How long did it take you to write "Mission-Critical Security Planner: When Hackers Won't Take No for an Answer" and what was it like?
The book took a little over two years to write. Writing a book is a very exciting and somewhat spiritual process for me -- I feel as though writing is something I'm "supposed" to do in this life. At the same time, it's incredibly exhausting. This particular book required a great amount of up-front conceptual forethought. From the beginning, the goal of Mission Critical Security Planner was to make the life of the reader easier. Carol Long (the fantastic Wiley executive editor I worked with) and I kept the pressure on ourselves throughout the writing/editing process, making sure we never forgot that goal. Whenever I wrote anything, we asked ourselves 1) will this make a security person's life easier, and how, and 2) is this an actionable/workable/usable approach, because if it isn't, go back to the drawing board. We set out to provide a workable, actionable security planning approach. Since no such approach existed (my reason for writing the book), I needed to find answers to problems that didn't exist. I would spend endless hours going over and over various approaches to modelling secure distributed computing and, very importantly, ways of synthesizing that model into something the reader can immediately use. As we applied the principles of Mission Critical Security Planning in our NetFrameworks security consulting work, we went back and refined the book's content to reflect our experiences. We didn't just write about mission critical security planning; we lived it.
If you could start working on the book all over again, what changes would you make?
There are no changes; this book was a great journey from start to finish and a very enjoyable process working with Carol Long and Wiley, the publisher.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
Boy, that's a tough question. As folks working in security, we keep seeing so many areas for improvement, not just one thing. At the same time, I can say one thing comes to mind, right at the top -- disablement. Administrators don't disable enough. Software developers don't disable enough. Security is disablement. Disable network protocols, applications, and features of all kinds that you don't need. Software comes shipped by vendors today with too much enabled; that's one of our biggest problems in security. There's too much focus on getting things working (maximum enablement) and not enough on security, wherein security, by my definition, implies maximum disablement.
What is, in your opinion, the biggest challenge in protecting information at the enterprise level?