- ISBN: 9780849379437 | 0849379431
- Cover: Hardcover
- Copyright: 12/22/2007
CISO Leadership: Essential Principles for Successprovides the guidance needed to become a successful executive-level computer security manager. Individuals possessing technical skills and experience often lack the managerial skills needed, such as leadership, team-building, communication, and risk assessment skills, as well as corporate business savvy. Written by experienced security professionals, and including interviews with successful CISOs, this work describes the real-world management skills needed by aspiring senior security executives. This unique text is a valuable reference for IT professionals, students and executives already in or working toward management positions.
| Preface | p. xvii |
| About the Editors | p. xix |
| Contributors | p. xxi |
| Acknowledgments | p. xxxiii |
| A Leadership Disconnect | |
| What You Told Us: A CISO Survey | p. 3 |
| Overview | p. 3 |
| Survey Population | p. 4 |
| The CISO/CSO Title | p. 5 |
| Security Leadership Themes | p. 6 |
| Reporting Relationships | p. 7 |
| Business Acumen | p. 10 |
| Obtaining Budget | p. 10 |
| Management Commitment | p. 11 |
| Organizational Structure | p. 12 |
| Teamwork | p. 13 |
| Impact of Standards and Regulations | p. 13 |
| Information Security Perception: Strategic or Tactical? | p. 15 |
| Leading Change | p. 16 |
| Technical Knowledge | p. 16 |
| Influencing | p. 17 |
| Organizational Culture | p. 18 |
| Maturity of Information Security Field | p. 20 |
| Impact of Audits | p. 20 |
| End User Security Acceptance | p. 20 |
| Organizational Awareness | p. 20 |
| Functions Supported by Security Leader | p. 21 |
| Participation on Committees | p. 22 |
| Dealing with Different and Difficult People | p. 23 |
| Successes and Failures | p. 24 |
| Demographics | p. 24 |
| Summary | p. 26 |
| Recap | p. 26 |
| References | p. 27 |
| A Leadership Mandate | |
| Who Companies Really Want to Hire: How to Advance Your Career and Have Great Success | p. 31 |
| Operational Risk | p. 32 |
| Importance for Information Security Executives | p. 33 |
| Insider's View: What Companies Want | p. 33 |
| The Requirements | p. 34 |
| The Unwritten Requirements: There's More to the Job than the Job Description | p. 34 |
| Soft Skills | p. 35 |
| Communication Skills | p. 35 |
| Desirable Personal Attributes | p. 35 |
| Collaboration Is the Key | p. 36 |
| Managing by Influence | p. 37 |
| Articulating Business Value | p. 37 |
| Execution: The Ability to Get Things Done | p. 37 |
| Breaking the Glass Ceiling | p. 37 |
| Building a Team | p. 38 |
| Personal Career Advancement | p. 39 |
| Networking | p. 40 |
| Soul Searching | p. 40 |
| Recap | p. 41 |
| The Evolving Information Security Landscape | p. 43 |
| Where Security Came From | p. 43 |
| Current Status | p. 45 |
| What's in a Name? | p. 46 |
| Career Model (Milestones) | p. 46 |
| Qualification | p. 47 |
| Summary and Observations | p. 49 |
| The Future | p. 50 |
| Notes | p. 50 |
| Business Drivers for Information Security | p. 51 |
| Characteristics | p. 53 |
| Business Principles | p. 56 |
| Objectives and Priorities | p. 57 |
| Operating Modes | p. 58 |
| Environment and Constraints | p. 60 |
| Recap | p. 62 |
| Security as a Business Function | p. 63 |
| Organizational Structure | p. 63 |
| Culture | p. 64 |
| Organizational Placement | p. 65 |
| Correction Strategies for Organizational Placement | p. 66 |
| Functions of a Security Program | p. 67 |
| Plan | p. 68 |
| Build | p. 68 |
| Policy Framework | p. 68 |
| Processes | p. 70 |
| Tools | p. 71 |
| Run | p. 71 |
| Assessment Function | p. 71 |
| Consulting Functions | p. 72 |
| Operations | p. 72 |
