Information Governance Leadership Summit

Information Governance Leadership Summit:
March 30 & 31
San Diego, California

Attendance includes: 2 Workshops, breakfasts, lunches, breaks, 2 signed books & a networking reception

Click here to register!

About the Agenda

Day 1: Drafting Effective IG Policies
Effective Policy Writing has been cited by IG pros in recent research as a top priority and key to successful IG programs. Day One of the 2nd Annual CIGO Association “Information Governance Leadership Summit” will bring together IG leaders from around the world for a deep dive with renowned policy expert Lewis Eisen, author of, “Respectful Policies and Directives: How to Write Rules People Want to Follow.”

Networking Reception

To close the first day, we will hold a Networking Reception at the hotel, with appetizers and an open bar. We want to encourage forming bonds and long-term business relationships to help advance careers, and the field of IG.

Day 2: Privacy Program Management and Info Risk Management

Privacy & Cybersecurity expert, Justine Phillips, Partner at the major law firm DLA Piper, along with Cybersecurity expert Matt Stamper, CIPP/US, CISA, CISM, CRISC, CDPSE, QTE, the “CISO to CISOs” will present a two-part workshop on Privacy Program Management, and Information Risk Management, based on their book, “Data Privacy Program Guide: How to Build a Privacy Program the Inspires Trust.”

We will also have a panel discussion of leading experts in IG and InfoRisk.

Cost: $1495, includes all materials, meals, reception, and breaks.

14 hours of Continuing Education Units approved by CIGO Association

Seating is limited. So register today.

Second edition of Creating a Small Business Cybersecurity Program: A Non-Technical Guide for Small Business Owners.

CISO DRG is pleased to announce publication of the second edition of Creating a Small Business Cybersecurity Program: A Non-Technical Guide for Small Business Owners.

After the first edition of this book was initially published in July 2020, using the CIS Controls® version 7.1, the CIS Controls® underwent a major update to version 8, issued in May 2021. The new version emphasizes the three Implementation Groups and expanded Implementation Group 1 (IG1), which applies primarily to small-to-medium businesses (SMBs). Another change in v.8 is having only 18 primary controls rather than 20. The Controls v.7.1 started with 43 Safeguards for IG1, then through revision, realignment, or incorporation into other Safeguards; IG1 v.8 has 56 Safeguards. These Safeguards are the key to achieving the security objectives identified in the overall CIS Controls®.

This Second Edition has incorporated the v.8 Safeguards into the book’s content, so that small business owners can follow simple, step-by-step approach to implementing these new safeguards in their company. Other changes are also included in the edition to bring the information up-to-date and provide new guidance on best industry practices.

Version 8 Addendum to Creating a Small Business Cybersecurity Program – August 2022

(The following is taken from the introduction to the addendum)

After the book was initially published in July 2020, using the CIS Controls® version 7.1, the CIS Controls® underwent a major update to version 8, issued in May 2021. The new version emphasizes the three Implementation Groups, including an expanded Implementation Group 1 (IG1), which applies primarily to small-to-medium businesses (SMBs). Another change in v.8 is now having only 18 primary Controls, rather than 20. In addition, the book only focused on 37 Safeguards; however, IG1 started with 43 Safeguards in v.7.1. In v.8, 11 new Safeguards were added to IG1, while others were revised or merged into other Safeguards. This Addendum will address all of the v.8 IG1 Safeguards, even if the v.7.1 equivalent was not provided explicitly in the book.

This Addendum aims to provide businesses with a guide to take you from v.7.1 into the new v.8 Safeguards while maintaining the categorization structure created in the book. This Addendum will walk you through, chapter-by-chapter, first the changed Safeguards and then the newly added Safeguards within the categories for each chapter. The four chapters that identify key Safeguards will continue to address the same groupings of control measures, as listed below.

  • Chapter 11—Key Safeguards for SMBs (“The Basics”)
  • Chapter 12—Implementing Administrative and Configuration Controls
  • Chapter 13—Implementing User Controls and Training
  • Chapter 14—Implementing Incident and Breach Controls

In addition to the changes to the Safeguards in the CIS Controls, in July 2022, we updated the governance documents associated with the book and made them available at: Version 8 Addendum to Creating a Small Business Cybersecurity Program Control

Data Privacy Program Guide: How to Build a Privacy Program that Inspires Trust

CISO DRG Publishing is pleased to announce the availability of the Data Privacy Program Guide: How to Build a Privacy Program that Inspires Trust, the first book in the CISO Desk Reference Guide® Governance Series. This book was written by David Goodman, Justine Phillips, and Matt Stamper and is intended for Chief Privacy Officers and privacy professionals at all levels of the organization. This book focuses on building and managing privacy programs. From the author’s extensive and varied backgrounds, readers will gain unique insights, practical advice, and inspiration. Privacy professionals will learn how to create a privacy program that will help you improve your relationship with your customers while giving you the foundation for complying with the dizzying maze of privacy regulations. This is a groundbreaking book in the privacy space.

