Tailor a swift infosec reading list
August 10, 2015 1:14 AM

I have a new role where I will soon have to speak to IT Directors about Information Security. Good general primers out there to get me started on Infosec?

I'm trying to get myself up to some level of comfort with talking InfoSec. Recommendations for reading/watching material for all areas (strategy, operations, technical and cultural... the works basically).

I have been "in IT" for over a decade, but with more of a focus on the business side of things (making money, providing a service), so I know some jargon but am not "techy" by tech people's standards. If you can provide links or recommendations at different levels of expertise I'd be obliged!
posted by Gratishades to Technology (8 answers total) 18 users marked this as a favorite
The Australian Government has a Protective Security Policy Framework which covers infosec. The framework sets out mandatory and strongly recommended requirements easily adaptable to any environment.

Read in conjunction with the Australian Signals Directorate's Information Security Manual (ISM), and in particular, the 35 recommended strategies for mitigating the risk of cyber intrusion. The top 4 controls alone - application whitelisting, application patching, OS patching, and restricting admin privs - are supposed to mitigate 85 per cent of attacks.

States-side, check out the NIST Cybersecurity Framework.

Finally, ask if somebody in your internal audit team is a member of ISACA; if so, ask them to grab you a copy of this.
posted by obiwanwasabi at 2:03 AM on August 10, 2015

Best answer: Just saw you're in the UK. CESG is your friend - check out their policies and guidance, including their IAMM self-assessment tool. Again, government focus, but makes sense anywhere.
posted by obiwanwasabi at 2:07 AM on August 10, 2015 [2 favorites]

Are you going to be selling security products/services? Managing a security team? Interfacing between management and tech?

The most important thing to understand, and actually believe, as a business-oriented IT person, is that there is no security silver bullet. There is no product you can buy, no configuration you can apply, that will make systems secure against any but the most half-assed red team. Any person who tells you otherwise is either deluded or trying to sell you something that probably doesn't work.

All you can do is reduce and mitigate risks, and that's an ongoing process. When somebody says "and of course it needs to be secure", the first response should be "against who?" and the second "why?" (as in, why do we need security here? what are we protecting?)

Something else to keep in mind. Security best practices (like the ASD mitigation strategies obiwanwasabi linked) shouldn't be an aspirational goal. They're not the ceiling you're reaching for, they're the floor you stand on.
posted by russm at 2:57 AM on August 10, 2015 [5 favorites]

Best answer: I find Security Now a good way to keep up with current events in info sec. It's weekly and I can listen to it in the car. It is more consumer oriented but the news segments are still relevant.
posted by LoveHam at 4:26 AM on August 10, 2015 [1 favorite]

Become familiar with the ITIL security management process. ITIL seems to be everywhere in IT management these days, and familiarity now (and certification later, if that will benefit you) can help you have these conversations well--it will help you understand where they are coming from in these conversations.
posted by rachelpapers at 7:56 AM on August 10, 2015

Try giving these readings a skim. The author is a cybersecurity researcher who cares about protecting people's security and privacy, and understands that this always also means caring about the usability of our approaches. He reads recent papers from other security researchers and summarizes them, connecting them to the larger context of trends, weaknesses, important ongoing efforts, and so on.

If you will have to consider the security of web applications, also check out The Open Web Application Security Project (OWASP), which puts out a Top Ten list of common vulnerabilities (security flaws) in webapps.
posted by brainwane at 1:29 PM on August 10, 2015 [1 favorite]

One great place is the SANS Reading Room. Infosec Institute has a good bunch of stuff as well. I think those both are frequently going to have things that'll be useful. There's a ton of really solid ITSec blogs, I have an OPML file if you use a reader and I have A List Here. There's a bunch of great podcasts too, someone already mentioned Security Now.
posted by Blake at 7:28 PM on August 10, 2015 [1 favorite]

Infosec institute are plagiarists and awful people, probably don't want to give them traffic. See here.

Infosec basically runs on twitter, which is a fantastic news source (albeit with a bad signal to noise ratio). This is a good recent talk that explains how everything is horrible. Depending on the area of security you're interested in, the advice you get will vary dramatically. For example, what is good for securing the networks that journalists in the middle east use is usually horrible advice for your normal IT environment (and by the same token, your normal IT advice would be dangerous in that situation).

I think you'll easily find no shortage of opinions, the hard part is determining what applies to you.
posted by yeahwhatever at 4:37 PM on August 13, 2015
