CISO Resources

The resources found here are provided to you by other CCISOs and EC-Council. To find out how you can contribute, send an email to: [email protected].


Latest News


December 17, 2018
Building Competent CISOs through the Certified Chief Information Security Officer Program

The Certified CISO (CCISO) Program is an exclusive program designed to produce top-level information security leaders by focusing on both technical skills and information-security management[…]

October 31, 2017
(CCISO) Program Receives ANSI Personnel Certification Accreditation

EC-Council announces that it has been accredited by the American National Standards Institute (ANSI) to meet the ANSI/ISO/IEC 17024 Personnel Certification Accreditation standard for its[…]

October 20, 2017
EC-Council Issues KRACK Attack Briefing

As you undoubtedly know, the KRACK attack affects nearly every wireless device to some extent. EC-Council has issued a briefing on standard precautions you and[…]


Tips from industry-leading CISOs

Tip: Always be willing to collaborate, help, aid, and assist.
Zachery S. Mitcham
Chief Information Security
& Compliance Officer
North Carolina Central University
We can all benefit from viewing the problem from different vantage points. Collaboration is the life blood of Information Security.
Tip: Never Pay Lip service to your Security Awareness Program
Favour Femi-Oyewole
Certified Chief Information Security Officer
Awareness training is an essential part of securing an organization. However, the idea should be to create a security culture, not to make them knowledgeable. If it is handled as a tick-the-box exercise, then it heads into failure; if it lacks top management involvement and support, it results in futility. If it is not a continuous activity using a strategy that targets imbibing a security culture among the employees, it makes a mess of every other good thing the CISO is doing. CISOs should “market” Information Security and cybersecurity best practices as a matter of personal importance that promotes the protection of home and family.
Tip: Be A CISO That Walks Around
Tyson Martin
 
Take your lead from Bill Hewlett & Dave Packard’s example of management by walking around. Get outside your security safety zone and stroll around the office, talking to others from other teams about their latest initiatives and goals. The relationships you build and the things you learn will be priceless in the cultural transformation you have ahead of you.
Tip: No CISO is an Island of Knowledge
Favour Femi-Oyewole
Certified Chief Information Security Officer
The importance of CISOs sharing information among each other and learning trends from one another is essential. Avoid the silo mentality; we all need one another in this global village.
Tip: The 6 or 9 approach.
Jothi Dugar
CISO, National Institute of Health
If two people stand on either end of the number 6 or 9, both will see a different number, yet both are right in what they see. Many times in organizations there seems to be a dynamic in which CISOs and CIOs and their Technical Operations personnel are on opposite ends of the same "number" and feel the need to prove either side wrong. To be a successful CISO, it requires you to look at situations with a different perspective and have strong communication skills to enable you to communicate effectively with diverse groups of people in a "language" that resonates with them without making anyone right or wrong.
Tip: The CISO needs to understand the business.
Favour Femi-Oyewole
Certified Chief Information Security Officer
I ensure time is created even in the midst of no time to read business books that broaden my knowledge on how to interface with business people in my organization. My job is to help all the stakeholders in the business and ensure their activities align with the security program.
Tip: Invite yourself to peer staff and leadership meetings whenever possible
Chuck McGann
Independent Security Consultant
CISO as a True Corporate Advisor
Favour Femi-Oyewole
Certified Chief Information Security Officer
A CISO that has matured to the level of Corporate Advisor will easily have his/her way and have many in the organization consulting him/her on different issues, even outside of security stuff, because the CISO function is seen as an Enabler; the opposite will lead to the CISO being in the dark about so many things happening in the organization.
Tip: Stress Test Your Cybersecurity Program
Tari Schreider
Cybersecurity Strategist, Author & Instructor

In my career, I have assessed literally hundreds of cybersecurity programs. Of those programs I reviewed, less than five percent were ever stress tested. Having a program audited or assessed does not constitute stress testing. They only serve to review control existence, not execution or performance. One has to purposefully test the reactions of their cybersecurity program and staff against a number of scenarios or simulated attacks.

I have found that using the NIST Cybersecurity Framework (CSF) is perfectly suited as a baseline, particularly the detect, respond, and recover functions. Next you would select a hypothetical data breach or cyber-attack scenario as a test of your organization’s ability to react to the simulated event. The stress test is an advanced tabletop exercise and is best carried out unannounced using a scenario ripped from today’s headlines. Your staff can only use what is presently documented within your organization’s cybersecurity program. You will be amazed at how the stress test unfolds.

Tip: Never be too quick to accept blame.
Dr. Curtis KS Levinson
United States Cyber Defense Advisor to NATO
Privacy, Cyber Defense, Compliance,
Continuity/Recovery,
Secure Cloud & Information Governance
Very often, the CISO tends to be the dumping pit of everything gone wrong. One zero-day attack, even when you’re fully prepared (as budget will allow), and everyone wants to fire the CISO. Even when budget has been tightly restricted (as it often is), the CISO gets blamed for every cyber incident. Don’t be afraid to push back, cite budget and staff limitations, and quote as many statistics as possible. Always hang tight.