Congratulations David, Justine, and Matt, well done!

CISO Desk Reference Guide Executive Primer Forward


The CISO Desk Reference Guide has been a mainstay in my personal library since shortly after I first met Gary, Bill, and Matt in 2015. Newly appointed to my second stint as Deputy Chief Information Security Officer (CISO) and having just moved from Germany to Southern California, I was eager to build relationships in the lively cybersecurity community of San Diego. The community welcomed me with open arms, and I was able to join in on robust conversations, insightful presentations, and war-room problem solving for the latest/greatest malware strain or threat actor activity. If I were to attempt an analogy, I would say reading the chapters of the CISO Desk Reference Guide is like attending a gathering of those fantastic SoCal professionals: approachable, unassuming, informative, and thought-provoking.

Since that wonderful season of my career based in San Diego, I’ve slingshot around the world to a variety of CISO and CSO positions, taking with me their Reference Guide (which I’ve also passed on to members of my leadership teams), their friendship, and their trusted comradery in this global cybersecurity war we as CISOs wage day in and day out.

Gary, Bill, and Matt are a treasure trove of wisdom for future and established CISOs alike. Their dedication to contributing foundational wisdom to the cybersecurity community has rightly earned their two-volume Reference Guide set a prestigious position in the Cybersecurity Canon Hall of Fame. What sets them apart is that they don’t just “teach” the work, they also “do” the work. And by doing the work, they garner continuous insight and examples, which they then use to further teach the work. Theirs is a virtuous circle of support and insight for our cybersecurity community globally.

When the authors asked if I would be willing to read a draft and provide some feedback on the manuscript for their latest endeavor, CISO Desk Reference Guide: Executive Primer, I jumped at the opportunity. The premise of this Executive Primer is to assist non-cyber executives and non-execs in understanding the deep complexities of cybersecurity—without leaving their eyes watering from mind-numbing technical details. This is not a small task, but it is such important work. And this Executive Primer, as expected from the authors’ previous work, does not disappoint.

As CISOs, we must leverage both “science” and “art” in the work we do every day. The science is the complexity, breadth, and depth of the processes, technology, and people capabilities that we must leverage, develop, and continuously improve every day to protect, detect, respond, and recover. The art is a bit more nuanced and requires tremendous skill and honing: every presentation to the Audit Committee and exec and non-exec boards, every meet/greet with business executives, every town hall presentation to non-cyber audiences, every “lunch and learn” session we host, every cyber threat briefing we send out to all hands—these are all examples of where we must demystify the “science” of our work, by using the “art” of communication, influence, connecting seemingly unrelated dots, all while using business-friendly lexicon and relevant, contextualized examples which broaden understanding while eliciting support, partnership, urgency, and priority.

In theory, a better understanding of cybersecurity by our non-cyber exec and non-exec colleagues will lead to greater support for the work of cybersecurity, healthier and courageous challenges in our conversations and dealings, and laser-focused risk prioritization by you and me as we together reduce risk. In practice, and for many, this is a foundational paradigm shift: everyone owns security. Not just the CISO or the CISO Program…everyone. You, dear Reader, own security.

But how can you own something and effectively participate in and contribute to your part of cybersecurity if you don’t understand it, know why to prioritize it, or know what “good” looks like? Enter the CISO: Executive Primer. This Primer will get you well on your way to being familiar with and conversant in the work of the CISO Program at your company, just as we as practitioners and CISOs must be familiar with and conversant in your work, whether its finance, legal, HR, business imperatives, or company strategy. This Executive Primer will also give you a greater understanding of the story behind the story when you see a headline about the latest breach.

Personally, I believe you will come away with at least the beginnings of an understanding that cybersecurity is to no longer be a buried line item on IT’s budget but to rather be seen as a prominent enterprise-wide, escalating risk that each exec and non-exec alike need to have in the forefront of her or his mind when they consider acquisitions, market expansion, product innovation, channels to market, interactions with shareholders, engagement with customers and consumers, leveraging third-party vendors, suppliers, and contractors, broaden their digital transformation, and so on.

I’m thrilled the authors have put pen to paper on this Executive Primer, and I highly recommend you chew through and digest all of this rich yet approachable content. To follow the analogy I began with, reading this Executive Primer is like having a lengthy coffee (or whiskey!) chat with Gary, Bill, and Matt, garnering their wisdom and insights in an approachable, unassuming, informative manner. I believe it will empower you for better, thought-provoking conversations with your CISO. I believe it will change the way you view risk at your company. And I believe you, too, will become a cybersecurity enthusiast at work and at home.

Kirsten Davies
March 2022
Nashville, USA

Kirsten Davies is a five-time Information and Cyber Security Executive, safeguarding 2 Global 100 and 3 Fortune 250 companies representing over $230Bn in annual turnover.