The aim of the Analogies Project is to help spread the message of Information Security and its importance in the modern world. By drawing parallels between what people already know or find interesting (such as politics, art, history, theatre, sports, science, music, and everyday life experiences) and how these relate to Information Security, analogies can increase understanding and support across the whole of society.
When it comes to Information Security and analogies, sports are the perfect framework to use. And when it comes to sports, a playbook is the most critical document. Playbooks contain the team's strategies that it will use during a game.
All playbooks start the same way: a blank page and the base concepts of the particular sport. From there, the coach creates plays for the team, each tailored to specific positions, situations, and scenarios.
Having a playbook enables the team to plan for every situation and anticipate how opponents will respond. A coach's ability to call the right play can determine whether the game ends in a win or a loss.
Since a sports playbook is an excellent metaphor for Information Security, it is fitting that in The CISO Playbook (CRC Press), author Andres Andreu has written a very practical and valuable guide for today's chief information security officer (CISO).
Many books are heavy on theory and high-level security models. A prime example is the Bell–LaPadula model, designed to enforce mandatory access control in government and military systems. Bell–LaPadula is a formal state-transition model of computer security policy: it defines a set of access control rules based on security labels on objects and clearances for subjects, the best known being that a subject may not read an object classified above its clearance (no read up) and may not write to an object classified below it (no write down).
Referenced in nearly every Certified Information Systems Security Professional (CISSP) prep guide, and for years in the CISSP examination itself, the irony is that Bell–LaPadula is essentially absent from corporate networks. Outside a handful of multilevel-secure operating systems built for government use, it is far too onerous and restrictive, and mainstream commercial products offer little support for it.
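To make the review's point concrete, here is the whole of Bell–LaPadula's core in a few dozen lines. This is an added illustration written for this page, not code from the book or from any product: a reference monitor that compares a subject's clearance against an object's classification, where a label is a hierarchical level plus a set of need-to-know categories, and "dominates" is the usual partial order on such labels. The subject names, category names, and documents are constructed for the demonstration.

```python
"""Bell-LaPadula reference monitor (added illustration; not from the book)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels, ordered low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know categories.

    The same structure serves as a subject's clearance and as an
    object's classification.
    """
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order: higher-or-equal level AND a superset of categories.
        # Labels with disjoint categories are incomparable: neither dominates.
        return self.level >= other.level and other.categories <= self.categories


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property ("no read up"): a subject may read an
    object only if its clearance dominates the object's classification."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property ("no write down"): a subject may write an object only
    if the object's classification dominates the subject's clearance."""
    return classification.dominates(clearance)


def decide(clearance: Label, op: str, classification: Label) -> bool:
    """Mediate a single access request; every access goes through here."""
    if op == "read":
        return can_read(clearance, classification)
    if op == "write":
        return can_write(clearance, classification)
    raise ValueError(f"unknown operation: {op}")


# Constructed sample subjects and objects (hypothetical names and labels).
CLEARANCES = {
    "alice": Label(Level.TOP_SECRET, frozenset({"NUCLEAR"})),
    "bob": Label(Level.SECRET, frozenset({"CRYPTO"})),
}
OBJECTS = {
    "public_memo": Label(Level.UNCLASSIFIED),
    "nuclear_report": Label(Level.SECRET, frozenset({"NUCLEAR"})),
    "joint_assessment": Label(Level.TOP_SECRET, frozenset({"CRYPTO", "NUCLEAR"})),
}


def example_decisions() -> dict:
    """Run a fixed set of access requests through the monitor."""
    requests = [
        ("alice", "read", "nuclear_report"),   # read down within category: allowed
        ("bob", "read", "nuclear_report"),     # same level, wrong category: denied
        ("alice", "write", "public_memo"),     # write down: denied (would leak)
        ("bob", "write", "nuclear_report"),    # incomparable labels: denied
        ("bob", "write", "joint_assessment"),  # write up: allowed (blind write)
        ("bob", "read", "public_memo"),        # read down: allowed
    ]
    return {
        f"{who} {op} {what}": decide(CLEARANCES[who], op, OBJECTS[what])
        for who, op, what in requests
    }


if __name__ == "__main__":
    for request, allowed in example_decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {request}")
```

The last request set shows why the model is so awkward in practice: Bob, cleared SECRET for CRYPTO, cannot even append a note to a SECRET nuclear report because the labels are incomparable, and the only document he may write to is one he is then forbidden to read back. Real organisations need people to read and write the same things, which is why this model stays in the textbooks.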
We won't see Bell–LaPadula or anything similar mentioned in The CISO Playbook. Andreu focuses on real-world and practical scenarios that a new or established CISO can use.
Successful CISOs are primarily leaders, managers, and communicators, not technologists, according to Gartner. As such, a CISO's success depends on two critical achievements: establishing a personal brand of credibility and leadership, and laying the foundation for a defensible security program. New CISOs struggle when they fail to understand leadership expectations or are unable to communicate effectively how security supports business outcomes.
The book helps CISOs and those in Information Security leadership positions do just that. A CISO must define a security strategy before diving into technical details and technology decisions. That can be an overwhelming endeavor if the person lacks a clear plan or strategy.
A new CISO can expect a honeymoon period. But this period is likely to be very brief, typically the first 100 days. They must make the most of this critical window because it represents the first, and sometimes the last, opportunity to set the enterprise's security processes and technologies on a practical course. Chapter two covers this period and details how to make the most of it.
Written with input from over 40 Information Security experts, the book lives up to its name. For those seeking a tactical and strategic guide to help them succeed in Information Security, The CISO Playbook is the ideal resource.