THE MAGAZINE

IT Security: Risking the Corporation.

By Brent Campbell

IT Security: Risking the Corporation. By Linda McCarthy; published by Prentice Hall PTR, www.phptr.com (Web); 272 pages; $26.99.

Experience may be the best teacher, but it can also be the most expensive one. This is particularly true when the costs of the lessons learned are the loss of integrity and confidentiality of business data. The much more economical way is to learn from the mistakes of others. That's where IT Security: Risking the Corporation provides its value. Author Linda McCarthy, a computer security auditor, shares her experiences regarding companies that retained her after confidential information was exposed or put at risk.

This is not a how-to book. Forget about details on securing networks from hackers and insider threats. The book's purpose is to drive home the point that leaving critical data on an unsecured network is tantamount to leaving the doors to the company's headquarters unlocked during a long weekend. Readers learn from real-life examples of how information is at risk on a network and how to start the process of securing it.

After recognizing themselves in one or more scenarios, nontechnical readers will come away with a list of questions to ask and a new realization of their vulnerability. Systems administrators and technical types will find value here as well. For them, the book demonstrates how relating problems in terms of business risk, rather than in technical jargon, can gain the ear of management and possibly the resources needed to secure their systems.

McCarthy writes in a friendly, conversational manner and tries to keep the tone light. Though it contains a few technical terms, the book is written in plain English, and a glossary explains anything that might be unfamiliar to the nontechnical person.

Each chapter presents a scenario based on a situation that the author encountered during an audit, though she alters details to protect client confidentiality. For each scenario, McCarthy tells how she carried out her investigation and what her findings were. She explains the risks uncovered in her probe and what was done to fix the problem, all without getting too technical. Then the book gives a summary of lessons learned and a checklist of questions that readers can use to assess their own preparedness.

After reading this book, security professionals and IT personnel can identify their risks and begin the process of protecting the confidentiality, integrity, and availability of data. Or they can wait and learn the hard way, when the schematics for the company's latest product or the private electronic communications among executives find their way into the hands of competitors.

Reviewer: Brent Campbell is a manager at Computer Sciences Corporation in Falls Church, Virginia. He is a member of the ASIS International IT Security Council.
