Why CISOs Fail
Why CISOs Fail: (Security, Audit and Leadership Series)

About the Book

Released in 2017, the first edition of Why CISOs Fail reimagined the role of the Chief Information Security Officer in a new and powerful way. Written to be easily consumable by both security pros and everyone who must deal with them, the book explores the different realms in which security leaders fail to deliver meaningful impact to their organizations, and why this happens. Its central thesis—that security is primarily a human behavioral discipline rather than a technology one—has been gaining increased attention as a core tenet of the field, and the book was ultimately inducted into the cybersecurity canon as a leading book on security management. In this freshly updated edition, Barak Engel adds new sections that correspond with the chapters of the original book: security as a discipline; as a business enabler; in sales; in legal; in compliance; in technology; and as an executive function. He explores new ideas in each operational area, providing essential insights into emerging aspects of the discipline. He then proposes two critical concepts for security management—the concept of "digital shrinkage" and the transition from CISO to CI/SO—that together offer a new paradigm for any organization that wants to become truly successful in its security journey. Why CISOs (Still) Fail is delivered in Barak's conversational, humorous style, which has attracted a global audience to this and his other book, The Security Hippie. As he notes, the book's goal is to entertain as much as to inform, and he dearly hopes that you have fun reading it.

Table of Contents:
  • 0. Why?
  • 1. The Dismal Discipline
  • 1.2 A Case Study
  • 2. The Business of Being CISO
  • 2.2 Incidents, Schmincidents
  • 3. Let it Rain
  • 3.2 Fear Mongering
  • 4. Don’t Call me Sue
  • 4.2 Orange Coverall Blues
  • 5. Comply, Oh My
  • 5.2 Voluntary Self-Immolation
  • 6. Techs-Mechs
  • 6.2 Follywood
  • 7. The CISO, Reimagined
  • 7.2 A New Paradigm

About the Author:
Barak Engel brings over three decades of information security experience into his writings. As the originator of the vCISO concept, he has served in the CISO role in dozens of organizations such as Stubhub, Mulesoft, Amplitude Analytics, and BetterUp, and his consulting firm, EAmmune, has managed security for hundreds of brands globally. A sought-after speaker and writer, he has made numerous contributions to the field with his thought-provoking insights about security as a business enabler, leading to the induction in 2021 of Why CISOs Fail into the Cybercannon. Barak serves on multiple security company advisory boards, and is a member of the Theia Institute, a security think tank.

Review:

The average tenure for a CISO today is two and a half years. Any CISO who reads this book and uses it as a guide will extend that average. Through his entertaining narration of experiences and their outcomes, Barak Engel brings the reader to the inevitable conclusion that integrating security into business practices should never be an adversarial process with internal partners. With this book, Barak shatters the myth that successful CISOs have to be technologists first and foremost – without attention to the role that security can play in facilitating business goals and objectives. His well-written and humorous anecdotes and musings make it crystal clear that a good CISO is a business enabler, and he provides experiential guidance on what that means in today’s threat environment. - Greg Reber, CEO, AsTech

"In the realm of cybersecurity, Barak champions the human perspective, a viewpoint often overlooked. The key lies in recognition; overloading individuals with jargon and a multitude of problems simultaneously reduces the motivation. People thrive on logic; they need to understand the underlying problem and its significance in the cybersecurity landscape to feel motivated to solve it. Throughout history, the most groundbreaking inventions emerged from human motivation, evident in creations like Linux, Git, Falco, Wazuh, and Kubernetes etc. Barak advocates prioritizing cybersecurity issues logically and introduces gamification—an approach that taps into our inherent love for healthy competition and recognition. His innovative proposal of a leaderboard provides the acknowledgment individuals crave. Research attests that completing tasks brings immense satisfaction, and people have a finite capacity to solve problems daily. Barak, by uniting these ideas, has provided a fresh perspective that could revolutionize cybersecurity practices." - Anshu Bansal, CEO, CloudDefense.AI

“What sets this book apart is its authenticity. It clearly defines how a CISO helps drive the business to innovate and grow. It prompts a mindset shift that every executive should come to understand about the true value of good cybersecurity in modern business.” - Mike Hamilton, VP of IT, Cruise

“"Why CISOs Fail" by Barak Engel is an absolute gem in the world of cybersecurity literature. Engel's writing style is captivating, drawing readers in with a delightful blend of humor and playfulness. It's a rare treat to find a book on such a serious subject that manages to infuse fun into its pages while maintaining the utmost professionalism. Engel's prose is as engaging as it is informative, making this book a joy to read. What truly sets "Why CISOs Fail" apart is its ability to inject the much-needed human element into the realm of information security. I’ve personally found the insight offered in the book to be a contributing factor in elevating my own mindset in approaching information security with a central focus on people and the business. The results have been nothing short of remarkable with stakeholders delighted with the realized outcomes. Engel takes a thoughtful approach to dissecting the challenges Chief Information Security Officers face, offering profound insights into the personal and organizational dynamics that often go unnoticed. This book not only educates but also empathizes with the individuals tasked with safeguarding our digital world. It's a must-read for anyone in the field, and even those outside of it will find themselves thoroughly engrossed and enlightened by Engel's unique perspective. In a world where the stakes are high and the margin for error slim, "Why CISOs Fail" is a breath of fresh air that should be celebrated and widely shared. In this updated edition, Barak expands further on the first edition and introduces two pivotal concepts for security management that are poised to further solidify "Why CISOs Fail" as an essential reference for anyone seeking to navigate the complex landscape of information security with intelligence and finesse. I highly recommend this book to anyone curious about the information security field and strongly encourage it for members of my team and cross-functional security partners.” - Michael Choui, CEO, Atlas One

