Book Review: Why CISOs Fail: The Missing Link in Security Management--and How to Fix It

Posted on by Ben Rothke

A recurring complaint of many executives when berating their CISO is that they have spent exorbitant amounts on information security and often don't have a lot to show for it. In Why CISOs Fail: The Missing Link in Security Management--and How to Fix It (Auerbach Publications, ISBN 978-1138197893), author Barak Engel shows that these executives are at times correct.

Engel has been in the information security field for decades, and this book is his soliloquy on many of the bigger problems in information security management. In 125 pages he lays out what is wrong, and he does so with a combination of humor, swagger and polemic. As someone with significant industry experience, Engel is a voice who should be heard.

Engel makes it clear that his book is not about technology. The role of the CISO, he declares, is to get away from the technology and focus on the security symptoms within the organization.

As someone who truly understands what information security really is, Engel dismisses security initiatives that don't advance the state of infosec. For example, he has no patience for the HITRUST Common Security Framework (CSF), which he observes takes an all-or-nothing approach in its interpretation of the HIPAA security and privacy rules. HITRUST extends those rules when applying security controls, in a way Engel sees as not only counterintuitive but potentially damaging to an enterprise's security posture. This and other check-the-box approaches are what the author rails against repeatedly as a common CISO failing.

An underlying issue Engel notes is that there is often no long-term career path for many CISOs, and if there were one, where would the next step be? He thinks the next step should be the role of the COO, and he notes that good CISOs will have an operations outlook. With a business operations background, and in a perfect world an MBA, the CISO can move away from the technology that is often their problem.

This is an enjoyable read, and Engel takes a bare-knuckles approach to the topic. Most of the book is spent on what is wrong in the industry, and he gives numerous real-world examples from his adventures in infosec. Nonetheless, it is not as prescriptive as I would have liked it to be.

With that said, this is a good book that can assist information security professionals, executive management and concerned citizens in starting a reboot of their broken information security programs. A book like this demands a much larger and more comprehensive sequel detailing the steps needed to do security management right. Let's hope Engel is working on that now.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
