A recurring complaint of many executives, when berating their CISO, is that they’ve spent exorbitant amounts on information security and often don’t have a lot to show for it. In Why CISOs Fail: The Missing Link in Security Management--and How to Fix It (Auerbach Publications 978-1138197893), author Barak Engel shows how these executives are at times correct.
Engel has been in the information security field for decades, and this is his soliloquy on many of the bigger problems in information security management. In 125 pages, he lays out what is wrong, and he does so with a combination of humor, swagger and polemic. As someone with significant industry experience, Engel is a voice that should be heard.
Engel makes it clear that his book is not about technology. The role of a CISO, he declares, is getting away from the technology and focusing on the security symptoms in the organization.
As someone who truly understands what information security really is, Engel dismisses security initiatives that don’t advance the state of infosec. For example, he has no patience for the HITRUST Common Security Framework (CSF), which he observes uses an all-or-nothing approach with respect to its interpretation of the HIPAA security and privacy rules. Its approach extends these rules in applying security controls, which Engel sees as not only counterintuitive but potentially damaging to an enterprise’s security posture. This and other types of check-the-box approaches are what the author rails against repeatedly as a common CISO fail.
An underlying issue Engel notes is that there’s often no long-term career path for many CISOs, and if there were, where would that next step be? He thinks the next step should be the role of the COO. To that end, he notes that good CISOs will have an operations outlook. By having a business operations background, and in a perfect world an MBA, the CISO can move away from the technology that often is their problem.
This is an enjoyable read and Engel takes a bare-knuckles approach to the topic. Most of the book is spent on what’s wrong in the industry, and he gives numerous real-world examples of his adventures in infosec. Nonetheless, it’s not as prescriptive as I would have liked it to be.
With that, this is a good book that can assist information security professionals, executive management and concerned citizens in starting a reboot of their broken information security programs. A book like this demands a much larger and more comprehensive sequel detailing the steps needed to do security management right. Let’s hope Engel is working on that now.