Book Review: “CISO Compass”

CISO Compass

Book written by Todd Fitzgerald
Book review by Ron Woerner

Bottom Line: I recommend this book as a Cybersecurity Canon candidate. I believe it is a must-read for all cybersecurity professionals.
Why learn from just one person when you can learn from a hundred? In “CISO Compass, Navigating Cybersecurity Leadership Challenges with Insights from Pioneers,” author Todd Fitzgerald has compiled a book that covers almost every subject and leverages various great minds within the cybersecurity field. This book includes insights from many of the top leaders and experts in the security industry across a wide variety of important topics to cybersecurity professionals including the CISO’s role, cybersecurity strategy and structure, emerging technology trends, security control frameworks, laws and regulations, security policies, data protection and CISO soft skills. 

Fitzgerald, an award-winning CISO himself, provides material to prepare both cybersecurity newcomers and experienced professionals in all aspects of the profession. The CISOs and security experts interviewed for this book include many well-known security luminaries, among them Steve Katz, Dan Lohrmann, Rebecca Herold and Roland Cloutier.

There are two things to consider with this book: First, it’s a book for those who manage organizational security rather than a technical manual. Second, there’s so much material in this book that it can be overwhelming. Given Fitzgerald’s extensive research, this is a book that needs to be digested over time to take it all in. The insights are best leveraged throughout all stages of a cybersecurity program and whenever a security leader is looking for ideas or inspiration. 

“CISO Compass” starts with a bold promise: You will learn something. Cybersecurity professionals should always be learning and growing. While it’s a bold statement, it’s also true. To reach your destination, you need to know where you are, where you’ve been and where you’re going. In the first section of “CISO Compass,” Fitzgerald provides a history of the CISO role and ideas on where it’s going. He leverages the McKinsey “7-S Framework” (Strategy, Structure, Systems, Shared values, Staff, Skills and Style) to explain the relationship between organizational effectiveness and cybersecurity leadership. 

He also expands on these ideas in the two sections that follow, which focus on security strategy and structure. This book draws on insights from cybersecurity experts to offer direction to cybersecurity professionals on topics such as security strategy development and execution, governance, risk management and compliance (GRC), incident management, frameworks and laws, data protection, policy development and leadership. These are all vital aspects of a chief information security officer’s life. Furthermore, the last two sections, on “Staff and Skills,” provide actionable steps for security professionals to improve their leadership and management skills.

Knowing how people think, act and operate across the generations, and having the professional soft skills needed to deal with that, can make or break a security program. While these topics may come last in the book, they can be a great starting point for both new and seasoned security leaders who want to improve how they work with and influence others.

“CISO Compass” also helps the reader navigate the security control framework maze of laws, regulations, standards, controls and frameworks such as HIPAA/HITECH, ISO/IEC 27001, NIST Cybersecurity Framework, FISMA, PCI DSS and COBIT. Fitzgerald pulls from his previous book, “Information Security Governance Simplified: From the Boardroom to the Keyboard,” to explain actions needed to achieve and maintain compliance with regulations and manage risks to the organizational infrastructure.

The wide variety of topics covered in this book, along with the combined wisdom from leading cybersecurity professionals, makes “CISO Compass” a valuable resource on any cybersecurity professional’s bookshelf. Each chapter contains great ideas from both the author and industry leaders. There are a multitude of references sprinkled throughout and compiled at the end of each chapter, pointing readers toward where to go for continued learning. By paying attention to each of the topics, references and industry leaders contained in this book, you will leave with nuggets of wisdom applicable in your personal and business lives, with the hope of reducing risks to all. Both the breadth and depth of this book make it a must-have for all cybersecurity professionals. 

Pick it up and see if it isn’t true.