By Jeffrey S. Bardin; Reviewed by Paul H. Aubé, CPP
The Illusion of Due Diligence isn't a security textbook, it's CISO war stories from inside the corporate belly.
The Illusion of Due Diligence: Notes from the CISO Underground. By Jeffrey S. Bardin; published by CreateSpace, www.createspace.com; 214 pages; $13.99.
In The Illusion of Due Diligence, author Jeffrey S. Bardin is not trying to demystify the art of due diligence from the chief information security officer’s (CISO) perspective. The book instead demonstrates “the relative immaturity of the profession in the face of such well-heeled and established organizational icons that a CISO faces.”
Bardin’s message is presented inquisitively: “What do you do when ethical behavior, integrity, corporate due diligence, and attorney-client privilege collide in a cacophony of biased opinion and or negligence?”
This isn’t an information security textbook so much as a collection of anonymized case studies about dealing with senior management as an information security professional. The text presents a number of corporate “skirmishes” ranging from instances of careless network management to unethical behavior and blatant conflicts of interest. The stories feature all of the seven deadly sins—including pride, sloth, lust, and the ever-present greed—but from an information security point of view.
This easy-to-read, pocket-size book begins with an overview of the code of ethics of the IT security certification body (ISC)2. The most useful parts are the self-assessed “situational reviews” after each story, individual learning experiences that offer lessons for any reader. After the case studies, Bardin concludes the book with some useful personal insights.
Bardin decided to share his professional “scars” so that information security and risk professionals will save themselves from his fate and “solve their problems with integrity and ethical behavior.” His text is an especially worthwhile read for IT security professionals interested in doing the right thing, even when those around them aren’t, and it will illustrate to managers and investigators that faults often attributed to IT systems are in fact the work of the people who design and use them.
Reviewer: Paul H. Aubé, B.Sc., CPP, CAS (Certified Antiterrorism Specialist), is an assistant director for security at Ecole Polytechnique in Montreal and an independent consultant. He has been a security professional for more than 20 years and is a member of the ASIS Global Terrorism, Political Instability, and International Crime Council. He received ASIS’s Distinguished Achievement Award in 2003 and is a former chair of the Montreal Chapter.