This book serves as an introduction to the world of security and provides insight into why and how current security management practices fail, resulting in overall dissatisfaction among practitioners and a lack of success in the corporate environment. The author examines the reasons and suggests how to fix them. The resulting improvement is highly beneficial to any corporation that chooses to pursue this approach or strategy, from a bottom-line and business operations perspective and not just in technical operations. This book transforms the understanding of the role of the CISO, the selection process for a CISO, and the financial impact that security has on any organization.
Barak is the world's first "virtual CISO" and authored two cyber security books - Why CISOs Fail, a Cybercannon inductee, now in its 2nd edition - and The Security Hippie, full of real stories from his decades of work in the field.
The Crack in the Crystal, his debut fantasy novel, is slated for release in late 2024. He considers it his most important written work to date.
Barak is a massive fantasy/SF fan, gamer, tabletop and live action role player, and proud dad.
A recurring complaint of many executives when berating their CISO is that they’ve spent exorbitant amounts on information security and often don’t have a lot to show for it. In Why CISOs Fail: The Missing Link in Security Management--and How to Fix It, author Barak Engel shows how these executives are at times correct.
Engel has been in the information security field for decades, and this is his soliloquy on many of the bigger problems in information security management. At 125 pages, he lays out what is wrong, and he does that with a combination of humor, swagger and polemic. As someone with significant industry experience, Engel is a voice who should be heard.
Engel makes it clear that his book is not about technology. The role of a CISO, he declares, is to get away from the technology and focus on the security symptoms in the organization.
As someone who truly understands what information security really is, Engel dismisses security initiatives that don’t advance the state of infosec. For example, he has no patience for the HITRUST Common Security Framework (CSF), which he observes uses an all-or-nothing approach in its interpretation of the HIPAA security and privacy rules. Their approach extends these rules when applying security controls, which Engel sees as not only counterintuitive but potentially damaging to an enterprise’s security posture. This and other check-the-box approaches are what the author rails against repeatedly as a common CISO fail.
An underlying issue Engel notes is that there’s often no long-term career path for many CISOs, and if there were, where would that next step be? He thinks the next step should be the role of the COO, noting that good CISOs will have an operations outlook. By having a business operations background, and in a perfect world an MBA, the CISO can move away from the technology that is often their problem.
This is an enjoyable read, and Engel takes a bare-knuckles approach to the topic. Most of the book is spent on what’s wrong in the industry, and he gives numerous real-world examples of his adventures in infosec. Nonetheless, it’s not as prescriptive as I would have liked it to be.
With that, this is a good book that can assist information security professionals, executive management and concerned citizens on starting a reboot of their broken information security programs. A book like this demands a much larger and comprehensive sequel detailing the steps needed to do security management right. Let’s hope Engel is working on that now.
The book is ok to read; however, if you work as a CISO, it’s hardly going to be a revelation.
It probably could be boiled down to a blog post or two.
On the positive side, there is some good practical advice here and there, and the author makes a solid effort to keep the book entertaining by sharing a few anecdotes from his career.
I was using this to cram for a CISO interview at short notice. It helped me focus my messages. It's a short read and points out some things other texts don't clearly address.