P-CSO Weekly

Pragmatic CSO Newsletter #62

Submitted by Mike Rothman on Wed, 2008-07-23 09:09.
Pragmatic CSO Weekly

July 23, 2008 - #62

Mike's Pep Talk:

"I found there was only one way to look thin, hang out with fat people." - Rodney Dangerfield

No, I'm not coming clean about being a little too festive on my vacation. Although I was. Today's pep talk is about the inevitability of your boss (or maybe even your boss's boss) coming to you and asking about cutting your budget. That's right, you'll probably be faced with tightening your belt over the next few quarters.

Which is OK because that chocolate cake (and 3/4 of a pizza) are overrated anyway...

After the first few announcements from public security companies, and some of the other information sources I track, it seems that the security budget is still reasonably safe. At least relative to other things (perhaps like virtualization?). But assuming that because our budget seems safe today it will be safe tomorrow is pretty much dumb.

You didn't become a Pragmatic CSO by being dumb. You have spent a lot of time building relationships and that means the senior folks may come and ask for a favor. Cut out some of the "nice to have" expenses built into the budget, and take a few for the team.

Can you do it? Where would you cut? What doesn't absolutely, positively need to get done yesterday? Of course, you already know the answer. Just go back to Step 1 and remind yourself what is important. Make sure those resources are protected, and let everything else slip a bit.

Of course it's sub-optimal, but it's reality. I personally (and no I'm not an economist and I've proven to be pretty crappy at predicting much of anything) believe that the second half of the year is going to be pretty bumpy and that security budgets will be cut as well. So get out ahead of it and start revisiting your 2H spending plans and see what can be moved to 2009.

A bunch of folks are increasingly talking about this reality. eWeek has some suggestions to defend your budget. Things like metrics (no, I'm not going to get started on that) and comparing your baseline to others (via things like CIS benchmarks), but in reality the answer isn't to fight for every last penny. It's to be a member of the team and cut like everyone else.

Some of the best advice I've seen on the topic comes from Stuart King, who reminds us that we can "negotiate" better with vendors (they need to hit their numbers too) and also that we need to really assess what is GOOD ENOUGH security.

We have the opportunity to win big points with the senior team by helping out when budgets get tight. You can squander it and alienate yourself from the rest of your management team. Or you can do the right thing for your business. The choice is yours.

CAVEAT: OK, to talk out of the other side of my mouth for a second, make sure that you really can cut before you willingly cut. If your security program is in shambles and it's just a matter of time before you have a huge breach, then obviously make it very clear that cuts in security spending put the organization at risk and in jeopardy. But make sure that is the case, not you just trying to save your cushy little security empire.

Photo credit: toffer

Pragmatic CSO Newsletter #53

Submitted by Mike Rothman on Wed, 2008-04-30 07:58.
Pragmatic CSO Weekly

April 30, 2008 - #53

Mike's Pep Talk:

"When choosing between two evils, I always like to try the one I've never tried before." - Mae West

A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver.

Let's get one thing straight. You are not the Lone Ranger. This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it.

In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive.

Why the dour tone today? Did someone piss in my Wheaties? Not exactly, since this is a concept I discuss pretty frequently in all of my publications. I read news clippings like this one in NetworkWorld about most employees intentionally skirting enterprise security controls, and part of me wants to hold my hands up and start serving Blizzards at Dairy Queen.

At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere.

Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that.

I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless?

Do you know the answer to that question? Do your corporate policies reflect that reality? If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground.

Photo credit: Buggs

Thinking out loud: A new type of IR practice

Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not).

Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing.

So I suggest we show them, in a way they haven't seen before.

You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan.

What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies.

Of course, the breach didn't really happen. It would be staged. But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies.

I know, I know. Intentionally deceiving employees is kind of an April Fool's joke gone wild. I'm sure there would be a number of folks pretty steamed when the truth that the breach was staged gets disclosed. And you'd need approval at the highest levels to pull off something like this, and how many CEOs would go for this kind of plan?

The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section what you think about my "thinking out loud."

Pragmatic CSO Newsletter #50

Submitted by Mike Rothman on Wed, 2008-03-26 09:54.
Pragmatic CSO Weekly

March 26, 2008 - #50

Mike's Pep Talk:

Over the past 4 months or so, I've given the "How Focusing on Compliance Can Get You Killed" pitch, which focuses on the audit process and how to do it "right." The most recent version was presented at the Source Boston show. My bud RSnake writes up a little ditty that mentions the session and basically asks if auditors are "scarier" than hackers themselves.

