About the Book
The book takes readers though a series of security and risk discussions based on real-life experiences. While the experience story may not be technical, it will relate specifically to a value or skill critical to being a successful CISO. The core content is organized into ten major chapters, each relating to a "Rule of Information Security" developed through a career of real life experiences. The elements are selected to accelerate the development of CISO skills critical to success. Each segments clearly calls out lessons learned and skills to be developed. The last segment of the book addresses presenting security to senior execs and board members, and provides sample content and materials.
Table of Contents:
List of Figures
List of Tables
Prologue
Foreword
Acknowledgments
Author
Section I INTRODUCTION AND HISTORY
1 Introduction: The Journey
2 Learning from History?
3 My First CISO Lesson: The Squirrel
Section II THE RULES AND INDUSTRY DISCUSSION
4 A Weak Foundation Amplifies Risk
5 If a Bad Guy Tricks You into Running His Code on Your Computer, It’s Not Your Computer Anymore
6 There’s Always a Bad Guy Out There Who’s Smarter, More Knowledgeable, or Better-Equipped Than You
7 Know the Enemy, Think Like the Enemy
8 Know the Business, Not Just the Technology
9 Technology Is Only One-Third of Any Solution
10 Every Organization Must Assume Some Risk
11 When Preparation Meets Opportunity, Excellence Happens
12 There Are Only Two Kinds of Organizations: Those That Know They’ve Been Compromised and Those That Don’t Know Yet
13 In Information Security, Just Like in Life, Evolution Is Always Preferable to Extinction
14 A Security Culture Is In Place When Talk Is Replaced with Action
15 NEVER Trust and ALWAYS Verify
Section III SUMMARY
16 My Best Advice for New CISOs
Appendix A: The Written Information Security Plan
Appendix B: Talking to the Board
Appendix C: Establishing an Incident Response Program
Appendix D: Sample High-Level Risk Assessment Methodology
About the Author :
Gene Fredriksen, Chief Information Security Officer at PSCU, is responsible for the company’s development of information protection and technology risk programs. Gene has over twenty-five years of information technology experience, with the last twenty focused in information security. In this capacity, he has been heavily involved with all areas of audit and security. Prior to joining PSCU, Gene held the positions of CISO for Tyco International, Principal Consultant for Security and Risk Management Strategies for Burton Group, Vice President of Technology Risk Management and Chief Security Officer for Raymond James Financial and Information Security Manager for American Family Insurance. Gene is a Distinguished Fellow with the Global Institute for Cyber Security and Research, located at the Kennedy Space Center. He is also the Executive Director of the newly formed National Credit Union Information Sharing and Analysis Organization. He was as the Chair of the Security and Risk Assessment Steering Committee for BITS, and served on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security. Gene is a Distinguished Fellow for the Global Institute for Cyber Security and Research, headquartered at the Kennedy Space Center. Gene is a member of the SC Magazine Editorial Advisory Board and was named one of three finalists for the SC Magazine CISO of the Year Award in 2015. He served as Chair of the St. Petersburg College Information Security Advisory Board and the Howard University Technology Advisory Board. He is a member of multiple advisory boards for universities, organizations, and security product companies. Gene attended the FBI Citizens Academy and maintains a close working relationship with both local and federal law enforcement agencies.
Review :
As a CISO, I approached Gene's book with caution. Put two such people in a room and ask them a question, and an argument will inevitably ensue - even if they agree. Therefore, and as you might expect, I found some of Gene's conclusions to differ from mine. But what really stood out to me is how, even as I was having these arguments play out inside my head, I seemed to also be adopting an almost imperceptible yet constant nod. I could not help but enjoy reading his thoughtful analysis of every information security topic that he chooses to tackle, and his ability to tie everything together in an easy-to-understand, clear and logical fashion is highly appreciated and sorely needed in the industry.
Then, as I continued my journey through Gene's carefully laid-out thoughts and explanations, personal experiences, war stories, and insightful advice, it became apparent that this is far more than merely an instructional book into the many aspects of managing information security. Indeed, for anyone who is interested in advancing their career in the field, this book offers countless tools that can be followed to success, in every area. Just the chapter "NEVER trust and ALWAYS verify" is itself worth the price of admission.
