Once more unto the Breach

Once more unto the Breach: Managing information security in an uncertain world

ANDREA C SIMMONS
Copyright Date: 2015
Edition: 2
Published by: IT Governance Publishing
Pages: 237
https://www.jstor.org/stable/j.ctt155j4f2
    Book Description:

    In this revised edition of Once more unto the breach, Andrea C Simmons uses her extensive experience to provide an important insight into the changing role and responsibilities of the ISM, walking you through a typical ISM's year and highlighting the challenges and pitfalls of an information security programme.

    One of the key failures of security change management is that it is perceived as a project instead of a programme, and is therefore mistakenly assumed to have an end. Once more unto the breach explains why information security is an ongoing process, using the role of project manager on a programme of change to highlight the various incidents and issues that arise on an almost daily basis - and often go unnoticed.

    A major challenge for the ISM is achieving all-important buy-in from their colleagues. Once more unto the breach explains how to express the importance of the tasks you are undertaking in language that executive management will understand. You'll also discover the importance of having a camera with you at all times.

    For too long, security has been seen as more of an inhibitor than an enabler. Once more unto the breach is an invaluable resource that will help you improve this perception, and achieve better overall information protection results as a result.

    eISBN: 978-1-84928-709-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. PREFACE
    (pp. 5-6)
  3. ABOUT THE AUTHOR
    (pp. 7-8)
  4. ACKNOWLEDGEMENTS
    (pp. 9-10)
  5. Table of Contents
    (pp. 11-13)
  6. INTRODUCTION
    (pp. 14-20)

    “Once more unto the breach” is a key phrase from the “Cry God for Harry, England and Saint George!” speech of Shakespeare’s Henry V, Act III, 1598. The breach in question is the gap in the wall of the city of Harfleur, which the English army had put under siege. Henry was encouraging his troops to attack the city again, even if they had to “close the wall with English dead”. We read these kinds of battle-cry stories now, in our enlightened and empowered times, and find it hard to countenance such unfailing support for heading into a perilous...

  7. CHAPTER 1: AUGUST - PULLING A TEAM TOGETHER
    (pp. 21-42)

    The most important thing to remember from this book may very well be that there should be no more information security projects, but rather programmes. What we, as information security professionals, are ultimately delivering are programmes of change across our organisations. All the security breaches that have dogged the second decade of the 21st century appear to have been as a result of operating at odds with the importance of the key elements of security (i.e. maintaining the integrity, confidentiality and availability of information assets). This book will not repeat detailed definitions of information security per se – there are many,...

  8. CHAPTER 2: SEPTEMBER - STREET TRASH
    (pp. 43-62)

    So, now that your team is up and running, you have your reporting in place and people understand what is expected of them, you are starting to get noticed and the programme of change is under way.

    You have learnt a vast amount about the organisation already – if you have all the answers to the questions asked in Chapter 1, that is! No doubt, there are many people surprised at how interested you are in such a wide variety of issues. This is precisely how it should be. The ISM is interested in the security of information in all its...

  9. CHAPTER 3: OCTOBER - COMPLIANCE MAY BE ONLY SKIN DEEP
    (pp. 63-77)

    The experience that is behind the writing of this book is that of usually swooping in at the last minute, with about six weeks to deliver a compliance state for an organisation. However, most organisations tend to realise very quickly that saying you’ve done it (security) doesn’t necessarily mean that you are it (secure). The capacity to successfully fill in forms and ‘get through’ audits is staggering, when you consider the gap between the contents of the verbiage and the reality of the infrastructure and operation across many organisations. It may be that ‘compliance is only skin deep’ and you...

  10. CHAPTER 4: NOVEMBER - HOW REMOTE IS REMOTE?
    (pp. 78-97)

    There are times in your career as an ISM when you really have to put your hand up and say, ‘hold on a moment’, and ask yourself where sanity and sense have gone!

    We can all too easily make things far too complicated. The answers we are seeking are often so simple that they are not what we first consider; nor are they easy to believe because of their simplicity.

    If you set yourself up with a particular network segmentation approach, it may label a significant amount of users as ‘remote’, and this will mean needing to apply two...

  11. CHAPTER 5: DECEMBER - OH, FOR THE SAKE OF YET ANOTHER PROPOSAL …
    (pp. 98-116)

    In this particular instance, there was an initial budget to deliver a particular goal, then a realignment of expectations following the achievement of that goal. This was because in reality, what was put on the submissions that were required to be presented to external auditors was not the reality of what was actually going on inside the organisation. Not untypical. So a plan of action (in security terms, this is usually called a security improvement programme (SIP)) was put into place to address the compliance gaps. The gaps were way beyond just technological issues and spanned all three points of...