| Internal Business Functions | p. 72 |
| Security Awareness and the Marketing of Security | p. 73 |
| Top Management Involvement | p. 73 |
| Risk Management | p. 73 |
| Leveraging the Industry | p. 74 |
| Final Business Function Thoughts | p. 75 |
| Security Leadership | p. 77 |
| Chicken Little | p. 78 |
| ...By the Company You Keep | p. 78 |
| Storytelling | p. 79 |
| Are You Having Fun? | p. 79 |
| Setting Yourself up for Success | p. 80 |
| How Is Your Performance Rated? | p. 82 |
| Professionalism | p. 85 |
| When Is It Time to Move on? | p. 88 |
| Three Envelopes | p. 88 |
| Jump the Shark | p. 89 |
| Recap | p. 89 |
| Note | p. 90 |
| The Public Sector CISO: Life in the Fishbowl | p. 91 |
| Introduction | p. 91 |
| The Regulatory Environment for Today's Federal CISO | p. 92 |
| Impact of FISMA on the Federal CISO | p. 94 |
| Other Legislation and Policies That Impact the Federal CISO | p. 95 |
| Resource Constraints | p. 95 |
| Public Oversight | p. 98 |
| Different Threat Environments | p. 99 |
| Conclusion | p. 100 |
| Notes | p. 100 |
| A Leadership Evolution | |
| A CISO Introspection | p. 105 |
| Why Did You Enter the Security Field? | p. 105 |
| What Personal Experiences Can You Share to Help Our Readers? | p. 105 |
| What Skills Are Required for a Successful Chief Security Officer? | p. 106 |
| How Does a CISO Acquire Business Acumen? Especially if He or She Grew up in the Technology Field? | p. 106 |
| What Can the CISO Do to Improve Working Relations with the Business? How Do We Get the Business Receptive to Security? | p. 107 |
| How Do You Sell Security to an Organization? | p. 107 |
| At What Level in the Organization Should a CISO Report? | p. 107 |
| Skills, Competencies, Information to Successfully Present to the Board? | p. 108 |
| If You Were to Groom a New CISO, What Type of Individual Would You Be Looking at? | p. 108 |
| What Do You See as the Toughest Challenges Facing Today's CISO? | p. 108 |
| How Do Organizational Cultures Impact Security? | p. 109 |
| What Is the Value of Certifications? | p. 109 |
| How Does a CISO Know He or She Is Successful? | p. 109 |
| When Is It Time to Leave a Security Job? | p. 110 |
| How to Survive Crises? | p. 110 |
| What's Next for the CISO? | p. 110 |
| How Savvy Are You? Can You Get What You Want? | p. 111 |
| The Un-Savvy | p. 112 |
| The Savvy | p. 112 |
| The Savvy Seekers | p. 113 |
| What Is Savvy? | p. 113 |
| Workplace Savvy | p. 114 |
| Power and Influence | p. 115 |
| The Twelve Savvy Questions | p. 115 |
| Key Savvy Behaviors | p. 116 |
| The Savvy Profile | p. 118 |
| The Eight Components | p. 118 |
| Recap | p. 120 |
| Why and How Assessment of Organization Culture Should Shape Security Strategies | p. 123 |
| Why Be Concerned with Organization Culture? | p. 123 |
| Learning to Be Secure: Some Theory | p. 124 |
| So What? | p. 125 |
| The Requirements of Assessment | p. 126 |
| Selling the Assessment | p. 127 |
| Selling Yourself | p. 127 |
| Soliciting Feedback | p. 127 |
| Selling the Organization | p. 128 |
| Choosing Assessment Methods | p. 129 |
| Potential Barriers | p. 129 |
| Interviewing | p. 130 |
| Interview Protocol | p. 131 |
| Selecting Interview Subjects | p. 131 |
| Interview Structure | p. 132 |
| Assessment by Way of Surveys | p. 132 |
| The Survey Instrument | p. 133 |
| Developing Your Own Survey Instrument | p. 133 |
| Tutorial on Developing and Interpreting Survey Items | p. 134 |
| The Survey Protocol | p. 134 |
| Interpreting Results | p. 135 |
| A Classification System for Organizational Cultures | p. 135 |
| The Organization Imperative | p. 136 |
| The Psychological Contract: The Heart of the Culture | p. 137 |
| Vertical, Horizontal, and Blended Cultural Archetypes | p. 138 |
