Thursday, 6 June 2019

Book Review - You'll See This Message When It Is Too Late - The Legal and Economic Aftermath of Cybersecurity Breaches

This is another of my irregular series of book reviews for the British Computer Society (BCS), who kindly provided me with a review hard-copy of this publication.

You'll See This Message When It Is Too Late
The Legal and Economic Aftermath of Cybersecurity Breaches

By Josephine Wolff

https://mitpress.mit.edu/books/youll-see-message-when-it-too-late

The title of this book gives away the core message, but in a very subtle way.

During the first few chapters, the author, Professor Josephine Wolff, walks through a number of high-profile security incidents affecting public and private sector organisations as diverse as the US Office of Personnel Management, the certificate authority DigiNotar, and the dating website Ashley Madison.

In each case, she describes the technical details of the security breach, the political and organisational landscape of the affected organisation, the key stakeholders (employees, customers, interested parties) and, most importantly, how the incident was reported, mitigated and defended, the latter in the context of the personal, political and financial ramifications.

For me, as a technologist, this book was not the technical deep-dive analysis of security breaches that I initially thought I was seeking; instead, it made me appreciate the deeper impact of such a breach, especially in the way that organisations seek to spread the blame far and wide.

Additionally, Professor Wolff spends a fair amount of the book looking at the instigators of each breach, and explains how their motives vary from financial gain (perhaps easier to understand) to political and strategic aims (espionage and geopolitics).

This makes the book a very compelling read, and emphasises why this should be on the required reading list for anyone responsible for, or even just interested in, information security.

The book serves to provide a very credible alternative to the image of IT security portrayed by television and the cinema, and sits nicely alongside the reportage provided by the information security industry, and the journalists and analysts who report on its trials and tribulations.

I sincerely recommend this to anyone with more than a passing interest in information security, and give it 10 out of 10 for breadth, depth and detail.