  12. CHAPTER 6: JANUARY - A BATTLE WON
    (pp. 117-136)

    So why do you need to keep on explaining what your ICT colleagues ought to be doing to support BAU functions? Constantly having to explain to internal ICT management what ICT colleagues should be doing normally is a long battle - never mind that you also have to add other extra duties for an initial period while you go through a transition to a new infrastructure or new platform.

    Any large infrastructure-based project can have the unsettling ability to highlight missing work that should have been being done as part of BAU. Therefore, the difficulty is that somehow this work...

  13. CHAPTER 7: FEBRUARY - MONEY DOESN’T BUY HAPPINESS
    (pp. 137-146)

    As an ISM, you can see by now that you have to consider yourself to be some kind of plate spinner – with a number of different sub-projects going on at any one time. This may have been done to serve the needs of management, rather than for anything designed by you. So the end result could be that nobody knows what’s going on!

    However, there is always a concern that your large project is like an elephant that cannot be eaten all at once. Therefore, breaking it down into a number of sub-projects is a good tactic as this will...

  14. CHAPTER 8: MARCH - SLIPPING THROUGH THE NET
    (pp. 147-160)

    During the period when the core of this research was undertaken, the UK political landscape was changing beyond recognition. In the UK public sector, when an election is forthcoming, there is a time referred to as ‘purdah’ - the period from when an election is announced until after the election is held, now more often referred to as the pre-election period. There is an immediate hold on spend, no new projects get approved and ultimately money gets clawed back on projects which have already been funded. This results in most employees feeling quite ‘stuck’, unable to progress existing plans, uncertain...

  15. CHAPTER 9: APRIL - LINKING INFOSEC WITH INFOGOV
    (pp. 161-183)

    As we’ve established, the information security industry loves its acronyms and abbreviations, so in this instance we have InfoSec for information security, and for information governance we have InfoGov.

    As an ISM you need to be thinking more broadly, as this is the trajectory at the moment. Information security begets information assurance begets information governance. If we are truly protecting information assets, holistically, this is where we will end up. So, be prepared to think more widely than your current scope of understanding, and do a lot of reading and extra learning.

    We have seen other acronyms in our space,...

  16. CHAPTER 10: MAY - POLITICS AND MANAGEMENT
    (pp. 184-192)

    Wikipedia describes ‘situational awareness’ as:

    The perception of environmental elements with respect to time and/or space, the comprehension of their meaning, and the projection of their status after some variable has changed, such as time... It is also a field of study concerned with perception of the environment critical to decision-makers in complex, dynamic areas.

    In many ways, the construction of this book is about pulling together a lot of elements that are important to the ISM role because they help you to maintain your situational awareness. An understanding of the impact of politics is part of that jigsaw.

    This...

  17. CHAPTER 11: JUNE - WHAT THE AUDITORS SHOULDN’T KNOW…
    (pp. 193-210)

    The relationship with internal audit can often be fractious, but at the outset of this book, the intention was to portray information security in a positive light. Befriending internal audit is very much part of the experience, because you can so often find that any changes you need to implement have already been identified, long ago and many times over, in previous audit reports.

    In the case of the organisation at the heart of many of these experiences, it had been subject to ‘special measures’ and was fraught with political infighting. This had a highly detrimental impact on the ability...

  18. CHAPTER 12: JULY - JOURNEY’S END… AND CONCLUSION
    (pp. 211-216)

    When your pet project gets cancelled, how do you move forward? Therein lies the rub of labelling anything in the information security space as a ‘project’. As we have seen throughout this book, it needs to be incorporated into the DNA of the organisational infrastructure and so there is no ending, as it is constantly changing and adapting to the threat and vulnerability landscape within which we are operating.

    Equally, as an ISM, you need to know the business. The IT community in its entirety is so often charged with ‘not understanding the business’, so as a professional (see section...

  19. APPENDIX 1: SECURITY AWARENESS THEMES
    (pp. 217-221)
  20. APPENDIX 2: ISM ACTIVITIES
    (pp. 222-225)
  21. APPENDIX 3: RESOURCES
    (pp. 226-233)
  22. ITG RESOURCES
    (pp. 234-237)