P-CSO Weekly

Pragmatic CSO Bootcamp #2 (and book discount offer)

Submitted by Mike Rothman on Wed, 2009-10-07 15:34.

Pragmatic CSO Weekly

October 7, 2009 - Bootcamp #2

Mike's Pep Talk:

"It would be better if you begin to teach others only after you yourself have learned something."
-- Albert Einstein

I am a fortunate guy. The journey I'm on continues to amaze and astound me. I viewed The Pragmatic CSO as my opportunity to give a little back based on all of the great people that have taught me the ropes through the years. Though I've been pretty much silent over the past year on P-CSO activities, I still like to give back, and when the opportunity presents itself, to give folks that haven't been exposed to it another chance to get Pragmatic.

Once again, I'm happy to partner with the folks at the Business of Security site to run a series of webcasts and virtual peer group sessions to run folks through the boot camp I put together a few years ago. In this kind of economic environment, it's all the more critical that every security professional be focused on adding value and selling the benefits of security. Being Pragmatic is certainly a time-proven method of doing that.

The first session doesn't cost anything and will be held this Tuesday via webcast. I'll run through the P-CSO process and then dive into the first section of the P-CSO - "Plan to be Pragmatic." I'll also go into the beginning of Section 2 - "Building Your Pragmatic Security Environment."

Even better, through the generosity of the Business of Security folks (and my employer, eIQ) I'm able to offer attendees to the session a 50% discount on the book and/or PDF. But to get the discount, you'll need a special discount code that will be provided during the session. 

SO, if you've been waiting for the price of the P-CSO to come down - this is your chance.

There will also be a special discount for folks that want to participate in the follow-on sessions when I present the rest of the boot camp. More details will be available during the session.

Here is the link to the registration page. I hope to see you on Tuesday.

Photo credit: Army.mil


Pragmatic CSO Newsletter #69 - Management Training

Submitted by Mike Rothman on Mon, 2008-12-08 08:55.
Pragmatic CSO Weekly

December 8, 2008 - Management Training - #69

Mike's Pep Talk:

"It would be better if you begin to teach others only after you yourself have learned something."
-- Albert Einstein

I am a fortunate guy. The journey I'm on continues to amaze and astound me. I viewed The Pragmatic CSO as my opportunity to give a little back based on all of the great people that have taught me the ropes through the years. Though I don't have as much time to devote to P-CSO pursuits as I'd like, which is clearly evidenced by the lack of newsletters and podcasts of late, it's time to revisit the content and give folks that haven't been exposed to it another chance to get Pragmatic.

I've partnered with the folks at the Business of Security site to run a series of webcasts and virtual peer group sessions to run folks through the boot camp I put together a year ago. In this kind of economic environment, it's all the more critical that every security professional be focused on adding value and selling the benefits of security. Being Pragmatic is certainly a time-proven method of doing that.

The first session doesn't cost anything and will be held this Thursday via webcast. I'll run through the current state of security, and go into depth on the first section of the P-CSO - "Plan to be Pragmatic."

Even better, through the generosity of the Business of Security folks (and my employer, eIQ) I'm able to offer attendees to the session a 50% discount on the book and/or PDF. But to get the discount, you need to attend the session. 

SO, if you've been waiting for the price of the P-CSO to come down - this is your chance.

There will also be a special discount for folks that want to participate in the peer group sessions. More details will be available during the session.

Here is the link to the registration page. I hope to see you on Thursday.

Photo credit: Army.mil

Pragmatic CSO Newsletter #68 - Cost Containment

Submitted by Mike Rothman on Wed, 2008-10-22 09:47.
Pragmatic CSO Weekly

October 22, 2008 - Cost Containment - #68

Mike's Pep Talk:

"In our personal ambitions we are individualists. But in our seeking for economic and political progress as a nation, we all go up or else all go down as one people. "
-- Franklin D. Roosevelt

I got a question the other day that made me take a step back and really think. It was an innocent enough question, mostly about how to protect the security budget. Given the economic malaise spreading around the world, it's a safe assumption that budgets across the board are going to be cut.

