The order of the essays within each chapter of Volume 1 follows the arc of our authors’ differing backgrounds and perspectives. Bill’s essays lead off each chapter and provide a high-level perspective that reflects his background in the finance industry and the structured governance that comes with working in a highly regulated industry. Matt’s essays come next and his perspective on providing services to many customers simultaneously provides insight into a highly programmatic approach. Gary’s essays finish each chapter and his vast experience in the trenches as a hands-on cyber expert provides the reader with a treasure trove of lists and lessons that they can repeatedly reference.
The different perspectives can be used as standalone refreshers and the five immediate next steps for each chapter give the reader a robust set of 45 actions based on roughly 100 years of relevant experience that will help you strengthen your cybersecurity programs. In the conclusion of this book we provide contact information and encourage you to join the community of CISOs who use these resources. We also encourage you to provide us with feedback about the guidance and about our tri-perspective approach to this book. We hope you like it.
Introduction Where and to Whom Should the CISO Report? We begin our book with one of the most basic and fundamental issues facing cybersecurity today, namely the reporting structure for CISOs. As our authors will note, this reporting structure has a tremendous impact...
Introduction How Do Regulations, Frameworks, and Standards Impact Cybersecurity and Audit Practices? In this chapter, we review strategies and techniques to assess and address the seemingly infinite number of regulations and standards that impact cybersecurity...
Introduction There are few topics more critical in cybersecurity than the establishment of proper data classification and protection programs within an organization. For many organizations, data and information are their most valuable assets, the new currency in the...
Introduction In Chapter 4 we turn our focus to third-party risk. You could say that the first half of this decade was the dawn of a new era of third-party risk in cybersecurity. Edward Snowden was an independent contractor when he expropriated and disseminated a trove...
Introduction In Chapter 5 we look at how to create a metrics program that will help you measure the performance of your entire organization and determine what to report to your management and your board of directors. Each of the authors has a bias toward objective...
Introduction In Chapter 6 we turn to our interactions, as CISOs, with our management and our board of directors. As we note, there is a heightened awareness of cybersecurity within both the senior management team (what we often refer to in this book as the “C-suite”)...
Introduction In this chapter, we will talk about the one fundamental issue that drives most CISOs and influences how they create and manage their security programs. That issue is risk. Our authors will note that there are numerous types of risk facing an organization...
Introduction In Chapter 8, we discuss our views on tools and techniques that the CISO can use to validate an organization’s security controls. Each of us provides guidance on how we have used specific tools and techniques and will examine the importance of...
Introduction In our last chapter, we review one of the core topics that all security and risk mitigation operations revolve around – the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain the requirements...
Review of the book: CISO: Desk Reference Guide
A Practical Guide for CISOs
Publisher: DRG Joint Venture Publishing, 2016
Authors: Bill Bonney, Gary Hayslip, Matt Stamper
Winnie Callahan, EdD
Director, University of San Diego Center for Cyber Security Engineering and Technology
The book, CISO: Desk Reference Guide; A Practical Guide for CISOs is an amazing effort to assist new CISOs or CISOs in mid-size companies to better understand their respective roles, but it actually provides a plethora of in-depth “how tos” and “whys” from the vast wealth of experiences enjoyed by the three authors.
The book is easy to read and is divided into nine distinct chapters each addressing a major issue, concern or responsibility inherent to the role of a CISO. It is not a directive nor is it a textbook designed to provide the reader with a credential. Rather it is exactly what a CISO needs when confronted with the day to day demands placed upon the person brave enough to try a fill some extraordinarily large shoes: the person expected to have a super technical background, but must also understand cybersecurity, laws and policies, have a clear focus on regulations, be a proven leader and also be a “great communicator” to the CEO but often to a Board of Directors as well. (Perhaps when a CISO is hired and/or appointed, one should also receive a Superman costume …. He or she just may need it.)
Realistically, the Superman attire is less likely to be necessary with this volume of guidelines, concrete examples and a concise summary of such valuable information as the NIST framework and the SANS descriptors for handling risk, as examples.
The book is unique, as the reader gets the opinion on each topic from the three authors independently. For the reader, it’s like having a private conversation with experts in the field on the readers’ timeline … in short, when really needed. (This could be during business hours, over the weekend or during the “heat of a crisis.”)
The layout of the book follows closely the rules of public relations: tell the public what you’re going to tell them, then tell them more than once using different techniques and then summarize what you told them. The book also invites contact with the author(s) if you still need more clarity. What a deal!
