The CISO Handbook: A Practical Guide to Securing Your Company provides unique insights and guidance into designing and implementing an information security program, delivering true value to the stakeholders of a company. The authors present several essential high-level concepts before building a robust framework that will enable you to map the concepts to your company's environment. The book is presented in chapters that follow a consistent methodology - Assess, Plan, Design, Execute, and Report. The first chapter, Assess, identifies the elements that drive the need for infosec programs, enabling you to conduct an analysis of your business and regulatory requirements. Plan discusses how to build the foundation of your program, allowing you to develop an executive mandate, reporting metrics, and an organizational matrix with defined roles and responsibilities. Design demonstrates how to construct the policies and procedures to meet your identified business objectives, explaining how to perform a gap analysis between the existing environment and the desired end-state, define project requirements, and assemble a rough budget. Execute emphasizes the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Report focuses on communicating back to the external and internal stakeholders with information that fits the various audiences. Each chapter begins with an Overview, followed by Foundation Concepts that are critical success factors to understanding the material presented. The chapters also contain a Methodology section that explains the steps necessary to achieve the goals of the particular chapter.

As organizations struggle to implement effective security measures, all too often they focus solely on the tangible elements, such as developing security policies or risk management implementations. While these items are very important, they are only half of the equation necessary to ensure security success. CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives presents tools that empower security practitioners to identify the intangible negative influencers of security that plague most organizations, and provides techniques to identify, minimize, and overcome these pitfalls.

The book begins by explaining how using the wrong criteria to measure security can result in a claim of adequate security when objective assessment demonstrates this not to be the case. The authors instead recommend that organizations measure the success of their efforts using a practical approach that illustrates both the tangible and intangible requirements needed by a healthy security effort.

The middle section discusses the root causes that negatively influence both a CISO and an organization 's ability to truly secure itself. These root causes include:

• Employee apathy
• Employee myopia or tunnel vision
• Employee primacy, often exhibited as office politics
• The infancy of the information security discipline

These chapters explain what a CISO can do about these security constraints, providing numerous practical and actionable exercises, tools, and techniques to identify, limit, and compensate for the influence of security constraints in any type of organization.

The final chapters discuss some proactive techniques that CISOs can utilize to effectively secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that can make a difference in the daily lives of security practitioners.

The CISO Handbook: A Practical Guide to Securing Your Company provides unique insights and guidance into designing and implementing an information security program, delivering true value to the stakeholders of a company. The authors present several essential high-level concepts before building a robust framework that will enable you to map the concepts to your company's environment. The book is presented in chapters that follow a consistent methodology - Assess, Plan, Design, Execute, and Report. The first chapter, Assess, identifies the elements that drive the need for infosec programs, enabling you to conduct an analysis of your business and regulatory requirements. Plan discusses how to build the foundation of your program, allowing you to develop an executive mandate, reporting metrics, and an organizational matrix with defined roles and responsibilities. Design demonstrates how to construct the policies and procedures to meet your identified business objectives, explaining how to perform a gap analysis between the existing environment and the desired end-state, define project requirements, and assemble a rough budget. Execute emphasizes the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Report focuses on communicating back to the external and internal stakeholders with information that fits the various audiences. Each chapter begins with an Overview, followed by Foundation Concepts that are critical success factors to understanding the material presented. The chapters also contain a Methodology section that explains the steps necessary to achieve the goals of the particular chapter.