Interview with Scott Barman, author of "Writing Information Security Policies"
by Mirko Zorz - Thursday, 10 April 2003.
After taking a month off to recover, I restarted writing and spent the next four months finishing the last 75 percent of the book. Finishing the book was one of my last promises to Elisa. I never broke a promise to her and I was not going to start at that time. She would have been proud of me.

Since Elisa died, I am committed to finding a cure for cancer. I have teamed up with the National Foundation for Cancer Research (NFCR) to look for that cure. All the money earned from buying my book is donated to NFCR. I am also a member of the Amazon.com Associates Program. All commissions earned from any sales through my website are also donated to NFCR. If you buy from Amazon.com, please do so by clicking through my site first. That way we can raise more money for cancer research!

If you could start writing the book all over again, would you change anything?

Other than my personal situation, I would add a chapter on mobile code policies and one on how to write policies for portable devices like PDAs, notebooks, cell phones, etc.

How important are, in your opinion, security policies when it comes to the overall security architecture?

I think that security policies are the most underrated aspect of any information security program. In chapter 1 I write "They provide the blueprints for an overall security program just as a specification defines your next product." How do you tell your administrators to configure a firewall if you don't have a policy to specify what you are protecting? Policies are the foundation for a sound infosec program.

Handheld devices are now owned by many people who use them for business purposes, which makes companies more susceptible to wireless security problems. In your opinion, what is a good approach in writing a wireless and handheld device usage policy to safeguard the corporate network?

Handheld devices, like any new technology, come with a lot of security issues. The first thing I would do is a risk assessment of the device. The risk assessment would look at how the device is used, what its capabilities are, and what risks are being added to the environment. Once I have that information, I would then look at the proposed mitigations and write a policy that would allow me to mitigate the risks I am unwilling to accept.

For any technology, old or new, this is a good approach to devise a policy. It also allows you to better understand the technology and how it is being used and its effect on information security.

What is, in your opinion, the biggest challenge in protecting information at the enterprise level?

Watching the threat from the insider. Everyone focuses on the attacker from the Internet or what can happen outside of the enterprise. However, statistics continue to show that the biggest threat continues to come from insiders. And sometimes it is a challenge to determine who the insiders are that could cause problems.