Each chapter has an introduction, then three different opinions on the topic, one by each author from a “different experience perspective.” Each chapter is rich in explanation, many with charts and graphs. And each chapter concludes with a summary of what the chapter provided.
Whether you’re trying to understand your role better, figure out how to develop policies to ensure the protections your organization requires, desperately need to review the NIST Incident Response Guide, or just validate some steps you plan to take in working with your leadership team, this guide truly has it all.
One of the major criticisms often voiced regarding standards and regulations is that “one size does not fit all.” Frequently, though experts are supportive of the need for standards and the fact that having some are very helpful, they often express dismay that standards are blind to context … this book is exactly what is needed to take that challenge head-on. Again, three differing opinions from three different perspectives reflecting the best and worst of the issues most CISOs encounter … only the type of environment is different and thus, the approach and needs to solve and address the issues will no doubt vary.
As this review concludes, it is important to state that the Appendix at the end of Chapter Nine on Policy is, even as a stand-alone, incredibly valuable as it exemplifies different type of Policies. The reader will also find the Bibliography of great value if wanting to dig more in depth on a given topic. Though the subject is dynamic and fits into the category of “always changing,” the basics of the observations and lessons learned will NOT lose their value to the practicing professional. At the least, it helps clarify the thought processes and the potential evolution to any new applications that will be evident in the future.
In closing, I would encourage those aspiring and or existing CISOs to invest in this book. I would also recommend that universities who are attempting to prepare well-educated cyber professionals for their roles in the Cyber domain to make sure this book, and hopefully subsequent volumes, known to and available for their students. You can’t get much better than a practical, easy to read reference for those times when an answer or validation of a plan would lower one’s stress level and help our corporations, government agencies and our nation as a whole do a better job of protecting assets.
A practical guide for CISOs belongs on the desk of every Chief Information Security Officer and wannabe.
Are you an aspiring, recently hired or promoted CISO looking for the definitive how-to guide for your position? Look no further. An experienced CISO along with two security subject matter experts have authored a comprehensive modern day text — ‘CISO Desk Reference Guide: A practical guide for CISOs‘ — which covers risk management, compliance, audit, IT security disciplines, cybersecurity extending to IoT (internet of things) devices, cyber insurance, staffing, board concerns, and everything in between.
The three authors — Bill Bonney, Gary Hayslip, and Matt Stamper — state their decision to write the book came from the shared realization that the dramatic escalation in cyber threats was not going to peak any time soon. A recent report from Cybersecurity Ventures aligns with their thinking — and predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion last year.
(Disclaimer: Steve Morgan is founder and CEO of Cybersecurity Ventures.)
Hayslip brings direct CISO experience to the book. He is deputy director, CISO for the City of San Diego, Calif. — which has more than 1.37 million people, and is the eighth largest city in the United States and the second largest in its home state. He advises the City of San Diego’s executive leadership consisting of Mayoral, City Council, and 40+ city departments and agencies on protecting city government information resources. Hayslip oversees citywide cyber security strategy and the enterprise cyber security program, cyber operations, compliance and risk assessment services.
The CISO Desk Reference Guide is suitable material for security chiefs at Fortune 500, global 2000, and mid-sized corporations, as well as security leaders at U.S. federal agencies, state and local governments, universities, and non-profits. CIOs and senior IT staff at small to mid-sized firms with and without CISOs will also benefit from the soup-to-nuts security guidance found in the book.
The rubber hits the road in chapter 2, which covers regulatory, compliance and audit – a particularly gnarly topic which leaves many new CISOs wondering where to begin. The authors explain what regulatory requirements are, how to engage with auditors, and how to make audits effective. The chapter also speaks to legislation, which is changing cybersecurity… not something immediately obvious to most CISOs.
A severe cybersecurity workforce shortage has left CISOs and corporate IT security teams shorthanded and scrambling for talent while the cyber attacks are intensifying, according to the recent Cybersecurity Ventures report. Corporations are responding by placing some or all of their IT security into the hands of third parties. The IT security outsourcing segment recorded the fastest growth (25 percent) out of the entire cybersecurity market last year, according to Gartner. Outsourcing security introduces a whole new risk for enterprises — choosing the right third party which has the cyber defenders, cyber operations, and security platforms to effectively combat an increasingly hostile threatscape. The CISO Desk Reference Guide devotes an entire chapter to third-party risk — including eight risk factors to assess with vendors including:
- Operational Risk
- Privacy Risk
- Reputation Risk
- Security Risk
- Regulatory Risk
- Revenue Risk
- Financial Risk
- Service Risk
A careful read through these eight points in the CISO Desk Reference Guide is sure to make outsourcing any aspect of security a much less risky proposition for CISOs who are leaning in that direction.
