Building an Information Security Awareness Program

There are two main reasons that led me to this conclusion. Firstly, the book focuses primarily on information security rather than security awareness per se. The book is written in the sense of giving sage advice to someone who has recently joined a fairly large company as Chief Information Security Officer rather than Head of Information Security Awareness. A selection of awareness topics are covered, of course, but it is almost as if these aspects have been added on to the main text about information security. One could argue that somebody new to security awareness might not have the grounding in information security and would need to learn more. The coverage in this book is so unstructured and incomplete, however, that it cannot honestly be recommended as a primer either on information security or on security awareness.

Secondly, and by far the biggest barrier to understanding, is the author's consistently bad writing style. Others have described it as "chatty" - excessively wordy and turgid are closer to the truth. Grammatical and punctuation errors do not help. There are sentences on virtually every page that are so convoluted and obscure that all meaning is lost. This is somewhat ironic given the author's insistence that security awareness materials should be written "for 9th graders". The text often meanders into side topics and then loses its way in the detail. A good editor should have pruned these asides 'back to the green wood' in order to maintain the flow of the text. Indeed, it is entirely possible that the editor's red pen has already trimmed out a lot of dead branches, but I kept wishing that more savage cuts had been made. The author clearly has strong feelings about certain pet hates. He attacks concepts such as organizational culture, for example, in cynical language ("idealistic mumbo jumbo" is one choice phrase!). Highly biased coverage of statistics in Chapter 18, probably the worst chapter in the book, completely undermines the author's otherwise good points about the need to measure an awareness program.

That said, the book will remain on my bookshelf because of the useful chapter summaries and a handful of good ideas that surfaced from the text. I liked the suggestion to interview managers to explore their security priorities, thereby drawing them into the awareness program. Gathering and sifting through pre-existing security awareness materials seems well worthwhile. As an ex-auditor, I appreciated the emphasis on working with the auditors to address their information security concerns. So there we are, the book's best parts covered in three short sentences. If only the author had been so succinct.

Rating:
Summary: Excellent info, tone too chatty
Review: This book has great information for the person who has been tasked with creating an Information Security Awareness program at a business which has never previously had one. Good tips on developing Info Security policies, and getting management backing for the policies and awareness program. It would be a great tool for someone wanting to learn how to assess the corporate culture of a new job, if you're not a people person. The only quibble I have is the tone is way too chatty and informal, which gets annoying at times. But well worth the read!