That's actually an interesting question. Many of the folks that work with security professionals every day tend to see this dysfunctional behavior and perspective frequently. The problem is that most practitioners are too deep in the muck to realize how screwy that is.

Auditors are scary because we think of the audit like a 5-round fight with Anderson Silva. We figure we are going to get pummeled, look like an idiot, and have a list 4 times as long when the findings report comes back. Maybe if it goes well, only our heads will pop off. The fact is, security professionals can both influence the audit process and make it a productive experience.

That's right, an audit can be a productive experience. Now before you figure I'm on crack and send this newsletter to the circular bin, hear me out a bit. We seem to forget that auditors are on the same team we are. Seriously, they want to make sure the data of the organization is protected.

We also forget that auditors see an awful lot of stuff. They are in a different environment almost weekly. They see the good, the bad, and the ugly. Did you ever consider asking the auditor for help? Figuring out how they would recommend you solve a problem? You are probably too busy ducking, weaving and counter-punching.

For me personally, I think the hackers are a hell of a lot scarier than auditors. The hackers are trying to break my stuff and steal my private information and intellectual property. The auditors are working their asses off to protect it. You tell me which is the right side of the coin.

Think about this the next time you are prepping for an audit. Do you want it to be the equivalent of a root canal or a day in the park? OK, maybe not a day in the park, but at least the auditor will use Novocaine - if you ask nicely.

Photo credit: WhiskeyTangoFoxtrot

If they don't want a YES man, they want a YES man

When I'm kibitzing with practitioners at shows or in other venues, I usually try to understand how and why they ended up in security. Although a lot of folks enter the business because they think it's cool, or that they will have assured employment (both are true) - they don't realize how hard it is. Why is it hard? Because of the scenario that Sharky describes in this blog post.

The fact is, we security folks tend to fight as many battles inside our walls as we do outside. And I'm not even talking about the insider threat. I'm talking about the politics of making security, if not urgent, at least a consideration. The Sharky scenario scares the crap out of me because the poor support guy that gets saddled with the security title may as well leave today. He CANNOT be successful.

Why? Because the CIO wants a yes man. The first indication that someone wants a yes man is that they go out of their way to tell you that they don't want yes men. I've been there sports fans and that is indication #1. Folks that are interested in your opinion don't even think to mention yes men because that line of thinking is totally contrary to how they work. They EXPECT you to challenge them and they covet your perspectives. That stuff goes without saying.

Talk is cheap. And if they need to talk about treating you well, then they probably aren't doing it in practice.

The truth is that most executives are weak and they surround themselves with people that are weaker. They hoard information, keep their folks in the dark and try to position themselves as indispensable. Do any of those traits sound familiar? If so, get out now. You may as well be working for Michael Myers. You will end up with an ax in your head, sooner or later.

I was very lucky in that I was able to recruit great people to work with me. Not everyone (I did hire some stinkers over the years as well), but most. And I let them do their things. I'd challenge them and they'd challenge me. I wanted their opinion because I knew they were better at what they were doing than I was - or else they wouldn't be there.

Best of all, I learned from almost everyone that's ever worked on my teams. That's the thing that weak managers don't get. They think they know everything and since they tend to hire doofuses, they usually do know more than those around them. But they are on the express train to nowhere, and you deserve better. Make sure you are working for someone that will help you and teach you. Or else you are wasting your time.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.

 

BUY the Book Buy the PDF

 


Pragmatic CSO Weekly #45

Submitted by Mike Rothman on Wed, 2008-02-20 14:18.
Pragmatic CSO Weekly

February 20, 2008 - #45

Mike's Pep Talk:

In a perfect world, security begins at the beginning of time. Unfortunately, as AndyITGuy points out, the world is far from perfect.

In today's Pep Talk, let's revisit the skills that are absolutely critical to being a successful security professional. First, let's focus on the technical stuff. You need to understand web applications and a bit about web application security. That is going to be the attack vector that is most commonly used for the next few years.

Go get that JavaScript book and make sure you understand the fundamentals of AJAX and can see how an XSS happens. You'll also want to familiarize yourself with CSRF attacks.

But that's the easy stuff. As I mentioned in the 2007 Incite called ["CSO Next"] - the technical stuff is not going to determine success or failure for today's security professional. It's the ability to persuade, cajole, stiff-arm, and ultimately get the other senior managers (both within and outside of IT) on board with the need to think about security early in the process.

Back to Andy's situation because we can all learn from his post. First of all, change doesn't happen overnight. Yet with persistence and consistent effort, it will happen. Andy started with a few project managers, and then got some structural process change (his signature required to deploy an application).

