This book serves as an introduction into the world of security and provides insight into why and how current security management practices fail, resulting in overall dissatisfaction by practitioners and lack of success in the corporate environment. The author examines the reasons and suggests how to fix them. The resulting improvement is highly beneficial to any corporation that chooses to pursue this approach or strategy and from a bottom-line and business operations perspective, not just in technical operations. This book transforms the understanding of the role of the CISO, the selection process for a CISO, and the financial impact that security plays in any organization.
Table of Contents
1. The Dismal Discipline
2. The Business of Being CISO
3. Let It Rain
4. Don’t Call Me Sue
5. Comply Oh My
7. The CISO, Reimagined
I highly recommend, Barak Engel’s new book, "Why CISO’s Fail?", if you are a CISO candidate, considering applying for a CISO position, or in the process of hiring a CISO (HR, CEO, COO, President, etc.) this book is a must read.
The book provides a reality view that many old Data Automators, as well as business gurus and members of the C-Suite (CEO, CFO, CIO, COO, etc.) can understand and embrace.
Mr. Engel provides some tongue-in-cheek comments as well as questions that might be used for the interview of a candidate and questions that a CISO should use when dealing with vendors, including cloud providers and interface organizations (consultants, etc.).He uses his past experiences to provide the background and supporting evidence that led him to his viewpoint and suggestions.
Mr. Engel’s book focuses on the fact that the CISO failure starts during the hiring process and currently continues throughout the new hires approach to the current and legacy technologies. It appears the job description invariably starts our looking for the Technologist who has a background in data security and continues in that direction.
As with any ‘C-level’ position, Barak provides the insight into the fact that the CISO needs to be a business oriented person with a deep understanding of the technology and its effects on the business. He reminds the reader that the Information Technologies support the business process. The IT guru deals with data; it provides the resources to entering, manipulate, store and presentation the data. When presented to the business person, the data becomes information.
Barak reminds many of us that the IT environment is a tool. As most IT security folks may tell you, the data security guru has to find all the weaknesses in the application, server and network, while the hacker only needs to find one.
Barak also reminds us that the CISO needs to provide the security program for the enterprise while using the technologies as tools to assist with that security program, whereas, a technology guru as a CISO may prove the Abraham Maslow’s statement, "He that is good with a hammer tend to think everything is a nail." The threats and weaknesses reside inside as well as outside the organization.
Elsewhere, Barak reminds the C-Suite and the IT guru that the business information is classified by business personnel and needs to be protected by those same folks. As I mentioned in the beginning, I thoroughly recommend this book for the CISO, job candidate and all others in the organization who will work with the CISO.
-- Steve Katzman, CIA, CISA, CRISC, CRMA, CISSP (Retired) and author of "Operational Assessment of IT."