The book is worth its weight in gold for Hayslip’s overview on Cybersecurity Tools and Techniques. He shares that if there’s one thing he has learned as a CISO, it’s that if you want to be effective you must work to build trust with the organization’s stakeholders and make the case that cybersecurity is a value proposition, a service that all business channels should leverage to be competitive. Then he dives into what readers have been waiting for — an experienced CISO’s recommendations around security policy, incident response, data back-up, security awareness training for employees, patch management, anti-virus and malware protection software, vulnerability scanning, desktop encryption, wireless network security testing, email security, and more.
There’s still 10 days left until the end of summer 2016… so it’s not too late to make the CISO Desk Reference Guide your summer read.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Every profession has desk references that practitioners can use as go-to guides for tactical information. For information security professionals, CISOs and those on the CISO track, the
CISO Desk Reference Guide: A Practical Guide for CISOs is an excellent example of such a guide.
While the classic prepare 3 envelopes joke revolves around CEOs, it’s quite appropriate for a CISOs as well. For many, their career path is a slow and steady one whereby they deliberately progress toward attaining that role. For others, who quickly obtain the role due to a major security breach, envelope #3 must often be opened immediately.
In the CISO Desk Reference Guide: A Practical Guide for CISOs (CISO DRG 978-0997744118), authors Bill Bonney, Gary Hayslip and Matt Stamper have written a tactical guide that can help the soon-to-be or new CISO get up and running. Each of the three has been in the information security space for decades, and all of them bring their experience from the trenches to every chapter.
For CISOs who find themselves in that position, they’ve entered it as a key entity in an organization. For those who have come into the role suddenly, it’s important to note that poor information security controls can bring an organization to its knees. In the book, the authors share their knowledge and provide real-world experience, showing current CISOs – and security managers with aspirations to be – how to function most effectively in the CISO role.
A recurrent problem for books with multiple authors is that the end result often lacks consistency and is simply a collection of different essays without a unifying theme. The authors here do an admirable job of avoiding that. Each chapter is clearly identified by who the specific author is. A benefit to the approach here is that each of the authors brings his specific style to information security, such that the reader ends up with a broad and multifaceted methodology on the topic.
The nine chapters in the book cover the entire range of the information security lifecycle; from regulatory issues to data classification, reporting to the board, tools, policies and more. The three authors are battle-tested professionals with real-life expertise that they bring to every chapter.
The previous point is not a trivial one as information security is not monolithic. There is certainly no single way to do information security. By learning the topic from the best and the brightest, information security practitioners and CISO-hopefuls can ensure they will ultimately be successful in their endeavors.
As mentioned above, many books with multiple authors suffer from a lack of consistency and message. This book doesn’t suffer from that. And in fact, each author brings a slightly different approach to the various topics. This is an important point, as there is certainly no one size fits all when it comes to information security.
Of course, an effective CISO can’t rely on any single book. And if they tried, that book would need to be about 2,500 pages long. But for those looking for a go-to reference when the CxO urgently calls, it would be a good idea for any information security professional to have a copy of the CISO Desk Reference Guide handy. It’s an excellent desktop reference – and an indispensable one, at that.
The CISO Desk Reference Guide: A Practical Guide for CISOs is an excellent desk reference that information security professionals, from managers to CISOs, will find of value. It’s full of practical, real-world experience and sage advice, making it an excellent candidate for the Cybersecurity Canon.
Praise for the Book
“CISO Desk Reference Guide is a one-of-a-kind reference – well-structured that should be easily understood by techies and non-techies alike (especially the finance and legal types – who probably need this more than the CISOs). Great work!”
RADM (Ret) Kenneth D. Slaght
Co-Chair and President
Cyber Center Of Excellence
“I strongly recommend this unique, applicable, and much needed CISO guide. The three authors, all proven CISOs as well as leaders, have taken a very unique approach to creating the CISO Desk Reference Guide, tackling real world issues, but not by each taking a section and sharing their knowledge, but by all three providing relevant input on each topic. Their differences in viewpoints, experience, and writing styles provide more than a single perspective or solution; they provide a rich and diverse foundation for the reader to process information and draw conclusions that best meet their needs, honing critical thinking!