As long as he doesn't position security as Dr. No or yet another hurdle to jump over, his rock is rolling downhill. It will gather speed and within a reasonable planning horizon (it could be months or years depending on the culture) security will be an intrinsic part of all technology efforts. And that is definitely a hallmark of CSO Next.

Photo credit: Gari.baldi

The importance of awareness training

Since we are revisiting a couple of Pragmatic CSO hallmarks this week, let's touch on security awareness training as well. I dug through my archives and found this survey from last year covered in InformationWeek. It's horrifying for a guy that evangelizes the need to have layers of defense deployed to stop as many attacks as possible.

YOUR END USERS ARE A LAYER. Just like a firewall, that is in front of an IPS, that is in front of a web application firewall, that is in front of a network security monitor, that is in front of a database monitor, that is in front of a partially encrypted database - you want a number of synergistic layers in place to ensure that if one control fails - things don't go south. Your end users can be another important layer of defense against a world of increasingly malicious client-side attacks.

Unfortunately, your users are not born with an instinct to defend themselves against cyber-predators. They've got to be taught. And you have to teach them.

It's easier to just buy a product, or outsource a function and hope the problem goes away. Yet you know that hope is not a strategy. You need to use all of the resources at your disposal, and your end users are certainly one of them.




Pragmatic CSO Newsletter #42

Submitted by Mike Rothman on Tue, 2008-01-29 08:05.
Pragmatic CSO Weekly

January 29, 2008 - #42

Mike's Pep Talk:

I remember many years ago when my Dad was teaching me how to throw and catch. He'd say countless times "keep your eye on the ball." Now the tables are turned and I say a similar mantra as the (thankfully) soft ball bounces off my boy's face, chest, and arms.

But this is also an important lesson to learn for not just security folks, but risk managers around the world. The big news this week is the SocGen fraud, where a rogue trader built a fraudulent audit trail to cover $7 BILLION in trading losses. And I thought 2001 was a bad year in the market for me.


First of all, I want to make it very clear what this fraud was NOT, and that is an information security issue. When something like this happens, it's amazing how many messages I get from vendors saying, "You need to write something about how [Product X] would have stopped this travesty!"

Not so much. It seems that SocGen had plenty of warnings that the trader was unstable and that he was doing strange things. They just decided to ignore the signs. The information was there, the fact that this guy had a detailed understanding of the risk management process should also have set off alarms.

Even though I haven't seen the show (because I don't get Showtime), I think Dexter is kind of like this. A crime scene investigator would know how to cover up a crime. Likewise, a risk manager would know how to cover up a fraud.

Which once again gets back to the main point, this is not a technology issue. It's a philosophical one. An organization needs to be committed to investigating potential issues, or suffering the consequences. In this case, the consequences come with 9 zeros at the end of them. And other banks around the world shudder and are thankful that it wasn't them. This time, anyway.

Photo credit: Brookenovak

A couple of P-CSO Reviews

The hype around the P-CSO has ebbed and flowed in the 12 months since its publication. But that doesn't mean folks aren't talking about it. Check out these reviews to get a little more detail on the process and why it's appropriate for even technical folks.

  1. RSnake - Application security aficionado Robert Hansen (also known as RSnake) published a review of the P-CSO on the ha.ckers.org site. Money quote:

    "It’s not a technical book, it’s a book on changing your thinking to get you ahead of the assailant, in the good graces of your executive staff and into auditory compliance. I’ve run into countless people in the industry who desperately need to read this book so that they too can get a clue. It’s not rocket science. It’s the art of running security like a business. Five stars, Mike!"

  2. Josh Richards - Josh checks out the P-CSO introduction and thinks it's "promising." Cool.

    "This appears to be a promising resource with some good food for thought and practical approaches all collected together in one place. And, to boot, the approaches that look to be discussed should be readily applicable beyond IT security, to any IT project."

    Yes, it's true. The P-CSO methodology can be applied to almost any IT problem, although it was built with security in mind.

Thanks guys!




Pragmatic CSO Weekly #38

Submitted by Mike Rothman on Wed, 2007-12-12 10:36.
Pragmatic CSO Weekly

December 12, 2007 - #38

Mike's Pep Talk:

"May a weird holy man drop a cactus down your shorts." 

- Carnac the Magnificent


It's that time of year again, sports fans. It's time where those that can't, predict. So I'll give you some food for thought in this fine holiday season for things that you need to think about and focus on for 2008.

