
Charles Cresson Wood


Charles Cresson Wood, JD, MBA, MSE, CISA, CISSP, CISM, CIPP/US, CGEIT, is a licensed attorney and an independent information security and privacy consultant. In the information security and privacy field since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at the Bank of America. He has done information security work with over 125 organizations -- many of them Fortune 500 companies -- including a large number of financial institutions and high-tech companies. His consulting work has taken him to over 20 different countries around the world.

He is noted for his ability to integrate competing objectives (like a "cloud first" policy, data transparency, clarity of multiple-party responsibilities, combined with both privacy and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations, and then to document these in contracts, role definitions, security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear action-oriented documents.

He has published over 390 technical articles and seven books in the information security and privacy field. His most recent book is entitled "Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process." The book provides a scripted audit plan whereby any licensed attorney in the United States can rapidly determine whether the directors and officers at a particular firm are doing all that they are required to do by law (further details at www.dutiesaudit.com). The process results in both a professional opinion, explaining the current level of compliance, and a management letter, explaining what, if any, changes need to be made to reach full compliance in all material respects.

Charles is best known for his book entitled "Information Security Policies Made Easy," which is now in its twelfth edition. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented innovative information security ideas at over 125 technical and professional conferences around the globe.

His latest articles deal with IT security management, governance, compliance, and risk measurement. For example, in the December 2016 issue of the Journal of Legislation, Charles wrote about changing the current management incentive systems, reflected in laws and regulations, so as to increase the current level of information security and privacy. Similarly, in the November 2022 issue of the ISSA Journal, Charles wrote about the recent criminal conviction of CISO Joe Sullivan and how it reveals a pervasive management and governance problem that remains an issue at many organizations.

Charles has often written about information security and privacy related roles and responsibilities. With the recent rapid rise in the popularity of outsourcing and cloud services (software as a service, infrastructure as a service, platform as a service, etc.), it is more important than ever to definitively clarify roles and responsibilities of all the involved parties, and manifest those roles and responsibilities in outsourcing contracts, service level agreements (SLAs), and contingency plans. This topic is further addressed in Charles' book entitled "Information Security Roles and Responsibilities Made Easy."

Charles has been a Senior North American Editor for the Elsevier journals "Computers & Security" and "Computer Fraud & Security Bulletin." He has also been on the Editorial Board for the European newsletter called "Inside Fraud Bulletin," published by Maxima Group. For many years, he wrote a monthly information security policies column for United Business Media's publication called "Computer Security Alert." He has also been an information security columnist for the SearchSecurity.com web portal maintained by TechTarget Media Group.

Charles holds a JD in law from St. Francis School of Law (magna cum laude). He is an active licensed attorney in both California and Washington, and he can work as either in-house counsel or an independent legal compliance auditor for firms in most US states. He also has an MBA in financial information systems and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He additionally holds an MSE in computer science from the Moore School of Engineering at the University of Pennsylvania. 

While Charles has passed the California Certified Public Accountant (CPA) examination, he is neither certified as a CPA, nor does he hold himself out as a CPA. In contrast, Charles has been designated as Certified in the Governance of Enterprise Information Technology (CGEIT), a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Certified Information Privacy Professional (CIPP/US). The buttons on the top left corner of this page can be used to authenticate the currency of most of these designations (some issuing organizations don’t support such buttons). He is also the recipient of the 1996 Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."