Why CISOs Fail

Released in 2017, Why CISOs Fail reimagined the role of the Chief Information Security Officer in a new and powerful way. Written to be easily consumable by security pros and by everyone who must deal with them, the book explores the different realms in which security leaders fail to deliver meaningful impact to their organizations, and why this happens. Its central thesis - that security is primarily a human behavioral discipline rather than a technology one - has been gaining increased attention as a core tenet of the field, and the book was ultimately inducted into the Cybersecurity Canon as a leading book on security management.

In this freshly updated edition, Barak Engel adds new sections that correspond with the chapters of the original: security as a discipline; as a business enabler; in sales; in legal; in compliance; in technology; and as an executive function. He explores new ideas in each operational area, providing essential insights into emerging aspects of the discipline. He then proposes two critical concepts for security management - the concept of "digital shrinkage" and the transition from CISO to CI/SO - that together offer a new paradigm for any organization that wants to become truly successful in its security journey.

Why CISOs (Still) Fail is delivered in Barak's conversational, humorous style, which has attracted a global audience to this and his other book, The Security Hippie. As he notes, the book's goal is to entertain as much as to inform, and he dearly hopes that you have fun reading it.

192 pages, Paperback

Published March 7, 2024

About the author

Barak Engel

9 books, 10 followers
Barak is the world's first "virtual CISO" and has authored two cybersecurity books - Why CISOs Fail, a Cybersecurity Canon inductee, now in its 2nd edition - and The Security Hippie, full of real stories from his decades of work in the field.

The Crack in the Crystal, his debut fantasy novel, is slated for release in late 2024. He considers it his most important written work to date.

Barak is a massive fantasy/SF fan, gamer, tabletop and live action role player, and proud dad.

Ratings & Reviews

Community Reviews

5 stars: 1 (14%)
4 stars: 3 (42%)
3 stars: 2 (28%)
2 stars: 1 (14%)
1 star: 0 (0%)
Displaying 1 - 4 of 4 reviews
Ben Rothke
351 reviews, 51 followers
July 17, 2018
A recurring complaint of many executives when berating their CISO is that they’ve spent exorbitant amounts on information security and often don’t have a lot to show for it. In Why CISOs Fail: The Missing Link in Security Management--and How to Fix It, author Barak Engel shows how these executives are at times correct.

Engel has been in the information security field for decades and this is his soliloquy on many of the bigger problems in information security management. At 125 pages, he lays out what is wrong; and he does that with a combination of humor, swagger and polemic. As someone who has significant industry experience, Engel is a voice who should be heard.

Engel makes it clear that his book is not about technology. The role of a CISO he declares is getting away from the technology, and focusing on the security symptoms in the organizations.

As someone who truly understands what information security really is, Engel dismisses security initiatives that don’t advance the state of infosec. For example, he has no patience for the HITRUST Common Security Framework (CSF), which he observes uses an all-or-nothing approach with respect to its interpretation of the HIPAA security and privacy rules. Their approach extends these rules in applying security controls, which Engel sees as not only counterintuitive, but possibly damaging to an enterprise’s security posture. This and other types of check-the-box approach are what the author rails against repeatedly, as a common CISO fail.

An underlying issue Engel notes is that there’s often no long-term career path for many CISOs, and if there was, where would that next step be? He thinks the next step should be the role of the COO. To which he notes that good CISOs will have an operations outlook. By having a business operations background, and in a perfect world an MBA, the CISO can move away from the technology that often is their problem.

This is an enjoyable read and Engel takes a bare-knuckles approach to the topic. Most of the book is spent on what’s wrong in the industry, and he gives numerous real-world examples of his adventures in infosec. Nonetheless, it’s not as prescriptive as I would have liked it to be.

With that, this is a good book that can assist information security professionals, executive management and concerned citizens on starting a reboot of their broken information security programs. A book like this demands a much larger and comprehensive sequel detailing the steps needed to do security management right. Let’s hope Engel is working on that now.
15 reviews, 3 followers
February 11, 2021
The book is ok to read; however, if you work as a CISO, it’s hardly going to be a revelation.

It probably could be boiled down to a blog post or two.

On the positive side, there is some good practical advice here and there, and the author makes a solid effort to keep the book entertaining by sharing a few anecdotes from his career.
200 reviews, 5 followers
November 13, 2017
An absolute must-read if you find yourself responsible for information security. Insightful, thought-provoking, practical, and entertaining.
192 reviews, 2 followers
February 12, 2021
I was using this to cram for a CISO interview at short notice. It helped me focus my messages. It's a short read and points out some things other texts don't clearly address.