Incite Redux - July 9, 2007

Submitted by Mike Rothman on Fri, 2007-07-06 09:39.
Security Incite

Good Morning:
As opposed to last year, when I wrote the Incite Redux pieces each morning of my vacation - I'm really going to unplug from the grid. Through the wonders of scheduling blog postings and email blasts, I'm writing to you from the past. It's only a couple of days, but it's the past nonetheless.

It's Day 1 on my respite, so I'm in all likelihood sleeping right now as you read this. Good for me, bad for you. Though I must admit it has been WAY TOO LONG since I unplugged from my life and just vegged out for a week. Remember, you don't get any awards for letting vacation days go poof. It's a little different when you run your own business, but we all need to rest, recharge and rejuvenate. Most of us run too hard every day to keep up the pace indefinitely.

Just to give you a general overview of the Incites Redux process, I revisit my 2007 Incites (or projections for those of you not familiar with my lingo). I do this to provide some level of accountability, which still seems to be unique in the technology research business. Folks make ridiculous projections, both on market sizing and industry dynamics, with impunity. If they are wrong, so what? They still collect their checks and no one is worse for it. Except those poor saps that actually follow their advice.

So hopefully by now you've realized I'm a different kind of analyst and a different type of guy. I not only welcome the scrutiny of my positions, I search it out. So this week, I'm going to revisit each of my 2007 Incites and give myself a "grade." Of course, this is self-analysis - but I'm confident that if you strongly disagree with something, you'll let me know. Bashful folks you are not.

Have a great day.

Incite #1: Get with the Program

As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominantly SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.

Read the original Days of Incite post on this topic.

6-month grade: B

Over the past 6 months, I’ve given quite a few Pragmatic CSO pitches. The message goes over well because it is very frustrating to be a security professional nowadays. Though the reality of the situation is that changing mindsets and changing behavior is hard and it takes time.

I’m even happier about the seeming acceptance of addiction as a way of describing the problems plaguing the CSO today. I’m not sure it’s at the level of Kleenex or Xerox yet, but we’ll get there. When other thought leaders are starting to use the Pragmatic vernacular, I know the message is getting across.

But what about short-term progress? That’s a bit hard to gauge. I do inherently believe that some type of security framework is absolutely critical to give you a road map of what you need to do and where the finish line is. Of course, you never get there because by the time you get close, the rules have changed – but that’s part of the game.

Another key lesson from the first wave of Pragmatic CSO interactions is that the 12-step program is very complementary to something like ISO 27001 and COBIT. Why? Because neither of these security frameworks spends any time telling you how to figure out what should be protected and how to COMMUNICATE what you are doing and why it’s relevant. All assets and information are created equal with the leading frameworks. Obviously we know that isn't the case, so you need a way to prioritize what needs to be done.

Likewise, the P-CSO process doesn’t tell you all the fronts and control schemes you need to protect your environment and information. Thus the answer is likely both. Of course, I’m biased – but if you have to choose one to get started with – do the P-CSO because if you can’t figure out what you should be protecting and start interacting on business terms with business people – then all the controls in the world aren’t going to help you.


Incite #2: CSO Next

A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisers and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSOs.

Read the original Days of Incite post on this topic.

6-month grade: A

Everywhere you look the conversation is about how security is no longer a technical discipline, but a business function. That means the CSO needs to also understand business and this makes the role both unique and very valuable. A recent study shows that the CSO position is showing the greatest growth in salary and stature.

BUT, and this is a big BUT – you need the credibility to sit at the executive table and be taken seriously. How? You must think business. You need to talk business and you need to be business. Like Chevy Chase’s character says in Caddyshack, “Be the ball.” You need to be and represent the business. Technologists are not invited to those parties. You know, the ones where everyone drives up in their 911s and hob-nobs with folks named Biff and Muffy.

Thus all of those characteristics mentioned above are what you need to be working on. Are you there? If yes, then great. Go ask for a raise. $150 large is a pretty good payday for getting poked in the eye every day. Not as good as the CEO, but it's unlikely the CSO will be led on a perp walk anytime soon.

If not, then find a mentor and do it fast. Actually, while I’m putting together a wish list, you should get two. One internal to the organization and running a business function. This person needs to help you understand your business, the political landscape and give you an idea where the land mines are in working the security program through the organization.

The second mentor should be outside of your organization and a senior technology person: a CSO (of a company bigger than yours) or CIO who can both give you perspective about how dysfunctional your organization is (pretty much every organization has its “nuances”) and also advise you on some of the technical challenges.

Where do you find these folks? For the internal mentor, ask your boss – who is presumably connected into the business folks. Externally, start networking at places like ISSA and InfraGard to get exposure to folks that can help you.

If becoming CSO Next were easy, everyone would be doing it…