Font Size: A A A

Home > Reviews > Lessons Learned: Critical Information Infrastructure Protection

Lessons Learned: Critical Information Infrastructure Protection

Author Toomas Viira

ISBN No 978-1-84928-959-7

Review date 30/06/2022

No of pages 92

Publisher IT Governance

Publisher URL

Year of publication 12/01/2018


Our Review


£ -

We could manage without critical infrastructure services (CII). If mobile phone networks went down; people might fret, but well within living memory we did not own mobiles. Likewise, social networks. But connected buses and trains, and traffic lights; banks running their IT; radio and TV? How long could society run without electronic money, or cash coming out of ATMs? Only days, maybe hours. That puts the ‘critical’ into CII; and an Estonian in this field begins a short book, Lessons Learned: Critical Information Infrastructure Protection, by quoting a past United States homeland security figure fretting about a possible cyber “Pearl Harbor’. Americans might not need outsiders to point it out, but the US was not well prepared for the actual physical attack on Pearl Harbor in 1941; would it or any country be better prepared for the cyber equivalent?

Although the author studiously avoids mention of the Baltic state’s looming and threatening neighbour Russia, he does say early on how well ahead Estonia are in use of e-services; but that does bring dependency on cyberspace. Hence the need to protect it, ‘and do so as quickly and with as little effort as possible’. He only writes in terms of being ‘as successful as possible’; this is real-world stuff, and the last of seven chapters covers a ‘back up plan’. He doesn’t actually detail how to be prepared (to provide only what’s most essential in a crisis) but sets out a scenario of how society could break down - no check-ins at the airport, nothing done at the hospital because doctors cannot access patient records, no-one with banknotes to buy food, and payment cards not working. As the book puts it, that’s be like going back to the Stone Age; but even worse, because people have forgotten how to live that simply. The book’s so short, it does not go into any detail, beyond offering 23 ‘lessons learned’, from defining what those CII services are, to being prepared to provide such services without IT. This includes training, business continuity, and identifying threats, besides the actual work of IT security.

This book and others from IT Governance Publishing, are like a cup of espresso coffee; short to the point of abrupt, and all the better for that; with the effect of jolting you in a way that a longer and more complicated volume would not. An hour with this book should equip you or at least enthuse you to ask the right questions and set to knuckling down to doing infrastructure cyber-security. It’s striking and welcome how the book avoids computer and IT terms, making it readable for general, non-IT managers.

About the author

Toomas Viira has worked in cyber security for more than 20 years. In 2004 he joined RIA ( (Estonian information system authority), in 2005 he began work to create CERT Estonia, and in 2007 he was a member of the team that protected Estonia from large scale cyber attacks. Viira is also one of the authors of the Estonian Cyber Security Strategy. In 2009 he was appointed head of the Critical Information Infrastructure Protection department in RIA. Visit