The CISO Desk Reference Guide has been a mainstay in my personal library since shortly after I first met Gary, Bill, and Matt in 2015. Newly appointed to my second stint as Deputy Chief Information Security Officer (CISO) and having just moved from Germany to Southern California, I was eager to build relationships in the lively cybersecurity community of San Diego. The community welcomed me with open arms, and I was able to join in on robust conversations, insightful presentations, and war-room problem solving for the latest/greatest malware strain or threat actor activity. If I were to attempt an analogy, I would say reading the chapters of the CISO Desk Reference Guide is like attending a gathering of those fantastic SoCal professionals: approachable, unassuming, informative, and thought-provoking.
Since that wonderful season of my career based in San Diego, I’ve slingshot around the world to a variety of CISO and CSO positions, taking with me their Reference Guide (which I’ve also passed on to members of my leadership teams), their friendship, and their trusted comradery in this global cybersecurity war we as CISOs wage day in and day out.
Gary, Bill, and Matt are a treasure trove of wisdom for future and established CISOs alike. Their dedication to contributing foundational wisdom to the cybersecurity community has rightly earned their two-volume Reference Guide set a prestigious position in the Cybersecurity Canon Hall of Fame. What sets them apart is that they don’t just “teach” the work, they also “do” the work. And by doing the work, they garner continuous insight and examples, which they then use to further teach the work. Theirs is a virtuous circle of support and insight for our cybersecurity community globally.
When the authors asked if I would be willing to read a draft and provide some feedback on the manuscript for their latest endeavor, CISO Desk Reference Guide: Executive Primer, I jumped at the opportunity. The premise of this Executive Primer is to assist non-cyber executives and non-execs in understanding the deep complexities of cybersecurity—without leaving their eyes watering from mind-numbing technical details. This is not a small task, but it is such important work. And this Executive Primer, as expected from the authors’ previous work, does not disappoint.
As CISOs, we must leverage both “science” and “art” in the work we do every day. The science is the complexity, breadth, and depth of the processes, technology, and people capabilities that we must leverage, develop, and continuously improve every day to protect, detect, respond, and recover. The art is a bit more nuanced and requires tremendous skill and honing: every presentation to the Audit Committee and exec and non-exec boards, every meet/greet with business executives, every town hall presentation to non-cyber audiences, every “lunch and learn” session we host, every cyber threat briefing we send out to all hands—these are all examples of where we must demystify the “science” of our work, by using the “art” of communication, influence, connecting seemingly unrelated dots, all while using business-friendly lexicon and relevant, contextualized examples which broaden understanding while eliciting support, partnership, urgency, and priority.
In theory, a better understanding of cybersecurity by our non-cyber exec and non-exec colleagues will lead to greater support for the work of cybersecurity, healthier and courageous challenges in our conversations and dealings, and laser-focused risk prioritization by you and me as we together reduce risk. In practice, and for many, this is a foundational paradigm shift: everyone owns security. Not just the CISO or the CISO Program…everyone. You, dear Reader, own security.
But how can you own something and effectively participate in and contribute to your part of cybersecurity if you don’t understand it, know why to prioritize it, or know what “good” looks like? Enter the CISO: Executive Primer. This Primer will get you well on your way to being familiar with and conversant in the work of the CISO Program at your company, just as we as practitioners and CISOs must be familiar with and conversant in your work, whether its finance, legal, HR, business imperatives, or company strategy. This Executive Primer will also give you a greater understanding of the story behind the story when you see a headline about the latest breach.
Personally, I believe you will come away with at least the beginnings of an understanding that cybersecurity is to no longer be a buried line item on IT’s budget but to rather be seen as a prominent enterprise-wide, escalating risk that each exec and non-exec alike need to have in the forefront of her or his mind when they consider acquisitions, market expansion, product innovation, channels to market, interactions with shareholders, engagement with customers and consumers, leveraging third-party vendors, suppliers, and contractors, broaden their digital transformation, and so on.
I’m thrilled the authors have put pen to paper on this Executive Primer, and I highly recommend you chew through and digest all of this rich yet approachable content. To follow the analogy I began with, reading this Executive Primer is like having a lengthy coffee (or whiskey!) chat with Gary, Bill, and Matt, garnering their wisdom and insights in an approachable, unassuming, informative manner. I believe it will empower you for better, thought-provoking conversations with your CISO. I believe it will change the way you view risk at your company. And I believe you, too, will become a cybersecurity enthusiast at work and at home.
Kirsten Davies is a five-time Information and Cyber Security Executive, safeguarding 2 Global 100 and 3 Fortune 250 companies representing over $230Bn in annual turnover.