About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award

Charles Cresson Wood, Esq. JD, MBA, MSE, AIGP, CISSP, CISM, CISA, CGEIT, CIPP/US, is an author, researcher, attorney, and high-tech management consultant based in Lakebay, Washington, USA (internalpolicies.com). In the information security and privacy field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security consulting work with over 125 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-jurisdictional, multi-disciplinary, multi-departmental, and multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

Charles has published over 400 articles and eight books in the information security and privacy field. His latest book is entitled “Internal Policies for Artificial Intelligence Risk Management”. Before that he authored “Corporate Directors & Officers Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process”.

He is best known for his book entitled “Information Security Policies Made Easy” (which is now in its 14th edition), which is available on this web site. He is also the author of the book entitled “Information Security Roles and Responsibilities Made Easy”, which is additionally available on this same site.

As a matter of policy, Mr. Wood does not accept referral fees, marketing finder’s fees, sales commissions, or any other financial remuneration for mentioning information security products or services to clients. In this way he can be truly independent and make recommendations that are unquestionably in the best interests of consulting clients.

A sample of his recent articles follows:

“A Sample of Artificial Intelligence Risk Management Policies for Law Firms,” American Bar Association – Cybersecurity and Data Privacy Committee Newsletter, August 2025

“The New Role of the Chief Artificial Intelligence Risk Officer (CAIRO),” ISACA NOW Blog, July 17, 2025

“The Urgent Need for a Chief Artificial Intelligence Risk Officer (CAIRO),” ISSA Journal (feature article), July-August 2025

“AI’s Evolving Impact on the IT Risk Landscape,” ISACA Journal, vol. 3, May 2025

“AI Now Requires its Own Risk Management Policies and Processes,” Sci-Tech Lawyer (American Bar Association), vol. 21, no. 3, Spring 2025

“The Under-appreciated – But Critical – AI Risk Management Role of User Organizations,” ISSA Journal, March-April 2025 (cover article)

“A Parachute for the Restoration of Trust After Your Firm Has Been Breached,” ISSA Journal, vol. 21, issue 6, June 2023

“Why It’s Now Time for the Independent Legal Auditing of Information Security and Privacy Compliance,” Business Law Today (American Bar Association’s Section on Business Law’s on-line magazine), May 23, 2023

“What the FTX Scandal Reveals About Third Party Risk Evaluation,” ISSA Journal (cover article), January 2023

“Third Party Audit Reports as the New Trust Currency,” ISACA Now Blog – News & Trends, January 30, 2023

“The Serious Management Problem Illustrated by CISO Joe Sullivan’s Recent Conviction,” ISSA Journal (cover article), November 2022

“Adding a New KPI to Determine Whether the Directors & Officers Have Met Their Legal Duties,” ISACA Journal, vol. 6, on-line version, November 2022

“The Rules Have Now Been Clarified – The Minimum Legal Duties for Directors & Officers Are Both Established and Readily Determined,” ISSA Journal, vol. 20, issue 5, May 2022

“Directors & Officers: Just Because They Don’t Perform Technical or Operational Work, Doesn’t Mean They Aren’t Personally Involved,” EDPACS, co-author with Harvey Nusz, vol. 65, issue 6, p. 12, April 2022

“Trusted Business Partners are Now an Essential Component of the New Automated Supply Chain,” ISSA Journal, vol. 19, issue 8, August 2021 (co-authored with Harvey Nusz)

“Trust by Default is No Longer a Reasonable Practice,” ISSA Journal, vol. 19, issue 3, March 2021

“What Type of Management is Required to Stop Serious Cyberattacks?” ISACA Journal, vol. 1, 27 January 2021 (co-authored with Jody Westby, Esq.)