
Charles Cresson Wood


Charles Cresson Wood, JD, MBA, MSE, CISA, CISSP, CISM, CGEIT, is an attorney and independent information security consultant based in Mendocino, California. In the information security and privacy field since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at the Bank of America. He has done information security work with over 125 organizations -- many of them Fortune 500 companies -- including a large number of financial institutions and high-tech companies. His consulting work has taken him to over 20 different countries around the world.

He is noted for his ability to integrate competing objectives (like a "cloud first" policy, data transparency, clarity of multiple-party responsibilities, re-engineering flexibility, privacy, and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear action-oriented documents.

He has published over 370 technical articles and six books in the information security and privacy field. He is best known for his book entitled "Information Security Policies Made Easy," which is now in its twelfth edition. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 125 technical and professional conferences around the globe.

His latest article is entitled "Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability," and it was published in the Journal of Legislation (Vol. 43, No. 1, December 2016). That article defines how management incentive systems can be readily re-engineered to bring about significantly more desirable results in the information security and privacy area. With the rapid rise of outsourcing and cloud services (software as a service, infrastructure as a service, platform as a service, etc.), it is more important than ever to clarify roles and responsibilities of all the involved parties, and make sure that they are all properly incentivized in order to bring about desired results. This topic is partly addressed in Charles' book entitled "Information Security Roles and Responsibilities Made Easy."

Charles has been a Senior North American Editor for the Elsevier journals "Computers & Security" and "Computer Fraud & Security Bulletin." He has also been on the Editorial Board for the European newsletter called "Inside Fraud Bulletin," published by Maxima Group. For many years, he wrote a monthly information security policies column for United Business Media's publication called "Computer Security Alert." He has also been an information security columnist for the web portal maintained by TechTarget Media Group.

Charles holds a JD in law from St. Francis School of Law (magna cum laude), and is a licensed California attorney. He also has an MBA in financial information systems and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He additionally holds an MSE in computer science from the Moore School of Engineering at the University of Pennsylvania. 

While Charles has passed the California Certified Public Accountant (CPA) examination, he is neither certified as a CPA, nor does he hold himself out as a CPA. In contrast, Charles has been designated as Certified in the Governance of Enterprise Information Technology (CGEIT), a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), and a Certified Information Systems Security Professional (CISSP). The buttons on the top left corner of this page can be used to authenticate the currency of these designations. He is also the recipient of the 1996 Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."