Pragmatic CSO Weekly #6
February 9, 2007 - #6
Mike's Pep Talk:
"Baby, you make me wish I had three hands."
- Benny in Total Recall

Being at RSA this week and roaming the show floor a bit made me think of that great scene in Total Recall, where Doug Quaid (our hero Arnold) goes into a "bar" on the Mars outpost looking for Melina. That bar, with the dancing girls, drinking and everyone trying to sell something definitely resembled the RSA show floor.
If you had a couple of bucks, it seemed you could buy pretty much anything you wanted. And with all that hot air in one room, I'm just glad it wasn't Mars so I could go outside and get a breath of fresh air and get the stench of all that horse-puckey being spewed on the floor out of my nose.
Which goes to the topic of this week's pep talk - don't believe everything you hear. For those of you familiar with my research at Security Incite - you know I'm pretty cynical about pretty much everything. I'll admit I was born cynical and sarcastic, but being in the security and networking business for the past 15 years hasn't really helped soften my edge.
That was very apparent on the show floor, where vendors were resorting to all sorts of tricks (including of all horrors, booth babes) to gain the attention of potential buyers. And once they have your attention, their objective is to keep it. And sometimes they make claims on the show floor that don't necessarily hold up in the lab. Empty claims don't help you to do your job any better.
Maybe this advice comes in a day late and a dollar short, given the show is over. But I suspect many of you will go to another trade show or two at some point. As you are interacting with vendor personnel, cast a wary eye on what they are saying. Make sure you describe your situation and make sure they understand how they would help you. When you get back to your home base, the ones that stacked up best deserve a deeper look.
It was great to see so many of you Pragmatic CSOs at RSA this week. Thanks for the feedback, both positive and negative. I really appreciate you reading and participating. It makes my research better and my job more fulfilling. Still don't have a copy yet? Head on over to The Pragmatic CSO website and pull the trigger. If you don't plan to, let me know why. You know where to find me.
In this week's issue:
- This week's P-CSO Tip: Managing up
- Mailbag: The confidentiality question
- Mailbag: How to get more detail
This week's P-CSO Tip
Managing Up
As I did the P2P session at RSA called "Successfully Selling Security Strategy," it occurred to me that much of my perspective is very focused on the CSO and senior security personnel. That's who the Pragmatic CSO is written for. But that's not the only person who can benefit from the P-CSO approach and perspectives.
You see, even if you are an administrator type, your boss needs to sell the strategy that you will execute. So you can take an active role in the process, giving your boss both perspective and an idea of priorities that can help manage your group pragmatically. You can maintain a very customer-centric perspective and you can learn all about your business.
Though you may be an administrator today, you may get the call up to the big leagues at some point. Understand your business, prioritize fiercely, and think programmatically, and you'll be ready.
Mailbag: Who the hell are you?
I got a note from a new subscriber on the list wondering who I was. So those of you who don't know my background (and this is Mike Rothman, for any of you still confused between me and the character in the introduction/book) can check it out here.
Being at a show like RSA reminds me how long I've been in this space. I ran into many people I've known for over 10 years, in a business where one year is a lifetime. Of course, security was quite a bit different back in the early 90's (before there was even an RSA conference), but I've been either doing, researching, or marketing/selling security for about 15 years. Now that's scary.
To be clear, that and about $4 will buy me a cup of coffee. But hopefully it's a bit of an answer for someone trying to understand my credentials to write the Pragmatic CSO.
Mailbag: How to get more detail
I got another message from a Pragmatic CSO who has completed the book and was hoping for more detail on what exactly to do. Unfortunately, that is not something I could have written in 1000 pages. A security program needs to be optimized for a specific organization.
Though the steps will be similar, some will be more applicable than others. Maybe you already have a baseline or your CIO/CFO are totally on board with your approach. It's as much a philosophy to be Pragmatic as anything else.
As the P-CSO community gets lift and folks of all shapes and sizes start to participate, I do think there will be a lot more detail about how to do the various steps, what folks have done well, and what hasn't worked as well. I'll be jamming throughout the rest of February to get the site launched and then let it fly.
I'm also not done writing yet. There will be at least 3 follow-on pieces that delve deeper into the process and get more specific. Expect some new stuff after the summer. And the community will largely be helping me to determine how to expand the content base.
Keep the comments coming. I'd like to be able to do a mailbag question or two every week.
Buy it now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.