in reply to
Bruce Schneier (I little OT)
in thread What's the idea of different salts in crypt()?
Although a little pedantic at times, I feel that it should be the Number One Read (tm) for any and all CIOs and CSOs. I see people every day who are quelled into thinking that security can be had with a product, and they are duped into leaving the humans and the process alone.
Security is a process, not a product, and I think Bruce hits the nail on the head (a bunch of times). I didn't mention Secrets and Lies in my post because it deals with the whole process, and I wanted textbook product investigation.
Yes, read "Secrets and Lies". Even if you aren't interested in how encryption works on a mathematical level, how to properly implement the process should be foremost on everyone's minds.