296 pages | 10 B/W Illus.
The book takes readers though a series of security and risk discussions based on real-life experiences. While the experience story may not be technical, it will relate specifically to a value or skill critical to being a successful CISO. The core content is organized into ten major chapters, each relating to a "Rule of Information Security" developed through a career of real life experiences. The elements are selected to accelerate the development of CISO skills critical to success. Each segments clearly calls out lessons learned and skills to be developed. The last segment of the book addresses presenting security to senior execs and board members, and provides sample content and materials.
As a CISO, I approached Gene's book with caution. Put two such people in a room and ask them a question, and an argument will inevitably ensue - even if they agree. Therefore, and as you might expect, I found some of Gene's conclusions to differ from mine. But what really stood out to me is how, even as I was having these arguments play out inside my head, I seemed to also be adopting an almost imperceptible yet constant nod. I could not help but enjoy reading his thoughtful analysis of every information security topic that he chooses to tackle, and his ability to tie everything together in an easy-to-understand, clear and logical fashion is highly appreciated and sorely needed in the industry.
Then, as I continued my journey through Gene's carefully laid-out thoughts and explanations, personal experiences, war stories, and insightful advice, it became apparent that this is far more than merely an instructional book into the many aspects of managing information security. Indeed, for anyone who is interested in advancing their career in the field, this book offers countless tools that can be followed to success, in every area. Just the chapter "NEVER trust and ALWAYS verify" is itself worth the price of admission.
Consume it slowly, and give it the attention it deserves, and Gene's book will repay you for it in spades. You may not follow his exact path, but whatever path you take, his guidance will certainly help you forward.
-- Barak Engel, CISO and author of Why CISOs Fail: The Missing Link in Security Management--and How to Fix It
The CISO as a Business Partner: Balancing Business Need with Security Need. Serving Executive Management and the Board. Gaining a Seat at the Table. Adding Value While Meeting Security and Regulatory Needs and Mandates. Addressing Issues When Management Objects. Can Your CISO Role Be Viewed as Strategic Value Add. The Ten Rules and How They Impact the Business and Your Career Path: Explaining Security and Risk Issues Clearly and Succinctly. Methods for Implementing Cultural Change to Build Security. Management Expectations vs. Security Policy and How to Resolve Conflicts. Clear, Simple Examples of Implementing Basic Risk Analysis Processes. Developing Clear Key Risk Indicators and Metrics that Yield Business Value. Methods to Build a Clear, Concise Information Security Strategic Plan. Developing the Written Informaiton Security Plan. Talking to Executive Management and the Board and Career Development: Emerging SEC Regulations Require CISO to Brief Board and Provide Education. Dealing with "Shadow IT". Building an Experiential Portfolio to be an Effective CISO. Building Trust with Executive Management. Outsourcing, Co-sourcing, and In-sourcing Keys and Challenges. Maintaining Appropriate Skill Sets and Knowledge within Information Security