The CISO 3.0 A Guide to Next-Generation Cybersecurity Leadership (Walt Powell)(Z-Library)
Author: Walt Powell
教育
No Description
📄 File Format:
PDF
💾 File Size:
9.6 MB
8
Views
0
Downloads
0.00
Total Donations
📄 Text Preview (First 20 pages)
ℹ️
Registered users can read the full content for free
Register as a Gaohf Library member to read the complete e-book online for free and enjoy a better reading experience.
📄 Page
1
(This page has no text content)
📄 Page
2
(This page has no text content)
📄 Page
3
The CISO 3.0 This isn’t just a book. It is a roadmap for the next generation of cybersecurity leadership. In an era where cyber threats are more sophisticated and the stakes are higher than ever, Chief Information Security Officers (CISOs) can no longer rely solely on technical expertise. They must evolve into strategic business leaders who can seamlessly integrate cybersecurity into the fabric of their organizations. This book challenges the traditional perception of CISOs as technical leaders, advocating for a strategic shift toward business alignment, quantitative risk management, and the embrace of emerging technologies like artificial intelligence (AI) and machine learning. It empowers CISOs to transcend their technical expertise and evolve into business-savvy leaders who are fully equipped to meet the rising expectations from boards, executives, and regulators. This book directly addresses the increasing demands from boards and regulators in the wake of recent high-profile cyber events, providing CISOs with the necessary skills and knowledge to navigate this new landscape. This book isn’t just about theory but also action. It delves into the practicalities of business-aligned cybersecurity through real-life stories and illustrative examples that showcase the triumphs and tribulations of CISOs in the field. This book offers unparalleled insights gleaned from the author’s extensive experience in advising hundreds of successful programs, including in-depth discussions on risk quantification, cyber insurance strategies, and defining materiality for risks and incidents. This book fills the gap left by other resources, providing clear guidance on translating business alignment concepts into practice.
📄 Page
4
If you’re a cybersecurity professional aspiring to a CISO role or an existing CISO seeking to enhance your strategic leadership skills and business acumen, this book is your roadmap. It is designed to bridge the gap between the technical and business worlds and empower you to become a strategic leader who drives value and protects your organization’s most critical assets.
📄 Page
5
Security, Audit and Leadership Series Series Editor: Dan Swanson, Dan Swanson and Associates, Ltd., Winnipeg, Manitoba, Canada The scope and mandate for internal audit continue to evolve each year, as do the complexity of the business environment and the speed of the changing risk landscape in which it must operate. The fundamental goal of this exciting series is to produce leading-edge books on critical subjects facing security and audit executives and practitioners. Key topics addressed include leadership, cybersecurity, security leadership, privacy, strategic risk management, auditing IT, audit management and leadership, and operational auditing. Agile Enterprise Risk Management: Risk-Based Thinking, Multi- Disciplinary Management and Digital Transformation Howard M. Wiener University Auditing in the Digital Era: Challenges and Lessons for Higher Education Professionals and CAEs Sezer Bozkus Kahyaoglu and Erman Coskun Agile Audit Transformation and Beyond Toby DeRoche Information System Audit: How to Control the Digital Disruption Philippe Peret Next-Generation Enterprise Security and Governance Edited by Mohiuddin Ahmed, Nour Moustafa, Abu Barkat, and Paul Haskell-Dowland