We all know that even in the best of times, security doesn't get enough investment to really "protect" everything that is important. We are always robbing Peter to pay Paul and hoping that we don't get nailed taking a necessary short cut. If the funding spigot turns off for everything, what's a security professional to do?

Basically, we need to remember that we are team players. That means we've got to tighten our belts just like everyone else. Yes, that's right. It's not about fighting like hell to protect OUR budget. It's about figuring out what's the best path for our company. As FDR says, "we all go up or else all go down as one people."

The most important two words for the remainder of 2008 and through most of 2009 are COST CONTAINMENT. That's right, any projects that we try to push through had better be focused on how they save the company money. It's all good and well to think about growth and protecting all of those new systems that are going in, but it's not going to happen.

So take a look at the following buckets and see if/how you can streamline the operation and remove some costs.

  • People - It's going to be hard, but there will be reductions in staff. Pretty much everywhere. So look at how you can automate certain processes to eliminate the need to add people. Maybe look into a compliance automation/reporting engine to facilitate preparing for those audits, which will continue to go on. As a manager, you'll also need to figure out how you can do without some hands on deck.

  • CapEx - That new campus build-out? Not so much. It's going to be very hard to get capital budget without a very clear payoff from a cost reduction standpoint. So if you can show how you reduce expenses (maybe people, or allow your people to do a lot more), then you have a chance. If you can't build that case for any specific project that requires capital - don't waste your time. It will be rejected at the senior level. Of course, smart companies invest during a downturn. But most of us don't work for smart companies, so scrutinize your CapEx plans and figure out how you can spin each within a COST CONTAINMENT context.

  • OpEx - I figure it's going to be a banner year for outsourcers and service providers. In the short run, looking at a service to take on some of the operational responsibilities can definitely work. In the long run, it's probably an economic wash. But the fact remains that if you don't get through the short run - there is no long run. If someone else can do it cheaper NOW, and maybe allow you to trade some CapEx for OpEx, it's a decent trade-off to consider.

Remember, I'm not a Chicken Little type of guy. But I am overly Pragmatic. Maybe your senior team will decide now is the time to invest and take market share. That's awesome. But we can't guarantee that, so we have to plan for as many contingencies as we can. Whatever your plans and projects were slated for early 2009, go back and revisit them. Continue to weigh them relative to the stuff that we know is important (discovered in Step 1) and see how you can make things more efficient.

We all have to pitch in. Even security.

Photo credit: Roadsidepictures

Pragmatic CSO Newsletter #65

Submitted by Mike Rothman on Wed, 2008-09-10 07:02.
Pragmatic CSO Weekly

September 10, 2008 - #65

Mike's Pep Talk:

"It's one thing not to see the forest for the trees, but then to go on to deny the reality of the forest is a more serious matter."
-- Paul Weiss

Can you see the forest for the trees? Take a look at the picture below. Is it a thundering ocean? Or is it an electron microscope image of a piece of fabric? I don't know, it may be both.

But that isn't really the point. One of the hallmarks of the P-CSO is to think about the PROGRAM of security and to embrace the reality that the senior security professional's job is NOT to configure firewalls or ensure 99.999% AV coverage anymore. It's about managing the process of security. It's about persuading your peers on the executive team that security is important and they need to factor that into their own operations.

Per usual, Richard Bejtlich summarizes the concepts much more effectively than I could by breaking security up into macro and micro-security disciplines. I tend to work (and think and write) from the macro perspective. This is all about the BUSINESS of security. It involves positioning the value of the security program, evangelizing it, and then selling it to the folks that actually do things.

Micro-security is about what gets done. The day to day operations that drive the security process and hopefully repel the attackers for one more day.

To be clear, both are important. Many folks opt to focus on micro-security because that's what they know and they tend to feel more comfortable with their technical hats on. Even Richard admits: "I think I prefer microsecurity issues but spend time on the macro side when I have to justify my work to management."

And you can get through most days just focusing on the micro. But we need to keep in context that macro security is about more than justifying work to the money men (and women). The work you do on the macro side is about credibility. If you don't have that, you'll likely be sunk when the inevitable incident happens.

