Being a CISO isn’t easy.

Stand on the shoulders of giants.

Whether you’re a long-time CISO, a first-time CISO, you aspire to be a CISO someday, or you work with or hire a CISO, How to CISO is your canonical library. Collecting and synthesizing wisdom across the CISO community, we aim to provide clear, actionable guides for CISOs as all levels. From strategic topics like structuring your organization, implementing security, and reporting to the board to tactical topics like zero trust, AI, and identity, you can make How to CISO your quick reference.

The Library collects the major works (long-form Volumes, and short-form Handbooks) of How to CISO; Concepts lets you look at content based on topic. Opinions are the interesting opeds written by the How To CISO crew, and Podcast? Well, find interesting podcasts there until the How To CISO podcast launches!

Recent content

  • How to CISO Volume 0: The Idealized CISO Job Description

    How to CISO Volume 0: The Idealized CISO Job Description

    Many companies are not in dire need of a CISO right now, but need to define a role for their future CISO, often including a plan to develop the incumbent security executive into a credible CISO. This guide provides a profile of the idealized CISO. Why idealized, and not ideal? Because a CISO is often…

  • Handbook: Zero Trust Principles

    Handbook: Zero Trust Principles

    In the 2010s, the cybersecurity community was introduced to the concept of zero trust, the idea that implicitly trusting remote systems might be a … bad idea. John Kindervagt coined the term while at Forrester Research, although practical applications were developed in parallel elsewhere. In response to the breaches from Operation Aurora, Google implemented its…

  • Preview: How to CISO Volume 2: Risk Measurement

    Preview: How to CISO Volume 2: Risk Measurement

    As a CISO, you’re often going to be asked to measure risk. This has a lot of different meanings, depending on who is speaking, so you’re going to have to listen carefully to the speaker to understand what they’re actually asking for. It’s possible that you’re being asked to provide a quantitative answer to the…

  • Zero Trust in Administration

    Zero Trust in Administration

    CrowdStrike, Windows domain administration, SolarWinds — our implicit trust in admin software is a recipe for repeated disasters. The most unsafe part of our technology ecosystem isn’t the number of unpatched systems we have. Nor is it shadow IT, whether it’s homegrown software or the burgeoning bring-your-own-SaaS ecosystem. The shared responsibility model, and the impossible complexity of safely configuring systems…

  • The Death of the CIO

    The Death of the CIO

    CISOs grew up in the CIO’s blindspot. As cloud and SaaS bring IT and security back together, which will survive their impending deathmatch? A half-century ago, most corporations were paper-native: Their business processes all executed on paper from both back office (accounting) to go-to-market functions (sales and marketing). Their businesses were location-native: Revenue was often…

  • Why assessing third parties for security risk is still an unsolved problem

    Why assessing third parties for security risk is still an unsolved problem

    A recent ranking of the most cyber-secure companies reveals weaknesses in current third-party risk management practices. A Forbes article is making the rounds right now about America’s most cyber-secure companies, and I can already see the cybersecurity outrage machine up in arms. Full confession: I haven’t yet read the article, but I’m about to. I’m writing this…

  • How to CISO Volume 1: The First 91 Days

    How to CISO Volume 1: The First 91 Days

    Ninety days is generally the grace period (or “honeymoon,” if you’d like) that a new executive has to get acclimated to a new environment. At the end of this time window, your employer is going to expect you to be executing on a plan, anyone you need to meet will expect you to have already…

  • We don’t need another infosec hero

    We don’t need another infosec hero

    By setting yourself up as the defender, the solver of problems, you cast your business colleagues as hapless victims or, worse, threats. This is not a useful construct for engagement. There’s this belief among a lot of security professionals that we are special, in that we are the defenders of our companies.  We like to…

  • The cloud security emperor has no pants

    The cloud security emperor has no pants

    “Shared responsibility” usually means that no one is responsible for minding the gap. Don’t fall in. As anyone who has worked on a cross-functional team with no clear owner knows, “shared” or “joint” responsibility often means that everyone assumes that someone else is taking care of the problem. Without clear effort to make sure that…

  • CISOs are still chiefs in name only

    CISOs are still chiefs in name only

    If you’re not in the meeting where decisions are made, then you’re not part of the C-Suite—whatever your title may be. Look around the CISO community, and you’ll find signs of burnout everywhere.   Where CISOs aren’t just quitting, you’ll find increasing tension between them and their executives, sometimes resulting in surprising departures. Ply a friendly CISO with…

  • Vulnerabilities don’t count

    Vulnerabilities don’t count

    No one outside the IT department cares about your vulnerability metrics (or they shouldn’t, anyway). They care about efficacy. And traditional stats don’t show that. I had a lovely chat with one of my favorite CISOs the other day, helping them think through the security metrics that they report upwards.  Front and center, as I…

  • Drop the SBOM

    Drop the SBOM

    Software bills of material are having a moment, but the costs of an externally visible SBOM are likely to outweigh the benefits, says Andy Ellis. There’s a big movement afoot to move to an SBOM-oriented world.  If you’re new to this acronym, an SBOM is a “Software Bill of Materials.”  The idea is that any…