Dr. Winnie Callahan Review

Review of the book:  CISO:  Desk Reference Guide
                                           A Practical Guide for CISOs

Publisher:  DRG Joint Venture Publishing, 2016
Authors:  Bill Bonney, Gary Hayslip, Matt Stamper


Winnie Callahan, EdD
Director, University of San Diego Center for Cyber Security Engineering and Technology

The book, CISO:  Desk Reference Guide; A Practical Guide for CISOs is an amazing effort to assist new CISOs or CISOs in mid-size companies to better understand their respective roles, but it actually provides a plethora of in-depth “how tos” and “whys” from the vast wealth of experiences enjoyed by the three authors.

The book is easy to read and is divided into nine distinct chapters each addressing a major issue, concern or responsibility inherent to the role of a CISO. It is not a directive nor is it a textbook designed to provide the reader with a credential.  Rather it is exactly what a CISO needs when confronted with the day to day demands placed upon the person brave enough to try a fill some extraordinarily large shoes:  the person expected to have a super technical background, but must also understand cybersecurity, laws and policies, have a clear focus on regulations, be a proven leader and also be a “great communicator” to the CEO but often to a Board of Directors as well.  (Perhaps when a CISO is hired and/or appointed, one should also receive a Superman costume …. He or she just may need it.)

Realistically, the Superman attire is less likely to be necessary with this volume of guidelines, concrete examples and a concise summary of such valuable information as the NIST framework and the SANS descriptors for handling risk, as examples.

The book is unique, as the reader gets the opinion on each topic from the three authors independently.  For the reader, it’s like having a private conversation with experts in the field on the readers’ timeline … in short, when really needed.  (This could be during business hours, over the weekend or during the “heat of a crisis.”)

The layout of the book follows closely the rules of public relations:  tell the public what you’re going to tell them, then tell them more than once using different techniques and then summarize what you told them. The book also invites contact with the author(s) if you still need more clarity.  What a deal!

Each chapter has an introduction, then three different opinions on the topic, one by each author from a “different experience perspective.”  Each chapter is rich in explanation, many with charts and graphs.  And each chapter concludes with a summary of what the chapter provided.

Whether you’re trying to understand your role better, figure out how to develop policies to ensure the protections your organization requires, desperately need to review the NIST Incident Response Guide, or just validate some steps you plan to take in working with your leadership team, this guide truly has it all.

One of the major criticisms often voiced regarding standards and regulations is that “one size does not fit all.”  Frequently, though experts are supportive of the need for standards and the fact that having some are very helpful, they often express dismay that standards are blind to context … this book is exactly what is needed to take that challenge head-on.  Again, three differing opinions from three different perspectives reflecting the best and worst of the issues most CISOs encounter … only the type of environment is different and thus, the approach and needs to solve and address the issues will no doubt vary.

As this review concludes, it is important to state that the Appendix at the end of Chapter Nine on Policy is, even as a stand-alone, incredibly valuable as it exemplifies different type of Policies.  The reader will also find the Bibliography of great value if wanting to dig more in depth on a given topic.  Though the subject is dynamic and fits into the category of “always changing,” the basics of the observations and lessons learned will NOT lose their value to the practicing professional.  At the least, it helps clarify the thought processes and the potential evolution to any new applications that will be evident in the future.

In closing, I would encourage those aspiring and or existing CISOs to invest in this book.  I would also recommend that universities who are attempting to prepare well-educated cyber professionals for their roles in the Cyber domain to make sure this book, and hopefully subsequent volumes, known to and available for their students.  You can’t get much better than a practical, easy to read reference for those times when an answer or validation of a plan would lower one’s stress level and help our corporations, government agencies and our nation as a whole do a better job of protecting assets.

Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.