Useful Resources for CISOs: Blogs, Papers, Conferences & More
We've collected 50 resources, including blogs, videos, research, and databases, to help CISOs keep up with the demands of their busy job.
While the CISO role is becoming increasingly accepted as a central role in managing enterprise data and security measures, the profession continues to evolve. CISOs bear a substantial amount of responsibility in the enterprise environment, sharing responsibility for developing long-term strategic vision collaboratively with other executives while maintaining primary responsibility for protecting the enterprise's information and assets.
From ensuring that ongoing employee security training is effective, to managing security teams and overseeing the company's information security practices and policies, CISOs wear a variety of hats. Fortunately, there are many useful resources on the web that make it easier for CISOs to find information on newly discovered threats, rapidly identify patches and fixes for vulnerabilities, learn about best practices and new security methods that fit into the broader enterprise information structure, and keep up with all the details that CISOs must oversee on a day-to-day basis. We've rounded up 50 resources we feel are highly useful or essential components of the CISO toolkit, arsenal, or knowledge base - from helpful blogs, videos, research, and reports to government agencies and databases. This list, originally created in 2015, has been updated in 2019 to reflect current resources for today's CISO. NOTE: The following 50 resources are not listed in any particular order of importance, but rather they are organized by category to make it easier to find the resources you're looking for. If there's something you think we've missed, feel free to add it to the comments!
Table of Contents:
- Multimedia Resources
- Reports and White Papers
- Conferences and Training
- Government Resources, Organizations, and Databases
The Ponemon Institute is a highly-regarded resource for CISOs and other security professionals. The Ponemon Blog contains up-to-date and relevant information impacting CISOs, touching on corporate data issues, insider threats, and other security topics. The Ponemon Blog is also a useful source for staying up-to-date on the latest research and global surveys available from the Ponemon Institute.
Three posts we like from Ponemon Institute:
- The Cyber Hygiene Index: Measuring the Riskiest States
- Data Breaches Caused by Insiders Increase in Frequency and Cost
- Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication
TechTarget's SearchCIO section is a comprehensive resource for CIOs and CISOs, as well as other top- and mid-level security professionals. With news covering leadership, mobile, security, cloud strategies, and business intelligence, SearchCIO goes beyond the technical topics to focus on security-related news and information encompassing the broad roles of the CISO.
Three posts we like from SearchCIO:
- How AI cybersecurity thwarts attacks -- and how hackers fight back
- Learning from 2018 cybersecurity incidents: Perform due diligence
- CIO role: Should a CIO manipulate information?
Security Intelligence offers "analysis and insight for information security professionals," including a multitude of topics particularly relevant to CISOs. You'll find articles about strategy, information security trends, collaboration, and other topics with valuable information to aid CISOs in leading their respective companies through the rapidly changing information security landscape - along with valuable insights on pursuing the CISO career path.
Three posts we like from Security Intelligence:
- Are Applications of AI in Cybersecurity Delivering What They Promised?
- 6 Steps Every New CISO Should Take to Set Their Organization Up for Success
- To Improve Critical Infrastructure Security, Bring IT and OT Together
TechRepublic's Security category has hundreds of articles, but nearly 200 of them are related specifically to the challenging role of the CISO and the many variables impacting professionals in this ever-changing field. Read about the role of the CISO, the dynamics of managing enterprise security, new developments impacting CISOs, and a variety of other pertinent security topics.
Three posts we like from TechRepublic - Security:
- Burnout warning: High stress levels impacting CISOs' physical, mental health
- How to help CISOs understand their role in cloud security
- 3 enterprise cybersecurity trends CISOs must pay attention to
From social engineering to CSO events, application security, and other pressing topics impacting organizations today, CSO Online is a useful hub for the modern CISO. Aside from blog posts, CSO Online is also a great source for security-focused slide shows, white papers, and other media.
Three posts we like from CSO Online:
- Are zero-day exploits the new norm?
- IoT botnets target enterprise video conferencing systems
- DDoS explained: How distributed denial of service attacks are evolving
A leading source of information on security training, the InfoSec Institute features a multitude of articles and tutorials on security topics. Founded in 1998 by a team of information security instructors, the InfoSec Institute is trusted by more than 50,000 individuals on everything from industry standard certifications to highly specialized, niche subject matter. The InfoSec Institute blog is a reflection of the varied and in-depth expertise of its instructors and contributors. You'll find everything from podcast episodes to blog posts, news from industry events, and more.