Of course, Carnac the Magnificent is a wonderful proxy to channel as I give you my thoughts on 2008, so without further ado - let me hold up the first envelope to my head.

Answer: A Caramel Macchiato

I want to thank my trusty sidekick, Security Mike, for opening up the envelopes and playing my foil during this game.

Security Mike: And the question is, "What the Pragmatic predictions and $4 will buy you at Starbucks."

The first thing that I think is of concern for Pragmatic CSOs in 2008 is to continue to focus on being relevant and manage expectations appropriately. That means working the plan and communicating what you've done. You have a security business plan, right? You get face time with the senior team, right? There is a big risk to fall into old habits, and once again backslide into your addiction of just reacting to what happens to you and throwing products at the problem. It means getting back to a "Security Products Anonymous" meeting, getting out from behind your desk and reinforcing those relationships you've built over the past year.

For my next prediction, the envelope please. [Security Mike hands Pragmatic Carnac the envelope] "1313 Mockingbird Lane"

Security Mike: The question this time is "Where to send the deeds to all the machines the bad guys own."

In 2008, if anything the focus of the bad guys on owning machines and turning them into bot armies will intensify. That means you need to both make sure you are constantly testing your environment (that's Step 10: Security Assurance), as well as making sure you are effectively monitoring your environment to pinpoint when bad actors have entered your environment. That's Step 7. Remember, we are looking to reduce the number of surprises and that means you need to know what the bad guys are going to know. We also want to REACT FASTER, so monitoring is absolutely key to that effort.

Let's do one more, before you bean the Pragmatic Carnac with a fastball. This answer is "Caesar, Brutus, and Bubba." Security Mike, please do the honors.

Security Mike: The final question is, "Your CEO's new roommates in the big house."

Yes, in 2008 security folks will continue to focus on compliance - much to the exclusion of the simple blocking and tackling to properly secure the environment. Pragmatic CSOs think of SECURITY FIRST, and my hope is that in 2008 we will continue that practice. The reality is that it isn't going to be easy, since many security "empires" will be dismantled as resources continue to migrate to the operational groups. Budgets are going to be flat and trending down, so it's not like we are going to have all sorts of money at our disposal anymore either.

We have to get back to basics, make sure your security business plan is solid, communicated, and executed. Security professionals will continue to have fastballs thrown at our head all year, but we've got to stick to the Pragmatic plan, watch the backslides on our addictions and ultimately try to have some fun. If we aren't having fun, it's time to find something else to do.


This week's P-CSO Tip

If you fail to plan, you plan to fail

Since the pep talk was all about the security business plan this week, let me highlight a good post by Dre on the TS/SCI blog about, amazingly enough, "Building your security plan." Now Dre is about as wordy as Chris Hoff, but there are a lot of good nuggets in here - and he even mentions the old P-CSO as a framework to build your plan around.

As you read through the post, it's very easy to become overwhelmed. You have all sorts of plans to put together and don't forget to overlay the idea of risk (meaning economics) to make sure that whatever you are doing is really relevant to the organization. Then there is the nasty business of measuring and counting what you do and lots of other gotchas, which make the daily existence of security professionals pretty hard.

Ultimately, the general complexity of the task will make most folks stop and abort the process before it even gets going. My objective in writing the P-CSO was to build a methodology that DOES NOT get bogged down in a lot of the details in precisely valuing assets or trying to really estimate the impact of a breach. That is a fool's errand. 

It's all about the relationships you build and the credibility you gain in doing the right things consistently, in managing expectations effectively and in communicating your efforts, to the people that matter. The P-CSO has a very streamlined planning phase because I'm probably a lot like you, I'd rather spend my time doing things - as opposed to talking about doing things. 

But if you don't have the structure of a plan, if only to communicate what you are doing to the powers that be, it's going to be very very hard to achieve success.

 

Blog Post: The Changing Role of the CSO

It's nice when the market comes to you. I've been talking about the need for Chief Security Officers to become more business oriented, rather than technically focused, for a long time. Now it seems this is the discussion that the "cool kids" are having at conferences and other venues. TechTarget's Dennis Fisher talks about a panel at their recent Information Security Decisions show that basically says the skill set of the CSO needs to rapidly expand.

No kidding. Security is a critical BUSINESS function and therefore the senior security officer needs to be more focused on how attacks impact that business than the technology that is used to either launch or defend against the attacks. 

