The New CISO Field Guide

Practical tools and action items drawn from The CISO Crucible — a novel about a cybersecurity executive’s first 90 days navigating crisis, politics, and organizational transformation. Whether you’re stepping into a new CISO role or strengthening your leadership approach, use these alongside the book or as standalone resources.

How to use it: Start with the Day 5 checkpoint. Work forward. Use the self-assessment questions honestly — they’re designed to cut through the “I’m doing fine” narrative that buries most new CISOs.

Who it’s for: Any security leader starting a new role, whether it’s your first CISO position or your fourth. The crises change. The patterns don’t.


The Core Lesson

William Sterling walked into BigCo with a 90-day plan. It didn’t survive Day 1.

That’s not a failure story — it’s the point. Every CISO builds a plan. The ones who succeed treat it as a compass, not a map. This field guide gives you progress markers you can check regardless of what crises have rearranged your calendar.

One question drives everything: Am I making progress, or am I just busy?


Quick-Start: Your First Five Actions

If you do nothing else from this guide, do these five things in your first week.

  1. Start a Delay Log — every time a decision requires cross-departmental permission, write it down. Date, decision, who you needed, how long it took. This single document becomes your most powerful evidence for the structural conversation at Day 30.

  2. Conduct 1-on-1s with every direct report — don’t ask “what’s broken.” Ask “what would you fix if you had air cover?” The gap between those answers reveals your team’s trust level.

  3. Inventory shadow AI usage — send a brief, non-threatening survey to department heads. Assume the real number is 3x whatever they report. You need to know the actual attack surface before you can defend it, so treat the survey as a starting point and verify it against what your logs and SaaS inventory actually show during the Phase 3 shadow IT audit.

  4. Learn why your predecessor failed — request the exit interview, talk to the people who worked with them, read between the lines. The political fault lines that broke them will try to break you too.

  5. Identify who was passed over for your role — ask HR, ask your boss, ask whoever recruited you. These people are either future allies or active threats, and you need to know which before your first all-hands meeting.


Phase 1: Before Day 1 — Preparation

  • Learn why your predecessor failed — request the exit interview, read between the lines, and identify the political fault lines that broke them before they break you (Ch 2)
  • Identify who felt passed over for your role — ask HR, ask your new boss, ask the person who recruited you. These people shape your political landscape from minute one (Ch 2)
  • Draft your 90-day plan, then hold it loosely — you need a compass, not a map. Write it down so you can measure deviation, not so you can follow it blindly (Ch 1)
  • Know your actual timeline — not the one you planned, the one the organization already committed to regulators, partners, and the board. Your deadline might already be set (Ch 2)
  • Research the regulatory landscape — what filings are pending? What audits are scheduled? What did the last SEC/regulator communication say? These shape your real timeline (Ch 2, 11)

Phase 2: Days 1–5 — Orientation Under Fire

You’re not implementing anything yet. You’re building situational awareness while everything around you suggests you should be acting. Resist.

  • Start a Delay Log — document every decision that required cross-departmental permission. Date, decision, who you needed, how long it took (Ch 1)
  • Document reporting structure bottlenecks — map who reports to whom, where security sits in the org chart, and every place where your authority doesn’t match your accountability (Ch 3)
  • Conduct 1-on-1s with every direct report — ask “what would you fix if you had air cover?” not “what’s broken?” (Ch 3)
  • Inventory shadow AI usage — send a brief, non-threatening survey to department heads. Assume the real number is 3x whatever they report (Ch 2)
  • Map who’s documenting your decisions — someone is already building a file. Identify them early and give them nothing to weaponize (Ch 4)
  • Respond to every outreach from former employees — institutional knowledge left with them. The ones reaching out are telling you something (Ch 3)
  • Write down what confuses you every evening — the pattern hiding in your confusion is the framework you’ll need later (Ch 1, 7)
  • Identify your team’s unspoken fears — listen for what wounded teams aren’t saying. Silence is data. The things they won’t tell you matter more than the things they will (Ch 3)
  • Protect different working styles immediately — if your best analyst has a “Do Not Disturb” sign, don’t override it. Their focus is your detection capability (Ch 4)
  • Separate the confidence you perform from the uncertainty you manage — your team needs to see steadiness. Your journal needs to see honesty (Ch 2)

Day 5 Self-Assessment

Rate yourself honestly. You’re on track if you answer YES to at least four:

  • I know why the last person in this role failed or left
  • I’ve spoken 1-on-1 with every direct report
  • I have a written list of at least three authority/accountability mismatches
  • I know who felt passed over for my role and have assessed their current posture
  • I’ve started my Delay Log and have entries in it
  • I can name the top three things my team is afraid to tell me

Warning signs you’re already off track:

  • You’ve made promises about what you’ll fix (you don’t have enough data yet)
  • You’ve reorganized anything (it’s Day 5)
  • You skipped 1-on-1s because a crisis pulled you in (the crisis is real, but the 1-on-1s are how you survive the next one)

Phase 3: Days 6–14 — Mapping the Terrain

Now you can start asking harder questions — but you’re still in discovery mode, not fix-it mode.

  • Run a full shadow IT audit — every SaaS subscription, personal device on the network, and workaround someone built because the official tool didn’t work. Track subscriptions as systems — one SaaS purchase can mean 50+ user accounts, each with its own credentials outside your identity provider and no offboarding when the owner leaves (Ch 3, 6)
  • Map data flows to every external service — APIs, integrations, vendor connections. The volume will be worse than you expect (Ch 6)
  • Audit pages 40–150 of every major vendor contract — that’s where AI training rights, data usage clauses, and liability limitations hide (Ch 17)
  • Assume your IP is already in AI training models — check which tools have been feeding company data to external models. It’s probably already happened (Ch 6)
  • Check physical security basics — walk the building. Broken badge readers, propped-open doors, unlocked server rooms. Broken locks indicate broken culture (Ch 6)
  • Accept that shadow IT exists and govern it — banning it drives it underground. Governing it brings it into your visibility (Ch 6)
  • Initiate threat hunting — don’t wait for alerts. Assume persistent threats are already present and task your best analyst to go looking (Ch 4)
  • Create clean enclaves for business continuity — identify systems you can isolate during incident response so the business keeps running while you contain threats (Ch 4)
  • Map the political landscape — observe lunch patterns, meeting invitations, who gets cc’d and who doesn’t. Identify the real decision-makers (Ch 7)
  • Give territorial leaders partnership roles — invite IT Ops, Engineering, and Infrastructure leads to co-own security outcomes. Partnership, not subordination (Ch 4)
  • Calculate per-hour business impact of downtime — get finance to validate the number. This single figure changes every conversation with the board, with insurance carriers, and with vendors (Ch 5)
  • Accept that your company contains multiple incompatible cultures — the engineering floor and the sales floor are different countries. Stop trying to unify them (Ch 7)
  • Observe three times longer than feels comfortable before acting — in stakeholder relationships, premature action is more expensive than delayed action (Ch 7)
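One concrete way to run the shadow IT audit above is to reconcile what the company pays for against what the identity provider actually federates: any SaaS merchant on the corporate cards that is not behind SSO is a system full of accounts nobody can offboard. The script below is an added example and is not code from the field guide or from The CISO Crucible. The card export, the SSO application list and the merchant alias table are constructed sample data, and using expense data as the discovery source is an assumption about what the audit draws on.

```python
"""Shadow SaaS reconciliation: cross-references corporate-card spend
against the applications federated through the identity provider, so
every subscription that was never provisioned through SSO is listed as
a system to govern. Added example, not part of the field guide or the
novel; all inputs below are constructed, and treating card spend as the
discovery source is an assumption."""
import csv
import io
from collections import defaultdict

# Constructed corporate-card export: merchant descriptor, department, amount, cardholder.
CARD_EXPORT = """\
merchant,department,amount_usd,cardholder
NOTION LABS INC,Marketing,96.00,a.lee
NOTION LABS INC,Marketing,96.00,b.ng
OPENAI *CHATGPT SUBSCR,Engineering,20.00,c.ortiz
OPENAI *CHATGPT SUBSCR,Sales,20.00,d.park
OPENAI *CHATGPT SUBSCR,Sales,20.00,e.quinn
ATLASSIAN,Engineering,1250.00,shared-eng
ZAPIER.COM,Finance,49.00,f.ruiz
STAPLES,Finance,132.40,f.ruiz
"""

# Constructed list of applications federated through the IdP (SSO-managed).
SSO_APPS = {"atlassian", "google workspace", "salesforce"}

# Card descriptors rarely match product names; a small alias table (constructed).
MERCHANT_ALIASES = {
    "NOTION LABS INC": "notion",
    "OPENAI *CHATGPT SUBSCR": "chatgpt",
    "ATLASSIAN": "atlassian",
    "ZAPIER.COM": "zapier",
}


def normalise_merchant(descriptor):
    """Map a card descriptor to an app name; None means not a known SaaS merchant."""
    return MERCHANT_ALIASES.get(descriptor.strip().upper())


def find_shadow_saas(card_csv, sso_apps=SSO_APPS):
    """Return {app: {"departments": set, "accounts": n, "monthly_usd": x}}
    for every SaaS merchant charged to a card but absent from SSO."""
    shadow = defaultdict(lambda: {"departments": set(), "accounts": 0, "monthly_usd": 0.0})
    for row in csv.DictReader(io.StringIO(card_csv)):
        app = normalise_merchant(row["merchant"])
        if app is None or app in sso_apps:
            continue
        entry = shadow[app]
        entry["departments"].add(row["department"])
        entry["accounts"] += 1  # one card charge is treated as one seat outside SSO
        entry["monthly_usd"] += float(row["amount_usd"])
    return dict(shadow)


def rank_by_blast_radius(shadow):
    """Order by seats, then by spread across departments: more seats in more
    departments means more orphaned accounts when people leave."""
    return sorted(shadow, key=lambda a: (-shadow[a]["accounts"], -len(shadow[a]["departments"]), a))


if __name__ == "__main__":
    found = find_shadow_saas(CARD_EXPORT)
    for app in rank_by_blast_radius(found):
        e = found[app]
        print(f"{app}: {e['accounts']} seats across {sorted(e['departments'])}, "
              f"${e['monthly_usd']:.2f}/month, not behind SSO")
```

Each app the script prints is a row for the asset inventory, not a tool to ban: the point of Phase 3 is to see it, then govern it. The alias table is the part that needs maintenance in practice, because card descriptors change and new vendors appear every month.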

Phase 4: Days 15–30 — Building Your Case

You’ve seen enough to know what’s wrong. Now build the evidence to prove it.

  • Identify every single point of failure — human and technical — if one person’s absence would cripple a function, that’s your most urgent problem (Ch 8)
  • Build redundancy plans before your heroes break — and they will break. Cross-train now, not after the 2am call that doesn’t get answered (Ch 8)
  • Document what’s not working before you understand why — you don’t need root cause to justify action on single points of failure (Ch 8)
  • Establish DDoS mitigation and IR vendor relationships — sign the contracts and run a tabletop exercise. When the crisis hits, procurement paperwork is not an acceptable delay (Ch 5)
  • Design graduated response plans — not every incident is a five-alarm fire. Build playbooks that show immediate progress without full mobilization (Ch 5)
  • Order a real penetration test — not a compliance checkbox, an actual adversary simulation. Test security, not compliance (Ch 9)
  • Document every authority/accountability mismatch formally — specific examples, specific consequences. This becomes your most powerful slide at the board meeting (Ch 9)
  • When smart people hint you’re missing something, believe them — your team sees things you can’t from your vantage point. Their hesitation is signal, not noise (Ch 9)
  • Disclose known problems to the board before regulators find them — you earn trust by volunteering bad news. You lose it permanently when they hear it from someone else (Ch 11)
  • Map every regulator’s unique requirements — they don’t coordinate with each other. You need a matrix of who wants what, in what format, on what timeline (Ch 11)
  • Fight for structural changes during crisis — when evidence is undeniable, that’s when the reorg conversation becomes possible. Use your Delay Log (Ch 11)
  • Build direct board relationships — don’t let IT monopolize executive communication. Get your own seat at that table (Ch 11)

Day 30 Self-Assessment

Rate yourself honestly. You’re on track if you answer YES to at least five:

  • I have a complete asset inventory (including shadow IT) — even if it’s ugly
  • I’ve presented to the board at least once and they know the real state of security
  • I have written documentation of every human single point of failure
  • I’ve established at least one external IR/mitigation vendor relationship
  • I have a Delay Log with enough entries to justify structural changes
  • I can articulate per-hour business impact of a major outage in dollar terms
  • At least one leader who initially opposed me now considers me a partner
  • My team has told me something they were afraid to tell my predecessor

Warning signs you’re off track:

  • You still can’t name the shadow IT tools in use (your audit didn’t go deep enough)
  • The board hasn’t heard bad news from you yet (they’ll hear it from someone, and it should be you)
  • Your best people are working late every night and you haven’t addressed it
  • You’ve been so focused on crises that you haven’t built any relationships with business leaders

Phase 5: Days 31–60 — Adapting Your Approach

This is where most new CISOs fail. Your methodology — the one that worked at your last company — isn’t working here. The question is whether you can see it.

The Framework Diagnostic

Before implementing anything new, ask three questions about every department you’re trying to secure:

  1. How do they make decisions? (Data and process? Or relationships and consensus?)
  2. How do they build trust? (Track record and metrics? Or shared experiences and loyalty?)
  3. How do they measure success? (Quantitative targets? Or qualitative outcomes and narrative?)

These answers tell you whether you’re dealing with a process-driven team or a relationship-driven team. The same security message needs completely different packaging for each.

If the answer is mostly data/metrics/process… | If the answer is mostly relationships/narrative/consensus…
Lead with spreadsheets, ROI models, and compliance frameworks | Lead with stories, mission alignment, and collaborative design
Provide documented procedures and clear success criteria | Provide vision, invite co-creation, and celebrate contributions
Example: Your CFO wants risk-adjusted returns on every security control | Example: Your creative team wants to understand how security protects their mission

  • Watch for the quiet breakdown — monitor workload on your strongest contributors. If someone hasn’t taken a day off in three weeks, intervene before they shatter (Ch 12)
  • When the same approach fails everywhere for different reasons, examine the approach — the problem isn’t the teams. It’s the assumption that one method works for all of them (Ch 8, 12)
  • Know the human cost you’re willing to accept before you start pushing — decide this in advance, not in the aftermath of someone’s breakdown (Ch 12)
  • Test frameworks gradually — full rollout can destroy organizations. Pilot, learn, adapt, expand (Ch 12)
  • Map every department’s communication DNA using the three diagnostic questions above (Ch 14)
  • Develop two versions of every security initiative — same objective, different delivery. Metrics and ROI for the finance team. Narrative and mission for the creative teams (Ch 14, 15)
  • Find your translators — people who are fluent in both relationship-driven and process-driven communication. Formalize them as security liaisons (Ch 14)
  • Protect individuals whose style doesn’t match their department — create roles that fit how they actually work, not how their org chart says they should (Ch 14)
  • Identify workarounds that are actually successful translations — someone in every department has already figured out how to make security work for their team. Find them and learn from them (Ch 15)
  • Test new approaches quietly before announcing — pilot with a willing team. Let results speak before you ask for organization-wide buy-in (Ch 15)
  • Ask for partnership, don’t announce programs — “We’d like your help designing this” converts ten times more people than “Here’s what we’re rolling out” (Ch 15)
  • Catch yourself falling into old patterns — the approach that worked at your last company is your comfort zone, not your best option. Adjust mid-conversation when you see it happening (Ch 15)
  • Build your CFO alliance through data — model each security control as an investment with calculated risk-adjusted returns. Spreadsheets and ROI, not coffee and conversation (Ch 16)
  • Position security spending as an investment portfolio — risk-adjusted returns, not cost justification (Ch 16)
  • Use insurance negotiations as external validation — the carrier’s actuarial requirements independently prove what you’ve been arguing (Ch 16)
  • Audit and renegotiate vendor contracts — map all vendor data flows. Your IP is leaking through APIs you forgot existed (Ch 17)
  • Build vendor risk scoring with real consequences — a score without an action trigger at each level is theater (Ch 17)
  • Use crisis leverage to force vendor transparency — vendors are most cooperative after they’ve failed you. Don’t waste the moment (Ch 17)
  • Convert vendor governance into competitive advantage — customers value partners who govern their supply chain ecosystem (Ch 17)

Day 60 Self-Assessment

Rate yourself honestly. You’re on track if you answer YES to at least five:

  • I can describe the communication style of every major department without using the word “resistant”
  • I’ve adapted my delivery for at least two teams and seen measurably better engagement
  • I have a financial model that frames security spending as investment, not cost
  • No one on my team is in a burnout danger zone — and I’d know if they were
  • I’ve piloted at least one initiative with a willing team before rolling it out broadly
  • I have at least one unexpected ally — someone who opposed me early and now champions security
  • My vendor risk framework has defined consequences, not just scores
  • I’ve been to the board at least twice and the conversation is getting more strategic, less reactive

Warning signs you’re off track:

  • Every department still describes security as “the team that says no”
  • You haven’t adapted your approach for different audiences (you’re still using one playbook)
  • Your strongest team member is showing signs of exhaustion and you’re rationalizing it
  • Your CFO still sees security as pure cost

Phase 6: Days 61–90 — Proving the System Works Without You

The final test isn’t whether you can run security. It’s whether security runs when you step back.

  • Launch a champion program and let champions self-select — forced participation fails. Natural leaders know their terrain better than you do (Ch 18)
  • Gamify security engagement — leaderboards, badges, public recognition turn compliance into competition. Let people compete to be the most secure department (Ch 18)
  • Trust distributed intelligence over centralized control — multiplication beats addition. Ten empowered champions across the org outperform one exhausted security team (Ch 18)
  • Enable different champion types for different departments — a champion in Engineering looks different from a champion in Marketing. Let the role adapt to the culture (Ch 18)
  • Separate your strategic role from operational execution — build a CISO + Head of Security Ops partnership model so the machine doesn’t need you for every decision (Ch 18)
  • Build behavioral baselines for all executives — document communication patterns, quirks, and preferences. These become your detection signatures against impersonation and deepfake attacks. A deviation is the trigger to verify the request through a known-good channel before anyone acts on it; the baseline tells you when to make that call, it doesn’t replace it (Ch 19)
  • Train champions on communication pattern recognition — social engineering attacks exploit human patterns. Your champions are your early warning system (Ch 19)
  • Document executive quirks as security signatures — the CFO who always uses “per my last email” or the CEO who never texts. Deviations from pattern are your alerts (Ch 19)
  • Map every bitter departure to a potential attack vector — former employees with grudges know your systems intimately (Ch 21)
  • Build rotation schedules before the next crisis — fatigue planning prevents burnout. If you’re building the schedule during the crisis, you’re already too late (Ch 21)
  • Design your crisis response to function without you — then test it — the real validation is when your team handles an incident and you hear about it afterward (Ch 21)
  • Track response time improvement across incidents — if your second major incident isn’t handled faster than the first, your systems aren’t learning (Ch 21)
  • Lead your board presentation with ROI in business language — revenue enabled, losses prevented, competitive advantage created. Technical details belong in the appendix (Ch 22)
  • Prepare for “why did we still have losses” — reframe every incident as validation of resilience capability. The goal was never zero incidents; it was fast recovery and minimal impact (Ch 22)
  • Show customers real crisis management — your prospects care more about how you handle problems than whether you claim to have none. Demonstrate response, not perfection (Ch 20)
  • Architecture beats obscurity — ensure critical backups are immutable (write-once, retention-locked, and restore-tested), not just hidden (Ch 20)
  • Focus on recovery time as your primary metric — prevention is unverifiable. Recovery is measurable. Track and improve it (Ch 20)
  • Trust enables discovery — people reveal hidden systems, shadow processes, and workarounds when they trust you won’t punish them. This is your ongoing asset discovery program (Ch 20)
  • Prove profit center status with revenue AND savings — cost reduction alone doesn’t transform perception. Show the deals that closed because of security (Ch 22)
  • Schedule post-incident analysis 48+ hours after resolution — exhausted teams find blame. Rested teams find insights (Ch 21)
  • Finish with margin — professionals complete before deadlines, not on them (Ch 22)
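The executive baseline items above describe a detection idea without showing what the check looks like. The script below is an added example, not code from the field guide or from The CISO Crucible: it records a small baseline per executive (channels used, usual hours, habitual sign-off phrases, request types that executive never makes) and scores an inbound request by how many ways it deviates. The baselines and messages are constructed, the keyword classifier is a placeholder for whatever triage your champions already do, and the two-deviation threshold is an assumption you would tune.

```python
"""Executive communication baseline check: scores an inbound request
against a documented baseline of how that executive normally
communicates and flags deviations for out-of-band verification.
Added example, not from the field guide or the novel; baselines,
messages, the feature set and the threshold are all constructed
assumptions for illustration."""
from datetime import datetime

# Constructed baselines, in the spirit of "document executive quirks".
BASELINES = {
    "cfo": {
        "channels": {"email", "teams"},
        "active_hours": range(7, 19),            # sends between 07:00 and 18:59
        "signature_phrases": ["per my last email"],
        "never_requests": {"gift_cards", "credential_reset"},
    },
    "ceo": {
        "channels": {"email", "phone"},           # the CEO never texts
        "active_hours": range(6, 21),
        "signature_phrases": ["thanks,", "regards"],
        "never_requests": {"wire_transfer", "gift_cards", "credential_reset"},
    },
}


def classify_request(text):
    """Tiny keyword classifier for the request type (assumption standing in
    for real triage)."""
    t = text.lower()
    if "gift card" in t:
        return "gift_cards"
    if "wire" in t or "transfer" in t:
        return "wire_transfer"
    if "password" in t or "reset" in t:
        return "credential_reset"
    return "other"


def score_message(msg, baselines=BASELINES):
    """Return (score, reasons); each reason is one deviation from baseline."""
    b = baselines[msg["claimed_sender"]]
    reasons = []
    if msg["channel"] not in b["channels"]:
        reasons.append(f"channel {msg['channel']} not in baseline")
    hour = datetime.fromisoformat(msg["sent_at"]).hour
    if hour not in b["active_hours"]:
        reasons.append(f"sent at {hour:02d}:00, outside usual hours")
    body = msg["body"].lower()
    if b["signature_phrases"] and not any(p in body for p in b["signature_phrases"]):
        reasons.append("usual sign-off phrase missing")
    req = classify_request(msg["body"])
    if req in b["never_requests"]:
        reasons.append(f"request type '{req}' never made by this executive")
    if any(w in body for w in ("urgent", "immediately", "don't tell", "confidential")):
        reasons.append("urgency/secrecy pressure language")
    return len(reasons), reasons


def needs_callback(msg, threshold=2):
    """Two or more deviations: stop and verify via a known-good channel."""
    score, _ = score_message(msg)
    return score >= threshold


# Constructed sample messages: one routine, two that should be verified.
SAMPLES = [
    {"claimed_sender": "cfo", "channel": "email", "sent_at": "2024-03-04T09:15:00",
     "body": "Per my last email, the Q2 vendor review is on Thursday. Thanks."},
    {"claimed_sender": "ceo", "channel": "sms", "sent_at": "2024-03-04T22:40:00",
     "body": "I need you to buy gift cards for a client right now, urgent and confidential."},
    {"claimed_sender": "cfo", "channel": "email", "sent_at": "2024-03-04T23:05:00",
     "body": "Please reset my password immediately, I am locked out before the board call."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = score_message(m)
        verdict = "CALLBACK" if needs_callback(m) else "ok"
        print(m["claimed_sender"], m["channel"], score, verdict, reasons)
```

The score only decides when to pick up the phone. The control that actually stops a deepfake or a compromised mailbox is the callback to a number you already had, and the baseline exists so that champions make that call early instead of after the transfer clears.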

Day 90 Self-Assessment

Rate yourself honestly. You’re on track if you answer YES to at least five:

  • My team handled at least one incident without me directing the response
  • I have champion volunteers in at least three departments outside security
  • The board discusses security as a business function, not a cost center
  • I can show measurable improvement in response times across multiple incidents
  • My financial case includes revenue enabled, not just losses prevented
  • At least one business deal explicitly cited security posture as a factor
  • I have a succession plan — someone can cover my role for two weeks without the organization noticing
  • I spent more time this week on strategy than on firefighting

Warning signs you need to course-correct:

  • You’re still the bottleneck for incident decisions
  • “Security champion” is an assigned duty, not a volunteer role
  • The board still asks “are we secure?” instead of “what’s our risk posture?”
  • You can’t point to revenue that security helped create

Beyond Day 90: Ongoing Health Checks

Use these quarterly to ensure you’re not sliding backward.

Quarterly Self-Assessment

  • Have I built any new cross-departmental relationships this quarter?
  • Is my team’s average response time still improving?
  • Can I name three things my team is worried about that I’ve acted on?
  • Has the board’s security conversation evolved beyond compliance checkboxes?
  • Am I still adapting my communication for different audiences, or have I slipped back to one-size-fits-all?
  • Is my champion program growing organically, or have I stopped investing in it?
  • Could my team handle a crisis this week without me? (If you’re not sure, the answer is no.)

The Diagnostic Toolkit

Practical templates you can use from Day 1. Download or copy into your own system.

The Delay Log

Keep this running from Day 1. It becomes your most powerful evidence for structural changes.

Date | Decision Needed | Who I Needed | Wait Time | Impact of Delay | Resolution
Example | Approve IR vendor contract | Legal, Procurement, CFO | 11 days | No IR capability during Week 2 incident | Emergency sign-off after incident
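The Delay Log is only evidence once it is summarised: per-approver median waits, how many decisions took longer than a week, and what is still pending. The script below is an added example, not code from the field guide or from The CISO Crucible. It reads rows in the template's column layout (with the assumption that wait time is recorded in days and that "Who I Needed" lists approvers separated by semicolons) and produces the numbers you would put on the Day 30 slide. The sample rows are constructed.

```python
"""Delay Log summariser: turns Delay Log rows into the per-approver
evidence used in the Day 30 structural conversation. Added example,
not part of the field guide or the novel; the rows are constructed,
and the column conventions (days, semicolon-separated approvers) are
assumptions about how the template is filled in."""
import csv
import io
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample log in the template's column layout.
SAMPLE_LOG = """\
Date,Decision Needed,Who I Needed,Wait Time (days),Impact of Delay,Resolution
2024-01-08,Approve IR vendor contract,Legal;Procurement;CFO,11,No IR capability during Week 2 incident,Emergency sign-off after incident
2024-01-09,Block unmanaged SaaS domain,IT Ops,3,Data kept flowing to unreviewed vendor,Approved
2024-01-15,Enable MFA for contractors,IT Ops;HR,7,Contractor accounts without MFA,Approved
2024-01-22,Isolate legacy file server,IT Ops;Engineering,5,Server reachable from user VLAN,Partially approved
2024-02-01,Purchase phishing-resistant tokens,Procurement;CFO,9,Executives still on SMS codes,Pending
"""


def parse_delay_log(text):
    """Parse the CSV into typed rows; approvers become a list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(r["Date"]),
            "decision": r["Decision Needed"],
            "approvers": [a.strip() for a in r["Who I Needed"].split(";") if a.strip()],
            "wait_days": int(r["Wait Time (days)"]),
            "impact": r["Impact of Delay"],
            "resolution": r["Resolution"],
        })
    return rows


def summarise(rows):
    """Totals plus a per-approver breakdown; a decision with three
    approvers counts against each of them."""
    per_approver = defaultdict(list)
    for row in rows:
        for a in row["approvers"]:
            per_approver[a].append(row["wait_days"])
    by_approver = {
        a: {"decisions": len(w), "median_wait_days": median(w), "max_wait_days": max(w)}
        for a, w in per_approver.items()
    }
    waits = [r["wait_days"] for r in rows]
    return {
        "decisions": len(rows),
        "total_wait_days": sum(waits),
        "median_wait_days": median(waits),
        "decisions_over_a_week": sum(1 for w in waits if w > 7),
        "unresolved": sum(1 for r in rows if r["resolution"].lower().startswith("pending")),
        "by_approver": by_approver,
    }


def slowest_approvers(summary, n=3):
    """Approvers ranked by median wait, ties broken by name."""
    ranked = sorted(summary["by_approver"].items(),
                    key=lambda kv: (-kv[1]["median_wait_days"], kv[0]))
    return [name for name, _ in ranked[:n]]


if __name__ == "__main__":
    s = summarise(parse_delay_log(SAMPLE_LOG))
    print(f"{s['decisions']} decisions, {s['total_wait_days']} waiting days in total, "
          f"{s['decisions_over_a_week']} took over a week, {s['unresolved']} still pending")
    for name in slowest_approvers(s):
        print(f"  {name}: median {s['by_approver'][name]['median_wait_days']} days")
```

The per-approver view is what makes the structural argument: it shows that the delay is not a personality problem but a routing problem, because the same two or three gates appear on every slow decision.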

Stakeholder Communication Map

Stakeholder | Decision Style | Trust Currency | Success Metric | Best Security Framing
CFO | Data-driven, process-oriented | Track record, accuracy | ROI, risk reduction % | Investment portfolio model
Creative Director | Relationship-driven, narrative | Shared vision, loyalty | Mission impact, team morale | “Here’s how this protects your team’s work”

Single Point of Failure Register

If the “Backup Plan” column is empty, that’s your first action item.

Function | Person/System | Backup Plan | Status | Last Tested
Malware analysis | Senior analyst (solo) | Cross-train 2 junior analysts | In progress | Not yet tested

Vendor Risk Scorecard

A score without a defined consequence is theater.

Vendor | Data Access Level | Contract Reviewed? | Risk Score | Consequence at This Score | Last Review
Cloud provider | Full customer data | Yes — AI clause found | High | Renegotiate or migrate by Q2 | 2024-01-15

Topical Guides

Deep dives into specific CISO leadership challenges drawn from The CISO Crucible.

Board Communication for Security Leaders

The board doesn’t speak your language. Neither does your CFO. Neither does your digital transformation team. But they all need to understand risk.

Translate Risk Into Business Impact

Security leaders often lead with technical specificity: “We found 437 unpatched systems across 15 subnets.” The board hears noise.

Reframe: “We identified systems that could give attackers access to customer payment data before we can detect them. That’s a breach risk on our largest revenue stream. Here’s what we’re doing and what it costs.”

Different stakeholders need different messages:

  • The CFO thinks in metrics: ROI, cost avoidance, financial impact. Show them the downside. “A breach would cost us $X in remediation, regulatory fines, and lost customer trust. This investment prevents that scenario.”
  • The Board thinks in narrative and accountability. Give them the story: where you were, where you’re going, and what’s at stake if you don’t get there.
  • Your Team needs transparency and context. They need to know you understand the constraints they’re working under and that the plan is realistic.

The Structure That Works

Every board presentation should follow this pattern:

  1. Status quo. What’s the current state? Be honest. The previous CISO might have oversold progress.
  2. What changed. What new threats or capabilities have we discovered? What’s the business impact?
  3. The plan. Here’s what we’re doing, why it works, and what success looks like in business terms.
  4. What we need. Budget? Headcount? Structural changes? Be clear and quantified.
  5. The alternative. What happens if we don’t act? Regulatory consequence? Breach probability? Data loss? Make the cost of inaction real.

The Burnout Warning (from The CISO Crucible)

You’ve inherited a burned-out team. Your board needs to understand this isn’t just morale — it’s a business risk. Burned-out security teams miss critical incidents. They create process debt that becomes expensive later. Include team wellness in your board narrative. “We’re investing in our team because operational security depends on people who can think clearly under pressure.”


Building a Security Champion Program

The most common mistake new CISOs make: they try to be the security expert for every part of the company. You’ll burn out. Your team will burn out. And you’ll create a culture where security is something the security team does to other departments, not with them.

Distribute Ownership

A champion program inverts this. You identify leaders in each business function — product, sales, engineering, operations, finance — and make them responsible for security outcomes in their domain.

  • What champions do: They’re not security experts. They’re business leaders who understand how security enables their area. They can make tradeoff decisions with context you don’t have. They can prioritize issues that matter most to their function.
  • What champions get: Training (enough to understand the framework), air cover (you publicly support them when they make security calls), and visibility (their contributions get recognized by their leadership).
  • What security provides: Guidance, tools, escalation paths, and accountability measures. You’re the standard-setter, not the executor.

Why This Works

When Jessica (the digital transformation leader in The CISO Crucible) moved from opposing security to championing it, the dynamic changed entirely. She understood her business case for security. She could persuade her peers. She made decisions faster because she didn’t need approval from the security team on every detail.

This is what a champion program creates: distributed decision-making and ownership that scales faster than any centralized security team can manage.

Getting Started

  1. Identify one or two potential champions — people with influence and credibility in their area.
  2. Start small. Don’t ask them to overhaul their whole function. Give them one concrete security outcome to own.
  3. Make it visible. When they succeed, celebrate it publicly. This sends a signal: security leadership is valuable in your career.
  4. Iterate. Build your champion network over time. As they prove the model, others will want to join.

The Guiding Principle (from The CISO Crucible)

“InfoSec doesn’t need heroes — it needs systems.” A champion program builds the system. Security becomes embedded in how decisions get made, not bolted on afterward.


Managing CISO Burnout and Team Wellness

Burnout isn’t a personal weakness or a sign of low commitment. It’s an organizational failure. If your team is burned out, it’s because you’ve asked them to do impossible things without the resources, authority, or support to succeed.

Signs to Watch For

In yourself: you’re checking Slack at 11 PM and reading incident tickets before coffee; every decision feels like it might be a career-ending mistake; you’ve stopped thinking strategically because you’re constantly putting out fires; you’re not sleeping, or you’re sleeping badly.

In your team: people are staying late regularly and not taking vacation; the same person is responding to every incident (one person becoming indispensable is a red flag, not a sign of excellence); mistakes increase rather than decrease despite everyone working longer hours; new hires leave within 6 months and retention is declining.

What to Do About It

Immediate actions: Give people time off — if someone hasn’t taken vacation in 18 months, make them take a week. Rotate incident response — the same person leading every incident means you have a single point of failure. Reduce meetings — burnout accelerates when people spend 80% of their day in meetings and can’t actually do their work.

Structural actions: Hire — if you have fewer people than the work requires, you will burn them out. Acknowledge the gap and fix it. Automate — find 20% of the workload that’s repetitive and make machines do it. Distribute — use a champion program to push some security work into other parts of the organization.

The Bottom Line

A burned-out team will miss critical security events. They’ll make mistakes under pressure. They’ll leave for competitors. Treating wellness as a security business problem — not an HR problem — is what good CISO leadership looks like.


Templates & Downloads

Free templates from the Diagnostic Toolkit above, provided as Google Sheets you can copy into your own system.

The Delay Log

Google Sheets

Track every decision bottleneck from Day 1 — who you needed, how long it took, and the business impact. Includes a summary dashboard with auto-calculated metrics. This single document becomes your most powerful evidence at the Day 30 board meeting.


Stakeholder Communication Map

Google Sheets

Map how each stakeholder makes decisions, builds trust, and measures success — then tailor your security message accordingly. Includes the three diagnostic questions from Chapter 14 and a relationship status guide.


Single Point of Failure Register

Google Sheets

Catalog every human and system single point of failure, assign risk levels, and track backup plans. Includes a summary dashboard counting critical vs. high vs. medium risks and untested backup plans. If the "Backup Plan" column is empty, that's your first action item.


Vendor Risk Scorecard

Google Sheets

Score every vendor on data access, contract terms, and AI training clauses — with defined consequences at each risk level. Includes a risk scale guide so your team scores consistently. A score without a defined consequence is theater.



Discussion Guides

Book Club Discussion Guide

Coming Soon

Chapter-by-chapter questions for book clubs, leadership teams, and security practitioners who want to dig deeper. Designed for group conversations, not quizzes.

Leadership Team Workshop Guide

Coming Soon

A facilitation guide for using The CISO Crucible in leadership development sessions. Structured exercises around the book's key themes: communication under pressure, framework adoption, and organizational trust.


More Resources

Read Chapter 1 of The CISO Crucible free to see William Sterling’s first day in action.

Browse the full glossary of cybersecurity and leadership terms from the book.


Every item in this field guide comes from The CISO Crucible: A 90-Day Journey in Cybersecurity Leadership. The chapter references point to the full narrative context — the meetings where these lessons were learned the hard way, the crises that forced the adaptation, and the relationships that made the difference.

Plans break. Trajectories don’t have to.