CISO Desk Reference Guide: A Practical Guide for CISOs Volume 1


Book written by Bill Bonney, Gary Hayslip, Matt Stamper
Book review by Ben Rothke

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

Every profession has desk references that practitioners can use as go-to guides for tactical information. For information security professionals, CISOs and those on the CISO track, the CISO Desk Reference Guide: A Practical Guide for CISOs is an excellent example of such a guide.


While the classic "prepare three envelopes" joke revolves around CEOs, it is quite appropriate for CISOs as well. For many, the career path is a slow and steady one in which they deliberately progress toward attaining the role. For others, who obtain the role quickly in the wake of a major security breach, envelope #3 must often be opened immediately.

In the CISO Desk Reference Guide: A Practical Guide for CISOs (ISBN 978-0997744118), authors Bill Bonney, Gary Hayslip and Matt Stamper have written a tactical guide that can help the soon-to-be or new CISO get up and running. Each of the three has been in the information security space for decades, and all of them bring their experience from the trenches to every chapter.

CISOs who find themselves in that position have entered it as a key function within the organization. For those who have come into the role suddenly, it is important to note that poor information security controls can bring an organization to its knees. In the book, the authors share their knowledge and real-world experience, showing current CISOs, and security managers who aspire to the role, how to function most effectively as a CISO.

A recurrent problem with books by multiple authors is that the end result often lacks consistency and is simply a collection of different essays without a unifying theme. The authors here do an admirable job of avoiding that. Each chapter clearly identifies its author. A benefit of this approach is that each author brings his own style to information security, so the reader ends up with a broad and multifaceted methodology on the topic.

The nine chapters in the book cover the entire range of the information security lifecycle, from regulatory issues to data classification, reporting to the board, tools, policies and more. The three authors are battle-tested professionals with real-life expertise that they bring to every chapter.

The previous point is not a trivial one, as information security is not monolithic. There is certainly no single way to do information security. By learning the topic from the best and the brightest, information security practitioners and CISO hopefuls can position themselves to ultimately succeed in their endeavors.

As mentioned above, many books with multiple authors suffer from a lack of consistency and a muddled message. This book does not suffer from that. In fact, each author brings a slightly different approach to the various topics. This is an important point, as there is certainly no one-size-fits-all approach when it comes to information security.

Of course, an effective CISO cannot rely on any single book. And if they tried, that book would need to be about 2,500 pages long. But for those looking for a go-to reference when the CxO urgently calls, any information security professional would do well to keep a copy of the CISO Desk Reference Guide handy. It is an excellent desktop reference, and an indispensable one at that.

The CISO Desk Reference Guide: A Practical Guide for CISOs is an excellent desk reference that information security professionals, from managers to CISOs, will find of value. It is full of practical, real-world experience and sage advice, making it an excellent candidate for the Cybersecurity Canon.