📄 Page
6
Auditing Information and Cyber Security Governance: A Controls-Based Approach Robert E. Davis Evidence-Based Cybersecurity: Foundations, Research, and Practice Pierre-Luc Pomerleau and David Maimon Operational Auditing: Principles and Techniques for a Changing World Hernan Murdock The Security Leader’s Communication Playbook: Bridging the Gap between Security and the Business Jeffrey W. Brown The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership Walt Powell For more information about this series, please visit: https://www.routledge.com/Security-Audit-and-Leadership-Series/book- series/CRCINTAUDITA
📄 Page
7
The CISO 3.0 A Guide to Next-Generation Cybersecurity Leadership Walt Powell
📄 Page
8
Designed cover image: Shutterstock Image ID 2490883849 First edition published 2026 by CRC Press 2385 NW Executive Center Drive, Suite 320, Boca Raton FL 33431 and by CRC Press 4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN CRC Press is an imprint of Taylor & Francis Group, LLC © 2026 Walt Powell Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe. ISBN: 978-1-032-82351-5 (hbk) ISBN: 978-1-032-84007-9 (pbk) ISBN: 978-1-003-51078-9 (ebk)
📄 Page
9
DOI: 10.1201/9781003510789 Typeset in Times by Apex CoVantage, LLC
📄 Page
10
Dedicated to my family – Lindsay, Rivers, and Axel Thanks for all the love and support
📄 Page
11
Contents Foreword Acknowledgments Author Chapter 1 Introduction 1.1 Purpose 1.1.1 Target Audience 1.1.2 Scope of the Book 1.2 Why Write This Book Now? 1.3 Motivation and Relevance 1.4 Book Structure and Organization 1.5 Author’s Background and Perspective 1.6 Self-Assessment: Are You Ready for CISO 3.0? PART 1 The Changing Role of the Security Leader Chapter 2 What Is a CISO 3.0? 2.1 Introduction 2.2 Brief History of CISOs 2.3 CISO 1.0 2.3.1 Role Tasks of the CISO 1.0 2.3.2 Challenges and Limitations of CISO 1.0 2.3.3 The Legacy of CISO 1.0 2.4 CISO 2.0
📄 Page
12
2.4.1 Role Tasks for CISO 2.0 2.4.2 Challenges and Limitations of CISO 2.0 2.5 Road to the CISO Role 2.6 CISO 3.0 2.6.1 Why CISO 3.0? 2.6.2 So, What Is a CISO 3.0? 2.6.3 How to Become a CISO 3.0 2.7 Conclusion 2.7.1 Key Takeaways 2.7.2 Reflection and Exploration Questions Chapter 3 The Evolving Regulatory Landscape 3.1 Introduction 3.2 Caremark Lawsuits 3.2.1 Defining the Reasonable Standard and Mission Critical Risks 3.3 Navigating the SEC’s Cybersecurity Rule 3.3.1 Materiality: The Heart of the Matter 3.4 Navigating the FTC Safeguards Rule 3.4.1 Requirements of the FTC Safeguards Rule 3.5 Navigating the NYDFS Cybersecurity Rule 3.5.1 Requirements of the NYDFS Cybersecurity Rule 3.6 Enforcement Actions and Lessons Learned 3.6.1 SEC Enforcement Actions 3.6.2 FTC Enforcement Actions 3.6.3 NYDFS Enforcement Actions 3.6.4 Risk Quantification and Materiality: Cornerstones of Reasonableness 3.7 Implications for CISOs: Increased Accountability 3.7.1 The Fallout of SolarWinds and Uber 3.8 Conclusion 3.8.1 Key Takeaways 3.8.2 Reflection and Exploration Questions
📄 Page
13
PART 2 Business and Risk Alignment Chapter 4 The Language of Business 4.1 Introduction to the Language of Business 4.1.1 The Language of Business 4.2 The Language of Accounting 4.2.1 Three Core Financial Statements 4.2.2 Financial Statement Trends to Watch for CISOs 4.3 The Language of Finance 4.4 The Language of Economics 4.5 The Language of Risk 4.6 Determining Value and Resource Allocation 4.6.1 Common Financial Metrics 4.7 OPEX versus CAPEX and Budgeting 4.7.1 Lease versus Buy Scenario 4.7.2 SG&A and COGS for CISOs 4.8 Aligning Cybersecurity with Financial Business Goals 4.9 Conclusion 4.9.1 Key Takeaways 4.9.2 Reflection and Exploration Questions Chapter 5 Ownership and Boards of Directors 5.1 Introduction 5.2 Corporate Valuations 5.2.1 Methods for Determining Value 5.2.2 Specific Valuation Methods 5.3 Common Ownership Structures 5.3.1 Publicly Held Companies 5.3.2 Private Equity-Held Firms 5.3.3 Venture Capital-Held Firms 5.3.4 Limited Liability Companies 5.3.5 Family-Owned Companies
📄 Page
14
5.3.6 Sole Proprietorships 5.3.7 Public Organizations 5.4 Role of the Board of Directors 5.4.1 Understanding the Board’s Role 5.4.2 The Board’s Primary Responsibilities 5.4.3 Key Focus Areas for Boards 5.4.4 Board Governance Models 5.5 Fiduciary Duties 5.5.1 Duty of Loyalty 5.5.2 Duty of Obedience 5.5.3 Duty of Care 5.5.4 Duty of Prudence 5.6 Caremark and Legal Precedents 5.6.1 Caremark Case 5.6.2 Marchand (Blue Bell Ice Cream) Case 5.6.3 Boeing Co. Case 5.6.4 McDonald’s Corp. Case 5.6.5 Sorenson Case 5.7 The CISO’s Fiduciary Duty 5.8 The Dynamics of Governance: Board Directors versus Executives 5.8.1 The BOD: The Legislative Branch 5.8.2 Senior Management: The Executive Branch 5.8.3 Communicating with the BOD 5.8.4 Communicating with ELTs 5.9 Conclusion 5.9.1 Key Takeaways 5.9.2 Reflection and Exploration Questions Chapter 6 Risk 6.1 Introduction 6.2 Risk Strategy 6.2.1 Risk Strategy versus Security Strategy
📄 Page
15
6.2.2 The CISO 3.0 Risk Strategy Framework 6.3 Risk overview and Definition 6.3.1 Likelihood versus Probability 6.4 Risk versus Threat 6.4.1 Common Misconceptions in Risk Registers 6.5 IT Risk versus Enterprise Risk 6.6 Qualitative Risk Analysis 6.6.1 Challenges of Traditional Qualitative Approaches 6.6.2 Risk Matrix: A Common Tool with Shortcomings 6.6.3 Moving to a More Quantitative Approach 6.7 Risk Quantification Basics 6.7.1 FAIR Framework 6.8 Risk Quantification in Practice 6.8.1 LECs: Visualizing Financial Risk 6.8.2 Inherent Risk on the LEC 6.8.3 Risk Appetite: Balancing Risk and Reward 6.8.4 Risk Appetite, Tolerance, and Limit on a Loss Curve 6.8.5 Determining Risk Appetite 6.8.6 Risk Appetite Statements 6.9 Risk Treatment Options 6.9.1 Risk Avoidance 6.9.2 Risk Transfer 6.9.3 Risk Mitigation 6.9.4 Risk Acceptance 6.10 Tail Risk and Black Swan Events 6.10.1 Black Swan Risks 6.10.2 Cyber Value at Risk 6.11 Residual Risk 6.11.1 Calculating Residual Risk 6.12 Loss Exceedance Example: Vandelay Industries 6.12.1 Scenario 6.12.2 Defining Materiality in Risk 6.13 The Risk Register 3.0
📄 Page
16
6.13.1 Risk and Control Self-Assessments 6.14 Integrating Cyber Risk with Enterprise Risk 6.14.1 COSO Alignment 6.14.2 Integrated Risk Management 6.15 DoCRA 6.15.1 DoCRA Principles and Practices 6.16 Risk for Global Enterprises 6.16.1 Challenges in Implementing Risk Quantification 6.16.2 Adapting Risk Quantification Strategies for Global Enterprises 6.17 Conclusion 6.17.1 Key Takeaways 6.17.2 Reflection and Exploration Questions PART 3 Risk Treatment PART 3A Transfer, Avoid, and Accept Risk Chapter 7 Cyber Liability Insurance 7.1 Introduction 7.2 Cyber Risk Buy-Down Investment Mix 7.3 Commercial Cyber Insurance 7.4 The Changing Insurance Market 7.4.1 The Value Proposition of Cyber Insurance 7.5 A Framework for Procuring Cyber Insurance 7.6 Phase 1: Discovery and Self-Assessment 7.6.1 Determine and Understand Your Coverage Needs 7.7 Phase 2: Application and Prequalification 7.7.1 Cybersecurity Controls 7.8 Phase 3: Coverage Comparison and Purchase 7.8.1 Understanding Policy Language 7.8.2 Understanding Exclusions 7.8.3 Negotiate
📄 Page
17
7.9 Phase 4: Claim Readiness 7.9.1 Understanding Panel Providers 7.9.2 Put Retainers in Place 7.9.3 Coordinate with Legal 7.9.4 Ransom Brokers and Extortion Payments 7.10 Conclusion 7.10.1 Key Takeaways 7.10.2 Reflection and Exploration Questions Chapter 8 Self-Insurance and Risk Financing 8.1 Introduction 8.2 Risk Acceptance 8.2.1 Business Line CBA for Cyber Risk 8.3 Capital Reallocation for Cybersecurity 8.3.1 Examples of Capital Reallocation 8.4 Self-Insurance for Cyber Risk 8.4.1 Pure Self-Insurance 8.4.2 Captives for Cyber Coverage 8.4.3 Funded Reserves 8.4.4 Cyber Risk Pools 8.4.5 Bonds as a Cyber Risk Mitigation Tool 8.4.6 Surety Bonds 8.4.7 Cyber Catastrophe Bonds 8.5 Risk Avoidance in Cybersecurity 8.6 Determining the Right Mix of Risk Treatment Methods 8.7 Conclusion 8.7.1 Key Takeaways 8.7.2 Reflection and Exploration Questions PART 3B Risk Mitigation Chapter 9 Developing a 3.0 Program Strategy