Three posts we like from InfoSec Institute:
- The Business Impact of Cyber Risk - CyberSpeak Podcast
- The Current State of Artificial Intelligence in Cybersecurity - CyberSpeak Podcast
- What Happens on the Endpoint Stays on the Endpoint
Dark Reading offers a wealth of news and information on IT security, including plenty of content useful for CISOs. Dark Reading is one of the most well-known and widely read cyber security news websites, with insights on new threats, vulnerabilities, data protection, technology trends, and more.
Three posts we like from Dark Reading:
- Embracing DevSecOps: 5 Processes to Improve DevOps Security
- A 'Cloudy' Future for OSSEC
- Social Media Platforms Double as Major Malware Distribution Centers
Verizon's Security Blog is a wealth of information, including expert analysis, studies and whitepapers, news coverage, insights on security trends, and plenty of other valuable information for today's CISOs. Part of the Verizon Insights Lab, the Verizon Security Blog features hundreds of articles offering insights and expertise on social engineering, insider threats, and other information busy CISOs need to stay up-to-date on important trends.
Three posts we like from Verizon Security Blog:
- Insider Threat: One pattern, four scenarios, thirteen countermeasures
- Data breaches in industrial environments: Safety comes first
- Acceptable use policies: Keeping your workplace secure
Wired's Threat Level is a highly regarded news source on privacy, crime, and security online. Regular posts on topics relevant to CISOs and other security professionals, from a variety of contributors including well-known senior writer Andy Greenberg, help today's CISOs keep their fingers on the pulse of the industry.
Three posts we like from Wired - Threat Level:
- Hack Brief: Dangerous 'Fireball' Adware Infects a Quarter Billion PCs
- Security News This Week: Bug Bounties Pay But Piracy Doesn't
- Hackers are Trying to Reignite WannaCry with Nonstop Botnet Attacks
The Center for Internet Security is a "forward-thinking non-profit entity that harnesses the power of a global IT community to safeguard private and public institutions against cyber threats." The Center for Internet Security's blog is a wealth of useful information for CISOs, including information on the latest cyber threats, trends, and priorities for CISOs.
Three posts we like from Center for Internet Security:
- 2019 New Year's Resolutions for CISOs
- Product Development & the CISO
- How to Build a Cybersecurity Compliance Plan (with Free CIS Resources)
"Technology is such a vital competitive differentiator that all business execs, whether they are CIOs, CEOs, CFOs or CMOs, need to understand the essentials," according to ZDNet's CXO blog, which sets out to provide the in-depth understanding C-level security executives require to excel in their challenging careers. From mainstream technology and security news to research and developments on security-related topics, ZDNet CXO offers the breadth and depth of knowledge modern executives demand.
Three posts we like from ZDNet CXO:
- Federal bidding scam targets US contractors
- Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals
- Researchers hide malware in benign apps with the help of speculative execution
Get the latest news, analysis, video, blogs, tips, podcasts, and research in one place: CIO Online. The site's Security category offers a plethora of useful information for CISOs, covering topics such as firewalls, encryption, spam blockers, and in-depth reviews of security suites by experts.
Three posts we like from CIO - Security:
- The 11 biggest issues IT faces today
- How data governance can support data privacy compliance
- Exploring the economic realities of cybersecurity insurance | Salted Hash Ep 43
Health IT Security is a leading source of news and resources for health IT professionals. Many articles are pertinent to CISOs within the healthcare industry, with coverage of topics including tips for reducing security risk, risk management, mergers from a security perspective, current events, and more.
Three posts we like from Health IT Security:
- Healthcare Email Security Defenses Lag Behind Other Industries
- Blue Shield, AltaMed Patient Data Breached in Business Associate Hack
- What's at Stake with Healthcare IoT and Cloud? Unnecessary Risk
GovTech Security is the online portal to Government Technology, a publication belonging to an award-winning family of magazines covering information technology's role in state and local governments. The publication focuses on the dynamics and challenges of governing in the digital age, with the website offering multi-media resources on hacking, cyber crime, cybersecurity, tactics for strengthening security, privacy, and much more.
Three posts we like from GovTech - Security:
- Why Many Organizations Still Don't Understand Security
- To Understand IoT Security: Look to the Clouds
- How Far Should Organizations Be Able to Go to Defend Against Cyberattacks?
Technology professionals around the globe rely on Computing Now for up-to-date information, expert insights, and advice on coping with the latest security risks. With a large advisory board consisting of leading professionals in the field, higher education professionals, and other disciplines, Computing Now is a key resource for any CISO.
