Like the UK Information Security industry's Ron Burgundy - Greg van der Gaast is "kind of a big deal round here" - no word on how many leather-bound books he has or whether his apartment smells like rich mahogany, sadly. But when he published his book Rethinking Infosec: Thoughts on why today's Information Security doesn't work, and how we can do better, I made it a priority to read and review for Comfortably Dumb.
Greg is a constant contributor back into the field and is a big proponent of the information-sharing culture that makes me so passionate about working in and writing about this industry. Sadly, projects of my own required exceptional amounts of time away from writing for this site - but I thought it best that my return to form be honouring my word to Greg to review his book and give it some much-deserved publicity.
Buy it here: https://amzn.to/2ZRO7Tj
What's In The Book?
The contents of this book and the way the book is structured reminded me an awful lot of one of a book written by Charlie Brooker called The Hell of It All. It came out quite some time ago, and was a collection of columns that Charlie had written, usually on a specific topic and full of his trademark acerbic wit and nihilistic humour that fans of his love.
This book is structured in a similar way - with each chapter being short, sharp and focused on a given "point" that Greg is making.
Topics run the gamut from Information Security hiring practices, the overemphasis on compliance over actual secure practices, overcomplicating for profit, and the industry at large - all these and many more are addressed within this book. There is no real "structure" to this book, and topics will range from technically-minded to general opinion to calls-to-action for change and back again.
Some may not enjoy the thematic whiplash this then causes, but I honestly thought that it contributed to a book that one could open at any page and understand the general points being made.
How Long Is The Book?
Rethinking Infosec, according to Amazon, weighs in at 240 pages. However, this can sometimes differ based on the medium on which you read Greg's book.
How Easy Is It To Read?
This book is written in a breezy, irreverent tone that makes each short chapter engaging. It makes no attempts to explain certain introduced concepts or the purpose of the compliance/regulatory frameworks it references.
However, this can ostensibly be explained by the target audience being other information security professionals. So depending on how initiated into the industry you are, you might require the odd term Googling - but you should have no issues getting through Rethinking Infosec, it is at no point dense or impenetrable and is a breeze to get through.
Overall Impression:
I want to start this review portion off by saying that having written a sizable book of my own (and with my second in editing), and self-published it, I acutely appreciate how difficult and daunting a project of that size actually is. I highly recommend giving it a try and applaud anyone that does.
This book, in my opinion, feels a lot like a shuffled deck of cards. Each card has Greg's opinion about a given aspect of the industry or the practice of cybersecurity on it.
There are a few main "themes" (the suits, in this analogy) - hiring practices need overhauling, we're too enamoured with shiny blinky-boxes and compliance, basic security hygiene and the basics done well will prevent the majority of breaches and some "down with this sort of thing!" chapters thrown in too.
However, these disparate thoughts on what I would describe as fairly similar semantically are not organised together in any way. Like I mentioned before, there is a thematic whiplash from chapter to chapter that stops the book from building momentum in the reader's mind.
I think the lack of a narrative "thread" running through the book (what is the main thing the book is trying to say?) and the lack of thematic organization of the book's content stops the book succeeding as a sort of "call to arms" or manifesto for widespread systemic change. There are few prescriptions for practical steps of what to do after you go "Yeah, we do need to do that!"
Greg may disagree with me here (after all, he did write the thing), but I do not think that was the aim of the book. Read as a sort of "Finally, someone's saying the quiet part out loud!" collection of opinions and thoughts, in the vein of books like The Hell of It All, Rethinking Infosec becomes in my opinion very successful in its aim. A lot of uncomfortable truths are brought up in an easily understood and digestible manner (no mean feat in and of itself) and I did not disagree with very much of what Greg was saying at all. Greg makes several points that all cybersecurity professionals should take note of.
I overall highly recommend giving this book some real time, and think it makes a lot of exceptional points. Structurally, I think it could do with one more round of editing and collecting thematically similar chapters together to prevent the whiplash effect. However, as a fellow writer and author, I think Greg has done an excellent job.
How much does it cost?
Rethinking InfoSec is currently on sale for £23.99 for the paperback version and £6.99 for the Kindle version (which is a god damn steal).
Buy it here: https://amzn.to/2ZRO7Tj
Commenti