And then you'll have a lot of time to figure out the forest from the trees.

Photo credit: Bewdlerian

The Greatest Asset (and Threat)

As Matthew Rosenquist points out on the Intel blog, it's our people that are both our greatest asset and threat. That's why education and evangelizing the importance of security are so important. Your employees don't want to think about security, they want to do their job. But they can do their job with a healthy respect for attackers and a consideration for protecting private data and intellectual property, or not.

Your job is not to make their life hard, but to always be there to remind them about right and wrong. Especially when they first join the company. There I go again, talking about evangelizing and selling. If you want to focus on the micro (see above piece), that's fine - but understand that someone has to focus on the macro, bigger picture security program stuff.

Your job is also to save the employees from themselves by putting layers of defense in to make sure that even when they do stupid things, they don't put themselves or your organization at risk. But we don't need to tell them that, do we?

Pragmatic CSO Newsletter #62

Submitted by Mike Rothman on Wed, 2008-07-23 09:09.
Pragmatic CSO Weekly

July 23, 2008 - #62

Mike's Pep Talk:

"I found there was only one way to look thin, hang out with fat people." - Rodney Dangerfield

No, I'm not coming clean about being a little too festive on my vacation. Although I was. Today's pep talk is about the inevitability of your boss (or maybe even your boss's boss) coming to you and asking about cutting your budget. That's right, you'll probably be faced with tightening your belt over the next few quarters.

Which is OK because that chocolate cake (and 3/4 of a pizza) are over-rated anyway...

After the first few announcements from public security companies, and some of the other information sources I track - it seems that the security budget is still reasonably safe. At least relative to other things (perhaps like virtualization?). But to make the assumption that because our budget seems safe today, that it will be safe tomorrow is pretty much dumb.

You didn't become a Pragmatic CSO by being dumb. You have spent a lot of time building relationships and that means the senior folks may come and ask for a favor. Cut out some of the "nice to have" expenses built into the budget, and take a few for the team.

Can you do it? Where would you cut? What doesn't absolutely, positively need to get done yesterday? Of course, you already know the answer. Just go back to Step 1 and remind yourself what is important. Make sure those resources are protected, and let everything else slip a bit.

Of course it's sub-optimal, but it's reality. I personally (and no I'm not an economist and I've proven to be pretty crappy at predicting much of anything) believe that the second half of the year is going to be pretty bumpy and that security budgets will be cut as well. So get out ahead of it and start revisiting your 2H spending plans and see what can be moved to 2009.

A bunch of folks are increasingly talking about this reality. eWeek has some suggestions to defend your budget. Things like metrics (no, I'm not going to get started on that) and comparing your baseline to others (via things like CIS benchmarks), but in reality the answer isn't to fight for every last penny. It's to be a member of the team and cut like everyone else.

Some of the best advice I've seen on the topic comes from Stuart King, who reminds us that we can "negotiate" better with vendors (they need to hit their numbers too) and also that we need to really assess what is GOOD ENOUGH security.

We have the opportunity to win big points with the senior team by helping out when budgets get tight. You can squander it and alienate yourself from the rest of your management team. Or you can do the right thing for your business. The choice is yours.

CAVEAT: OK, to talk out of the other side of my mouth for a second, make sure that you really can cut before you willingly cut. If your security program is in shambles and it's just a matter of time before you have a huge breach, then obviously make it very clear that cuts in security spending put the organization at risk and in jeopardy. But make sure that is the case, not you just trying to save your cushy little security empire.

Photo credit: toffer

Pragmatic CSO Newsletter #53

Submitted by Mike Rothman on Wed, 2008-04-30 07:58.
Pragmatic CSO Weekly

April 30, 2008 - #53

Mike's Pep Talk:

"When choosing between two evils, I always like to try the one I've never tried before." - Mae West

A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver.

Let's get one thing straight. You are not the Lone Ranger. This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it.

In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive.