Three posts we like from Computing Now:
- How You Can Prepare for Cyber Breaches
- Why Cybersecurity Will Change the Internet of Things
- Why We Desperately Need Better Cybersecurity
An independent research company, Forrester has a prestigious reputation as one of the most trusted resources on all things security. The Forrester CIO portal focuses on the challenging role of the CIO and CISO, touching on the multi-faceted demands of these careers, including the oversight of business technology, working collaboratively with fellow executives to develop strategy, and transforming their respective organizations to drive business innovation. You'll find insights for key business initiatives, the latest reports influencing the role of the CIO/CISO, events, and more.
Three resources we like from Forrester CIO:
- Forrester Analytics: Private Cloud Solutions Forecast, 2018 To 2023 (Global)
- Predictions 2019: The Internet Of Things
- Prepare For Blockchain's Impact On The Telecommunications Sector
A resource for CISOs, CSOs, and other security professionals, CISO Handbook is a collaborative forum where security leaders can share expertise, challenges, tips and techniques, and opportunities that exist in the modern landscape for professionals tasked with developing enterprise security programs. From articles to research publications, news, tools, and more, CISO Handbook offers a variety of resources for CISOs.
Three resources we like from CISO Handbook:
- Security Architecture Program | Management and Effectivity of the Suite of Preventive & Detective Safeguards
- Security Policy Management | Associated with the Management of Security Policies within an Environment
- Security Architecture Program | Management and Effectivity of the Suite of Preventive & Detective Safeguards
One of the nation's oldest physical science laboratories, NIST was founded in 1901 and has since become a part of the U.S. Department of Commerce. NIST's Information Technology Portal aims to advance state-of-the-art IT in applications such as cybersecurity and biometrics, accelerating the development of reliable, usable, interoperable, and secure systems. You'll find resources and information spanning categories from computer forensics and computer security to software testing metrics, alongside news stories, videos, information on current programs, and more.
Three resources we like from Information Technology Portal:
- NIST Cybersecurity Framework
- NIST: Blockchain Provides Security, Traceability for Smart Manufacturing
- Mobile Device Security: Cloud and Hybrid Builds
Gartner, a leading independent technology research firm, offers research and insights for CISOs and Security Risk Management Leaders through this portal via research reports, webinars, and other formats. You'll also find listings for upcoming events in the field, executive programs, and more.
Three resources we like from Gartner - CISOs:
- Leadership Vision for 2019: Security and Risk Leader
- Link Cybersecurity to Business Outcomes
- Treat Cybersecurity Like a Business Function
Founded in 1989, the Information Security Forum is an independent, not-for-profit organization with membership comprising many Fortune 500 and Forbes 2000-featured companies. The Information Security Forum's top priorities include investigating, clarifying, and resolving key issues related to security and risk management as well as developing best practices, processes, and solutions to meet the needs of its members.
Three resources we like from Information Security Forum:
- Threat Horizon 2020: Foundations Start To Shake
- Information Security Governance Diagnostic Tool
- Data Analytics for Information Security: From hindsight to insight
With news, white papers, case studies, a vendor directory, events listing, and more, IT Toolbox - Security offers a variety of resources in various formats to help CISOs and other security professionals to stay abreast of the latest developments and happenings in the industry.
Three resources we like from IT Toolbox - Security:
- Machine Learning and the Myth of the Silver Bullet
- Machine Learning is Shifting the Power Back to the Infosec Community
- How to Quantify and Prioritize Security Risks
The largest not-for-profit professional body, ISC2 provides education and certification opportunities for infosecurity professionals. Recognized for Gold Standard certifications and world-class educational programs, ISC2 is a valuable source for the most up-to-date information impacting professionals in this ever-changing field.
Three resources we like from ISC2:
ISACA is an independent, non-profit, global association that promotes the development, adoption, and use of best practices for information systems. Founded in 1969, ISACA provides guidance, benchmarks, and tools for information security professionals and leaders, including research and publications, certifications, training events, and more.
A resource we like from ISACA:
The Unified Compliance Framework has been developing tools to support IT best practices since 1992. It's the only industry-vetted compliance database, offering a plethora of useful resources to aid CISOs and other security professionals in adequately managing requirements and maintaining compliance for their respective organizations.
Three resources we like from Unified Compliance Framework:
The SANS Internet Storm Center monitors the level of malicious activity on the Internet. A useful resource for CISOs for this reason alone, the SANS Internet Storm Center also offers podcasts, tools, data, forums, and other resources to help busy CISOs stay on top of the latest threats and news impacting enterprise security.
