Pragmatic CSO Weekly #20

Submitted by Mike Rothman on Fri, 2007-05-18 07:54.
Pragmatic CSO Weekly

May 18, 2007 - #20

Mike's Pep Talk:

"You don't really want to hurt me. You don't really want to make me cry..."
- Culture Club




You knew it wouldn't be long before I broke out the Culture Club reference. Well today is the day. Boy George lives. I don't know where and I don't much care about that, but he/she lives on and on and on.

Yes, there is a point. The folks that were kind enough to bring me into Columbus, OH for the All-Ohio ISSA/InfraGard/ISACA set up a round table discussion before the cocktail party last night. It was a great crowd and an even better conversation. I was all ready to get discussion moving around incident response and monitoring, but that was not to be.

The only thing the group wanted to talk about was CULTURE. Yeah, I was surprised as well. Sure this is a pretty advanced group in a sophisticated security community, but still. It was surprising that their biggest issue remained how to get everyone on board with the security mindset.

Unfortunately, I don't have any silver bullets or panaceas for that. It takes brute force effort, consistently, over a long period of time to change a culture. And the impetus has to come from the top. One of the folks at the round table made a great comment. He talked about how the C-suite at his company have gotten on board, and basically made it very clear if they have to change passwords and carry tokens and have their web traffic and email monitored and all that other stuff that we security folk do, then the rank and file employee better get on board as well.

Sometimes that's what it takes. Another round table member talked about how they recently did a training for one group of employees where HR, Legal and Security were all there at the same time to make it clear what the acceptable use policies of the organization are and why it's important to adhere to them.

Top down thinking? Collaboration between functions? That was great to hear, but still the minority in the room. The clear message is that it CAN happen and it's something that you can do. But it takes perseverance. It takes a lot of work and it takes time. And when you get down in the dumps because the same user makes the same dumb mistakes over and over again, just break into song. I suggest Culture Club's "Do You Really Want to Hurt Me?" That should cheer you up.

UPDATE: The Maiden Voyage of the P-CSO boot camp has been moved to June 6. There are still a few slots left, so don't get shut out. Sign up today. More details HERE.

In this week's issue:

This week's P-CSO Tip

Above the Law

One of the other key themes that we dealt with at the Columbus round table was this idea of being "above the law." There was great frustration in the room relative to those folks, especially on "mahogany row," who don't think the rules apply to them.

In the age of Sarbanes-Oxley, where inappropriate trysts between employees and executives are costing Fortune 500 CEOs their jobs, that is not a defendable position. EVERYONE needs to be monitored. EVERYONE needs to adhere to the corporate policies.

At the end of the day it's a liability issue. The organization is liable for the actions of its employees. Period. And the organization will be sued. It happens every day. You have acceptable use policies for a reason. If you don't enforce them, they aren't worth the paper they're written on. Seriously. But don't take my word for it, talk to your General Counsel.

So what do you do when the powers that be don't want to enforce the policies? It would be too "damaging" to take out that rainmaker. It may not feel "clean," but you have to blow the whistle. Many companies have anonymous hotlines that will let you disclose bad behavior and other issues. Use that resource.

If you don't have a hotline, send a letter to the board of directors and copy the CEO and General Counsel. Yes, this is hardball. But you don't want to take the fall when the lawsuits start flying. And if you disclose the issue, the board has a legal responsibility to investigate and take action.

And if nothing still happens, then you need to decide if this is a place you can work in good conscience. No one is above the law.

P-CSO Bootcamp Update: Session moved to June 6

The P-CSO bootcamp - maiden voyage is now locked and loaded for June 6. Location is still up in the air, but the date is now locked down. Forget those G-guys (they'll just huff and puff for 3 days), get some real perspective and let's address some of your specific issues at the bootcamp.

I'm also going to try to get the 2-day P-CSO bootcamp scheduled for late June, probably two weeks later. I'll keep everyone updated, and in the meantime, you can still sign up by clicking the link below. If you need more information, check out the announcement on the Security Incite blog here and sign up today. Remember, this "maiden voyage" of the one-day seminar ON JUNE 6 in Atlanta is being offered at a special introductory price of $249.

This is a 75% discount on the list price of $995 for the seminar and it INCLUDES the P-CSO book and a 30 minute pre-call with me. There are only 10 spots, so sign up today. You won't get this price again, EVER.


Sign up for the P-CSO bootcamp

Newsflash: The first return

Five months into it, I finally had my first return. The buyer was very gracious about it, but made it clear that he didn't see the value in my approach. It was just common sense and he knew everything in there already.

I offered my congratulations and sent his money back. Clearly this was a guy who knew how to get security done and had a great relationship with his executives. Hats off to this guy, because it's pretty rare. Why am I telling you this? First off, I'm proud that over 5 months into this journey (this is the 20th weekly newsletter), I've had one book returned. I'm pretty happy about that.

The other key reason is to once again make the point that the Pragmatic CSO is NOT for everyone. Folks that have learned many of these lessons in the school of hard knocks may not need it. That being said, I know a lot of salty old pros that like to be reminded of the stuff they already know. And lots of folks that are getting into the business need a road map, so they can hopefully learn from other people's pain and misery.

Over time, there will be more returns - and I'm cool with that. But if you know everything, then the P-CSO is probably not for you.

New Program: Selling to the Pragmatic CSO

Most sales and marketing teams in the security business are awful. They don't understand differentiation, they don't get the space, and they don't have the confidence to engage a buyer and solve their problem. And this is costing you money - every single day. I wish I was smart enough to see the potential of turning the P-CSO process inside out and use it as a metaphor to teach sales teams how to sell security. But I'm not. It was a client that suggested it to me.

It's a great idea. I'm currently refining a first draft of the program with a few clients, and I'm happy to share what I'm thinking. The sessions will be heavily customized to your environment and can be packaged as 2, 4 or full day sessions depending on the level of interactivity and sessions you need. Sales and marketing teams will emerge with the background and positioning they need to successfully sell to this new breed of CSO. Drop me a note if you want to hear more.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.


BUY the Book Buy the PDF