
The CISO Handbook
A practical guide to securing your company
by Mike Gentile, Ron Collette and Tom August
Auerbach Publications, 2006
ISBN: 0-8493-1952-8
~US$60 from Amazon
Summary
This is a well-written practical guide to building and delivering an information security improvement programme. Presenting sage advice in a consistent manner, the book is a helpful primer for the person tasked by management with ‘fixing information security’.
Authors
The book is written by and for those in the front line, not in ivory towers. The three authors each have CISSP and other information security qualifications plus 10 to 20 years’ work experience in information security management, meaning that their advice holds weight. They all combine hands-on with management and/or consulting expertise, meaning that they view information security in a business context.
Scope and purpose
The primary focus of the book is to guide, advise, encourage and support Chief Information Security Officers (or equivalents) working on their information security improvement programmes. It’s a bit like having a personal trainer at the gym: the trainer points out the aims of the training and suggests how the trainee might improve his technique, but the trainee must interpret the advice, internalize it and of course put in the hard work to improve.
The book generally avoids making specific recommendations for particular information security controls. The reader is expected to be able to figure out for himself (perhaps using some of the techniques and checklists presented) what the security improvement projects will actually achieve. Instead, it emphasizes the programme management aspects. This approach is more broadly applicable since each organization’s information security needs differ. There are numerous other books and standards describing best practice security controls, but few address the overall planning.
Content
The overall flow of the book follows the suggested lifecycle of an information security implementation or improvement project:
Assess - identify the drivers or needs for security improvement (e.g. risks, legal obligations) and the constraints
Plan - obtain management support for the programme, prepare an improvement strategy and build your team
Design - prepare information security policies, conduct a gap analysis and prepare a portfolio of projects
Execute - numerous suggestions to help manage the improvement projects successfully
Report - management reporting.
Each chapter contains a consistent structure with an introduction, some theoretical framing, the ‘guts’ and a conclusion which links to the next chapter. The ‘guts’ reflect the authors’ practical approach, offering pragmatic and helpful guidance to the newly appointed or would-be CISO.
Style
The writing is clear and straightforward, with key messages consistently presented and reinforced throughout the book. There are useful checklists, tables and process flows embedded in the text, although some of the block diagrams seem rather too high-level and pointless (that’s just my personal opinion).
Conclusion
I am currently working with a client to initiate a large information security improvement programme and so enjoyed reading this book cover-to-cover in a few sittings. It was gratifying to find that we are already following the recommended approach with few if any exceptions, and there’s nothing substantial we would quarrel about. Better still, I am glad to have picked up some good tips and look forward to thumbing through this book every month for the next year or so.
Whether you are already a CISO or aspire to become one, I commend this book to you.