Pragmatic CSO Weekly #2

Submitted by Mike Rothman on Fri, 2007-01-12 11:59.
Pragmatic CSO Weekly

January 12, 2007 - #2

Jules: Now Yolanda, we're not gonna do anything stupid, are we?
Yolanda: You don't hurt him.
Jules: Nobody's gonna hurt anybody. We're gonna be like three little Fonzies here. And what's Fonzie like? Come on Yolanda what's Fonzie like?
Yolanda: Cool?
Jules: What?
Yolanda: He's cool.
Jules: Correctamundo. And that's what we're gonna be. We're gonna be cool.

Pulp Fiction

Since my nostalgic TV analogy went over pretty well last week, I'm going to stick with the entertainment metaphors, until either you kill me (do you have one of those Bad M* F* wallets?) or I tire of it.

When I talk about "being cool," I'm referring to the last scene in my favorite movie of all time, Pulp Fiction. Jules was able to defuse a volatile situation by being cool and suggesting the same to his adversaries.

What does that have to do with the Pragmatic CSO? Things will go down and your team expects you to lead. If you are panicking and not in control of the situation, that is not going to help things - AT ALL. You need to keep your cool, you need to execute on your containment plan.

You are either in control or you aren't. Rudy Giuliani is a legend and a legitimate US presidential contender because he stayed cool under the most horrifying circumstances you could imagine - the Sept 11 attacks in NY. One of the keys to being a Pragmatic CSO is to be in control and in command of the situation. Keep that in mind the next time things go a little awry.

I also want to thank the many of you that have bought the book so far. Initial feedback has been very positive, and with the addition of a hard copy book to the P-CSO family, you can get Pragmatic in the form factor you prefer. If you haven't already, head on over to The Pragmatic CSO website and pull the trigger.

In this week's issue:

This week's P-CSO Tip

Climbing the wall of worry

Yes, that's a stock market concept that it usually takes some bad news and uncertainty to drive the market to new heights. Why? Whether it's concern over interest rates, corporate earnings or whatever - you usually see breakouts to the upside after some bad news is digested and deemed to be not so bad.

So what? What does that have to do with being a Pragmatic CSO? Of course, if you were good enough at climbing that wall in the markets, you wouldn't need to be a security person at all. But that's not me, and probably not you either. I'm talking about worrying only about the things within your control.

It actually makes my wife crazy that I tend not to worry about much. Much of what you deal with as a CSO is out of your control. You can't control whether a new attack vector appears or how successful it turns out to be. So why worry? You can't control what your users are going to do, so don't worry about it. You'll be much happier when you focus on the things WITHIN your control.

Like your layered security architecture. Or your security awareness training program. Or your containment plan. Those are things in your control, and if they are screwed up then you should be worried. But if you are in good shape, then play the cards you are dealt each day. Some days you'll be in good shape, other days not so much. But worrying about it won't change the outcome, that's for sure.

Pragmatic CSO: The Community (Coming Soon)

One of the things I refer to in the P-CSO book is the web community. The plan is to launch the community in February, with templates and other content to kick start your Pragmatic CSO process. There will also be forums to discuss each step and share experiences and best practices with your fellow P-CSOs.

But that's not it. There will be a lot of value-added content within the community. It's not just for Pragmatic CSOs, but for pretty much everyone that is involved in the security business. I'm in the process of working on a pretty cool idea to get some other industry experts to participate in the community, so stay tuned for more news on that.

There will also be a Security Incite (my other job) research section in the community. I'll be publishing between 8 and 10 "Deep Incites," which go into detail on how to solve some of the biggest problems facing CSOs today. Problems like the insider threat, PCI compliance, leak prevention, mutual authentication, visitor access, etc.

A Deep Incite goes into a deep discussion of the problem and some architectural constructs on how to solve it. What's novel about that? Pretty much all research to date has focused on analyzing arbitrary technology categories. I think that's bass-ackwards. So you can get an analysis of the "NAC" market. But that doesn't help you unless you already know what the problem is and you've come to the conclusion that NAC is the answer. My approach looks at the problem and then the potential solutions. Not the other way around.

Each month, I'll also be doing a few quick interviews with some industry heavyweights to get their perspective on what's going on. Both CSOs and other folks will be represented, and don't expect your run-of-the-mill boring podcast interviews. Expect 10 minutes or so of hard-hitting, no-holds-barred perspective.

Once again, I'm swimming upstream in the face of traditional research. It's going to be cool. I'll provide further information closer to launch.

P-CSO FAQ: Why is the PDF personalized?

Some folks are interested in why I personalize each PDF. It does add a bit of work for each order, but I think it's worth it.

As usual, there are dual motives. First, it's a nice touch and allows me to make a virtual connection with each customer. Second, I believe it will minimize piracy.

I decided not to implement some draconian DRM solution on the book to ensure only the buyer can open the book. That would have been a pain in the ass for me and it would annoy you. Not a great combination.

The reality is that each buyer can send the PDF to other folks. Just like you can share music with your friends. I can't stop that; it's a fact of life in the digital age. But if the book does make its way around, anyone who reads someone else's copy will be reminded on every page that they are stealing my stuff. You see, the guilt-meisters have taught me well.

P-CSO FAQ: Why self-publish?

I can't tell you how many people asked me who my publisher was when I told them I was writing a book. There was also a lot of confusion when I said "it's me." You see Thomas Ptacek of Matasano nailed it in this post (here). I modeled P-CSO's go to market strategy on 37Signals' groundbreaking work in self-publishing.

Thankfully, they went down the path of traditional publishers and found it to be a crappy business proposition. They self-published their second book and have done very well. I was able to learn from them. If anything, I like to learn from others.

Why is a traditional publisher problematic? First, my ability to give away the introduction would be much more complicated. It can be done, but there are hoops to jump through. Also, if at a future time I decide to bundle the content with other works I do - it's messy when someone else controls the rights to publish.

Second, I would make a fraction of the money. I didn't write the book to get rich, but hey - I could think of worse outcomes. Distributors take a large percentage of your revenues, so in order for me to make the same amount of money per copy - I'd need to charge at least twice as much. I figure that wouldn't make Arthur any happier.

So I went the self-publishing route and so far it's working pretty OK. Sure, I get to deal with the wacky nuances of how printers handle fonts and I had to do my own layout, etc. But I actually enjoy that stuff.

P-CSO in the blogosphere

This week, two more of my blogging friends weighed in on the P-CSO:

  • Andy, ITGuy:
    "I must say that, just as many others have already said, this is required reading for anyone who is either in Security Management, those who desire to move into Security Management or even those who just work in Security."

    "After reading it I know that it is worth the price and even more. I can honestly say that if my free PDF copy was set to self destruct in 30 days I would dig into my wallet and pay the $97 to be able to have it at my disposal for future reference."

    Link here.

  • Ravi Char:
    "This book is a must have for any CSO."

    "Mike's Pragmatic CSO offering is the manifestation of his identity in the marketplace, compelling analytical writing style and his commitment to help you. Read the Pragmatic CSO and learn the power of getting things done in security land."

    Link here.

Thanks fellas. You are both very kind. Keep the comments coming. Both good and bad.