Useful Resources for CISOs
The role of the CISO is relatively new. While it's becoming increasingly accepted as a central role in managing enterprise data and security measures, the profession continues to evolve. CISOs bear a substantial amount of responsibility in the enterprise environment, sharing responsibility for developing long-term strategic vision collaboratively with other executives while maintaining primary responsibility for protecting the enterprise's information and assets.
From ensuring that ongoing employee security training is effective, to managing security teams and overseeing the company's information security practices and policies, CISOs wear a variety of hats. Fortunately, there are many useful resources on the web that make it easier for CISOs to find information on newly discovered threats, rapidly identify patches and fixes for vulnerabilities, learn about best practices and new security methods that fit into the broader enterprise information structure, and keep up with all the details that CISOs must oversee on a day-to-day basis. We've rounded up 50 resources we feel are highly useful or essential components of the CISO toolkit, arsenal, or knowledge base - from helpful blogs, videos, research, and reports to government agencies and databases.
NOTE: The following 50 resources are not listed in any particular order of importance, but rather they are organized by category to make it easier to find the resources you're looking for. If there's something you think we've missed, feel free to add it to the comments!
Table of Contents:
- Multimedia Resources
- Reports and White Papers
- Conferences and Training
- Government Resources, Organizations, and Databases
The Ponemon Institute is a highly-regarded resource for CISOs and other security professionals. The Ponemon Blog contains up-to-date and relevant information impacting CISOs, touching on corporate data issues, insider threats, and other security topics. The Ponemon Blog is also a useful source for staying up-to-date on the latest research and global surveys available from the Ponemon Institute.
Three posts we like from Ponemon Institute:
- Corporate Data: A Protected Asset or a Ticking Time Bomb?
- Ponemon Institute Releases 2014 Cost of a Data Breach: Global Analysis
- Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication
TechTarget's SearchCIO section is a comprehensive resource for CIOs and CISOs, as well as other top- and mid-level security professionals. With news covering leadership, mobile, security, cloud strategies, and business intelligence, SearchCIO goes beyond the technical topics to focus on security-related news and information encompassing the broad roles of the CISO.
Three posts we like from SearchCIO:
- Nine CIO Tips for Surviving and Thriving in 2015
- Shawn Banerji: CIOs at Inflection Point
- IT Resolutions for 2015
Security Intelligence offers "analysis and insight for information security professionals," including a multitude of topics particularly relevant to CISOs. You'll find articles about strategy, information security trends, collaboration, and other topics with valuable information to aid CISOs in leading their respective companies through the rapidly changing information security landscape - along with valuable insights on pursuing the CISO career path.
Three posts we like from Security Intelligence:
- CISOs Must Exhibit Dexterity When Addressing a Cyber Security Risk
- Do's and Don'ts: Security Management in a Growing Company
- Why the Role of the CISO is Vital in Every Company
TechRepublic's Security category has hundreds of articles, but more than 100 of them are related specifically to the challenging role of the CISO and the many variables impacting professionals in this ever-changing field. Read about the role of the CISO, the dynamics of managing enterprise security, new developments impacting CISOs, and a variety of other pertinent security topics.
Three posts we like from TechRepublic - Security:
- Security report: CISOs get little respect
- Cloud security and compliance trends in 2015, according to Vormetric's C.J. Radford
- CISO Perspectives: Aligning Secure Software Application Development with Business Interests
From social engineering to CSO events, application security, and other pressing topics impacting organizations today, CSO Online is a useful hub for the modern CISO. Aside from blog posts, CSO Online is also a great source for security-focused slide shows, white papers, and other media.
Three posts we like from CSO Online:
- 11 Predictions for Security in 2015
- State of the CSO 2015: Breaches force new security strategy
- Social Engineering: The dangers of positive thinking
A leading source of information on security training, the InfoSec Institute features a multitude of articles and tutorials on security topics. Founded in 1998 by a team of information security instructors, the InfoSec Institute has trained more than 15,000 individuals on everything from industry standard certifications to highly specialized, niche subject matter. The InfoSec Institute blog is a reflection of the varied and in-depth expertise of its instructors and contributors.
Three posts we like from InfoSec Institute:
- Log Analysis for Web Attacks: A Beginner's Guide
- Security Predictions for 2015
- New Developments in Net Neutrality
Dark Reading offers a wealth of news and information on IT security, including plenty of content useful for CISOs. Dark Reading is one of the most well-known and widely read cyber security news websites, with insights on new threats, vulnerabilities, data protection, technology trends, and more.