I recommend this book for experienced CISOs who want fresh thinking on current topics, new CISOs who want to learn from the best, or others in information security and risk management who desire a greater foundation on the complex world of CISOs.”
Chief Information Security Officer
“This is an excellent desk reference for new and established CISOs who are increasingly challenged by advancing threats, standards, and regulations. The organization of the book, where each of the three authors provide their own thoughts on many important topics, illustrates the fact that the challenges faced by CISO don’t have single, pat answers. Readers can consider the book to be written mentorship by three active CISOs.”
Peter H Gregory
Executive Director, National Security Advisory Firm
“Essential reading for both aspiring and incumbent Chief Information Security Officers, the CISO Desk Reference Guide fills a critical gap in the information security common body of knowledge.
The Chief Information Security Officer has emerged as a key role in forward-thinking organizations that are keenly aware of the existential threat that cyber risks now pose. The authors of the CISO Desk Reference Guide grasp that reality and use their many years of experience to provide a ton of practical advice about how to function effectively in this role.
The unique multi-author approach of the CISO Desk Reference Guide has produced a wealth of insight into the complex and challenging role of Chief Information Security Officer, a role that increasingly anchors organizational risk management in all things cyber and digital.
From the excellent discussion of the evolving CISO role and how best to embed it in the organization, to fundamentals like data classification and controls, to advice on tools and techniques, the CISO Desk Reference Guide delivers multiple perspectives on the foundations of organizational cybersecurity.
I wholeheartedly recommend the CISO Desk Reference Guide to anyone who is or wants to become a Chief Information Security Officer.”
Stephen Cobb, CISSP
Senior Security Researcher, ESET North America.
“The CISO Desk Reference Guide” is a useful tool written with a unique tri-perspective of three authors. The diversity in perspectives is powerful in that it demonstrates there is never just one solution to any situation, yet it provides great examples and things to ponder for the reader.”
Former Vice President of Audit
“The field of Information Security & compliance is complex at the very least. And the job of “CISO” still a mystery to most boards and CEO’s. However, three icons in the cybersecurity community, Bill Bonney, Gary Hayslip, and Matt Stamper took a very complex subject matter and through the use of what they call “Tri-Perspective” take on each practical subject matter, and truly makes it a “CISO’s Desk Reference Guide”! The call to action with the five immediate “Next Steps”. Will be a great comfort to those new CISO’s that walk into the job the first day, “with a deer in headlights mentality”! Not because they are not qualified but because the job of CISO, in most companies is still being defined. And this desk reference book will be a great resource for the CEO, Board and CISO.”
David W. Rooker, CISSP
Chief Information Security Officer
“Bill Bonney, Gary Hayslip and Matt Stamper have managed to successfully explain the role of the CISO and have provided insights and straightforward, practical suggestions for strengthening your cybersecurity programs. This book should be required reading for every CISO or those aspiring to become one.
The best book ever written on the role of a modern day CISO. Ground breaking with insights and advice on every page, The CISO Desk Reference Guide is a major contribution to the industry.”
Founder of Cyber Security Capital, Board Advisor ClubCISO
“…The book is unique, as the reader gets the opinion on each topic from the three authors independently. For the reader, it’s like having a private conversation with experts in the field on the readers’ timeline … in short, when really needed….
Frequently, though experts are supportive of the need for standards and the fact that having some are very helpful, they often express dismay that standards are blind to context … this book is exactly what is needed to take that challenge head-on.” (read Dr. Callahan’s extensive review here)
Winnie Callahan, EdD
Director, University of San Diego Center for Cyber Security Engineering and Technology
“This is a fantastic resource for every security professional seeking to improve their skills and their careers. The structure of the guide works extremely well for readers who want a deep-dive and those who are seeking just the answers or a quick refresher with the key points at the end of each chapter. It’s rare to find a treasure trove of knowledge like this. I look forward to Volume 2.”
Chief Information Security Officer
“Tremendous value. Insightful and impactful for any organization, any executive and any board. Ties the criticality of managing risk to the need to be a part of the core business in a mature and commonsense way. This should help organizations futureproof their business with concepts and frameworks that are relevant today and for tomorrow.”
Vice President, 30+ year industry veteran and board member of the Workforce Institute