This book serves as an introduction into the world of security and provides insight into why and how current security management practices fail, resulting in overall dissatisfaction by practitioners and lack of success in the corporate environment. The author examines the reasons and suggests how to fix them. The resulting improvement is highly beneficial to any corporation that chooses to pursue this approach or strategy and from a bottom-line and business operations perspective, not just in technical operations. This book transforms the understanding of the role of the CISO, the selection process for a CISO, and the financial impact that security plays in any organization.
Table of Contents
1. The Dismal Discipline
2. The Business of Being CISO
3. Let It Rain
4. Don’t Call Me Sue
5. Comply Oh My
7. The CISO, Reimagined
Barak has over 25 years of experience in technology, operations, and business management, including over 15 years of information security management experience. Barak came up with the concept of "virtual CISO" - an outsourced, fully managed security suite for companies that wish to implement a security program and mature it over time, at an early stage of developing his consulting practice, and it has become the cornerstone of its service offerings. In this capacity, he has successfully created, developed, grown and run several security organizations as CISO in multiple companies across different industries, and developed his reputation as a nationally recognized security compliance subject matter expert, visionary, and leader. He has spoken frequently in conferences, private industry events, and other venues, authored, both under his own name and as a ghost writer, multiple trade articles, was quoted by media sources, had appearances on local and national TV, wrote the compliance section of a highly respected book on technology operations management, and participated in a number of respected forums, such as a US representative in a state dept hosted conference on global cybercrime. Has was also part of the Israeli team that assisted US authorities in apprehending the late 90s notorious hacker, the Analyzer.
I highly recommend, Barak Engel’s new book, "Why CISO’s Fail?", if you are a CISO candidate, considering applying for a CISO position, or in the process of hiring a CISO (HR, CEO, COO, President, etc.) this book is a must read.
The book provides a reality view that many old Data Automators, as well as business gurus and members of the C-Suite (CEO, CFO, CIO, COO, etc.) can understand and embrace.
Mr. Engel provides some tongue-in-cheek comments as well as questions that might be used for the interview of a candidate and questions that a CISO should use when dealing with vendors, including cloud providers and interface organizations (consultants, etc.).He uses his past experiences to provide the background and supporting evidence that led him to his viewpoint and suggestions.
Mr. Engel’s book focuses on the fact that the CISO failure starts during the hiring process and currently continues throughout the new hires approach to the current and legacy technologies. It appears the job description invariably starts our looking for the Technologist who has a background in data security and continues in that direction.
As with any ‘C-level’ position, Barak provides the insight into the fact that the CISO needs to be a business oriented person with a deep understanding of the technology and its effects on the business. He reminds the reader that the Information Technologies support the business process. The IT guru deals with data; it provides the resources to entering, manipulate, store and presentation the data. When presented to the business person, the data becomes information.
Barak reminds many of us that the IT environment is a tool. As most IT security folks may tell you, the data security guru has to find all the weaknesses in the application, server and network, while the hacker only needs to find one.
Barak also reminds us that the CISO needs to provide the security program for the enterprise while using the technologies as tools to assist with that security program, whereas, a technology guru as a CISO may prove the Abraham Maslow’s statement, "He that is good with a hammer tend to think everything is a nail." The threats and weaknesses reside inside as well as outside the organization.
Elsewhere, Barak reminds the C-Suite and the IT guru that the business information is classified by business personnel and needs to be protected by those same folks. As I mentioned in the beginning, I thoroughly recommend this book for the CISO, job candidate and all others in the organization who will work with the CISO.
-- Steve Katzman, CIA, CISA, CRISC, CRMA, CISSP (Retired) and author of "Operational Assessment of IT."