Not Another Information Security White Paper!
Before I get too deep in the weeds, the bottom line of this blog entry is to announce a new white paper, so please make sure to get all the way to the bottom.
I am not sure about you, but I have never been a big white paper fan. I am very much a "nuts and bolts" person, and in my many years of reading white papers, I have found very few that satisfy my desire for detail. This is not surprising, because in my reading of expert recommendations on writing such documents, these folks consistently advise that papers not exceed 5-10 pages (and like we did in middle school, double-spaced with big letters to fill the required length). It is a bit difficult to satisfy my desire for detail in 5 pages. It is hard to even properly state the problem in that amount of space.
Another issue I have with many white papers is that their primary focus is marketing the services of those distributing the document. Now, I am certainly not suggesting that there is anything wrong with marketing. This is a time-honored advertising medium. The concept is simple - tantalize them with glowing generalities, collect their personal data, send them the document that may disappoint, and send them 36 emails over the next week. Ok, I may have exaggerated that a bit, but you get the idea.
Third issue - they are often not even written by the folks marketing their services. A quick Google search will reveal countless companies in the business of writing these documents for others. Again, there is nothing necessarily wrong with this approach. If the primary purpose is to convince you of the promoting company's expertise, this might be a bit deceptive (I do make allowances for those who select the specific technical information, and just need someone to put prose behind it).
I hope that those of you who have read some of my prior musings recognize that I am passionate about information security in the Small and Medium Business (SMB) world. SMBs don't have the deep pockets of Target and Home Depot to build an elaborate security infrastructure, and then weather the storm after it fails. By most accounts, both of these large companies will come through with a small financial impact relative to their profits. On the other hand, SMBs suffer from a disproportionately large per capita impact from such attacks, estimated to be $1,513 versus $517, according to an HP-sponsored study.
As a result, I wanted to help the SMB world understand the problem and recommended solutions far beyond the limited group of customers I can assist personally. Since I began my career writing documentation (such as the University of Miami's first guide to computing facilities - Go Canes!), I was not afraid to sit down and take a stab at writing it all down in a white paper.
I confess up front that I broke all of the "rules":
It is too long - 25 pages versus the recommended maximum of 10.
It is full of specifics. It is not intended just to whet your appetite enough to make you call me. With some focus and effort, the intent is for you to be able to work through it by yourself, and make good progress with information security.
Unlike any good church sermon, which always has 3 points, this document has 30. I can see the snoozing in the pews already!
It has very limited hyperbole - the points I make are backed up with links, or involve industry recognized best practices.
It should prove to be worth more than you paid for it, as it includes links to products, many inexpensive or free, that SMBs can use to help solve their issues, such as my favorite self-pentest tool for example.
Those of you who like the current state of the art in many white papers - short on detail, long on marketing, and digestible in 15 minutes - should NOT download this document. You will zone out after page 4. Those who recognize their need to review and address their information security posture, and are willing to put in some effort, however, should find it useful and very readable. The SMB world is loaded with such self-reliant folks, because their companies would not exist without this trait.
By way of justification, every security analysis for SMBs I have conducted to date has found significant exposures, and few of those exposures required a major effort or expense to fix. You can't fix a problem you don't know about, however, so the first step is to dive in, using my document or something similar, and figure it out.
Thus, without further pomp and circumstance, my white paper:
Yes, I will ask you for a bit of personal information, and no, I will not send you 36 emails.
Comments, suggestions, and questions on the document are invited!