Three posts we like from Dark Reading:
- Privacy by Design: Protect User Data from 'Get-Go'
- Long-Running Cyberattacks Become the Norm
- Sony Fallout: The Terrorists Win Our Networks
Verizon's Security Blog is a wealth of information, including expert analysis, studies and whitepapers, news coverage, insights on security trends, and plenty of other valuable information for today's CISOs. A Weekly Intelligence Summary breaks down the most pertinent intelligence developments each week, ensuring busy CISOs can stay up-to-date on important trends without wasting precious time tracking down reliable news sources.
Three posts we like from Verizon Security Blog:
- Making Informed Decisions by Using Meaningful Security Metrics
- A Thought Experiment About Shared Credentials
- Twitter and Information Security Awareness
Wired's Threat Level is a highly regarded news source on privacy, crime, and security online. Regular posts on topics relevant to CISOs and other security professionals, from a variety of contributors including well-known senior writers Kim Zetter and Andy Greenberg, help today's CISOs keep their fingers on the pulse of the industry.
Three posts we like from Wired - Threat Level:
- The Most Dangerous People on the Internet Right Now
- The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users
- Hacker Lexicon: What is a Backdoor?
ThreatTrack Security develops malware analysis, detection, and remediation solutions, but the company also offers a variety of useful resources for CISOs, including its CSO Blog. From advanced persistent threats to malware analysis, cybersecurity research, big data, BYOD security, and more, the CSO Blog covers the latest news and information on everything of interest to CISOs.
Three posts we like from CSO Blog:
- Are CISOs Trusted to Tackle Data Breaches & Malware?
- 10 Signs We're in for More Data Breaches
- Study: Malware Analysts Say Organizations Haven't Disclosed Data Breaches
"Technology is such a vital competitive differentiator that all business execs, whether they are CIOs, CEOs, CFOs or CMOs, need to understand the essentials," according to ZDNet's CXO blog, which sets out to provide the in-depth understanding C-level security executives require to excel in their challenging careers. From mainstream technology and security news to research and developments on security-related topics, ZDNet CXO offers the breadth and depth of knowledge modern executives demand.
Three posts we like from ZDNet CXO:
- Hunting the hackers: Tough and getting tougher, but more important than ever
- The CISO, the CIO, the CEO, or you: Who is really responsible for cybersecurity?
- Enterprise vendors: Can they scale and keep it simple?
Get the latest news, analysis, video, blogs, tips, and research in one place: CIO Online. The site's Security category offers a plethora of useful information for CISOs, covering topics such as firewalls, encryption, spam blockers, and in-depth reviews of security suites by experts.
Three posts we like from CIO - Security:
- 10 Essential Elements for a Secure Enterprise Mobility Strategy
- Think that software library is safe to use? Not so fast!
- Critical vulnerability in Git client puts developers at risk
Health IT Security is a leading source of news and resources for health IT professionals. Many articles are pertinent to CISOs within the healthcare industry, with coverage of topics including the trend towards greater acceptance of the need for the CISO role, tips for reducing security risk, risk management, mergers from a security perspective, current events, and more.
Three posts we like from Health IT Security:
- Healthcare security risk assessment strategy: CISO perspective
- Healthcare CISO augments risk analysis with strong research
- Aetna CISO: Healthcare must take risks to lessen security risk
GovTech Security is the online portal to Government Technology, a publication belonging to an award-winning family of magazines covering information technology's role in state and local governments. The publication focuses on the dynamics and challenges of governing in the digital age, with the website offering multi-media resources on hacking, cyber crime, cybersecurity, tactics for strengthening security, privacy, and much more.
Three posts we like from GovTech - Security:
- Cloud Security Improvements Aim to Accelerate “Cloud First” Adoption (Industry Perspective)
- Cybersecurity Hits the Boardroom
- Report: Rising Cybersecurity Budgets Still Not Enough
Technology professionals around the globe rely on Computing Now for up-to-date information, expert insights, and advice on coping with the latest security risks. With a large advisory board consisting of leading professionals in the field, higher education professionals, and professionals from other disciplines, Computing Now is a key resource for any CISO.
Three posts we like from Computing Now:
- Saying Goodbye and Good Riddance to Passwords
- Keeping Data in the Cloud Private
- Changing malware attack rates guide new strategies for security vendors
An independent research company, Forrester has a prestigious reputation as one of the most trusted resources on all things security. The Forrester CIO portal focuses on the challenging role of the CIO and CISO, touching on the multi-faceted demands of these careers, including the oversight of business technology, working collaboratively with fellow executives to develop strategy, and transforming their respective organizations to drive business innovation. In addition to blog posts covering the latest news and research, you'll find insights for key business initiatives, the latest reports influencing the role of the CIO/CISO, and more.