Why the dour tone today? Did someone piss in my Wheaties? Not exactly, since this is a concept I discuss pretty frequently in all of my publications. I read news clippings like this one in NetworkWorld about most employees intentionally skirting enterprise security controls, and part of me wants to hold my hands up and start serving Blizzards at Dairy Queen.

At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere.

Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that.

I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless?

Do you know the answer to that question? Do your corporate policies reflect that reality? If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground.

Photo credit: Buggs

Thinking out loud: A new type of IR practice

Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not).

Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing.

So I suggest we show them, in a way they haven't seen before.

You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan.

What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies.

Of course, the breach didn't really happen. It would be staged. But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies.

I know, I know. Intentionally deceiving employees is kind of an April Fool's joke gone wild. I'm sure there would be a number of folks pretty steamed when the truth that the breach was staged gets disclosed. And you'd need approval at the highest levels to pull off something like this, and how many CEOs would go for this kind of plan?

The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section about my "thinking out loud."

Pragmatic CSO Newsletter #50

Submitted by Mike Rothman on Wed, 2008-03-26 09:54.
Pragmatic CSO Weekly

March 26, 2008 - #50

Mike's Pep Talk:

Over the past 4 months or so, I've given the "How Focusing on Compliance Can Get You Killed" pitch, which focuses on the audit process and how to do it "right." The most recent version was presented at the Source Boston show. My bud RSnake writes up a little ditty that mentions the session and basically asks if auditors are "scarier" than hackers themselves.

That's actually an interesting question. Many of the folks that work with security professionals every day tend to see this dysfunctional behavior and perspective frequently. The problem is that most practitioners are too deep in the muck to realize how screwy that is.

Auditors are scary because we think of the audit like a 5 round fight with Anderson Silva. We figure we are going to get pummeled, look like an idiot, and have a list 4 times as long when the findings report comes back. Maybe if it goes well, only our heads will pop off. The fact is, security professionals can both influence the audit process and make it a productive experience.

That's right, an audit can be a productive experience. Now before you figure I'm on crack and send this newsletter to the circular bin, hear me out a bit. We seem to forget that auditors are on the same team we are. Seriously, they want to make sure the data of the organization is protected.

We also forget that auditors see an awful lot of stuff. They are in a different environment almost weekly. They see the good, the bad, and the ugly. Did you ever consider asking the auditor for help? Figuring out how they would recommend you solve a problem? You are probably too busy ducking, weaving and counter-punching.

For me personally, I think the hackers are a hell of a lot scarier than auditors. The hackers are trying to break my stuff and steal my private information and intellectual property. The auditors are working their asses off to protect it. You tell me which is the right side of the coin.

Think about this the next time you are prepping for an audit. Do you want it to be the equivalent of a root canal or a day in the park? OK, maybe not a day in the park, but at least the auditor will use Novocaine - if you ask nicely.

Photo credit: WhiskeyTangoFoxtrot

If they don't want a YES man, they want a YES man

When I'm kibitzing with practitioners at shows or in other venues, I usually try to understand how and why they ended up in security. Although a lot of folks enter the business because they think it's cool, or that they will have assured employment (both are true) - they don't realize how hard it is. Why is it hard? Because of the scenario that Sharky describes in this blog post.

The fact is, we security folks tend to fight as many battles inside our walls as we do outside. And I'm not even talking about the insider threat. I'm talking about the politics of making security, if not urgent, at least a consideration. The Sharky scenario scares the crap out of me because the poor support guy that gets saddled with the security title may as well leave today. He CANNOT be successful.

Why? Because the CIO wants a yes man. The first indication that someone wants a yes man is that they go out of their way to tell you that they don't want yes men. I've been there, sports fans, and that is indication #1. Folks that are interested in your opinion don't even think to mention yes men because that line of thinking is totally contrary to how they work. They EXPECT you to challenge them and they covet your perspectives. That stuff goes without saying.

Talk is cheap. And if they need to talk about treating you well, then they probably aren't doing it in practice.

The truth is that most executives are weak and they surround themselves with people that are weaker. They hoard information, keep their folks in the dark and try to position themselves as indispensable. Do any of those traits sound familiar? If so, get out now. You may as well be working for Mike Myers. You will end up with an ax in your head, sooner or later.