| The Vertical Archetype | p. 139 |
| The Horizontal Archetypes | p. 139 |
| Archetypes in the Middle | p. 140 |
| Not Only What, but How Well | p. 141 |
| Linking Strategy to Culture | p. 142 |
| Presenting Assessment Results | p. 145 |
| Focus on Strategy | p. 145 |
| If They Really Need to Know | p. 145 |
| Some Final Thoughts on Culture | p. 145 |
| Recap | p. 147 |
| Note | p. 147 |
| References | p. 148 |
| Selling Information Security | p. 151 |
| What Is a Chief Information Security Officer (CISO)? | p. 151 |
| Believe in Your Product! | p. 152 |
| Stay Visible! | p. 153 |
| Communicate at the Executive Level | p. 154 |
| Starting at the Top: The Chief Executive Officer | p. 154 |
| How Can I Possibly Influence the Chief Financial Officer? | p. 155 |
| The Business Line President: A Must-Have Ally | p. 155 |
| General Counsel: Can This Be a Win? | p. 156 |
| Chief Information Officer: A Natural Ally? | p. 156 |
| Internal Audit: A Symbiotic Relationship | p. 157 |
| Manage through Influence | p. 157 |
| Organizational Structure | p. 158 |
| Matrix Organization | p. 158 |
| Communications in a Matrix Environment | p. 159 |
| Line Organization | p. 159 |
| Legal Responsibility | p. 160 |
| International Management | p. 160 |
| Third-Party Risk Management | p. 161 |
| Recap | p. 162 |
| The Importance of an IT Security Strategy | p. 163 |
| Strategic IT Security | p. 163 |
| Know Your Threats | p. 164 |
| Determine Your Vulnerabilities | p. 165 |
| Avoid Techno-Babble: Talk in Business Terms | p. 167 |
| Whose Plan Is IT? | p. 167 |
| Implementing Your Strategy | p. 168 |
| Recap | p. 168 |
| Extending the Enterprise's Governance Program to Information Risks | p. 171 |
| Background | p. 171 |
| Security Governance | p. 172 |
| Putting Theory into Practice | p. 174 |
| Identification of Enterprise-Level Risks (ENT[subscript RISK]) | p. 174 |
| Assignment of Risk Management Responsibilities | p. 175 |
| Implement Appropriate and Reasonable Controls to Manage the Risk | p. 175 |
| Recap | p. 177 |
| Note | p. 177 |
| Building Management Commitment through Security Councils | p. 179 |
| Establishing the Security Council | p. 180 |
| Appropriate Security Council Representation | p. 182 |
| "Ing'ing" the Council: Forming, Storming, Norming, and Performing | p. 184 |
| Integration with Other Committees | p. 186 |
| Establish Early, Incremental Success | p. 187 |
| Let Go of Perfectionism | p. 187 |
| Sustaining the Security Council | p. 189 |
| End-User Awareness | p. 189 |
| Final Thoughts | p. 191 |
| Recap | p. 191 |
| Measuring Security | p. 193 |
| Introduction | p. 193 |
| Why Do We Not Measure? | p. 194 |
| What Can We Not Measure? | p. 194 |
| "Enterprise Security" | p. 194 |
| Trust | p. 194 |
| Single Systems | p. 195 |
| Cost of Losses | p. 195 |
| What Can We Measure? | p. 195 |
| State | p. 195 |
| Populations of Systems | p. 196 |
| Compliance | p. 196 |
| Service | p. 197 |
| Risk | p. 197 |
| Risk Acceptance | p. 197 |
| Attack Traffic | p. 198 |
| Resistance to Attack | p. 198 |
| Spending | p. 199 |
| Availability | p. 200 |
| Responsiveness | p. 200 |
| Customer Satisfaction | p. 201 |
| Progress | p. 201 |
| Measuring the Security Program | p. 201 |
| Plan | p. 201 |
| Budget | p. 201 |
| Constituent Expectations | p. 202 |
| Peers | p. 202 |
| Industry Practice | p. 202 |
| "Best" Practice | p. 202 |
| How and Where to Start | p. 202 |
| Identify Targets of Reports | p. 203 |
| Require Responsible Managers to Report | p. 203 |
| Report | p. 203 |
| Automate | p. 203 |
| Budget | p. 204 |
| Assess and Iterate | p. 204 |
| Measuring for the CEO and the Board | p. 204 |
| Damage to Brand | p. 205 |
| Employee Awareness and Morale | p. 205 |