Three resources we like from Forrester CIO Blog:
- Making Sense of Digital Business: Four Can't Miss Reports from 2014
- Internet of Things Software Platforms Will Become the Rage in 2015
- CIOs Will Lead the Change - Or Be Usurped - in 2015
17. CISO Handbook
A resource for CISOs, CSOs, and other security professionals, CISO Handbook is a collaborative forum where security leaders can share expertise, challenges, tips and techniques, and opportunities that exist in the modern landscape for professionals tasked with developing enterprise security programs. From articles to research publications, news, tools, and more, CISO Handbook offers a variety of resources for CISOs.
Three resources we like from CISO Handbook:
- Why Consultants are Replacing CISO's...and Fast
- The Untold Story of Data Leakage
- Five Tips for Risk Assessments
One of the nation's oldest physical science laboratories, NIST was founded in 1901 and has since become a part of the U.S. Department of Commerce. NIST's Information Technology Portal aims to advance state-of-the-art IT in applications such as cybersecurity and biometrics, accelerating the development of reliable, usable, interoperable, and secure systems. You'll find resources and information spanning categories from computer forensics and computer security to software testing metrics, alongside news stories, videos, information on current programs, and more.
Three resources we like from Information Technology Portal:
- Border Gateway Protocol - Robustness and Security
- Seamless and Secure Mobility - Tools
- Guidelines for Derived Personal Identity Verification (PIV) Credentials
Gartner, a leading independent technology research firm, offers research and insights for CIOs and IT executives through this portal via research reports, webinars, and other formats. You'll also find listings for upcoming events in the field, executive programs, and more.
Three resources we like from Gartner - CIOs & IT Executives:
- How CIOs Need to Think About Digital Business Technologies
- The Art of a One-Page Strategy
- CIO Priorities
Founded in 1989, the Information Security Forum is an independent, not-for-profit organization with membership comprising many Fortune 500 and Forbes 2000-featured companies. The Information Security Forum's top priorities include investigating, clarifying, and resolving key issues related to security and risk management as well as developing best practices, processes, and solutions to meet the needs of its members.
Three resources we like from Information Security Forum:
- The Standard of Good Practice for Information Security
- Information Security Governance Diagnostic Tool
- Information Security - Are you protected - Guardian Supplement - Adapting to changing working practices
21. IT Security
With news, white papers, case studies, a vendor directory, events listing, and more, IT Security offers a variety of resources in various formats to help CISOs and other security professionals stay abreast of the latest developments and happenings in the industry.
Three resources we like from IT Security:
- The Business Mobility Explosion: Improve Data Security, Compliance and Manageability
- Top 5 Checklist: How to Build a Secure, Compliant & Cost-Efficient IT Infrastructure
- New Insider Threat Emerges in the New Economy
The largest not-for-profit professional body, ISC2 provides education and certification opportunities for infosecurity professionals. Recognized for Gold Standard certifications and world-class educational programs, ISC2 is a valuable source for the most up-to-date information impacting professionals in this ever-changing field.
Three resources we like from ISC2:
The effective governance and management of enterprise IT is essential for IT to support enterprise goals for modern organizations. The IT Governance Institute is an excellent source of information on IT governance and management, offering insights through research and publications, surveys, a knowledge center, and more.
Three resources we like from IT Governance Institute:
- 2014 Advanced Persistent Threat (APT) Study
- A Global Look at IT Audit Best Practices
- Cybersecurity: What the Board of Directors Needs to Ask
The Unified Compliance Framework is a resource used by organizations and GRC vendors to manage conflicting and overlapping compliance requirements across IT regulations. It's the only industry-vetted compliance database, offering a plethora of useful resources to aid CISOs and other security professionals in adequately managing requirements and maintaining compliance for their respective organizations.
Three resources we like from Unified Compliance Framework:
- Unified Compliance Framework Common Controls Spreadsheets
- Compliance Documents
- The Science of Compliance Webinar
The SANS Internet Storm Center monitors the level of malicious activity on the Internet. A useful resource for CISOs for this reason alone, the SANS Internet Storm Center also offers podcasts, tools, data, forums, and other resources to help busy CISOs stay on top of the latest threats and news impacting enterprise security.
