Well, this is supposed to be a book about Information Security and has as a target the leaders and managers (non-IT and non-security) at different organizations… Let's start with the positive things first: it manages to avoid being too full of errors, so it can be read from that perspective (but they still exist, e.g. when did ISACA become a standards organisation?).
The bad part is that the author seems to have read some Management-for-Complete-Morons book and tries to merge one of Porter's concepts onto InfoSec (generic strategies), but fails at this. Otherwise, it is spouting platitudes about business management and InfoSec at the level you'll find at the buffet-table at any security conference you choose to attend (aka not very grounded in reality). He also manages to repeat a number of myths as fact, by referring to their presence in other suspect publications.
And what is it with bad books? Are they afraid to have an index or bibliography (especially when there are numerous references in the text)? Sigh… And the details (or rather lack of) combined with the platitudes make it worthless as a reference book.
For the managers, this book is totally outside their scope, and shows an ignorance of management realities (not the first security person to do that, I have been there myself) as well as lack of knowledge of even basic management theories.
For the IT-people (who are not the target market), this book manages to lose all detail that is of interest.
For the Security Managers, it will generate a good feeling, as the stuff is very basic and they (hopefully) know it already (pat yourself on the shoulder).
My conclusion is to avoid it, as it is not worth the paper it is printed on (I got it for free).
Säkra ditt företag: Informationssäkerhet for chefer och ledare