REVIEW: "Into the Breach", Michael J. Santarcangelo


BKINTBRE.RVW   20091012

"Into the Breach", Michael J. Santarcangelo, 2008, 978-0-9816363-0-6
%A   Michael J. Santarcangelo
%C   New York, USA
%D   2008
%G   978-0-9816363-0-6 0-9816363-0-6
%I   Catalyst Media
%O   Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   110 p.
%T   "Into the Breach"

The introduction states that security (which seems to be limited to
disclosure or breaches) is a "people" problem, and therefore requires
social solutions.  This addresses a common problem: security
professionals, and even non-technical managers, concentrate on
breaches in systems and thus miss the real heart of the matter:

Although not overtly stated, part one seems to be related to the first
stage in the Strategy to Protect Information, understanding
information.  Chapter one repeats the position that breaches are a
human problem.  Security awareness is promoted in chapter two.  In
chapter three an analogy is drawn between faddish security and crash
dieting, noting that neither works.  Chapter four addresses risk

Part two suggests managing people.  Chapter five outlines the
aforementioned Strategy to Protect Information: understand your
information assets, manage and communicate with your people, and
optimize your processes and systems.  Implementing this strategy is
seen, in chapter six, as a five-step process: learn the jobs, gather
information, prioritize, plan, and communicate.  Steps seem to be
missing, such as dividing your data or systems into elements for the
process.  Guidance for planning is limited.  Chapter seven suggests
making a trial run with a pilot project, which is a good idea.
Measurement of the success of the project is discussed in chapter

Part three deals with improvement.  Chapter nine notes that the
strategy benefits overall management, which is unsurprising, since it
is basically a general management process.  Chapter ten notes that the
costs of compliance with regulations or standards are also partially
covered, since a significant portion of the initial cost of compliance
consists of the kind of research and analysis the strategy demands.
(However, a great deal of the content simply emphasizes the
importance of compliance.)  The advice about outsourcing, in chapter
eleven, seems to be to audit the vendor.  Chapter twelve closes off
the book with an exhortation to act.

Although generic, the strategy proposed is sound and likely useful.
This slim volume would help a significant number of managers and
security practitioners who are caught up in the latest security fad or
device, to the detriment of actual business (and personnel) needs.

copyright Robert M. Slade, 2009    BKINTBRE.RVW   20091012