Three resources we like from SANS Internet Storm Center:
A non-profit association serving IT leaders and professionals committed to advancing higher education, Educause is a source for learning about upcoming conferences and events, career development, accessing recent research and publications, and connecting with fellow professionals in the field.
Three resources we like from Educause Cybersecurity Initiative:
- Security Matters
- Information Security Program Assessment Tool
- DIY Information Security Peer Review Assessment Toolkit
The Ponemon Institute is well-known for its thorough research and analysis in the security field. The Ponemon Library is a collection of past and current research, reports, studies, and white papers conducted by Ponemon, including benchmarking reports, global analyses, and a variety of studies relevant to the work of the CISO.
Three reports we like from Ponemon Institute:
- Separating the Truths from the Myths in Cybersecurity
- The Evolving Role of CISOs and Their Importance to the Business
- The Internet of Things (IoT): A New Era of Third-Party Risk
The University of Washington's Office of the CISO releases reports that address pressing issues facing security professionals in higher education, privacy, cloud computing, managing data, and more. While some topics are focused on the University of Washington, many articles are relevant to the broader work of the CISO, particularly those serving in higher education.
Three reports and resources we like from University of Washington - Office of the CISO:
The National Association of State Chief Information Officers is a leading organization serving executives in the government security field, including state CIOs, CISOs, and similar roles. The Association offers a variety of in-depth informational guides, reports, and analyses which provide useful insights for CISOs and other security professionals.
Three reports we like from NASCIO Publications:
- Technology Forecast 2019: What State and Local Government Technology Officials Can Expect (webinar)
- The State CIO Operating Model: Bridging Trends and Action
- State CIO Top Ten Policy and Technology Priorities for 2019
The EC Council offers the widely known CCISO Certification and has certified some of the world's leading security executives. The organization also manages events, including the CISO Awards and the Global CISO Forum, with the goal of bringing the world's top security executives together to advance knowledge in the field. The EC Council's website is also a valuable source of the latest knowledge, news, and other information offered through podcasts, webinars, and white papers.
Three reports we like from EC Council CCISO Resources:
- Bug Bounty Programs by Tari Schreider
- Automation & Orchestration by Tari Schreider
- Wargaming for Chief Information Security Officers
The IBM Center for the Business of Government connects research to practice, facilitating discussion of how governments can apply new approaches to improve effectiveness at all levels. In addition to a blog, the IBM Center for the Business of Government publishes reports on a variety of topics, including cybersecurity, risk, and other topics of interest to the modern CISO.
Three reports we like from IBM Center for the Business of Government:
- Managing Cybersecurity Risk in Government
- A Roadmap for IT Modernization in Government
- Delivering Artificial Intelligence in Government: Challenges and Opportunities
This massive list of the best cybersecurity experts to follow on Twitter makes it easy for CISOs to find and follow the most forward-thinking security professionals, respected journalists, researchers, and others in the know to stay on top of the latest news, trends, and emerging threats.
Three experts you'll find in The Best Twitter Cybersecurity Accounts You Should Follow:
- Brian Krebs, Independent Investigative Journalist at Krebs on Security
- Graham Cluley, Award-Winning Computer Security Expert, Writer, and Keynote Speaker
- Eugene Kaspersky, Founder and Chief Executive Officer of Kaspersky Lab
33. Security Focus
A technical community for security professionals, Security Focus provides technical updates and technical papers related to newly discovered vulnerabilities in addition to discussions, solutions, and detailed reference information.
Three resources we like from Security Focus:
- WinRAR Multiple Security Vulnerabilities
- Microsoft .NET Framework and Visual Studio CVE-2019-0657 Spoofing Vulnerability
An independent research company, Forrester has a prestigious reputation as one of the most trusted resources on all things security. The Forrester Security & Risk Professionals portal focuses on the challenging role of the CISO, as well as the CSO, CRO, and IT Risk/Compliance Managers, touching on the multi-faceted demands of these careers, including the need to evolve from security domain experts to business leaders, execute on a business technology agenda, and manage information risks. You'll find insights for key business initiatives, the latest reports influencing the role of the CISO, and more.
Three resources we like from Forrester Security & Risk Professionals:
- The State Of Application Security, 2019
- The Forrester MITRE ATT&CK Evaluation Guide
- Widen Your Risk Taxonomy To Remove Blind Spots
The Index of Cyber Security is an independent public service effort co-published by Dan Geer, a computer security analyst and risk management specialist, and Mukul Pareek, a risk professional who has worked extensively in audit, advisory and risk management. The Index of Cyber Security provides a sentiment-based measure of the cyber security risk to corporate, industrial, and governmental entities.