📄 Page
18
9.1 Introduction 9.2 The Role of Risk Mitigation in the Cyber Risk Investment Mix 9.3 Continuous Improvement 9.3.1 Key Pillars of Continuous Improvement in Cybersecurity 9.3.2 Benefits of Continuous Improvement 9.4 Program Assessments 9.4.1 Assessment versus Audit 9.4.2 Common Security Assessments: NIST CSF and CIS-18 9.4.3 The Assessment Process 9.4.4 Standards versus Frameworks 9.5 Layering Risk Quantification into Strategy 9.5.1 How to Leverage Risk Quantification for Strategic Planning 9.6 Creating a Quantified Roadmap 9.6.1 Security Program Strategy versus Security Program Roadmap 9.6.2 Leveraging Risk Quantification for Prioritization 9.6.3 Building the Roadmap 9.7 Earning Budget and Buy-in with the Quantified Roadmap 9.7.1 Changing the Discussion 9.7.2 Communicating the Quantified Roadmap to Executive Leadership 9.7.3 Combining Qualification and Quantification for a Powerful Narrative 9.8 Conclusion 9.8.1 Key Takeaways 9.8.2 Reflection and Exploration Questions Chapter 10 Security Tactics and Capabilities 10.1 Introduction 10.2 Buying Capabilities, Not Tools 10.2.1 Why Buy Capabilities? 10.2.2 How to Buy Capabilities 10.3 Capability Assessments
📄 Page
19
10.3.1 Assessing Your Team’s Skills 10.3.2 Creating a Skills Gap Roadmap 10.3.3 Program and Individual Capabilities Assessments 10.3.4 Example Assessment Questions 10.4 Skills Matrix 10.4.1 Example 10.5 Capabilities Matrix 10.5.1 Understanding the Matrix 10.6 The Problem with RFPs 10.7 How to Shop for Capabilities Instead 10.7.1 Start with the Current State 10.7.2 Define the Desired Future State 10.7.3 Focus on Positive Business Outcomes 10.7.4 Establish Clear Requirements 10.7.5 Define Success Metrics 10.7.6 Address Current Capabilities and Deficiencies 10.8 Conclusion 10.8.1 Key Takeaways 10.8.2 Reflection and Exploration Questions Chapter 11 Leading Effective Teams 11.1 Introduction 11.2 Understanding Security Roles 11.2.1 The NIST NICE Framework 11.3 Insourcing versus Outsourcing: A Strategic Choice 11.4 Insourcing 11.4.1 Hiring 11.4.2 Training 11.4.3 Retention 11.4.4 Career Pathing and Succession Planning 11.4.5 The CISO as a Talent Magnet 11.5 Leading through Change
📄 Page
20
11.5.1 Key Tenets of Change Leadership 11.5.2 Change Management Models 11.5.3 Behavioral Change Management 11.5.4 Influence and Persuasion 11.5.5 Gamification 11.5.6 Building a Positive Security Culture 11.6 The CISO 3.0 as a Leader 11.6.1 The CISO’s Self-Assessment 11.6.2 Assessments and the CISO Wheel 11.7 Conclusion 11.7.1 Key Takeaways 11.7.2 Reflection and Exploration Questions Chapter 12 Security Tactics 12.1 Introduction 12.2 Identity Centricity 12.2.1 Insider Threats 12.3 Zero Trust 12.4 Continuous Monitoring 12.4.1 Continuous Threat Exposure Management 12.4.2 CTEM and AI 12.4.3 CTEM and the Development of Meaningful KPIs 12.5 Cloud-native Protection 12.5.1 Cloud Security Challenges 12.5.2 Cloud-Native Application Protection Platforms 12.5.3 Managing CNAPP 12.5.4 The CISO 3.0 and Cloud-Native Security 12.6 Data Governance 12.6.1 The Data Governance Lifecycle 12.6.2 Modern Data Platforms 12.6.3 Data Lakehouse 12.6.4 Data Security and Protection
The above is a preview of the first 20 pages. Register to read the complete e-book.
Recommended for You
{{#thumbnailUrl}}
{{/thumbnailUrl}}
{{^thumbnailUrl}}
📚
{{/thumbnailUrl}}
Loading recommended books...
Failed to load, please try again later