Three resources we like from SANS Internet Storm Center:
A non-profit association serving IT leaders and professionals committed to advancing higher education, Educause is a source for learning about upcoming conferences and events, career development, accessing recent research and publications, and connecting with fellow professionals in the field.
Three resources we like from Educause Cybersecurity Initiative:
The Ponemon Institute is well-known for its thorough research and analysis in the security field. The Ponemon Library is a collection of past and current research, reports, studies, and white papers conducted by Ponemon, including benchmarking reports, global analyses, and a variety of studies relevant to the work of the CISO.
Three reports we like from Ponemon Institute:
- Big Data Analytics in Cyber Defense
- Security in the New Mobile Ecosystem
- 2013 Cost of Data Center Outages
The University of Washington's Office of the CISO releases annual reports that address pressing issues facing security professionals in higher education, privacy, cloud computing, managing data, and more. While some topics are focused on the University of Washington, many articles are relevant to the broader work of the CISO, particularly those serving in higher education.
Three reports and resources we like from University of Washington - Office of the CISO:
The National Association of State Chief Information Officers is a leading organization serving executives in the government security field, including state CIOs, CISOs, and similar roles. The Association offers a variety of in-depth informational guides, reports, and analyses which provide useful insights for CISOs and other security professionals.
Three reports we like from NASCIO Publications:
- Funding: The Drive Wheel for Cross-Jurisdictional Collaboration
- NASCIO 2014 Best Practices
- 2014 State CIO Survey: Charting the Course
The EC Council offers the widely known CCISO Certification and has certified some of the world's leading security executives. The organization also manages events, including summits and Global CISO Forums, with the goal of bringing the world's top security executives together to advance knowledge in the field. The EC Council's website is also a valuable source of the latest knowledge, news, and other information offered through podcasts, webinars, and white papers.
Three reports we like from EC Council CCISO Resources:
- Top 10 Ways to Lead a High-Performing Information Security Program
- The High Price of "Faking" Your PCI Compliance Status
- Wargaming for Chief Information Security Officers
Offered by the IBM Center for the Business of Government, this report encompasses the continuously evolving role of the Chief Information Security Officer (CISO), which arose from the increased need for safeguarding information created on and shared among computers, along with society's increasing dependence on information technology.
Three topics we like from Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers:
- Results from a Survey of and Interviews with Chief State Cybersecurity Officers
- Case Studies of State Strategies for Cybersecurity
- Excerpt from Public-Sector Information Security: A Call to Action for Public-Sector CIOs
CEOWorld Magazine recognizes the need for timely alerts when major security risks are around the corner or new developments arise that may mean your company’s network isn’t as secure as you had thought. For this reason, Twitter can be a valuable tool for being in-the-know the moment breaking news hits the security world. This list names the top chief security officers (CSOs), chief information security officers (CISOs), security executives, and experts to follow on Twitter.
Three experts you'll find in Top CSOs to Follow on Twitter:
- Eugene Kaspersky, Chairman and Chief Executive Officer of Kaspersky Lab
- Andy Ellis, Chief Security Officer of Akamai Technologies
- David Ulevitch, the Founder and Chief Executive Officer of OpenDNS
33. Security Focus
A technical community for security professionals, Security Focus provides technical updates and technical papers related to newly discovered vulnerabilities in addition to discussions on more general security subject matter, such as penetration testing.
Three topics we like from Security Focus:
Forrester Research offers a section dedicated to Security & Risk Professionals, including titles such as CISO, CSO, CRO, and similar roles. You'll find insights for key business initiatives, get reports on the latest research relevant to these roles, learn about upcoming events such as forums and webinars, and more. The Security & Risk Blog is updated regularly by leading contributors, offering valuable information on the latest security news and related topics.
Three resources we like from Forrester - Security & Risk Professionals:
- The Security Architecture And Operations Playbook
- Just When We Thought Santa Forgot To Put CISOs On His “Nice List,” Along Comes The Sony Breach
- The Global Risk Environment Looks A Lot Different In The Age Of The Customer
The Index of Cyber Security is an independent public service effort co-published by Dan Geer, a computer security analyst and risk management specialist, and Mukul Pareek, a risk professional who has worked extensively in audit, advisory and risk management. The Index of Cyber Security provides a sentiment-based measure of the cyber security risk to corporate, industrial, and governmental entities.