To be clear, there will certainly be professionals that don't want to muck with the business folks and engage at that level. That's fine, but that precludes those folks from ever having the senior security role. As part of everyone's career management process, you should be figuring out whether you want to stay technically-focused or whether you want to climb the management ladder, which will require more and enhanced business skills.




Pragmatic CSO Weekly #37

Submitted by Mike Rothman on Tue, 2007-12-04 22:14.
Pragmatic CSO Weekly

December 4, 2007 - #37

Mike's Pep Talk:

"Jerry: Like when a man goes swimming... afterwards...
Elaine: It shrinks?
Jerry: Like a frightened turtle!" 

Seinfeld, Episode 85 - The Hamptons


Back in mid-October a good discussion broke out relative to what security is supposed to do and whether we can be successful. The Mogull weighed in with his "Optimistically Fatalistic View of Security" post, which made a lot of great points.

Then the Hoff decided that "security" was out, but "survivability" is in. He had a series of posts and took a few head shots given that survivability does entail a bit of a lower bar relative to the promise of "security." Probably the best and most clarifying post is this one, where Chris responds to many of the detractors. Amrit is never one to back down from a scrap, so he jumped in as well.

All of these guys have good points and the reality is that many security practitioners are having an identity crisis. The tried and tested technical skills are not yielding the credibility that we need to become players in the corporate structure and to be taken seriously. Yet, many security folks would rather have a root canal without Novocaine than have to get into the political muck that accompanies operating at a senior level in a large organization.

But all of this stuff has been covered before, ad nauseam. I want to get back to Hoff's original contention that our practice should be more focused on surviving than on securing. I generally agree that the idea of working towards true "security" is a fool's errand. What we are really trying to do is contain the damage and make sure our businesses can operate. Is that survivability? To a point.

The best metaphor I could come up with comes out of the retail business. It turns out there is a long line of Rothmans that have done retail pharmacy in some way, shape or form, so I've been around Mom and Pop pharmacies since I could barely walk. One of the key metrics that a retailer tracks is "shrinkage." Or how much stuff just kind of disappears.

I think the metaphor of shrinkage is a good one for security. We are trying to minimize the shrinkage we have due to security issues, which results in possible downtime, intellectual property loss, corporate liability, brand damage or compliance exposures. That's right, if we minimize shrinkage, we can go a long way towards achieving the "reasons to secure" as described in the Pragmatic CSO.

Another reason I like the idea of shrinkage is that it involves a decision on the part of business people relative to the amount of loss that they are willing to tolerate. You can certainly build defenses that mostly eliminate shrinkage, but that also pretty much eliminates your ability to do business as well. So it gets back to a classic risk decision. How much risk is your organization willing to accept relative to the amount of the potential loss?

Shrinkage. I kind of like that - as long as it's not me getting out of the pool a bit too quickly.

 


This week's P-CSO Tip

Zen and the art of the Audit

The day the auditor shows up is perhaps one of the most stressful for security professionals. Will your defenses be good enough? Will the auditor get what you are trying to do and how your layers make for a tight defense? But the reality is that many, many professionals blow the audit, not because their defenses suck, but because their ability to handle the audit is sub-par.

In flies the Security Monkey with a number of great ideas for making the audit go smoothly. The idea of being prepared is a no-brainer, but you'd be shocked at the number of folks that basically print out some reports and let it fly. Not taking the auditor's questions personally and getting defensive is another key technique. I've said this before and I'll say it again, you may actually be able to learn from the auditor - imagine that. So there is no reason to be defensive.

I associate all of these behaviors with a Zen-type existence. The auditor will show up and the auditor will find things that are wrong. You need to accept that reality and not get all wrapped up in it. Of course, you need to stand your ground where appropriate, but a few deep breaths while the auditor is in the middle of his/her examination will do you a world of good.

The best advice of all in this piece is to just BE QUIET. There is a time to talk and a time to listen. If you spend much more of your time during the audit listening, your experience will be a lot better. Or you can try the other way and see the monkey flinging dung at you for the entire audit.


Blog Post: Luck has nothing to do with it

On McAfee's rip-off "Security Insights" blog (maybe they have some insights, but certainly not INCITE), Charles Ross talks about not building security on "luck." But luck really has nothing to do with it, he talks more about knowing what's important and simulating what can go wrong. These are two very important steps of the Pragmatic CSO process. Step 1 has you go through a regimented approach to figure out what's important (and here's a hint, you have no idea what the answer is). Step 8 is all about containing the damage and that means building and practicing your incident response plan.

Luck is a strange phenomenon. I definitely believe that some of us are lucky. A lot of us make our own luck. Those of you that work the program, do the right stuff consistently, and pay attention to what's important seem to be lucky a lot more frequently - which is no coincidence.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today. 


