Foreword

Throughout my career in government and private industry, I have seen many approaches to securing information systems and managing risks. One question I get asked repeatedly is, “How do I know when I have enough people, process, or technology to manage risk effectively?” In government and regulated sectors, the response to this question is driven by a complex assortment of standards, mandates, and laws pushing to compliance. In private industry, we often see businesses conforming to “best practices” or “industry standards” as a baseline. While conforming to regulatory or legal requirements is a good start, it really is just the bare minimum if an organization wants to excel and mature in risk management. For years I have said, “One can be compliant but still be insecure, and we need to make sure that by being secure we become compliant.”

Schou and Hernandez’s book provides a leadership view of information assurance and a practical perspective for both practitioners and aspiring leaders. They take the reader through the international dimensions of risk management for strategic leaders and senior management. Their approach not only guides the reader through the necessary elements of managing risk in today’s ever-changing IT environment, but also explains why information assurance is important in creating and maintaining a competitive advantage in today’s global economy. They give the reader practical advice for approaching information assurance for emerging technologies, such as the cloud and big data, without getting caught up in the technical details that may confuse or distract leadership.

When I served as vice chair of the President’s Critical Infrastructure Protection Board and later as the first Cyber-Security Coordinator of the Obama Administration, I worked with Dr. Schou to improve the responsiveness of academia to both government and industry needs. In the preparation of the U.S. National Strategy to Secure CyberSpace and subsequently in the National Strategy for Trusted Identities in Cyberspace, the essential linkage between strategic leadership and operations was critical. One of the most difficult challenges I faced was conveying risk; good news needs to travel fast, but bad news needs to travel faster. It is critical to pass the bad news on to senior leaders who may not have an extensive background in information technology or security.

This book functions as a bidirectional guide for leadership and operational personnel alike. For those who are more focused on operational and technical issues, the book provides a guide to why senior leaders insist on specific procedures and visibility. For senior leaders, this book provides information about organizational objectives while explaining some of the limitations and capabilities of today’s information assurance risk management tools and professionals. The authors offer real-world examples of applying information assurance in industries such as healthcare, retail, and industrial control systems.

This book takes a broad perspective and is a nexus of information assurance practice, policy, strategy, and implementation applicable to a diverse audience. It provides an up-to-date guide covering some of the best information assurance practices found internationally. System administrators can use the book to understand how risk management operates throughout their organization and why their role is significant. Government leaders can gain new insights into cloud computing concerns and how big data integrates with information assurance and risk management. As the authors state in their introduction, “If you need help, read this book!”

—Howard A. Schmidt, Partner, Ridge Schmidt Cyber LLC, and former Cyber-Security Coordinator of the Obama Administration
