The Illusion of Due Diligence: Notes from the CISO Underground Paperback – April 27, 2010

I am sorry to say that I am very disappointed in this eBook, to the point where I really think I should be able to get a refund.Mr. Bardin seems to be very qualified, and he has written some very good columns for CSO Online, where I first saw mention of this document. And I have no doubt that Mr. Bardin adheres to the highest personal standards of professionalism and integrity.But this is not a finished book. It reads like a very rough first draft, filled with typographic errors and badly constructed sentences. The overall tone of the book is that of a disgruntled employee complaining about all the incompetent and malicious managers he has had to put up with. There are a few useful insights buried in the text, but most of the material consists of attacks on the character, qualifications and ethics of various individuals.What I was hoping for was some insight into the challenges of working within the business culture, dealing with opposition and competing agendas, forming strategic alliances, making the case for security to management. Instead, I got one long rant, with no useful content.

The author of this book brings a lot of skeptism to the read.As he should. Being a security practitioner for the past 25 yearsI have come to the conclusion that unless security is mandated by lawnobody bothers.Good read and true to what security really means in the corporate world.An illusion.

I have mixed feelings about Jeffrey Bardin's "The Illusion of Due Diligence" (TIODD). I did read the whole book. However, I am not sure I would advise others to read it. TIODD struck me as a collection of stories describing how bad choices can lead to difficult situations. Some of the bad choices are the author's, so I have trouble sympathizing with him. Still, I was continuously amazed that the author would choose to record his professional life story in print, especially given the reader's ability to reassemble the true names behind the pseudonyms. Overall, I consider TIODD to be a curiosity that would keep your attention mainly for the "train wreck" aspect of the author's security career.It's plain to see that the author cares about the information security profession. Juxtaposed against that care is his tendency to align himself with characters who are likely to cause trouble. For example, I cannot understand how the author chose to do business with "Ariel," a pseudo-partner who was really an incompetent competitor. I blame the author for his woes with that relationship, but does that mean I should pay attention to how he dealt with the consequences? Similarly, the author took a job working for "the Little Corporal," despite knowing it would be a mess from the beginning! I could cite other examples: resorting to blackmail to keep a job, political power-plays at start-ups, etc. Amazing.The bottom line is this: should I be listening to the advice of a person who constantly puts himself in compromising positions? Your answer to this question defines if you should read it.One final note: the book is self-published, so it lacks the presentation and polish one would (usually) enjoy if delivered by a professional publisher. The language and formatting are rough in places but not overly distracting.

I was impressed with the read. I though that the author made his points well and did a fine job of painting the profession as a colorful and exciting adventure. I loved your descriptions of working in Monterey! I call it home as well! Jeff Steven Bardin, thank you for the read!

Thank you for writing such a robust and complete report on the nature of Cyber Investigations. It was a great read. I loved the details of your Experiences growing up in New York and New Jersey and the time you have spent in Monterey since. Again, excellent read!

Two years ago, I took the position of CSO at a small but growing firm. I wish I had had this book available then. Not only does this book expose the risks associated with protecting a corporation from insider activity, but it provides advice on what actions to take, and discusses what has worked and what has failed.The author is not afraid to expose his own failures, and convey lessons learned, as well as discuss what has worked and his critical observations on how that too can be improved.I highly recommend this book to all those in the information security and risk management profession, especially to those who are new to the challenges of management in this profession.