PREFACE

This book has been spawned from years of experience in the UK information security industry, both from being in the role of ‘information security manager’ myself and from observing many individuals take on the role of ‘information security manager’ from a standing start, it having been neither their original role nor anything like a deliberate career choice. Let’s be honest, you don’t hear many (any?) teenagers planning to leave school to be an information security manager! The role is often gifted to an individual, on top of their existing, hugely busy, day job, because the person handing over the ‘gift’ does not understand the breadth of what is required. The individual in receipt of the ‘gift’ is therefore not afforded the time or the respect required to provide appropriate advice and guidance for the protection of the organisation’s information assets, nor to actively encourage colleagues to do likewise.

The hope of this book is to provide a coalface view of what that breadth actually looks like in action. I spent a year during my PhD studies taking on the role of information security manager for a UK public sector body, and quickly realised the benefit of keeping copious notes! In academic circles this is known as ‘participant observation’, and it was carried out as part of PhD research into embedding best-practice information assurance. I observed a great many incidents, events and risks, and also participated in creating innovative solutions to address them; the results are worth putting together in this tome. Almost every day brought with it a little gem for which, if you were not ‘in tune’ with the wonders that are the breadth of information security, you might have missed both the cause and the potential mitigation and lessons-learnt elements.

This book is effectively written in the voice of the ‘project lessons learnt’, which were harshly, but fairly, recorded after phase one of a long project. Given that the book is based on a real project that took place several years ago, the text is imbued with a great deal of hindsight. However, those lessons could no doubt be written by many people in any organisation. Part of my current research looks into the whys and wherefores of organisations creating lessons-learnt logs but not actually learning the lessons well and implementing the required changes in practice. The work is appropriately anonymised.

Whilst some of these issues and incidents took place in 2009 and 2010 and may be out of date (one can only hope), you may still be living through similar experiences, and the lessons learnt hold true for most situations.

So, I share this with you in the hope that you will either find that it resonates and feel reassured that you are not going insane, or that you will start to see things differently and know what to watch out for in the future with heightened antennae.
