CISO Desk Reference Guide

A practical guide for CISOs belongs on the desk of every Chief Information Security Officer and wannabe.


Are you an aspiring, recently hired or newly promoted CISO looking for the definitive how-to guide for your position? Look no further. An experienced CISO along with two security subject matter experts have authored a comprehensive modern-day text -- 'CISO Desk Reference Guide: A practical guide for CISOs' -- which covers risk management, compliance, audit, IT security disciplines, cybersecurity extending to IoT (internet of things) devices, cyber insurance, staffing, board concerns, and everything in between.

The three authors -- Bill Bonney, Gary Hayslip, and Matt Stamper -- state their decision to write the book came from the shared realization that the dramatic escalation in cyber threats was not going to peak any time soon. A recent report from Cybersecurity Ventures aligns with their thinking -- and predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion last year.

(Disclaimer: Steve Morgan is founder and CEO of Cybersecurity Ventures.)

Hayslip brings direct CISO experience to the book. He is deputy director and CISO for the City of San Diego, Calif. -- which has more than 1.37 million people, and is the eighth largest city in the United States and the second largest in its home state. He advises the City of San Diego's executive leadership, consisting of the Mayor's office, the City Council, and 40+ city departments and agencies, on protecting city government information resources. Hayslip oversees citywide cybersecurity strategy and the enterprise cybersecurity program, cyber operations, compliance and risk assessment services.

The CISO Desk Reference Guide is suitable material for security chiefs at Fortune 500, global 2000, and mid-sized corporations, as well as security leaders at U.S. federal agencies, state and local governments, universities, and non-profits. CIOs and senior IT staff at small to mid-sized firms with and without CISOs will also benefit from the soup-to-nuts security guidance found in the book.

The rubber hits the road in chapter 2, which covers regulatory, compliance and audit -- a particularly gnarly topic that leaves many new CISOs wondering where to begin. The authors explain what regulatory requirements are, how to engage with auditors, and how to make audits effective. The chapter also speaks to legislation, which is changing cybersecurity in ways that are not immediately obvious to most CISOs.

A severe cybersecurity workforce shortage has left CISOs and corporate IT security teams shorthanded and scrambling for talent while cyber attacks intensify, according to the recent Cybersecurity Ventures report. Corporations are responding by placing some or all of their IT security into the hands of third parties. The IT security outsourcing segment recorded the fastest growth (25 percent) out of the entire cybersecurity market last year, according to Gartner. Outsourcing security introduces a whole new risk for enterprises -- choosing the right third party, one which has the cyber defenders, cyber operations, and security platforms to effectively combat an increasingly hostile threatscape. The CISO Desk Reference Guide devotes an entire chapter to third-party risk, including eight risk factors to assess with vendors:

  1. Operational Risk
  2. Privacy Risk
  3. Reputation Risk
  4. Security Risk
  5. Regulatory Risk
  6. Revenue Risk
  7. Financial Risk
  8. Service Risk

A careful read through these eight points in the CISO Desk Reference Guide is sure to make outsourcing any aspect of security a much less risky proposition for CISOs who are leaning in that direction.

The book is worth its weight in gold for Hayslip's overview of Cybersecurity Tools and Techniques. He shares that if there's one thing he has learned as a CISO, it's that to be effective you must work to build trust with the organization's stakeholders and make the case that cybersecurity is a value proposition, a service that all business channels should leverage to be competitive. Then he dives into what readers have been waiting for -- an experienced CISO's recommendations around security policy, incident response, data backup, security awareness training for employees, patch management, anti-virus and malware protection software, vulnerability scanning, desktop encryption, wireless network security testing, email security, and more.

There are still 10 days left until the end of summer 2016... so it's not too late to make the CISO Desk Reference Guide your summer read.
