When I saw Mike Rothman’s name on the San Diego ISSA meeting speaker list, I tried to be the first person in the room. Yes, there were more technical talks I could have attended, but why would I want to? If you have never seen or talked to Mike, he is gruff, funny, and knowledgeable about security. I consider Mike to be a friend, so it wasn’t a surprise that he would send me an autographed copy of his self-published book (which you will not find on Amazon or B&N). Trust me, that didn’t influence my opinion one way or another, but the inscription was definitely nice. What did influence my opinion of the book was the content between its covers. Once I started reading it, I actually put down the other half dozen books I got until I finished every last word. Me? Finishing a book? I know, as crazy as it sounds, I managed to finish this one last night on a flight home.
Where to start? I think the thing I like about this book is that it’s attempting to be relevant, not just to today’s problems, but to all future problems. It’s trying to drop the techno-babble that we all tend to get stuck on, and start talking about how to run a business - a security business no less. He takes a tongue-in-cheek approach to his lesson, which is that of the CSO as an addict. CSOs have a tendency to live on the edge, closer to the life of a firefighter than that of an executive. He tries to break the bad habits by discouraging the old school attitude that the security community tends to have - forgetting the modern day reality of monetary gain as a key motivator for malicious hacking.
At first I thought I’d like the book, with quotes like, “I’ve got two dogs at home. I don’t need any more friends.” Then I thought I’d hate the book when the main character, “Mike” said that his tests came back almost completely clean (because they almost never are, unless you really don’t know what you’re doing). But then, almost at the end of the book he pulled it out for me. He really ripped into why vulnerability assessments are critical to understanding your security and then the main character, “Mike” explained that he too had a laundry list of vulnerabilities. Whew! Mike Rothman gets it. One of the best quotes in the book for me was “Good Security = Compliance (but not vice versa)”. Oh, he so got me there. I fell in love with this book.
Not only did he manage to cover a very complex topic, which is that of a troubled CSO in a changing world, but he also managed to make it clear that certain types of testing were critical to business success (including application testing). He also had an interesting take on using actual exploits, and social engineering during the penetration test. He said a number of times that the people who feel that you shouldn’t use those or that it is unethical to do to your staff are wrong. No, I’m not oversimplifying his words. He says they are “wrong”. Bad guys do not follow a code of ethics and neither should anyone who wants to test their security as if they were a bad guy. Bad guys do whatever it takes to break in (understanding, of course, that your data may or may not be valuable enough to risk their freedom for).
Similarly, I loved his comments about not following best practices and not using the same thing as everyone else. He’s hinting at some of the things I’ve discussed before regarding bio-diversity in networking and applications. It’s an interesting topic to see in a book like this, but I’m glad to see it in there.
Throughout the book Mike puts in statements like, “use common sense”, which I often think are missing from books like this. He’s absolutely right, of course. I think that thread echoes throughout his book. It’s not a technical book; it’s a book on changing your thinking to get you ahead of the assailant, in the good graces of your executive staff and into audit compliance. I’ve run into countless people in the industry who desperately need to read this book so that they too can get a clue. It’s not rocket science. It’s the art of running security like a business. Five stars, Mike!