Introduction


There are many debates as to where the information and information systems security (InfoSec) and the information systems security officer (ISSO) position fit in a company or government entity. Some believe it belongs in the information technology (IT) department, others say it belongs in the security department. Others believe it should report to the CEO, CIO, or some level of executive management other than the two mentioned.

The IT people may want control of the InfoSec function so that they can ensure that it does not hamper their IT functions. A corporate security manager may want the function to be sure these valuable assets, like other assets whose protection is the responsibility of the security department, are properly protected.

Four individuals, with different backgrounds and InfoSec responsibilities over the many years they have been in the business, share their views on InfoSec and the ISSO function. They are:

  • William "Bill" C. Boni: Mr. Boni is the Vice President and Chief Information Security Officer, Motorola Information Protection Services (MIPS), Motorola Corporation.

  • Edward Halibozek: Mr. Halibozek is the Corporate Director of Security, and IS Sector & Western Region Manager—Security, for a multi-billion-dollar, global corporation headquartered in Los Angeles, California, USA.

  • Andy Jones: Mr. Jones was the business manager for the Secure e-Business department of QinetiQ, the privatized portion of Defense Evaluation and Research Agency (DERA), Malvern, United Kingdom. He is now a senior lecturer at the University of Glamorgan, Wales, United Kingdom.

  • Steve Lutz: Mr. Lutz is the President, WaySecure, an information and information systems security international consulting specialist.

William C. Boni

Information security is one of the fastest growing professions at this time. The combination of the terrorist attacks of September 11, 2001, and the increasingly critical role of information systems and technology in global business have contributed to that increase. As this book was being written, the Internet was subjected to an attack against the core infrastructure, terrorists and nation-states are reported to be honing their skills for future cyber attacks, and criminals are siphoning off profits from electronic commerce systems around the globe. There has never been a greater need nor greater appreciation of the need for capable, skilled information security professionals to guard the frontiers of businesses and nations.

Yet, as the importance of information security has increased, the field has become crowded with "instant experts." Many of those who now call themselves "experts" owe their current notoriety to some specific technical skill or to short periods of time in consulting or vendor organizations. Most who publish books and articles on information security have never held the accountability for protecting major organizations against the dizzying array of risks nor dealt with the harsh realities of doing so in the context of corporate cultures, politics, and the grind of daily operations.

In contrast, you hold in your hands a book containing the distilled wisdom of 40 years of practical experience from one of the original leaders in Information Security. Dr. Kovacich, "Jerry" to his many friends and admirers, has spent a lifetime developing and perfecting the materials that are the core content of this book. The original has held up over the years precisely because it is "technology independent." The assumption is that a reader has either attained already or can obtain from other books, courses, and seminars the technical skills to work in the information security field.

Therefore, if you are looking for technical solutions to the current or latest set of acronym challenges, then this is not the book you want to buy. However, if you are an information security professional seeking to understand what it takes to be successful as a manager and to become a leader in your organization and ultimately in the profession, then you have the right book.

Students considering their career options, as well as professionals in other but related fields such as information technology (IT), physical security, or IT audit, will also find the information presented so artfully by Dr. Kovacich to be of great value. Readers from all these backgrounds will find this book expands their knowledge of the many activities involved in establishing and sustaining an organization's information security program.

This updated and expanded edition builds upon the content that made the original volume one of the best-selling security books ever published. What the Guide does that is different, perhaps unique in the information security field, is to coach, mentor, and tutor the reader in the various managerial and operational skills that will assure a more successful and ultimately more satisfying career.

From my personal experience I can testify to the practical wisdom that is captured in these pages. I owe a significant part of my professional success and achievement to actually applying many of the methods and techniques described in the original Guide. Over the past six years I have recommended the previous edition to countless aspiring information security professionals, and note with satisfaction that many found the content to be key to their successful participation in the rapidly burgeoning information security profession.

Understand that a keen appreciation and lifelong commitment to information technology will be required for success as an information security practitioner. However much that background is necessary, it alone is not sufficient for professional success and personal satisfaction. Those who aspire to leadership and seek to become the managers, directors, and Vice Presidents of Information Security in the future will enjoy and learn much in the Guide that will support their success. I believe they will find, as I have, that Dr. Kovacich has provided them with knowledge that better prepares them for the challenges of managing these important responsibilities.


The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204