Consume it slowly, and give it the attention it deserves, and Gene's book will repay you for it in spades. You may not follow his exact path, but whatever path you take, his guidance will certainly help you forward.
-- Barak Engel, CISO and author of Why CISOs Fail: The Missing Link in Security Management--and How to Fix It
Gene Fredriksen's The CISO Journey is a valuable and insightful guide for aspiring and seasoned Chief Information Security Officers (CISOs). Fredriksen leverages his extensive experience to provide practical advice on navigating the multifaceted challenges of the CISO role. His blend of personal anecdotes and professional insights offers readers a comprehensive understanding of balancing technical expertise with strong leadership skills. This approach makes the book informative but also engaging and relatable.
One of the standout aspects of the book is its emphasis on the importance of having a robust information security plan. Fredriksen underscores that a well-structured plan is essential for protecting an organization’s data and ensuring operational resilience. He stresses the need for a balanced approach integrating people, processes, and technology. This holistic view is crucial for developing effective security strategies adapting to the rapidly evolving threat landscape. Fredriksen’s practical tips on creating and maintaining these plans particularly benefit CISOs looking to strengthen their organization's cybersecurity posture.
Additionally, Fredriksen highlights the critical role of mentorship and continuous professional development. He advocates for fostering a security-minded culture within organizations and emphasizes the value of collaboration and ongoing learning. By sharing his journey and the lessons he has learned, Fredriksen provides a roadmap for CISOs to develop their skills and advance their careers. The CISO Journey is a must-read for cybersecurity professionals seeking to enhance their strategic and leadership capabilities while effectively managing information security.
-- Tom Godlove, Ph.D.
This book’s engaging, personable tone and insightful advice draw readers into a world of valuable lessons and practical strategies. Its approachable style makes complex topics accessible, guiding new CISOs through the essential challenges of the role with clarity and empathy. The well-crafted narrative not only captures the reader’s interest but also builds a strong foundation of trust and understanding.
Beyond serving as an introductory handbook, this book is a trusted reference for every security leader. It blends comprehensive background knowledge with thoughtful, well-articulated opinions, empowering emerging leaders to develop their own unique style of leadership. Whether you’re just starting out or looking to refine your approach, this book offers indispensable guidance for navigating the ever-evolving landscape of cybersecurity.
-- Saurav Bhattacharya
This is a thought and practical book for information security managers who wish to proceed towards leadership. The book reflects nicely away from security expertise towards being an executive leader and discusses good lessons in good security culture, governance, and managing risks. The book is highly suitable for information security managers who have complex leadership roles as a Chief Information Security Officer (CISO) as it is nicely balanced in decision-making at a strategic level and real experience.
One of the greatest things about this book is compliance and risk management, and in defining how security strategies can be aligned to business objectives for CISOs. The description about enterprise security frameworks, governance frameworks, and compliance (such as GDPR and NIST) is a good start for security leaders. The book is practical in defining security awareness, incident response, and leadership for security organizations and why security culture should be at top agenda for organizations. More metrics and key performance indicators (KPIs) for cyber security performance would be ideal in making it practical in application.
The book is as good at addressing emerging threats and security trends in the future as it is. Ransomware, security based on AI, and security in the cloud are topical and offer vision for the future for CISOs. It is good and comprehensive in content but can be taken a notch higher in offering technical detail for some topics like security architecture in the cloud and DevSecOps. More practical real-time case studies for organizations succeeding in implementing the best practices in security would add meat to it. Overall, The CISO Journey is a wonderful read for security professionals who are looking to develop leadership skills and remain current in today's ever-changing cyber threat landscape. The book successfully blends career advancement, thinking in a strategic way, and industry best practices in a way it is a must-read for novice and experienced CISOs. Presently, this book can be utilized as a go-to book for security professionals at any career level
-- Rajesh Vayyala.
