Pragmatic CSO Weekly #36

Submitted by Mike Rothman on Tue, 2007-11-13 10:03.

November 13, 2007 - #36

Mike's Pep Talk:

"You make me dizzy
Running circles in my head
One of these days I'll chase you down
Well look who's going crazy now" 

- Foo Fighters, Breakout

BREAKOUT

There are a lot of security professionals who believe security is a means to an end. It's basically a stepping stone to fame and fortune elsewhere in the organization. I think this is a predictable outcome given that security continues to be seen as "hot" and will attract not only folks who are passionate about security, but also those opportunists who believe climbing the ranks will be easier because security has pretty high visibility within the organization.

Boy are those folks in for a shock. The reality of the situation is much different, which I'm sure you know because you read this newsletter and are pulling the splinters out of your ass every day to prove it.

That being said, even those passionate about security can and should think about what's next. Do you want to climb into more general IT management, or more general management of business functions? I found this NetworkWorld article about "How to break out of the CISO role in five easy steps" kind of interesting. The only problem is that there is nothing easy about it.

The don'ts are pretty straightforward. Basically it comes down to DON'T PREACH and don't be an asshole. That's not too hard, is it? Actually, for a lot of security folks I'm not sure which is harder - not preaching or not being an asshole. We tend to be pretty sarcastic, witty folks who have figured out how to cope with the fact that we spend all day trying not to get killed. We tend to make fun of the situation. That's fine, as long as you are in friendly company. You start making wise-ass comments in the executive suite and your stay will be short.

The Do's are pretty simple as well. Don't just be a technology wonk; take an interest in your business, and run your operation as a business. Shocking. It all sounds pretty pragmatic to me. But I guess that's the point. Part of me gets annoyed every time I hear someone parrot my spiel. Yet the other part of me is pretty happy that some of the core tenets of what I've been preaching for two years are starting (slowly but surely) to make their way into the conversation.

That's a good thing.


In this week's issue:

This week's P-CSO Tip

Be Careful What You Wish For

Since I'm talking about "breaking out" of the security role today, let's examine a bit about what happens if you are actually successful and do get a position that is broader than security. Maybe you drew the short straw and got put into a "compliance" or "risk management" role, outside of the security group. Maybe they put some problem child under your guidance, since you did such a good job with the security team. 

Regardless of where you end up, you need to once again replicate the lessons of the Pragmatic CSO. Figure out what's important to the folks making the decisions (assess value). Figure out where you are (baseline). Manage expectations and then build your business plan. Sound familiar? Of course it does.

I'll let you in on a little secret. The P-CSO isn't only about security. It's a general management guide. The 12 steps (well, most of them) can be applied to almost any management issue. Imagine that. I used a very similar process when I took over marketing at both TruSecure and Ciphertrust. The lessons in the book are fairly universal. Since I do security now, I wrote it from the viewpoint of a security professional.

Having done more than security during my journey, I can say that there were times when I longed to go back to the simple life. When I just had to do one thing and I could focus entirely on doing it well. Being airlifted into a broken environment isn't fun. It's exhilarating, but not fun.

So as much as the perceived drudgery of your day-to-day existence may make you nuts and have you longing to break out, be careful what you wish for - you may just get it.

