Читать книгу Critical Infrastructure Risk Assessment - Ernie Hayden MIPM CISSP CEH GICSP(Gold) PSP - Страница 7

Foreword
by Peter Gregory

I first met Ernie Hayden in 2003 just as I stepped off the stage at the SecureWorld Expo conference in Seattle. Ernie attended my talk and came up to me afterward. He held up a book in his hands and exclaimed, “I’ve read your book!” referring to the first edition of CISSP For Dummies. That meeting would prove to be the start of a going-on-eighteen-years friendship.

Ernie was one of the early instigators of The Agora, a quarterly conclave of information security professionals in the Pacific Northwest. I attended as often as I could, which was usually 2-3 times each year. Ernie was always there, and I always made it a point to speak with him. While we didn’t get into many “deep dive” conversations, I knew right away that he was well learned in information security. As the CISO for the Port of Seattle (which included the shipping port, the cruise ship port, and the airport), Ernie was in the crucible of risk management for multiple high-profile critical infrastructure facilities that were very “out there” and visible to all.

Ernie and I, along with Dave Cullinane and Michael Ray of Washington Mutual Bank (WAMU), Kirk Bailey of the City of Seattle, Barb Padagas of Starbucks, Bruce Lobree of Costco, Ravila White of drugstore.com, and a few others, were co-founders of the Pacific CISO Forum, a peer roundtable of information security leaders in Seattle and beyond. Ernie was as involved as anyone there, and sometimes hosted our quarterly meetings at one of the port facilities.

Ernie was also involved in regional critical infrastructure disaster and attack simulation events. This is all to say that Ernie is a doer, and his community involvement is but one aspect of his professional testimony as a man who cares about his community and the people who live in it.

From then until now, Ernie has held a variety of positions in critical infrastructure protection, and this has taken him around the world where his services were needed. He has become one of the world’s premier experts on the topic. For him to write this book is a gracious and generous gift to the profession as a whole. This book is a treasure for the profession and will serve to advance the state of the art of critical infrastructure protection and the professional growth of hundreds or even thousands of others in the profession.

This book is a well-organized, step-by-step, how-to treatise on risk assessment and risk management for critical infrastructure. This book is a high-quality, high-density, low-noise reference to help any professional excel at big-picture or detail-oriented risk management and risk assessment work. It explains the concepts of risk, risk assessment, and the steps for performing a proper risk assessment found in few other texts. I especially appreciate the chapter on observation that instructs the reader how to perform various types of evidence gathering and the value of tech technique. While this book is highly detailed, each chapter contains numerous references where the reader can go for even more in-depth information on each chapter’s topics. The book’s appendix contains a detailed, lengthy sample risk assessment report that puts many of the topics in the book to use.

In my experience as an executive consultant and having served dozens of companies and agencies over the past six years, I can confidently say that half or more of all organizations practice little or no risk management at all.

As the need for risk management becomes more apparent in organizations, this book should be in the library of every risk manager as well as every consultant performing risk assessments of critical infrastructure facilities -not on the shelf, but on the desk as a regular desk reference.

Peter Gregory

CISM, CISA, CIPM, CRISC, CISSP, CCSK, CCISO, QSA

Seattle, Washington