
Charles Cresson Wood


Charles Cresson Wood, JD, MBA, MSE, CISA, CISSP, CISM, CGEIT, is an attorney and independent information security consultant based in Mendocino, California. In the information security and privacy field since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at the Bank of America. He has done information security work with over 125 organizations -- many of them Fortune 500 companies -- including a large number of financial institutions and high-tech companies. His consulting work has taken him to over 20 different countries around the world.

He is noted for his ability to integrate competing objectives (like a "cloud first" policy, data transparency, clarity of multiple-party responsibilities, re-engineering flexibility, privacy, and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations, and then to document these in contracts, security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear action-oriented documents.

He has published over 370 technical articles and six books in the information security and privacy field. He is best known for his book entitled "Information Security Policies Made Easy," which is now in its twelfth edition. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented innovative information security ideas at over 125 technical and professional conferences around the globe.

His latest articles deal with IT security management, governance, compliance, and risk measurement. For example, in the December 2016 issue of the Journal of Legislation, Charles wrote about changing the current management incentive systems, reflected in laws and regulations, so as to increase the current level of information security and privacy. Similarly, in the December 2017 issue of the ISSA Journal, Charles wrote about the deficiencies in the current legal and regulatory regime surrounding information security and privacy, and how that regime must now be reengineered on a harmonized multi-national basis.   

Charles has often written about information security and privacy related roles and responsibilities. With the recent rapid rise in the popularity of outsourcing and cloud services (software as a service, infrastructure as a service, platform as a service, etc.), it is more important than ever to definitively clarify roles and responsibilities of all the involved parties, and manifest those roles and responsibilities in outsourcing contracts, service level agreements (SLAs), and contingency plans. This topic is further addressed in Charles' book entitled "Information Security Roles and Responsibilities Made Easy."

Charles has been a Senior North American Editor for the Elsevier journals "Computers & Security" and "Computer Fraud & Security Bulletin." He has also been on the Editorial Board for the European newsletter called "Inside Fraud Bulletin," published by Maxima Group. For many years, he wrote a monthly information security policies column for United Business Media's publication called "Computer Security Alert." He has also been an information security columnist for the web portal maintained by TechTarget Media Group.

Charles holds a JD in law from St. Francis School of Law (magna cum laude), and is a licensed California attorney. He also has an MBA in financial information systems and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He additionally holds an MSE in computer science from the Moore School of Engineering at the University of Pennsylvania. 

While Charles has passed the California Certified Public Accountant (CPA) examination, he is neither certified as a CPA, nor does he hold himself out as a CPA. In contrast, Charles has been designated as Certified in the Governance of Enterprise Information Technology (CGEIT), a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), and a Certified Information Systems Security Professional (CISSP). The buttons on the top left corner of this page can be used to authenticate the currency of these designations. He is also the recipient of the 1996 Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."