Ben’s Books of the Month: Two Books by Jean-Christophe Gaillard


Posted on by Ben Rothke

Suppose you want to know everything about Information Security. In that case, the late great Ross Anderson's epic Security Engineering: A Guide to Building Dependable Distributed Systems is one of the best Information Security books ever written, if not the best.

If you want to know everything wrong with Information Security, Jean-Christophe Gaillard’s The CyberSecurity Leadership Handbook for the CISO and the CEO: How to Fix Decade-Old Issues and Protect Your Organization from Cyber Threats (Leaders Press) will tell you.

The fact that organizations store, process, and transmit confidential and regulated data on insecure systems, and have done so not for months but for decades, is enough to make your blood boil.

In the 113 chapters of this excellent book (The CyberSecurity Leadership Handbook), Gaillard covers all of the core areas security leaders need to know to do their job.

For many organizations, CSO means chief scapegoat officer. Gaillard shows how to recognize whether you are in that type of organization and how to deal successfully with its limitations.

The book is a collection of articles Gaillard has written over the years. It gives the reader a really good framework for building security programs from the ground up. The chapters are highly tactical and practical and cover the entire security lifecycle.

There are a few chapters on the first hundred days in the role of a CISO. While a CISO can certainly effect change well after day 100, he shows how that initial period can have a significant positive effect in setting the trajectory of how security will operate in the organization.

The first 100 days will also be when the CISO can see if they are empowered to effect change. If not, then it becomes, as Dr. Gene Spafford of Purdue University spells out in Spaf's First Principle of Security Administration, "If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."

But wait, there's more. Another great read by Gaillard is The Cybersecurity Spiral of Failure - And How to Break Out of It: Why Large Firms Still Struggle with Cybersecurity and How to Engineer Real Change Dynamics (Leaders Press). Parenthetically, Gaillard's books have some of the most extended titles I can remember.

In this quick read, he shows how many firms, even though they have sunk huge sums into their security programs, often have little to show for it. He provides many examples of corporate security failures and how others can learn from them. Many of Gaillard's ideas are common sense. Yet, in Corporate America's IT departments, common sense can be quite uncommon.

A common theme in the book is that firms often appoint a pure technologist as CISO and then expect them to use technology to solve security problems. But more often, the problems are bigger than that, and technology won't, and often can't, solve them. 

Many articles and podcasts use the hamster wheel as a metaphor for information security. One that comes to mind is David Spark's The Cybersecurity Hamster Wheel of Getting Nothing Done. Here, Gaillard shares many examples of those who have made numerous journeys on those security hamster wheels. But more importantly, he shows how to get off it.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