BUY the Book Buy the PDF




Pragmatic CSO Weekly #36

Submitted by Mike Rothman on Tue, 2007-11-13 10:03.
Pragmatic CSO Weekly

November 13, 2007 - #36

Mike's Pep Talk:

"You make me dizzy
Running circles in my head
One of these days I'll chase you down
Well look who's going crazy now" 

- Foo Fighters, Breakout

BREAKOUT

There are a lot of security professionals that believe security is a means to an end. It's basically a stepping stone to fame and fortune elsewhere in the organization. I think this is a predictable outcome given that security continues to be seen as "hot" and will attract not only folks that are passionate about security, but those opportunists that believe climbing the ranks will be easier because security has pretty high visibility within the organization.

Boy are those folks in for a shock. The reality of the situation is much different, which I'm sure you know because you read this newsletter and are pulling the splinters out of your ass every day to prove it.

That being said, even those passionate about security can and should think about what's next. Do you want to climb into more general IT management, or more general management of business functions? I found this NetworkWorld article about "How to break out of the CISO role in five easy steps" kind of interesting. The only problem is that there is nothing easy about it.

The don'ts are pretty straightforward. Basically it comes down to DON'T PREACH and don't be an asshole. That's not too hard, is it? Actually, for a lot of security folks I'm not sure which is harder - not preaching or not being an asshole. We tend to be pretty sarcastic, witty folks that have figured out how to cope with the fact that we spend all day trying not to get killed. We tend to make fun of the situation. That's fine, as long as you are in friendly company. You start making wise-ass comments in the executive suite and your stay will be short.

The do's are also pretty simple. Don't just be a technology wonk, take an interest in your business, and run your operation as a business. Shocking. It all sounds pretty pragmatic to me. But I guess that's the point. Part of me gets annoyed every time I hear someone parrot my spiel. Yet, the other part of me is pretty happy in that some of the core tenets of what I've been preaching for two years are starting (slowly but surely) to make their way into the conversation.

That's a good thing.


This week's P-CSO Tip

Be Careful What You Wish For

Since I'm talking about "breaking out" of the security role today, let's examine a bit about what happens if you are actually successful and do get a position that is broader than security. Maybe you drew the short straw and got put into a "compliance" or "risk management" role, outside of the security group. Maybe they put some problem child under your guidance, since you did such a good job with the security team. 

Regardless of where you end up, you need to once again replicate the lessons of the Pragmatic CSO. Figure out what's important to the folks making the decisions (assess value). Figure out where you are (baseline). Manage expectations and then build your business plan. Sound familiar? Of course it is.

I'll let you in on a little secret. The P-CSO isn't only about security. It's a general management guide. The 12-steps (well most of them) can be applied to almost any management issue. Imagine that. I used a very similar process when I took over marketing at both TruSecure and Ciphertrust. The lessons in the book are fairly universal. Since I do security now, I wrote it from the viewpoint of a security professional.

Having done more than security during my journey, I can say that there were times when I longed to go back to the simple life. When I just had to do one thing and I could focus entirely on doing it well. Being airlifted into a broken environment isn't fun. It's exhilarating, but not fun.

So as much as the perceived drudgery of your day to day existence may make you nuts and have you longing to break out, be careful what you wish for - you may just get it.





Pragmatic CSO Weekly #35

Submitted by Mike Rothman on Tue, 2007-11-06 14:00.
Pragmatic CSO Weekly

November 6, 2007 - #35

Mike's Pep Talk:

"The Borg: Strength is irrelevant. Resistance is futile. We wish to improve ourselves. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service ours." 

- Star Trek, The Next Generation

Resistance is Futile

Lots of vendors fancy themselves as the Borg from Star Trek TNG. It resulted in one of my first "Incites" back in February 2006 called "Big is the New Small." Some folks disagreed with the inevitability that most customers, all other things being equal, will choose to buy from a big technology vendor, as opposed to a start-up. If history equals the last two years, then I'm being proven right - almost every day. Yes, I'm referring to Symantec flexing their checkbook to buy Vontu, which I covered on the Security Incite blog.

So what? Besides taking an uncharacteristic minute to gloat, why do you care about all these acquisitions? Unless you hold stock in the start-up, of course. Basically Pragmatic CSOs look to solve their problems, not buy from a big company or a small company. Company size doesn't matter, ability to solve the problem and support the solution is paramount.

