I go into my classes in Information Security, and it’s probably more than one sentence, but I tell them I’m The Fried Egg Professor. I say this because I consider Cybersecurity management to be like maintaining the integrity of a fried egg.
Yolk: technical infrastructure that you need to protect. On its own, you can’t do anything with the yolk of an egg.
What you need around that is this albumin layer which protects the integrity of that yolk. I call that the formal structures that exist in an organization for the yolk to be protected. This really means that in order for the yolk to be very protected, you need a structure of rules, responsibilities, and accountabilities around that yolk which is going to assure the protection of information assets for the firm.
Now, the yolk of the egg and the albumin layer on their own can’t stand. They need to be incorporated into a culture, an organizational setting where people are interacting with each other, and I call that the white of an egg. And I call that the informal aspect of Information Security.
So in totality, when you talk about information security, you are talking about the integrity of that particular fried egg. You have to not only focus on the technical aspects, but also the formal, as well as behavioral aspects of an organization.
One of the biggest problems in the world of IS security is that many authors only focus on one aspect. That is okay, but then you don’t have the comprehensive view. So in this particular book, and that’s why I call it a book with an attitude, I bring this assertion that technical security is good, formal security is good, informal security is good, but you can’t look at them in isolation from each other. They all have to be thought about collectively. And hence I call this a book with an attitude (because it makes a strong argument throughout).
So I have been associated with this field from the very beginning. Not only the formation of those ten domains, but how they transformed over a period of time from the British Standard, to the ISO standard, to NIST, to (ISC)2 and all this stuff. So with that background, and me being a cybersecurity person anyways, I incorporated all those aspects throughout the book.
So many of my students come up to me and say, “You know what? I am preparing for an (ISC)2 CISSP exam, and I have taken your course, and it’s a perfect fit.” You know, they really don’t have to do anything else because of the subtle way in which all those domains have been incorporated into this particular text.
You know, everything is so interconnected, and we have our own privacy and identity to protect, so it touches every single walk of life. You are on Facebook, Twitter, any social media, and you feel and sense that you need to protect your information resources. And hence when someone is able to relate back to the principles or concepts that I’m talking about in my book, it’s just very fulfilling that they have learned something and can now relate to these aspects.