I still remember when getting a book published was a bucket-list item. It had to start with writing one, which seemed simple before I embarked on the journey of actually doing it. That proved to be anything but, and getting one published is a whole ‘nother bowl of cereal.
With the original Why CISOs Fail, I got lucky. My proposal sailed through with practically no resistance, a feat that to this day makes me wonder if there was simply another glitch in the matrix. Turns out the people at Taylor & Francis had it right, as the book found an audience – and is still doing so, years later. So much so that upon its inclusion in the Cybercannon, I was invited to update it.
That’s when I discovered that revising a book is just about as difficult as writing it in the first place. I’ll make another post about that process, but today I wanted to share something else.
Something remarkable.
Something that made me cry (in a good way).
One thing I wanted revised was the foreword. But who should I ask to do it? One common piece of advice is (if you can) to ask someone famous in the field, so your book sales can benefit from their name on the cover alongside yours. But that approach felt… transactional. I mulled it over for a little while, and then a name popped into my head. It felt right for the right reasons.
A year beforehand, a very nice gentleman reached out to me on LinkedIn to express his joy, his gratitude for Why CISOs Fail. His name was Randy Gross, and he shared with me the positive impact the book had on his working life. We ended up chatting a fair amount. He really loved it, and he really got it. I couldn’t think of anyone better to write a new foreword than a stranger who was so inspired by the original text. But would he agree? It’s not a small ask.
I reached out to him.
He was surprised and touched (I guess that makes sense). More importantly, he said yes. Some time later, he produced the remarkable, tear-inducing piece below. I cannot even begin to tell you how happy I am that I followed my instincts and asked him to do this.
Thank you so much, Randy.
Foreword, Why CISOs Fail 2nd Edition — Randy Gross
When you read this, I will have been a CISO for over a year. In no small part, that tenure—and my ongoing development—is thanks to Barak Engel and Why CISOs Fail. It’s almost cliché—as this year progressed, the lessons seemed to return at just the right time. My nearly chronic imposter syndrome faded, anxiety morphed into intense curiosity, and my confidence continued to grow. My job has been remarkably fulfilling and, thankfully, the kind of exciting most CISOs prefer.
My association’s growth often matches that of the cybersecurity industry, on a cycle of perpetual escalation. Our board created a standalone CISO role and function, shifting me away from my decade-long CIO and operations duties. I wanted to level up to match their expectations—plus, hundreds of thousands of CompTIA-certified cyber pros would expect nothing less. I ordered a tall stack of books, some of which are the inches-thick volumes we all love to hate. When the books arrived, Why CISOs Fail had the best and most provocative title and required far fewer trees to print. Plus, starting with a concise and witty author had to make for a great start.
As you start the book, you immediately realize Barak is genuine, gracious, and gregarious—and he happens to work at the highest levels in cybersecurity. I’ve spoken with him several times, immediately hitting it off on personal and professional matters. He’s disarming, quite the opposite of a typically rigid guardian of the keys to a digital kingdom. To him, information security is accessible, valuable, and slightly misunderstood. Why CISOs Fail and the follow-up The Security Hippie foster camaraderie with the reader and the characters in each story. Barak wants you to be successful and fulfill what can be a fantastic role. His books irrevocably changed how I view CISOs and information security overall. His viewpoint will change you too.
It’s not a surprise that Barak believes InfoSec, at its core, is risk management rather than simply information assurance. Where things get interesting, though, is his take on technological risk beyond the rigid constraints of traditional information security practices. Barak’s practical approach offers a simple framework—people, technology, operations, and privacy/compliance. His rubric makes for effortless conversations. It’s a subtle and sublime shift: “I work to decrease undue tech risk to help businesses win” vs. “I work in Information Security to secure our data.” With the first, I’ve had unexpectedly deep conversations that led to novel and lasting impacts across the business. I still talk about InfoSec too—it’s my go-to for a quick exit at cocktail parties.
While Barak’s perspective makes the industry and role approachable, CISOs do have a hard job with a steep and unyielding learning curve. When the job feels overwhelming for me, Barak’s principles steady the ship, the first being that there is nothing inherently special about cybersecurity. If you knock out the notion that you have a magic, elevated status, others perceive that you are looking for a shared outcome. Rather than being the strong arm of the law, you are a de-facto Chief Risk Officer for your company. You enable others and are not an end to yourself. As you read, I’d encourage you to think hard about his philosophy. As you work, I’d urge you to do more than just think hard about it.
What emerges when you buy in is an earned and permanent seat at the table rather than feeling like you’re avoided or endured. Others treat you and your function with the respect and due care it demands because they know how important it has been and will be to them. The cycle gets even stronger as you get more calls about brand-new business matters fueled by your positive and enduring perspective. And yes, each of those happened to me and my function in Year One.
Here’s the personal gift that Barak’s book gave me. I needed the CISO move more than I knew—for my literal sanity. I’ve battled mental illness most of my life. While I have the acumen and experience for building technology and operations, types of operational stress can hit me hard. Too much stress isn’t healthy for anyone. With no end to InfoSec threats and the stakes rising daily, accepting a job designed perhaps to be a convenient scapegoat or one with a chance of catastrophe could be particularly bizarre.
Why CISOs Fail is a key to mental strength for me, with strategic insight into traditional pain points and how to avoid them. I might have previously sent myself into a tailspin worrying about a catastrophic miss far outside my control. Instead, summarized throughout the book, we prepare, listen, advise and respond. We work on how to get to the right place, never leading with “No.” We diligently and empathetically tailor and implement the processes and procedures built by giants before us, acting as partners rather than police. We involve the entire business in managing and responding to technology risk. We acknowledge that complete perfection is impossible and instead train for what truly matters. Worry then morphs into a broad and proactive outlook, and stress instead has a productive and pragmatic channel.
I grew up during the era of the ridiculous ‘No Fear’ t-shirts and bumper stickers. In stark contrast to those macho slogans, InfoSec needs a healthy fear. With the next vulnerability lurking around the corner, Barak’s toolset and notions of resilience bring added and reliable firepower that keeps fear at bay. We are on the hook for taking stock of our businesses, advising on that risk in ways anyone can understand.
We seek to build strong and sustainable solutions and ultimately serve as trusted advisors and strong practitioners. We view risk without hysterics, collaborate rather than indict and use the position as a license for how to grow rather than screaming “No.”
I’ve read each of Barak’s books once through—there is no time to repeat them yet as there is much to learn inside the inches-thick tomes I ordered. However, absorbing and applying all of the above has persisted and continues. Barak’s approach makes intuitive sense and it works in a practical, daily setting.
The power of this book is that the chapters weave together like a fabric I can wear every day, and it still fits very well. After reading this book and the follow-up The Security Hippie, I reached out to Barak to thank him for illuminating a path I didn’t expect to find. From personal experience, after you read the book, pay attention to Barak’s voice as you do the job. I suspect you’ll be writing him a thank-you note too.