That means in a lot of cases you'll be buying from innovative start-ups that are focused on solving fairly specific problems. Those start-ups will eventually be bought or go out of business. That means you need to add a "nimble" gene to your procurement repertoire. It's not enough to buy for the best price the solution that meets your needs from a vendor that can support it. You need to have Plan B and sometimes even Plan C, to ensure you will still be able to operate when your vendor gets bought.

To be clear, acquisitions are not always bad for the customers of the start-up. Just most of the time. So you need to have your contingency plans set up to ensure that you can still operate (dare I say "survive") and keep focused on the other 4 Reasons to Secure.

So let's say, for example, you are one of the couple hundred companies that have built your data leakage strategy around Vontu. Since they are now part of the Yellow Borg (or will be sometime before the end of the year), what do you do? Just wait and hope that the deal works out? You know I don't think hope is a strategy, so we are going to take the bull by the horns and make sure we are driving the relationship - not the other way around.

  1. Wait for the deal to close - Until the deal closes, there is nothing really to talk about. Lots of SYMC people and Vontu people will be sitting in meetings, talking about integration and the like. But until the papers are formalized, nothing is going to happen.
  2. Ask for a sit-down with your Vontu rep - If they are still there after the close, then you'll want to have a sit-down with your Vontu account team. Remember, you spent an average of over $400,000 for the software, so you deserve to hear what the integration plans are, if/how the product strategy is changing, and what benefits you will see from the deal.
  3. Sit down with your SYMC rep - Just in case they forget to show up at the last meeting, you should also meet separately with the Big Yellow rep. He/she needs to be able to explain to you how your Vontu purchase and continued support (read maintenance renewal) will impact your current volume deals. $400,000 is a lot of AV renewals, so you should have a bit of leverage. Every market in security is competitive, so use that leverage to save some coin.
  4. Invite Competitors B and C back in - Since you want to make sure you continue to have Plan B and C, re-establish the dialog with the DLP vendors that didn't win the deal the first time around. They know why they are there, and make it clear that no decision is forever and if SYMC bungles the integration, you'll be in the market for another solution. Learn what kind of pricing concessions are on the table and also how the migration process would work.
  5. Hope a bit - Hope isn't a strategy, but it can't hurt - can it? So pull for the integration to go well and your previously small vendor to have lots more resources to support you better and bring new capabilities to market. There are clear advantages to having a big bankroll, maybe they'll take advantage of them.

But don't sit around and wait for things to go South. There is no honor in that. Yes, resistance is futile, but that doesn't mean that you don't fight the good fight every day.


This week's P-CSO Tip

Remembering the Golden Rule

The converse of your start-up being acquired is if/how a Pragmatic CSO should work with small companies. Since the dogma of the P-CSO is all about solving the problem, there is a likelihood that the only companies capable will be small. Is there risk in working with a small company? Sure. But if you set the right tone and build the right relationships with your account team - you can get a lot better support from a small company. 

That's right. Even if you spend $400,000 with Symantec, you may not be a big deal for them. They close quite a few million dollar deals every quarter. But a $200,000 deal (just making that number up) for a start-up is a big deal. You will get access to the folks that build the software and also the CEO if/when you need it. If you work for a small company, then you don't have any leverage in either case, so you are probably better off with the big company, if only because they'll be around.

Just as you need to build a good rapport and relationship with your colleagues on the senior team, you also need to have good relations with your key vendors. That means you treat them as you would want to be treated: fairly and with respect. That doesn't mean you take crap, accept fabrications relative to delivery timetables or functionality, or let them off the hook if something doesn't work.

But beating them down, just to show you are boss is the wrong thing to do as well. Remember, this is a small industry and the folks that you may screw over today will show up, at the most inopportune time. I guess the Golden Rule still holds.





Pragmatic CSO Weekly #34

Submitted by Mike Rothman on Wed, 2007-10-31 15:29.
Pragmatic CSO Weekly

October 31, 2007 - #34

Mike's Pep Talk:

"Patty Frost: Michael... Myers.
Zach 'Z-Man' Garrett:
Trick or treat, baby!"

- Halloween (2007)

Halloween

BOO! It's Halloween and that's always a lot of fun. The kids get all dressed up and the Boss and I prepare for the inevitable sugar crash and burn that results from kids that collect at least their weight in candy.

For this week, let's deal with a downright spooky topic and one that pretty much scares the crap out of everyone. That's the idea of walking into the office one day and finding that your boss is dressed as Michael Myers and proceeds to cleave your head clear off.