A peer-to-peer event for CISOs to share concerns, successes, and feedback in a peer-only environment, ISSA CISO Forum offers memberships by invitation only, making it an exclusive organization for modern CISOs. Multiple events are held annually in varied locations, enabling CISOs to network and collaborate with fellow executives across the U.S.
Three resources we like from ISSA CISO Forum:
The National Security Institute, founded in 1985 by Stephen S. Burns and David A. Marston, offers proven employee security awareness solutions. With a combined 35 years of experience in government and corporate security between them, Burns and Marston were responsible for designing key programs that protected some of the nation's most sensitive technology secrets. The National Security Institute quickly became the leading organization responsible for helping cleared defense contractors develop an understanding of the threats to national security.
Two resources we like from National Security Institute:
The first of its kind training and certification program, the CCISO Program aims to produce top-level information security executives. Rather than focusing solely on technical knowledge, this program also emphasizes the application of information security management principles from the executive management vantage point. The program was developed by a core group of high-level information security executives who make up the CCISO Advisory Board.
Three key topics you'll learn in the CCISO Program:
- Risk Management, Controls and Audit Management
- Program and Operations Management
- Strategic Planning, Finance, and Vendor Management
Offered by ISC2, the CISSP Certification "proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program." The program is ideal for experienced security practitioners, managers, and executives who want to prove their knowledge and gain deeper expertise.
Three other certifications you can get from ISC2:
- CAP - Security Assessment and Authorization Certification
- HCISPP - The HealthCare Security Certification
- CCSP - The Industry's Premier Cloud Security Certification
The Center for Development of Security Excellence offers a variety of courses and other training resources, including toolkits, webinars, and certification programs for security professionals.
Three resources we like from Center for Development of Security Excellence:
The CISO Digital Transformation Summit is provided by CDM Media Summits, designed to enable CISOs and IT professionals to network with their peers in other industries across North America. Get information on sponsors, partners, upcoming events, registration, presentations, and session videos at the CISO Summit website.
Three resources we like from CISO Digital Transformation Summit:
- 2018 Phishing By Industry Benchmarking Report
- Security Awareness Training and Simulated Phishing Platform
The most-trusted and largest source for computer security, IT security, and information security training, SANS is a robust resource for all your training needs as a CISO. Information on live training, online training, and an abundance of other useful resources are available from the SANS website.
Three resources we like from SANS:
The United States Computer Emergency Readiness Team responds to major incidents, analyzes threats, and exchanges information with trusted partners around the world with the goal of creating a safer Internet for Americans. You'll find updates on newly discovered vulnerabilities, regulatory changes and information, publications, alerts, tips, and more.
Three resources we like from US-CERT:
- National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems
- Build Security In Archives
- Current Activity
ISSA International connects and develops cybersecurity leaders globally, with a network of more than 10,000 security colleagues worldwide. With local chapters, special interest groups, an annual conference, and other opportunities and information, ISSA is a worthy organization for CISOs.
Three resources we like from ISSA:
The National Vulnerability Database is a must-have tool for any CISO's toolkit, offering updates and information on vulnerability management, security measurement, and compliance.
Three resources we like from NIST National Vulnerability Database:
- Vulnerability Search Engine
- Security Content Automation Protocol Validation Program
- Vulnerability Metrics
The National Security Agency/Central Security Service is the U.S. Government's security defense agency. Information for businesses, academia, careers, research, and public information are all found on the NSA website.
Three resources we like from National Security Agency:
The Federal CIO Council is "the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, sharing, and performance of Federal information resources." The CIO Council supports greater accountability and transparency through the use of innovative IT strategies and establishes standards against which federal agencies can be measured.
Two resources we like from Federal CIO Council:
One of the world's leading centers in information assurance and security research, Purdue University's CERIAS provides a wealth of useful resources for CISOs, including research, white papers, tools, and more.
Three resources we like from CERIAS:
IAPP offers all the privacy tools and information you need in one central location. From tools and research to a helpful glossary, information on employee awareness and education, career development resources, and more, IAPP truly is a one-stop resource for CISOs.
Three resources we like from IAPP:
The CISO Platform is a social network dedicated to the CISO profession, aiming to provide a useful resource and collaborative portal for CISOs to network, share knowledge, ask questions, and work collaboratively to advance the field.
Three resources we like from CISO Platform: