Proteus is heavily and exclusively promoted throughout the book.
Cyberattacks are growing in volume and sophistication and will continue to do so. The authors believe that attacks will increase in severity before adequate solutions can be developed and deployed. The book will be most valuable to those implementing a cybersecurity program who need a strategic overview of what is required, and to those who have implemented such a program and wish to validate it.
Reviewer: G. Ernest Govea, CPP, is the facility security officer and security director of government security for Parsons in Pasadena, California. He is a Vietnam veteran and has been responsible for the protection of classified information for 39 years with the military and the defense contractor community. He is a member of ASIS International.