Book review: The CISO Playbook


The CISO Playbook

by Andres Andreu


ISBN: 978-1032762074


US$48 from Amazon (softback)



GH rating: 70%



Summary

The CISO Playbook is a valuable resource for cybersecurity specialists seeking to build on their technical competencies and progress, or for mid-level IT professionals looking to deepen and extend their understanding of cybersecurity technologies. However, aspiring or newly promoted or appointed CISOs seeking practical advice on the leadership and management challenges of a true C-suite role are out of luck. 

The book leans towards technical details rather than leadership and management topics, core parts of the CISO role. While the technical coverage is commendable, the book would benefit from a broader perspective that encompasses the full scope of a CISO's senior management responsibilities. 

Frankly, and despite the title, the approach described is, I feel, better suited to Cybersecurity or Information Security Managers, heads of department and "up and coming" CISOs, rather than current C-suite/executive-management level CISOs with the expectations, responsibilities, accountability, opportunities and stress that go with that exalted territory.


Pros

The author dispenses plenty of pragmatic advice in a compact format, using numerous structured lists presented as bullet points. The advice is succinct, to the point, covering a good range of mostly technical cybersecurity topics.

The cybersecurity field is awash in an alphabet soup of acronyms, many of which are introduced in covering topics ranging from zero trust architecture and SIEM deployments to threat intelligence platforms and incident response procedures. Readers with a technical cybersecurity background will doubtless recognise some but perhaps not all of them. Navigating the acronym soup and dealing with suppliers eager to sell their tools is a necessary part of the job. I picked up on some new terms myself!

I enjoyed the contributions from about 50 'special contributors'. These contrasting grey panels, covering an eclectic range of topics, appear to have been solicited or offered and included verbatim, in the respective authors' styles. Despite not being integrated into the text, I found their differing perspectives and emphases stimulating.


Cons

The author's generally technical perspective results in weaker coverage of what I feel are crucial senior management and leadership aspects of the CISO role. While technical proficiency is undoubtedly an important foundation, a CISO's responsibilities extend far beyond configuring firewalls and analysing logs. I find the book light on team building, departmental management, budgeting, recruitment and performance evaluation – all critical components of effective departmental administration, management and leadership. [That's my personal opinion: yours may vary.]

Furthermore, with only a little lightweight advice on corporate power politics, negotiating and collaborating with peers, The CISO Playbook would, I feel, have benefited from greater emphasis on the strategic aspects of cybersecurity at a senior management level. The book provides limited guidance on how to integrate cybersecurity into the broader business strategy, communicate security risks to senior management, or build relationships with other specialist functions such as IT and risk management, not to mention the wider business. These are essential skills and capabilities for an effective CISO, so their absence leaves a noticeable dip in the book's coverage. Casual references to liaising with legal and meeting with privacy to "try to ascertain if cybersecurity is adding value to privacy initiatives" fall well short of useful guidance.

Maybe it is expecting too much of a new CISO to be au fait with executive management ... which is why I'm suggesting that The CISO Playbook might be better targeted at the manager level, ideally with more guidance on departmental administration and team leadership.


Value

For mid-level cyber security managers seeking to advance, The CISO Playbook is well worth the cover price plus a few hours' study and quiet contemplation. For those heading into true CISO roles in the C-suite with the deep pile carpet, maybe a corner office or penthouse suite with its own Executive Washroom, I suggest supplementing it with executive-level management training or at least discreet mentoring by an experienced and supportive exec, not least your new peers.