That's right, what happens if you've been canned? That's pretty spooky, no? Since I've got a fair bit of experience in this very topic, I'm going to give you some thoughts that have served me well in a very stressful situation.

  1. This too shall pass - I know it will feel like your world is ending and you aren't sure whether you'll ever work again. Since you are in a security role, I can pretty much guarantee that you'll find another job. Whether you want it is the more appropriate question.
  2. Take some time off - I know a lot of folks that get so freaked out about not having a job that they jump at the first thing that is offered. I suggest you take at least a week off. That's right, don't start your job search for a week or more. Why? Because you need to get over your anger at getting canned (or laid off, etc). The last thing you want is to be seen as desperate, angry, or bitter. Let the road rash begin to heal before you jump back into the fray.
  3. Figure out what you want to be when you grow up - This is critical. You need to candidly and dispassionately assess your last job and pinpoint what you liked and what you didn't. Look to do more of the things that you like, and less of the things you didn't like. I know it sounds simple, but most people don't take the time to really figure that out. So they keep making the same mistakes over and over again.
  4. Leverage your network - Since you've all been good at meeting other security professionals in your area (RIGHT?), send out a little message that indicates you are looking for new opportunities and asks for referrals. For the folks that you know are super connected in your region, call them directly. See what's going on, what's happening in the area. There may not be anything immediately, but you won't know if you haven't cultivated your network.
  5. Believe - It's hard when you are going through a dark time to continue to have faith and confidence in your abilities. But you have to or you won't get that job. Make sure you can clearly communicate the circumstances that caused your exit and what you learned from it. As a manager, I looked for people with some battle scars - as long as they could tell me what they learned.

I truly believe that change is good and sometimes forced change needs to happen. Obviously it's better if you have something else lined up before you leave your current gig, but sometimes that just isn't an option. As opposed to fretting about it (which doesn't really accomplish much of anything), you need to stay focused, believe in yourself, and look for the best fit. Not just the first thing that comes along.


This week's P-CSO Tip


Market Thyself

As a follow-up to the spooky scenario described above, how do you go about "marketing yourself" so that when you need to look for a job, you hit the ground running and maximize your chances to be successful? First of all, get involved in your local security community. Whether it's ISSA, InfraGard, ISACA, IIA or any other security/audit networking group - make sure you know the power brokers and they also know you.

Second, you should be quantifying your successes and analyzing your failures and be able to present a great case relative to how you'll handle your next job. That's where the Pragmatic CSO methodology is so powerful. By definition, you are focused on BUSINESS RESULTS and telling a compelling management-level story about your security program, including defining success, managing to objectives and hitting milestones.

When it comes time to meet with prospective employers, you take a two-phase approach. In the first phase, you are describing your qualifications and learning about their environment. So you come armed with presentations you've given (without violating NDAs and other confidentiality agreements) and detail about how you've structured your "security business."

You need to also be aware of the challenges of the prospective employer and what BUSINESS problems they are trying to solve. Ask good questions and make sure you understand what they believe the challenges to be. DON'T ASSUME you know, even if they are exactly like your former employer. Just like when you go through Step 1 in the P-CSO, what you think doesn't matter. It's all about what THEY think.

When they invite you back for a second interview make sure you have mapped out a 100-day plan. If you've listened well and know your business, you'll have a great idea about what needs to be done. Don't be arrogant (like you know all the answers), but offer up a few suggestions about what you will do, when you get the job. Define milestones and make it very clear that you are willing and expect to be accountable for the results you map out.

Not only did I like to hire folks with battle scars and something to prove, but I also liked folks that took initiative and were willing to stick their necks out. It also makes your first 3 months easier because you already know what needs to get done.

Blog post: Measuring the "right" stuff

My last thought on the job search is to be able to substantiate the results you've gotten in your past gigs. Again, going through the P-CSO process will give you all the ammo that you need. If it's good enough for your former senior management, then it will most likely be good enough for the next one. At least to show that you know what you are doing and have walked the walk before.

This fairly dated post on the Intel blog makes a couple of good points about security measurement. Basically you want to measure just enough to achieve your objective. Just like you don't spend $10,000 to secure a $500 asset (though many of us probably do), you shouldn't spend tons of money gathering data and generating reports on things that your management doesn't care about.

So what are those metrics? I can't tell you, you need to figure that out for yourself. How? By talking to your senior management (Step 1) and going through the P-CSO process. As you are looking for your next gig, you need to be able to explain why the metrics you gathered were important to your former employer. They may not be important to your new employer, but again, you are trying to convince them you have done the job before and can be successful in this new environment.
