The order of the essays within each chapter of Volume 1 follows the arc of our authors’ differing backgrounds and perspectives. Bill’s essays lead off each chapter and provide a high-level perspective that reflects his background in the finance industry and the structured governance that comes with working in a highly regulated industry. Matt’s essays come next and his perspective on providing services to many customers simultaneously provides insight into a highly programmatic approach. Gary’s essays finish each chapter and his vast experience in the trenches as a hands-on cyber expert provides the reader with a treasure trove of lists and lessons that they can repeatedly reference.
The different perspectives can be used as standalone refreshers and the five immediate next steps for each chapter give the reader a robust set of 45 actions based on roughly 100 years of relevant experience that will help you strengthen your cybersecurity programs. In the conclusion of this book we provide contact information and encourage you to join the community of CISOs who use these resources. We also encourage you to provide us with feedback about the guidance and about our tri-perspective approach to this book. We hope you like it.
Excerpts
CISO DRG Vol 1: Chapter 1 – The CISO
Introduction
Where and to Whom Should the CISO Report? We begin our book with one of the most basic and fundamental issues facing cybersecurity today, namely the reporting structure for CISOs. As our authors will note, this reporting structure has a tremendous impact...
CISO DRG Vol 1: Chapter 2 – Regulatory, Requirements, and Audit
Introduction
How Do Regulations, Frameworks, and Standards Impact Cybersecurity and Audit Practices? In this chapter, we review strategies and techniques to assess and address the seemingly infinite number of regulations and standards that impact cybersecurity...
CISO DRG Vol 1: Chapter 3 – How Data and Information Classification Influence the Role of the CISO
Introduction
There are few topics more critical in cybersecurity than the establishment of proper data classification and protection programs within an organization. For many organizations, data and information are their most valuable assets, the new currency in the...
CISO DRG Vol 1: Chapter 4 – Third-Party Risk
Introduction
In Chapter 4 we turn our focus to third-party risk. You could say that the first half of this decade was the dawn of a new era of third-party risk in cybersecurity. Edward Snowden was an independent contractor when he expropriated and disseminated a trove...
CISO DRG Vol 1: Chapter 5 – Measurement and Reporting
Introduction
In Chapter 5 we look at how to create a metrics program that will help you measure the performance of your entire organization and determine what to report to your management and your board of directors. Each of the authors has a bias toward objective...
CISO DRG Vol 1: Chapter 6 – Management and the Board
Introduction
In Chapter 6 we turn to our interactions, as CISOs, with our management and our board of directors. As we note, there is a heightened awareness of cybersecurity within both the senior management team (what we often refer to in this book as the “C-suite”)...
CISO DRG Vol 1: Chapter 7 – Risk Management and Cyber Liability Insurance
Introduction
In this chapter, we will talk about the one fundamental issue that drives most CISOs and influences how they create and manage their security programs. That issue is risk. Our authors will note that there are numerous types of risk facing an organization...
CISO DRG Vol 1: Chapter 8 – Tools and Techniques
Introduction
In Chapter 8, we discuss our views on tools and techniques that the CISO can use to validate an organization’s security controls. Each of us provides guidance on how we have used specific tools and techniques and will examine the importance of...
CISO DRG Vol 1: Chapter 9 – Security Policy
Introduction
In our last chapter, we review one of the core topics that all security and risk mitigation operations revolve around – the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain the requirements...
Dr. Winnie Callahan Review
Review of the book: CISO: Desk Reference Guide
A Practical Guide for CISOs
Publisher: DRG Joint Venture Publishing, 2016
Authors: Bill Bonney, Gary Hayslip, Matt Stamper
By:
Winnie Callahan, EdD
Director, University of San Diego Center for Cyber Security Engineering and Technology
The book, CISO: Desk Reference Guide; A Practical Guide for CISOs is an amazing effort to assist new CISOs or CISOs in mid-size companies to better understand their respective roles, but it actually provides a plethora of in-depth “how tos” and “whys” from the vast wealth of experiences enjoyed by the three authors.
