One of the best Gartner® advisory documents ever written was Toolkit: The New CISO's Crucial First 100 Days by Christian Byrnes and Michael J. Corby. They write that a new chief information security officer (CISO), like any new manager, can expect a honeymoon period. But this period is likely to be very brief—typically the first 100 days or so. The new CISO must make the most of this critical period because it represents the first and sometimes last opportunity to set the enterprise's security processes and technologies on an effective course.
Two of the key findings in the report are that most CISOs who fail do so because they do not meet business requirements and expectations—and don't effectively communicate how they have met those expectations—not because of technical or operational reasons, and that the successful CISO is primarily a leader, a manager and a communicator, not a technologist.
The report does a fantastic job of laying out the foundations of how a CISO can be successful. But what happens on day 101? In Building an Effective Cybersecurity Program (Rothstein Publishing ISBN-13: 978-1944480530), author Tari Schreider has written a tactical guide that a CISO can use to take those core ideas of the first 100 days and put them into play to build out an effective information security program.
While the Gartner document is more conceptual, this book is thoroughly practical and pragmatic. In the seven chapters of the book:
1. Designing a Cybersecurity Program
2. Establishing a Foundation of Governance
3. Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability
4. Building a Cyber Risk Management Capability
5. Implementing a Defense-in-Depth Strategy
6. Applying Service Management to Cybersecurity Programs
7. Cybersecurity Program Design Toolkit
Schreider provides a detailed and real-world roadmap on how to create an effective information security program. He also brings his practical experience to every chapter, detailing what works and does not, the pros and cons of items suggested and more.
Numerous templates are provided to assist in these build-outs. There does not seem to be an online portal to use these templates, which would have been quite helpful. It also lists products for each technology listed, which makes it helpful for the reader to know what it is available.
While the book is geared toward CISOs and security managers, it is of value to anyone tasked to build out an information security program. What makes the book so valuable is that it is light on theory and heavy on practical guidance.
Schreider has decades of information security and risk management experience in numerous environments and industries. He brings that experience to every chapter in this valuable guide.
There's no shortage of books with pages of theory, which is a good thing. But not enough with practical and hands-on advice. For those looking for a go-to guide to assist them in building out their information security program, Building an Effective Cybersecurity Program is just what they need.