December 12, 2007 - #38
Mike's Pep Talk:
"May a weird holy man drop a cactus down your shorts."
- Carnac the Magnificent [1]
It's that time of year again, sports fans. It's time where those that can't, predict. So I'll give you some food for thought in this fine holiday season for things that you need to think about and focus on for 2008.
Of course, Carnac the Magnificent is a wonderful proxy to channel as I give you my thoughts on 2008, so without further ado - let me hold up the first envelope to my head.
Answer: A Caramel Macchiato
I want to thank my trusty sidekick, Security Mike, for opening up the envelopes and playing my foil during this game.
Security Mike: And the question is, "What the Pragmatic predictions and $4 will buy you at Starbucks."
The first thing that I think is of concern for Pragmatic CSOs in 2008 is to continue to focus on being relevant and managing expectations appropriately. That means working the plan and communicating what you've done. You have a security business plan, right? You get face time with the senior team, right? There is a big risk of falling into old habits and once again backsliding into your addiction of just reacting to what happens to you and throwing products at the problem. It means getting back to a "Security Products Anonymous" meeting, getting out from behind your desk, and reinforcing those relationships you've built over the past year.
For my next prediction, the envelope please. [Security Mike hands Pragmatic Carnac the envelope] "1313 Mockingbird Lane"
Security Mike: The question this time is "Where to send the deeds to all the machines the bad guys own."
In 2008, if anything, the focus of the bad guys on owning machines and turning them into bot armies will intensify. That means you need to make sure you are constantly testing your environment (that's Step 10: Security Assurance), as well as making sure you are effectively monitoring your environment to pinpoint when bad actors have entered it. That's Step 7. Remember, we are looking to reduce the number of surprises, and that means you need to know what the bad guys are going to know. We also want to REACT FASTER, so monitoring is absolutely key to that effort.
Let's do one more, before you bean the Pragmatic Carnac with a fastball. This answer is "Caesar, Brutus, and Bubba." Security Mike, please do the honors.
Security Mike: The final question is, "Your CEO's new roommates in the big house."
Yes, in 2008 security folks will continue to focus on compliance - much to the exclusion of the simple blocking and tackling to properly secure the environment. Pragmatic CSOs think of SECURITY FIRST, and my hope is that in 2008 we will continue that practice. The reality is that it isn't going to be easy, since many security "empires" will be dismantled as resources continue to migrate to the operational groups. Budgets are going to be flat and trending down, so it's not like we are going to have all sorts of money at our disposal anymore either.
We have to get back to basics: make sure your security business plan is solid, communicated, and executed. Security professionals will continue to have fastballs thrown at our heads all year, but we've got to stick to the Pragmatic plan, watch the backslides on our addictions, and ultimately try to have some fun. If we aren't having fun, it's time to find something else to do.
In this week's issue:
- This week's P-CSO Tip: If you fail to plan, you plan to fail [1]
- Blog post: The changing role of the CSO [1]
Building your security plan [2]." Now Dre is about as wordy as Chris Hoff, but there are a lot of good nuggets in here - and he even mentions the old P-CSO as a framework to build your plan around.
As you read through the post, it's very easy to become overwhelmed. You have all sorts of plans to put together and don't forget to overlay the idea of risk (meaning economics) to make sure that whatever you are doing is really relevant to the organization. Then there is the nasty business of measuring and counting what you do and lots of other gotchas, which make the daily existence of security professionals pretty hard.
Ultimately, the general complexity of the task will make most folks stop and abort the process before it even gets going. My objective in writing the P-CSO was to build a methodology that DOES NOT get bogged down in a lot of the details in precisely valuing assets or trying to really estimate the impact of a breach. That is a fool's errand.
It's all about the relationships you build and the credibility you gain by doing the right things consistently, managing expectations effectively, and communicating your efforts to the people that matter. The P-CSO has a very streamlined planning phase because I'm probably a lot like you: I'd rather spend my time doing things, as opposed to talking about doing things.
But if you don't have the structure of a plan, if only to communicate what you are doing to the powers that be, it's going to be very, very hard to achieve success.
TechTarget's Dennis Fisher talks about a panel at their recent Information Security Decisions [3] show that basically said the skill set of the CSO needs to rapidly expand.
No kidding. Security is a critical BUSINESS function and therefore the senior security officer needs to be more focused on how attacks impact that business than the technology that is used to either launch or defend against the attacks.
To be clear, there will certainly be professionals who don't want to muck with the business folks and engage at that level. That's fine, but it precludes those folks from ever having the senior security role. As part of everyone's career management process, you should be figuring out whether you want to stay technically focused or whether you want to climb the management ladder, which will require more and enhanced business skills.
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.