Three resources we like from Index of Cyber Security:
A peer-to-peer event for CISOs to share concerns, successes, and feedback in a peer-only environment, ISSA CISO Forum offers memberships by invitation only, making it an exclusive organization for modern CISOs. Multiple events are held annually in varied locations, enabling CISOs to network and collaborate with fellow executives across the U.S.
Three resources we like from ISSA CISO Forum:
The National Security Institute, founded in 1985 by Stephen S. Burns and David A. Marston, offers proven employee security awareness solutions. With a combined 35 years of experience in government and corporate security between them, Burns and Marston were responsible for designing key programs that protected some of the nation's most sensitive technology secrets. The National Security Institute quickly became the leading organization responsible for helping cleared defense contractors develop an understanding of the threats to national security.
Three resources we like from National Security Institute:
A comprehensive list of resources for new CISOs and those new to the higher education industry, this Toolkit for New CISOs contains links to discussion lists, articles, books, magazines, newsletters, and more.
Three resources we like from Toolkit for New CISOs (links to third-party websites):
- "A New CISO's To-Do List: ‘Make or Break’ Actions for a Chief Information Security Officer’s First Year" by Brian T. Nichols (Campus Technology, August 2006)
- Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI by Debra S. Herrmann
- "Who Moved My Office? The Evolving Role of the CISO."
An independent portal for cyber security and information security professionals, CISSP offers information on certifications for professionals in the field as well as other news and insights relevant for today's security professionals. It's an excellent resource for security professionals who want to learn more about becoming certified in CISSP.
Three resources we like from CISSP:
The U.S. Department of Defense - Defense Security Service provides a useful Toolkit for information security professionals. The Toolkit contains a variety of resources to aid information security professionals in their roles.
Three resources we like from Defense Security Service - Information Security Professionals Toolkit:
The CISO Summit is provided by CDM Media Summits, designed to enable CISOs and IT professionals to network with their peers in other industries across North America. Get information on sponsors, partners, upcoming events, registration, presentations, and session videos at the CISO Summit website.
Three resources we like from CISO Summit:
- Leveraging Analytics to Manage Risk and Obtain Competitive Advantage
- Marc Gordon Keynote Presentation
- Using Analytics to Thrive in the New Reality
The most-trusted and largest source for computer security, IT security, and information security training, SANS is a robust resource for all your training needs as a CISO. Information on live training, online training, and an abundance of other useful resources are available from the SANS website.
Three resources we like from SANS:
The United States Computer Emergency Readiness Team responds to major incidents, analyzes threats, and exchanges information with trusted partners around the world with the goal of creating a safer Internet for Americans. You'll find updates on newly discovered vulnerabilities, regulatory changes and information, publications, alerts, tips, and more.
Three resources we like from US-CERT:
- New OMB Guidance Improves Federal Information Security
- "Misfortune Cookie" Broadband Router Vulnerability
- The Risks of Using Portable Devices
ISSA International connects and develops cybersecurity leaders globally, with a network of more than 10,000 security colleagues worldwide. With local chapters, special interest groups, an annual conference, and other opportunities and information, ISSA is a worthy organization for CISOs.
Three resources we like from ISSA:
The National Vulnerability Database is a must-have tool for any CISO's toolkit, offering updates and information on vulnerability management, security measurement, and compliance.
Three resources we like from NIST National Vulnerability Database:
The National Security Agency/Central Security Service is the U.S. Government's security defense agency. Information for businesses, academia, careers, research, and public information are all found on the NSA website.
Three resources we like from National Security Agency:
An association representing more than 115,000 professionals, ISACA helps enterprises maximize the value of their information and technology. Certification and education information is available on the ISACA website, along with the ISACA Journal, a robust knowledge center, and more.
Three resources we like from ISACA:
One of the world's leading centers in information assurance and security research, Purdue University's CERIAS provides a wealth of useful resources for CISOs, including research, white papers, tools, and more.
Three resources we like from CERIAS:
The Privacy Association offers all the privacy tools and information you need in one central location. From tools and research to a helpful glossary, information on employee awareness and education, career development resources, and more, the Privacy Association truly is a one-stop resource for CISOs.
Three resources we like from Privacy Association:
The CISO Platform is a social network dedicated to the CISO profession, aiming to provide a useful resource and collaborative portal for CISOs to network, share knowledge, ask questions, and work collaboratively to advance the field.
Three resources we like from CISO Platform:
- How the Heartbleed bug was found by Antti Karjalainen - discoverer of Heartbleed
- A Google Site Meant to Protect You Is Helping Hackers Attack You
- The Notorious 9 in Cloud Security