The authors state that the practice of Information Security is flawed in many ways (something I don’t disagree with in many ways).
This is not a book about information security, but a call for the practice of it to change…to grow up so to speak.
The authors want the practice of InfoSec to be based on hard data and suggest that many approaches just don’t do very much, or are not worth the cost.
With shout-outs to the OODA, Moneyball, security economics, and psychology, it is an interesting read.
For the last six months I have been doing network engineering (rather than information security engineering), so I have been looking at the practice of information security with an outsider’s PoV. While I still enjoy much of the tactical work of network security and other aspects of information security, at the strategic level, I question many of the “best practices”. Too much is really driven by auditors’ canned interpretations of SOX requirements. Information security programs often are just checklists of controls mandated by auditors. Whether the control is useful or cost-effective is a secondary consideration.