Charles Cresson Wood
Charles Cresson Wood, JD, MBA, MSE, AIGP, CGEIT, CISA, CISSP, CISM, CIPP/US, is a licensed attorney and an independent information security and privacy consultant. In the information security and privacy field since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at the Bank of America. He has done information security work with over 125 organizations -- many of them Fortune 500 companies -- including a large number of financial institutions and high-tech companies. His consulting work has taken him to over 20 different countries around the world.
He is noted for his ability to integrate competing objectives (like a "cloud first" policy, data transparency, clarity of multiple-party responsibilities, combined with both privacy and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations, and then to document these in contracts, role definitions, security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear action-oriented documents.
He has published over 400 technical articles and eight books in the information security and privacy field. One of his most recent books is entitled "Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process." The book provides a scripted audit plan whereby any licensed attorney in the United States can rapidly determine whether the directors and officers at a particular firm are doing all that they are required to do by law (further details at www.dutiesaudit.com). The process results in both a professional opinion, explaining the current level of compliance, and a management letter, explaining what, if any, changes need to be made to reach full compliance in all material respects.
Charles is best known for his book entitled "Information Security Policies Made Easy," which is now in its twelfth edition. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented innovative information security ideas at over 125 technical and professional conferences around the globe.
His latest articles deal with artificial intelligence risk management and governance. For example, in the July 2025 issue of the Information Systems Security Association’s Journal, Charles wrote about the new role of the Chief Artificial Intelligence Risk Officer (CAIRO). Similarly, in the May 2025 issue of the Information Systems Audit and Control Association’s Journal, Charles wrote about how AI is significantly changing the overall information technology risk landscape. Also on the same track, in the Spring 2025 issue of Sci-Tech Lawyer (American Bar Association), Charles wrote about the reasons why AI now needs its own risk management policies and processes. He is also the author of a new book about AI entitled “Internal Policies for Artificial Intelligence Risk Management” (see http://internalpolicies.com).
Charles has often written about information security and privacy related roles and responsibilities. With the recent rapid rise in the popularity of outsourcing and cloud services (software as a service, infrastructure as a service, platform as a service, etc.), it is more important than ever to definitively clarify roles and responsibilities of all the involved parties, and manifest those roles and responsibilities in outsourcing contracts, service level agreements (SLAs), and contingency plans. This topic is further addressed in Charles' book entitled "Information Security Roles and Responsibilities Made Easy."
Charles has been a Senior North American Editor for the Elsevier journals "Computers & Security" and "Computer Fraud & Security Bulletin." He has also been on the Editorial Board for the European newsletter called "Inside Fraud Bulletin," published by Maxima Group. For many years, he wrote a monthly information security policies column for United Business Media's publication called "Computer Security Alert." He has also been an information security columnist for the SearchSecurity.com web portal maintained by TechTarget Media Group.
Charles holds a JD in law from St. Francis School of Law (magna cum laude). He is an active licensed attorney in both California and Washington, and he can work as either in-house counsel or an independent legal compliance auditor for firms in most US states. He also has an MBA in financial information systems and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He additionally holds an MSE in computer science from the Moore School of Engineering at the University of Pennsylvania.
Charles has been designated as Certified in the Governance of Enterprise Information Technology (CGEIT), an Artificial Intelligence Governance Professional (AIGP), a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Certified Information Privacy Professional (CIPP/US). The buttons on the top left corner of this page can be used to authenticate the currency of most of these designations (some issuing organizations don’t support such buttons). He is also the recipient of the 1996 Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."