Review: The CISO Handbook

The CISO Handbook

A practical guide to securing your company

by Mike Gentile, Ron Collette and Tom August

Auerbach Publications, 2006

ISBN: 0-8493-1952-8

~US$60 from Amazon

Summary

This is a well-written practical guide to building and delivering an information security improvement programme.  Presenting sage advice in a consistent manner, the book is a helpful primer for the person tasked by management with ‘fixing information security’.

Authors

The book is written by and for those in the front line, not in ivory towers.  The three authors each have CISSP and other information security qualifications plus 10 to 20 years’ work experience in information security management, meaning that their advice holds weight.  They all combine hands-on with management and/or consulting expertise, meaning that they view information security in a business context.

Scope and purpose

The primary focus of the book is to guide, advise, encourage and support Chief Information Security Officers (or equivalents) working on their information security improvement programmes.  It’s a bit like having a personal trainer at the gym: the trainer points out the aims of the training and suggests how the trainee might improve his technique, but the trainee must interpret the advice, internalize it and of course put in the hard work to improve.

The book generally avoids making specific recommendations for particular information security controls.  The reader is expected to be able to figure out for himself (perhaps using some of the techniques and checklists presented) what the security improvement projects will actually achieve.  Instead, it emphasizes the programme management aspects.  This approach is more broadly applicable since each organization’s information security needs differ.  There are numerous other books and standards describing best practice security controls, but few address the overall planning.

Content

The overall flow of the book follows the suggested lifecycle of an information security implementation or improvement project:

  1. Assess - identify the drivers or needs for security improvement (e.g. risks, legal obligations) and the constraints
  2. Plan - obtain management support for the programme, prepare an improvement strategy and build your team
  3. Design - prepare information security policies, conduct a gap analysis and prepare a portfolio of projects
  4. Execute - numerous suggestions to help manage the improvement projects successfully
  5. Report - management reporting.

Each chapter follows a consistent structure: an introduction, some theoretical framing, the ‘guts’ and a conclusion which links to the next chapter.  The ‘guts’ reflect the authors’ practical approach, offering pragmatic and helpful guidance to the newly appointed or would-be CISO.

Style

The writing is clear and straightforward, with key messages consistently presented and reinforced throughout the book.  There are useful checklists, tables and process flows embedded in the text although some of the block diagrams seem rather too high-level and pointless (that’s just my personal opinion).

Conclusion

I am currently working with a client to initiate a large information security improvement programme and so enjoyed reading this book cover-to-cover in a few sittings.  It was gratifying to find that we are already following the recommended approach with few if any exceptions, and there’s nothing substantial we would quarrel about.  Better still, I am glad to have picked up some good tips and look forward to thumbing through this book every month for the next year or so. 

Whether you are already a CISO or aspire to becoming one, I commend this book to you. 


Copyright © 2010  IsecT Ltd.