The book is easy to read and is divided into nine distinct chapters, each addressing a major issue, concern or responsibility inherent to the role of a CISO. It is not a directive nor is it a textbook designed to provide the reader with a credential. Rather it is exactly what a CISO needs when confronted with the day-to-day demands placed upon the person brave enough to try to fill some extraordinarily large shoes: the person expected to have a super technical background, but who must also understand cybersecurity, laws and policies, have a clear focus on regulations, be a proven leader and also be a “great communicator” to the CEO and often to a Board of Directors as well. (Perhaps when a CISO is hired and/or appointed, one should also receive a Superman costume … He or she just may need it.)
Realistically, the Superman attire is less likely to be necessary with this volume of guidelines, concrete examples and a concise summary of such valuable information as the NIST framework and the SANS descriptors for handling risk, as examples.
The book is unique, as the reader gets the opinion on each topic from the three authors independently. For the reader, it’s like having a private conversation with experts in the field on the reader’s timeline … in short, when really needed. (This could be during business hours, over the weekend or during the “heat of a crisis.”)
The layout of the book follows closely the rules of public relations: tell the public what you’re going to tell them, then tell them more than once using different techniques and then summarize what you told them. The book also invites contact with the author(s) if you still need more clarity. What a deal!
Each chapter has an introduction, then three different opinions on the topic, one by each author from a “different experience perspective.” Each chapter is rich in explanation, many with charts and graphs. And each chapter concludes with a summary of what the chapter provided.
Whether you’re trying to understand your role better, figure out how to develop policies to ensure the protections your organization requires, desperately need to review the NIST Incident Response Guide, or just validate some steps you plan to take in working with your leadership team, this guide truly has it all.
One of the major criticisms often voiced regarding standards and regulations is that “one size does not fit all.” Frequently, though experts are supportive of the need for standards and the fact that having some is very helpful, they often express dismay that standards are blind to context … this book is exactly what is needed to take that challenge head-on. Again, three differing opinions from three different perspectives reflecting the best and worst of the issues most CISOs encounter … only the type of environment is different and thus, the approach and needs to solve and address the issues will no doubt vary.
As this review concludes, it is important to state that the Appendix at the end of Chapter Nine on Policy is, even as a stand-alone, incredibly valuable as it exemplifies different types of policies. The reader will also find the Bibliography of great value if wanting to dig more in depth on a given topic. Though the subject is dynamic and fits into the category of “always changing,” the basics of the observations and lessons learned will NOT lose their value to the practicing professional. At the least, it helps clarify the thought processes and the potential evolution to any new applications that will be evident in the future.
In closing, I would encourage those aspiring and/or existing CISOs to invest in this book. I would also recommend that universities who are attempting to prepare well-educated cyber professionals for their roles in the Cyber domain make sure this book, and hopefully subsequent volumes, is known to and available for their students. You can’t get much better than a practical, easy-to-read reference for those times when an answer or validation of a plan would lower one’s stress level and help our corporations, government agencies and our nation as a whole do a better job of protecting assets.
Praise for the Book
“CISO Desk Reference Guide is a one-of-a-kind reference – well-structured, and it should be easily understood by techies and non-techies alike (especially the finance and legal types – who probably need this more than the CISOs). Great work!”
RADM (Ret) Kenneth D. Slaght
Co-Chair and President
Cyber Center Of Excellence
“I strongly recommend this unique, applicable, and much needed CISO guide. The three authors, all proven CISOs as well as leaders, have taken a very unique approach to creating the CISO Desk Reference Guide, tackling real world issues, but not by each taking a section and sharing their knowledge, but by all three providing relevant input on each topic. Their differences in viewpoints, experience, and writing styles provide more than a single perspective or solution; they provide a rich and diverse foundation for the reader to process information and draw conclusions that best meet their needs, honing critical thinking!
I recommend this book for experienced CISOs who want fresh thinking on current topics, new CISOs who want to learn from the best, or others in information security and risk management who desire a greater foundation on the complex world of CISOs.”
