Library

Volume 16, Number 1, March 2013

Book Review

    Abstract

    Review

    Bill Stackpole and Eric Oksendahl, Security Strategy—From Requirements to Reality, Auerbach Publications, Boca Raton, FL, 2011 (ISBN 978-1-4398-2733-8).

    Reviewed by: Marcus Thompson, University of New South Wales in Canberra

    Security and strategy are two terms that are seldom linked in business literature and corporate manuals. Security is all too often perceived as a hindrance to commercial performance and assigned to single line departments as a compliance matter. This means that mid-level managers in an organisation tend to focus on security within their immediate business unit without an understanding of the broader security requirements of the organisation or other business units. In an age where customer loyalty can be critical to the enduring profitability of a corporation, and trust is critical to the reputation of public sector and not-for-profit organisations, a stove-piped approach to security can be disastrous.

    Security Strategy – From Requirements to Reality, written by Bill Stackpole and Eric Oksendahl articulates an aim to bring together executive managers and security practitioners to present a single and united security methodology for their organisation. It is based on the personal experiences and lessons learned by the authors, both of whom have extensive experience in designing and implementing security strategies in large corporations. The book focuses on security strategy planning and execution and presents security as an integral element of any business. While it consistently refers to information technology security, it is sufficiently generic to have broad utility across all aspects of physical, personnel and information security, and to be applied within any organisation; large or small, public or privately owned, commercial or not-for-profit.

    Achieving a comprehensive view of security strategy is a complex task. The book is deliberately presented in two parts. The first part focuses on business strategy, and is written to be understood by security practitioners. The second part of the book focuses on the tactics needed to implement strategy, and is written to be understood by executive managers. The strength of this approach is that both readership groups can gain an understanding and awareness of each other’s domain and can work together to achieve collective organisational success.

    The book advocates the creation of a corporate security culture as the only way that organisations can achieve their security goals. It describes how, in most organisations, the people responsible for security are technical experts who react to the strategic plan that is produced in isolation by the upper echelon of the organisation. The book then presents a variety of strategic planning methods, models and governance structures that can be used to bridge this gap and generate the desired collective organisational security culture. While the authors stress that there is no perfect method to make a perfect strategy, the first part of the book steps the reader through the inputs and factors that should be considered in the development of an effective security strategy.

    Importantly, the second part of the book includes useful tactics and techniques that should be incorporated into any security strategy. These include concepts such as defence in depth, observation, accountability, incident response, active defence, outsourcing and personnel training. This part of the book essentially forms a series of checklists for security controls for implementing security across an organisation.

    While Security Strategy – From Requirements to Reality is, by design, a high level and generic consideration of security strategy, it contains information that is applicable to any organisation that seeks to develop and execute an enduring state of security. It is applicable to senior managers, security practitioners and anyone seeking a greater understanding of the generic principles that contribute to an effective organisational security strategies.