#Cybersecurity
#CISO
If you're a cybersecurity professional, then you know how it often seems that no one cares about (or understands) information security. InfoSec professionals frequently struggle to integrate security into their companies' processes. Many are at odds with their organizations. Most are under-resourced. There must be a better way. This essential manager's guide offers a new approach to building and maintaining an information security program that's both effective and easy to follow.
Author and longtime chief information security officer (CISO) Todd Barnum upends the assumptions security professionals take for granted. CISOs, chief security officers, chief information officers, and IT security professionals will learn a simple seven-step process for building a new program or improving a current one.
Why I Wrote this Book
In January 2000, I started my first corporate information security (InfoSec) position after serving in the military. I had no appreciation for the cultural differences between the military and corporate life—in particular, the views and attitudes toward InfoSec. My assumption was that cybersecurity (I use this term interchangeably with information security) anywhere was still cybersecurity, and naturally valued by all. Boy, was I in for a shock. I had more sleepless nights in my first year of corporate life than I had sailing the Persian Gulf during a time of armed conflict.
While writing this book, I’ve made the assumption that you are very well versed in the eight domains of InfoSec. Many will ask why I mention the eight domains when we have so many industry frameworks that enumerate the various facets of our profession. The difference between the industry frameworks and the eight domains is that the former is a set of security controls by topic area, whereas the eight domains provide descriptions of those topics. The two are fundamentally different.
What you’re looking at is a culmination of my learning over the past 25 years. I’ve learned that InfoSec is vastly different from one company to the next. And, although there is a science aspect to our field, as outlined in the eight domains, the art of our profession is far less understood by us in the industry. Yet this nuanced art side, seldom (if ever) discussed within our profession, is just as important, if not more important, than the science side. I like to call this art side the last domain of InfoSec.
This book presents this art side of our field through a simple seven-step process focused on the essential elements in building an InfoSec program. These seven steps contain the basic formula for success, whether you’re a new or well-established security leader. They are applicable to programs up and down the maturity scale, and are best used if you’re building an InfoSec program from scratch or revisiting an already existing program you inherited from your predecessor.
A lot of important security topics are not mentioned in this book. This book, however, is not intended to be a technical manual or comprehensive guide for security leaders, but to provide a basic road map of key activities to guide you—whether you’re building a new InfoSec program or revisiting an already established program. I hope you enjoy the book.
Todd Barnum is the current CISO of GoPro, where he works with world-class engineers to design, build, and secure GoPro cameras, mobile apps, video editing software, cloud systems, and drone products. Although GoPro is known for manufacturing the world's best action camera, the company also develops multiple software applications enhancing the use of its camera and drone products. The company has 20 offices worldwide and is thought to be one of the world's largest cloud-only companies.
Prior to coming to GoPro, Barnum was VP and Chief Information Security Officer at Warner Bros. Entertainment. He has also served as CISO of Amgen and as VP of the InfoSec consulting practice at Forrester. He has a degree from Stanford Law School and a Master of Science in Telecommunications and Computer Systems.