Preface from Why CISOs Fail, 2nd Edition

As we move towards publication of the 2nd edition (have you ordered yours?), I wanted to share the new preface, where I discuss how it came to be, and the thinking behind how to even come up with a 2nd edition for a non-technical book that doesn’t require updating.

Let me tell you a story.

We were about to start our weekly security program meeting when Dario brought it up. “Congratulations, man!”

Even through the Zoom window, he seemed genuinely excited.

“For what?” I wondered.

Nothing happened in my life that would merit a congratulatory note. Not that Dario would know. It was deep into the still scary, highly isolating stage of the COVID-19 pandemic, a few weeks following one of the most depressing Christmas holiday periods I can recall. The pandemic economy was minting winners and losers all over the place, and the particular company involved was unfortunately on the latter side. Dario was one of a couple of holdouts after they recently let go of most of their staff.

That I was still there was a positive surprise to me personally, but surely he couldn’t be that cynical.

“Your book!” he gushed.

My book? I was still a year away from the publication of The Security Hippie and had only started writing it – partly because the very same Dario inspired me to do so (a story I share in that book).

“What book? What are you talking about?”

His face took on a look of astonishment. “You don’t know?”

I shook my head.

“Your book. Why CISOs Fail. It’s in the Cybercanon.”

“Wait, what?!”

As a repeat offender, I can confidently say that writing trade books like this one must be a labor of love, or at least it’s not done for money, because there isn’t any in it. Motivations will vary; for me, Why CISOs Fail was an attempt to share key insights I’d gained over decades of serving in the capacity of fractional CISO (a.k.a. vCISO) in many organizations.

I kept it short and accessible, asked and answered one question—the one in the title. That it needed an entire book to do so is a clear indicator of how important it is to me. But it’s hard for these kinds of books to gain recognition, and I’m not good at self-promoting. Still, somehow, it found an audience, and that audience kept growing.

One of my best moments came when my friend Lance sent me a photo from the NY subway of somebody sitting across from him, reading Why CISOs Fail. In his text, he said the fella was laughing every couple of minutes, which was precisely what I was hoping to achieve with the book’s overall tone. It felt amazing.

Then, at some point, someone I hadn’t known who had that power saw fit to nominate it into the canon. I had no idea it was happening, and it led directly to this second edition.

So let me tell you what it’s actually about, beyond a way to put that nice logo on the cover.

It’s a response to the feedback I’d received over the years from many parties. People who have done more than I could ever do to promote Why CISOs Fail by telling others about it. Readers who reached out to me over LinkedIn because they felt so inspired. This includes Randy Gross, whom I only met because he read and loved the original book. So much so, that I felt compelled to invite him to write the new foreword.

By and large, they liked that it was short—but they wanted more anyway. Especially more stories.

Good luck sorting that schizo message out.

As I revisited the original text, I realized that most of it is still just as relevant today as it was back when I first wrote it. It didn’t grow stale; if anything, it became more relevant. And that provided me with the key inspiration for how to construct a second edition unlike any other second edition I’d ever read—and allowed me to square that circle. It would be a bit longer, but you could easily distinguish between old and new.

What if, on top of making the necessary updates, I added shorter, half chapters to each of the original ones, with all new content? Since the chapters each already covered individual topics, it would be easy to maintain the theme. I proposed it to the good people at Taylor & Francis, and in their virtual slanty-eyed shoulder-shrugging sort of way they said “sure, go for it.”

They already knew I can’t do anything the normal way.

Then the idea of identifying the half chapters with the “.2” at the end came to life, a nod and a wink towards all the software engineers out there, and a way to easily support further editions; surely you can see the arrival of the “.3”s. Since I am nothing if not responsive to my audience, there are plenty of new stories; if you like those, really check out The Security Hippie. Also, keeping with the tradition from the first edition, one of the chapters is written by a new external contributor, the wonderful (and frighteningly smart) Dr. Todd Jacobs.

Most importantly, the last chapter offers a new paradigm for thinking about security management. And in that, I feel that this second edition provides a better, more comprehensive answer to the question of “why CISOs fail” than I ever could imagine when I wrote the original.

It is my sincerest hope, whether you are new to Why CISOs Fail, or bought this new edition because you loved the first and wondered what new and outrageous thing I might say here, that you will enjoy these pages. And please, don’t hesitate to let me know!

Thank you for coming along this journey.

With my love and appreciation to all of you,