| Damage to Competitive Position | p. 205 |
| Material Impact on the Bottom Line | p. 205 |
| Legal, Contractual, and Regulatory Compliance | p. 205 |
| Effectiveness and Efficiency of Security Programs and Measures | p. 206 |
| Changes to Threats, Attacks, and Vulnerabilities | p. 206 |
| Changes in Posture since Last Report | p. 206 |
| Final Thoughts | p. 206 |
| Recap | p. 207 |
| Notes | p. 208 |
| Privacy, Ethics, and Business | p. 209 |
| Businesses Need to Have a Conscience | p. 209 |
| Embarrass a Person to Win a Prize! | p. 210 |
| Aren't Teddies Fair Game? | p. 211 |
| Even if It Isn't Illegal, Actions Perceived as Unethical Hurt Business | p. 212 |
| Greed Is Good? | p. 212 |
| Computer Ethics Origins | p. 213 |
| 1940s and 1950s | p. 213 |
| 1960s | p. 214 |
| 1970s | p. 214 |
| 1980s | p. 215 |
| 1990s | p. 215 |
| Regulatory Requirements for Ethics Programs | p. 215 |
| Computing Ethics | p. 217 |
| Ethical Decision Making | p. 218 |
| Know the Law | p. 218 |
| Follow Policies and Guidelines | p. 219 |
| Examine the Ethical Principles | p. 219 |
| Deontology | p. 220 |
| Consequentialism | p. 220 |
| Categorical Imperative | p. 221 |
| Stakeholders | p. 221 |
| High-Level Steps for Integrating Ethics into Business | p. 222 |
| Example Topics in Computing Ethics | p. 222 |
| Computers in the Workplace | p. 222 |
| Computer Crime | p. 223 |
| Privacy and Anonymity | p. 223 |
| Intellectual Property | p. 223 |
| Professional Responsibility | p. 223 |
| Globalization | p. 224 |
| Recap | p. 224 |
| Notes | p. 225 |
| Leading through a Crisis: How Not to Conduct a Security Investigation | p. 227 |
| The Phone Call | p. 227 |
| How Not to Conduct an Internal Investigation | p. 228 |
| What Mistakes Do Companies Make in Responding to Incidents? | p. 228 |
| The First Step: Know You Have a Problem | p. 228 |
| The Next Steps | p. 229 |
| Determine Goals and Objectives | p. 229 |
| What Triggered the Internal Investigation? | p. 229 |
| The Nature of the Evidence | p. 229 |
| Special Problems with Smut | p. 230 |
| Retain Yourself | p. 231 |
| Dramatis Persona | p. 231 |
| Legal | p. 231 |
| IT Department | p. 232 |
| HR Department | p. 233 |
| Outside Investigators | p. 234 |
| Recap | p. 235 |
| Notes | p. 235 |
| Security Pitfalls | p. 237 |
| Executive Meeting, Failure to Prepare Adequately | p. 238 |
| Completely Relying on Security Vendors | p. 239 |
| Even Security Departments Are Not above Company Policy | p. 239 |
| Acquiring Tools to Solve the Problem | p. 240 |
| Developing Security Policies without Management Buy-In | p. 241 |
| Solving It All, Today | p. 242 |
| Implementing Technology before It Is Ready for Prime Time | p. 242 |
| Making Your Own Manager Security-Aware | p. 243 |
| Fight Hard for External Security Program Reviews | p. 243 |
| Prioritize According to Business Priorities versus Best Practice Orientation | p. 244 |
| Executives Accepting Risk | p. 244 |
| Security Awareness Programs Should Not Be Boring | p. 245 |
| Trust, but Verify | p. 246 |
| Treating a Business Project Like a Technology One | p. 246 |
| External Client Relationships | p. 247 |
| Just Say "No" | p. 247 |
| Combining Security Operations with Security Oversight and Strategy | p. 247 |
| Reacting to Security Incidents in a Timely Manner | p. 248 |
| Summary | p. 248 |
| Security Leader Horizon Issues: What the Future Holds | p. 251 |
| Future Management Issues | p. 252 |
| Future Operations Issues | p. 254 |
| Future Technology Issues | p. 256 |
| Index | p. 265 |
| Table of Contents provided by Ingram. All Rights Reserved. |
What is included with this book?
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Please wait while the item is added to your bag...
