I highly recommend, Barak Engel's new book, Why CISO's Fail?, if you are a CISO candidate, considering applying for a CISO position, or in the process of hiring a CISO (HR, CEO, COO, President, etc.) this book is a must read
The book provides a reality view that many old Data Automators, as well as business gurus and members of the C-Suite (CEO, CFO, CIO, COO, etc.) can understand and embrace
Mr. Engel provides some tongue-in-cheek comments as well as questions that might be used for the interview of a candidate and questions that a CISO should use when dealing with vendors, including cloud providers and interface organizations (consultants, etc.).He uses his past experiences to provide the background and supporting evidence that led him to his viewpoint and suggestions
Mr. Engel's book focuses on the fact that the CISO failure starts during the hiring process and currently continues throughout the new hires approach to the current and legacy technologies. It appears the job description invariably starts our looking for the Technologist who has a background in data security and continues in that direction.
As with any 'C-level' position, Barak provides the insight into the fact that the CISO needs to be a business oriented person with a deep understanding of the technology and its effects on the business. He reminds the reader that the Information Technologies support the business process. The IT guru deals with data; it provides the resources to entering, manipulate, store and presentation the data. When presented to the business person, the data becomes information.
Barak reminds many of us that the IT environment is a tool. As most IT security folks may tell you, the data security guru has to find all the weaknesses in the application, server and network, while the hacker only needs to find one.
Barak also reminds us that the CISO needs to provide the security program for the enterprise while using the technologies as tools to assist with that security program, whereas, a technology guru as a CISO may prove the Abraham Maslow's statement, He that is good with a hammer tend to think everything is a nail. The threats and weaknesses reside inside as well as outside the organization.
Elsewhere, Barak reminds the C-Suite and the IT guru that the business information is classified by business personnel and needs to be protected by those same folks. As I mentioned in the beginning, I thoroughly recommend this book for the CISO, job candidate and all others in the organization who will work with the CISO.
-- Steve Katzman, CIA, CISA, CRISC, CRMA, CISSP (Retired) and author of Operational Assessment of IT.
I highly recommend, Barak Engel's new book, Why CISO's Fail?, if you are a CISO candidate, considering applying for a CISO position, or in the process of hiring a CISO (HR, CEO, COO, President, etc.) this book is a must read.
The book provides a reality view that many old Data Automators, as well as business gurus and members of the C-Suite (CEO, CFO, CIO, COO, etc.) can understand and embrace.
Mr. Engel provides some tongue-in-cheek comments as well as questions that might be used for the interview of a candidate and questions that a CISO should use when dealing with vendors, including cloud providers and interface organizations (consultants, etc.).He uses his past experiences to provide the background and supporting evidence that led him to his viewpoint and suggestions.
Mr. Engel's book focuses on the fact that the CISO failure starts during the hiring process and currently continues throughout the new hires approach to the current and legacy technologies. It appears the job description invariably starts our looking for the Technologist who has a background in data security and continues in that direction.
As with any 'C-level' position, Barak provides the insight into the fact that the CISO needs to be a business oriented person with a deep understanding of the technology and its effects on the business. He reminds the reader that the Information Technologies support the business process. The IT guru deals with data; it provides the resources to entering, manipulate, store and presentation the data. When presented to the business person, the data becomes information.
Barak reminds many of us that the IT environment is a tool. As most IT security folks may tell you, the data security guru has to find all the weaknesses in the application, server and network, while the hacker only needs to find one.
Barak also reminds us that the CISO needs to provide the security program for the enterprise while using the technologies as tools to assist with that security program, whereas, a technology guru as a CISO may prove the Abraham Maslow's statement, He that is good with a hammer tend to think everything is a nail. The threats and weaknesses reside inside as well as outside the organization.
Elsewhere, Barak reminds the C-Suite and the IT guru that the business information is classified by business personnel and needs to be protected by those same folks. As I mentioned in the beginning, I thoroughly recommend this book for the CISO, job candidate and all others in the organization who will work with the CISO.
-- Steve Katzman, CIA, CISA, CRISC, CRMA, CISSP (Retired) and author of Operational Assessment of IT.