This book describes the challenges of conventional security mindsets and provides actionable steps for security professionals to align with the business objectives. This alignment puts security as part of the trade-offs business executives are making daily instead of considering security only when required. The author's use of stories and humor makes it easy to recall the key points. This book is not for those who think the current security approach is successful, but it is a guide for those who realize the existing approach needs to change to be successful. While the read is quick the concepts are very deep and thought provoking - I highly recommend this book. - Dave Tempero, Sr IT Director, Nintendo

As a CISO, this book generally mirrored, sometimes to a freakish level, the exact thoughts I have when I'm talking to security people at other companies. The number of conversations I get in where the focus is on checkbox lists with password complexity questions and whether they can get audit rights for AWS from me is really boggling. I wish all of them had this book to learn from so they can start seeing the massive disservice they are doing both to themselves as well as to their own security posture by focusing on the wrong things. From ensuring you take in business context to the examples of how to drive conversations with security personnel on the other side regardless of if you are the vendor or the customer, Why CISOs fail should be more broadly read across the security organization, not just at the top. - Norris Lee, Sr TPM Director, Slack

“Focused yet irreverent, this is the little book that could. In a narrative that somehow manages to cover tremendous ground while keeping tight, Barak conveys important ideas and lessons that everyone can enjoy, and does so with grace and humor. You don’t need to be a security pro to appreciate this text, either. If security somehow touches on your daily work, like it does almost everyone’s, and there is one book you want to read to get a better handle on the subject, then you could do a whole lot worse than picking this one up.” - Brian Laing, SVP of Corporate Development & Strategic Alliances, Lastline, Inc.

“Barak’s book offers refreshing perspectives on how to focus an information security program on business risk. His experiences shine through. If you are looking for academic concepts, look elsewhere. Barak offers real-world, pragmatic advice. This book is a great resource for CISOs, IT leaders and Information Security practitioners!” - Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP.

“Barak’s real-world stories paint a true picture into the role of the CISO as a business enabler. Reading, digesting, and learning from those scenarios alone will add years of experience to any aspiring CISO’s skills. A fantastic piece!” - Branden R. Williams, DBA, CISSP, CISM, Author and Cybersecurity Expert.

“Life sometimes offers us mentors and friends, people who will suggest that you may be doing the wrong things or that you don’t even have the right objectives. Barak’s book highlights how technical security management is a case of asymmetric warfare and that no system is good enough to withstand all attacks all the time. His words explore where CISOs find themselves today and in the future, managing customers, the board, and legal expectations. He articulates the problem for third-party cloud dependency and provides useful clear advice such as ‘what to ask your cloud vendor.’ We learn about the ‘power of negative inference thinking,’ and the art of selling to the business versus selling to a customer. Barak leaves the reader empowered to partner with sales, leveraging security as a critical feature set driving upsell opportunities. My favorite takeaway from this reading was understanding what people say versus what they want. Spend a day with a security guru and enjoy the journey into the mind of a modern day CISO.” - Robin Basham, M.IT, M.Ed., CISSP, CISA, CGEIT, CRISC, CEO/CISO EnterpriseGRC Solutions.

“Forget CISOs. This book is a must-read for every CEO who’s serious about security and who needs to understand the challenges faced by their own Chief Protection Officer.” - Neal O’Farrell, Founder, Brainisphere, Executive director of the identity-theft council.

“You know, Barak, people sometimes ask me to read what they had written, and it’s kinda awkward, because that stuff isn’t usually very good, and how do you tell them that? But I found myself engaged all the way through, really enjoying the writing, the tales and the humor, and even feeling like I understand what’s going on. That’s so neat!” - Some guy called Ed

"Pragmatic, entertaining and enlightening! Barak reframes the definition of a CISO away from misconceptions and limited views, toward one that is much better positioned to help a business thrive. I believe this book is valuable to rising security leaders as well as any executive that operates in a high growth, complex and global environment." - Eddie Medina, Cofounder, BetterUp


Product Details
  • ISBN-13: 9781003836865
  • Publisher: Taylor & Francis eBooks
  • Publisher Imprint: Taylor & Francis Ltd
  • Language: English
  • ISBN-10: 1003836860
  • Publisher Date: 07 Mar 2024
  • Binding: Digital (delivered electronically)
  • Series Title: Security, Audit and Leadership Series

