2007 DOI: Day 2 - CSO Next

A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically-oriented CSO.

The number of questions I get from readers and other industry contacts about the “type” of CSO that can be successful in today’s environment is shocking. But it indicates that the CSO role is in the middle of a significant transition - which is actually true. So in this Incite, I put together a little laundry list of the types of characteristics that I believe make up "CSO Next."

What the hell is CSO Next? Right, that doesn’t mean a hell of a lot, and many of these definitions are kind of motherhood and apple pie. But while you are asking, I figure I may as well eat some apple pie. Though I’m sure I’ll need to spend an extra 90 minutes or so on the treadmill to work it off.

Let’s also be clear that having all of these traits is not a requisite for success. But if you want to maximize your opportunity and have the most impact on your organization, you should probably start working on some of these skills, if they aren’t currently your forte.

• High visibility – For better or worse, the CSO job is all about influence and persuasion. Thus you need to be out there, working with the business folks and celebrating your victories. That’s hard for many CSOs, but if you don’t toot your own horn, no one else is going to.

• Setting milestones – No, getting through the day is not an adequate milestone. One of the hallmarks of the Pragmatic CSO approach is to run security like a business, and businesses have a plan and plans lay out milestones. Upgrading firewalls doesn’t qualify either. Locking down the most critical business system you have does.

• Communicating progress – Once the meaning of success and the associate milestones are agreed upon, then you need to show that you are getting there. This means you need to stay in front of the power brokers and show that you are achieving your plan. Remember, general managers and other operational folks are held to task to achieve their plan – you should be too.

• Prioritizing fiercely – The list is too long. You can’t get it all done. So prioritizing effectively is absolutely critical. ‘nuf said. I do delve into this in one of the “5 tips to be a better CSO.” You can get the tips by registering on the Pragmatic CSO site (http://www.pragmaticcso.com).

• Outsourcing strategically – There is no award for doing everything yourself, so look to get help where necessary and prudent. Staff augmentation is a good thing, since no one I know has enough staff. But CSO Next maintains control of the program management function, since outsourcing strategy is a really bad idea.

• Managing vendors aggressively – This is about more than beating vendors down to get the best price (though that is also a good thing to do). You need to hold vendors to their commitments and stamp your feet and potentially go somewhere else if they’ve sold you a bill of goods (which has been known to happen). There is an entire chapter on this in the P-CSO.

• Embracing advisors and coaches – Pragmatic CSOs are not proud, they are just interested in getting the job done. So that usually means assembling a group of advisors that can help put everything in perspective, challenge your assumptions, and basically keep you on the straight and narrow. Most people are very generous with their time, if they feel they are helping you. Don’t be bashful, there is no crime in asking for help.

You may be good at some of these things and need some improvement in others. And don’t sweat it if you don’t have an MBA. I don’t (much to the chagrin of my Dad). An MBA-type is as much philosophy and perspective as anything else. So think like a business-person and you will be perceived as a business person, and that’s what CSO Next is all about.