Todd Friedman
Chief Information Security Officer
ResMed
“This is an excellent desk reference for new and established CISOs who are increasingly challenged by advancing threats, standards, and regulations. The organization of the book, where each of the three authors provides their own thoughts on many important topics, illustrates the fact that the challenges faced by CISOs don’t have single, pat answers. Readers can consider the book to be written mentorship by three active CISOs.”
Peter H Gregory
Executive Director, National Security Advisory Firm
“Essential reading for both aspiring and incumbent Chief Information Security Officers, the CISO Desk Reference Guide fills a critical gap in the information security common body of knowledge.
The Chief Information Security Officer has emerged as a key role in forward-thinking organizations that are keenly aware of the existential threat that cyber risks now pose. The authors of the CISO Desk Reference Guide grasp that reality and use their many years of experience to provide a ton of practical advice about how to function effectively in this role.
The unique multi-author approach of the CISO Desk Reference Guide has produced a wealth of insight into the complex and challenging role of Chief Information Security Officer, a role that increasingly anchors organizational risk management in all things cyber and digital.
From the excellent discussion of the evolving CISO role and how best to embed it in the organization, to fundamentals like data classification and controls, to advice on tools and techniques, the CISO Desk Reference Guide delivers multiple perspectives on the foundations of organizational cybersecurity.
I wholeheartedly recommend the CISO Desk Reference Guide to anyone who is or wants to become a Chief Information Security Officer.”
Stephen Cobb, CISSP
Senior Security Researcher, ESET North America.
“The CISO Desk Reference Guide is a useful tool written with a unique tri-perspective of three authors. The diversity in perspectives is powerful in that it demonstrates there is never just one solution to any situation, yet it provides great examples and things to ponder for the reader.”
Gabriele Benis
Former Vice President of Audit
Intuit, Inc.
“The field of Information Security & compliance is complex at the very least. And the job of “CISO” is still a mystery to most boards and CEOs. However, three icons in the cybersecurity community, Bill Bonney, Gary Hayslip, and Matt Stamper, took a very complex subject matter and, through the use of what they call a “Tri-Perspective” take on each practical subject, truly made it a “CISO’s Desk Reference Guide”! The call to action with the five immediate “Next Steps” will be a great comfort to those new CISOs that walk into the job the first day “with a deer in headlights mentality”! Not because they are not qualified but because the job of CISO, in most companies, is still being defined. And this desk reference book will be a great resource for the CEO, Board and CISO.”
David W. Rooker, CISSP
Chief Information Security Officer
Actian Corporation
“Bill Bonney, Gary Hayslip and Matt Stamper have managed to successfully explain the role of the CISO and have provided insights and straightforward, practical suggestions for strengthening your cybersecurity programs. This book should be required reading for every CISO or those aspiring to become one.
The best book ever written on the role of a modern-day CISO. Groundbreaking with insights and advice on every page, The CISO Desk Reference Guide is a major contribution to the industry.”
Jane Frankland
Founder of Cyber Security Capital, Board Advisor ClubCISO
“…The book is unique, as the reader gets the opinion on each topic from the three authors independently. For the reader, it’s like having a private conversation with experts in the field on the readers’ timeline … in short, when really needed….
Frequently, though experts are supportive of the need for standards and the fact that having some is very helpful, they often express dismay that standards are blind to context … this book is exactly what is needed to take that challenge head-on.”
Winnie Callahan, EdD
Director, University of San Diego Center for Cyber Security Engineering and Technology
“This is a fantastic resource for every security professional seeking to improve their skills and their careers. The structure of the guide works extremely well for readers who want a deep-dive and those who are seeking just the answers or a quick refresher with the key points at the end of each chapter. It’s rare to find a treasure trove of knowledge like this. I look forward to Volume 2.”
Vickie Miller
Chief Information Security Officer
FICO
“Tremendous value. Insightful and impactful for any organization, any executive and any board. Ties the criticality of managing risk to the need to be a part of the core business in a mature and commonsense way. This should help organizations futureproof their business with concepts and frameworks that are relevant today and for tomorrow.”
Mark Wales
Vice President, 30+ year industry veteran and board member of the Workforce Institute