The book itself was quite difficult to write in the beginning. It was not similar to anything available, and honing in on the right balance of philosophy and practical example to achieve maximum impact, proved challenging. Additionally, knowing what you want to say is easy, but relating it to the world is not. Because the book is focused on "all audiences," not just technical gurus or security professionals, great editorial care had to be taken to make the book easy-to-read, with minimal technical acronyms.

What kind of response did you get from the security community to your book? Are you satisfied with the results?

The feedback has been tremendous. When exploring a new approach you can never be sure how readers will respond. In the short time since its publication, Inside the Security Mind has received Kudos from several infosec publications and security leaders (like Stephen Northcutt of SANS). I am also pleased to hear the enthusiastic feedback on the "philosophy and concepts", which are the core focus of the book.

What do you see as the major problems in online security today?

Thankfully we have evolved beyond the question "Is information security a problem," which was the first major hurdle. Now we are stuck on the concept that information security is a person that comes in to fix our security issues when we need help. All to often, the need for security is triggered by a limited set of circumstances. "Adding a new WAN link? Giving access to remove users? Suring the net? Let's call in the Security Experts first". So the problem is such:

Security cannot be isolated to such simplistic triggering events as is commonly recognized by executive and management staff. But how do we train the Executives, Managers, and Technical staff to see beyond this and to know when and where security issues need attention.


The primary goal of my book is to train people how to "think" in terms of security and how to be better equipped to recognize security issues. Security will continue to be a problem if only "security professionals" recognize and address security issues. To truly be secure, every manager, director, and technician in an organization needs to have some understanding of basic security principles.

What do you think about the full disclosure of vulnerabilities?

As the arguments rage back and forth with the pros and cons of disclosing information on vulnerabilities, a few ideas have been widely accepted.

1. Vendors are more incensed to write, "Bug free code" and to respond to exposures and exploits if they are publicly known.

Conversely

2. Making the exposure publicly known opens a window of opportunity for every script-kiddy in the world to use it to their advantage.