Pragmatic CSO Weekly #21

Submitted by Mike Rothman on Fri, 2007-05-25 09:50.
Pragmatic CSO Weekly

May 25, 2007 - #21

Mike's Pep Talk:

"No matter what anybody tells you, words and ideas can change the world."

- John Keating in Dead Poets Society


I have a lot of respect for teachers. Given that the Boss (my wife for those new to the P-CSO lingo) is a teacher, unless I want to sleep in the garage for a few weeks, I better show the proper respect. The reality is there is no more important job than making sure the next generation is ready to deal with the complexity of life.

I was recently doing a seminar and there were quite a few (probably 15-20) students taking information security courses in attendance. It was really great and my "business first" approach went over real well with them. But in talking with them after the session, I got a bit disturbed that much of their curriculum continues to be focused on tools and defensive techniques. These kids have been playing with computers and hacking things together since about the time they were toilet-trained. Technical skills are the least of their problems.

The reality is that tools change, but the ability to solve problems and to think never goes out of style. As John Keating's character said in Dead Poets Society, "I thought the purpose of education was to learn to think for yourself." I know that's what my education taught me: how to find the answers. And I still use those skills every single day.

I fear that this next generation is so enamored with shiny lights that they aren't learning the fundamental blocking and tackling of defining a problem space and evaluating appropriate solutions. Maybe I'm wrong, maybe I'm selling them short, but given the fact that my presentation was eye-opening to many of the students, I think I'm right on the money.

But we can change this, we can help the next generation get ready for life in the real world. I wish someone would have told me about the importance of understanding the business when I was just getting started. Fortunately I was able to get exposed to a lot of different industries very early in my career, and that gave me perspective as to what is important to different types of businesses. I got lucky, most of these kids won't have the same luck.

What I'm really trying to highlight is the importance of mentors. If you are an experienced security professional, take a junior person under your wing. Teach them lessons you learned the hard way. Help them understand what's required to climb the ladder of success, whether it's on the technical or the business side. Take an interest in helping them be successful. There is nothing more gratifying than seeing someone use your advice and prosper because of it.

If you are early in your career, find someone you can learn from. Spend time with them and ask questions. Ask lots of questions. Ask so many questions you become borderline annoying. That's the only way you learn. I guess you can screw things up because you are afraid to ask questions. There is no honor in making the same mistakes as your more experienced colleagues.

UPDATE: ONLY 2 SLOTS LEFT!!!!!!
The Maiden Voyage of the P-CSO boot camp has been moved to June 6. Don't get shut out. Sign up today. More details HERE.

In this week's issue:

This week's P-CSO Tip

Play to your audience

One of the most challenging things about gaining credibility in a security role is tuning your message to the audience. If you present patching and AV update statistics to a senior executive crowd, I can tell you it'll go over like a lead balloon. Likewise, if you focus on key business objectives with your operational team, they'll glaze over and start thinking about their weekend plans.

I was recently on a panel regarding security metrics, and a point was made that you need to track two sets of metrics. The first set is relevant to running the security function itself, and those are largely operational measures. The second set is relevant to the business, and those are the ones that will matter to the executive crowd.

How do you know which is which? That's actually pretty straightforward: think decision support. What information do you need to decide how to allocate your resources? For the operational crowd, you are looking at traffic/monitoring data, various update stats, and maybe some user awareness training results, amongst others. The executives want to know about uptime on their key systems (at least relative to security issues), data leakage, compliance issues, and the like.

The data is the data. But whether your message gets across has everything to do with how you position it for your crowd.

P-CSO Bootcamp Update: Session moved to June 6

The P-CSO bootcamp - maiden voyage is now locked and loaded for June 6. Location is still up in the air, but the date is now locked down. Forget those G-guys (they'll just huff and puff for 3 days), get some real perspective and let's address some of your specific issues at the bootcamp.

I'm also going to try to get the 2-day P-CSO bootcamp scheduled for late June, probably two weeks later. I'll keep everyone updated, and in the meantime you can still sign up by clicking the link below. If you need more information, check out the announcement on the Security Incite blog here and sign up today. Remember, this "maiden voyage" of the one-day seminar ON JUNE 6 in Atlanta is being offered at a special introductory price of $249.

This is a 75% discount on the list price of $995 for the seminar and it INCLUDES the P-CSO book and a 30 minute pre-call with me. There are only 2 spots left, so sign up today. You won't get this price again, EVER.


Sign up for the P-CSO bootcamp

Good News: CSOs last 3 years now

Who says we aren't making progress? As reported by NetworkWorld, a survey of attendees at a CSO bootcamp showed that only a few years ago the average tenure was 24 months, and now it's up to 36. WOW! That's a 50% increase. Personally, I think the numbers are self-selecting, but the idea of more "business-oriented" security professionals is certainly adding to the longevity of the position.

See, I'm not making this stuff up. But the conclusion of the article is that a security job is inherently one of limited life-span because we have to shake things up. I think that's bullshit. You can shake things up and do it in a collaborative way, so that the powers that be actually appreciate what's been shaken.

If you take a scorched earth approach, you may get short-term results, but you'll lose the war in the long term. A culture takes years to change, and cycling out CSOs every 2-3 years because they run out of Napalm isn't the right approach. The Pragmatic approach isn't like that. Try it yourself and you'll see.

The Biggest Security Challenge: A Pretty Pragmatic List

Thanks to Rob Newby, who in this post pointed me to a survey done by the ISC2 trying to identify the "biggest challenge in regard to information security." Here are the top 3:

  1. Lack of Management Buy-In
  2. Lack of Education
  3. Insufficient funding

Now go back and re-read the Introduction to the Pragmatic CSO, that you all received when you signed up for this newsletter. Strange correlation? No. And I'm not just trying to pat myself on the back here.

The fact remains, configuring firewalls or vendor consolidation or even application security ARE NOT the biggest challenges we face. Management doesn't appreciate what we do, and the users don't give a rat's ass.

You ready to try to be Pragmatic yet? As I said (and proved with my first return), if you hate the book - then send it back to me. You have nothing to lose, but to look at these surveys year after year and say, "glad I figured it out."

New Program: Selling to the Pragmatic CSO

Most sales and marketing teams in the security business are awful. They don't understand differentiation, they don't get the space, and they don't have the confidence to engage a buyer and solve their problem. And this is costing you money, every single day. I wish I were smart enough to have seen the potential of turning the P-CSO process inside out and using it as a metaphor to teach sales teams how to sell security. But I'm not. It was a client that suggested it to me.

I'm currently refining a first draft of the program with a few clients, and I'm happy to share what I'm thinking. The sessions will be heavily customized to your environment and can be packaged as 2, 4 or full day sessions depending on the level of interactivity and sessions you need. Sales and marketing teams will emerge with the background and positioning they need to successfully sell to this new breed of CSO. Drop me a note if you want to hear more.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.


BUY the Book | Buy the PDF