I was very lucky in that I was able to recruit great people to work with me. Not everyone (I did hire some stinkers over the years as well), but most. And I let them do their things. I'd challenge them and they'd challenge me. I wanted their opinion because I knew they were better at what they were doing than I was - or else they wouldn't be there.

Best of all, I learned from almost everyone that's ever worked on my teams. That's the thing that weak managers don't get. They think they know everything and since they tend to hire doofuses, they usually do know more than those around them. But they are on the express train to nowhere, and you deserve better. Make sure you are working for someone that will help you and teach you. Or else you are wasting your time.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.

BUY the Book Buy the PDF

Pragmatic CSO Weekly #45

Submitted by Mike Rothman on Wed, 2008-02-20 14:18.
Pragmatic CSO Weekly

February 20, 2008 - #45

Mike's Pep Talk:

In a perfect world, security begins at the beginning of time. Unfortunately, as AndyITGuy points out, the world is far from perfect.

In today's Pep Talk, let's revisit the skills that are absolutely critical to being a successful security professional. First, let's focus on the technical stuff. You need to understand web applications and a bit about web application security. That is going to be the attack vector that is most commonly used for the next few years.

Go get that JavaScript book and make sure you understand the fundamentals of AJAX and can see how an XSS happens. You'll also want to familiarize yourself with CSRF attacks.

But that's the easy stuff. As I mentioned in the 2007 Incite called "CSO Next" - the technical stuff is not going to determine success or failure for today's security professional. It's the ability to persuade, cajole, stiff-arm, and ultimately get the other senior managers (both within and outside of IT) on board with the need to think about security early in the process.

Back to Andy's situation because we can all learn from his post. First of all, change doesn't happen overnight. Yet with persistence and consistent effort, it will happen. Andy started with a few project managers, and then got some structural process change (his signature required to deploy an application).

As long as he doesn't position security as Dr. No or yet another hurdle to jump over, his rock is rolling downhill. It will gather speed and within a reasonable planning horizon (it could be months or years depending on the culture) security will be an intrinsic part of all technology efforts. And that is definitely a hallmark of CSO Next.

Photo credit: Gari.baldi

The importance of awareness training

Since we are revisiting a couple of Pragmatic CSO hallmarks this week, let's touch on security awareness training as well. I dug through my archives and found this survey from last year covered in InformationWeek. It's horrifying for a guy that evangelizes the need to have layers of defense deployed to stop as many attacks as possible.

YOUR END USERS ARE A LAYER. Just like a firewall, that is in front of an IPS, that is in front of a web application firewall, that is in front of a network security monitor, that is in front of a database monitor, that is in front of a partially encrypted database - you want a number of synergistic layers in place to ensure that if one control fails - things don't go south. Your end users can be another important layer of defense against a world of increasingly malicious client-side attacks.

Unfortunately, your users are not born with an instinct to defend themselves against cyber-predators. They've got to be taught. And you have to teach them.

It's easier to just buy a product, or outsource a function and hope the problem goes away. Yet you know that hope is not a strategy. You need to use all of the resources at your disposal, and your end users are certainly one of them.

Pragmatic CSO Newsletter #42

Submitted by Mike Rothman on Tue, 2008-01-29 08:05.
Pragmatic CSO Weekly

January 29, 2008 - #42

Mike's Pep Talk:

I remember many years ago when my Dad was teaching me how to throw and catch. He'd say countless times "keep your eye on the ball." Now the tables are turned and I say a similar mantra as the (thankfully) soft ball bounces off my boy's face, chest, and arms.

But this is also an important lesson to learn for not just security folks, but risk managers around the world. The big news this week is the SocGen fraud, where a rogue trader built a fraudulent audit trail to cover $7 BILLION in trading losses. And I thought 2001 was a bad year in the market for me.

With Friends Like These

First of all, I want to make it very clear what this fraud was NOT, and that is an information security issue. When something like this happens, it's amazing how many messages I get from vendors saying, "You need to write something about how [Product X] would have stopped this travesty!"

Not so much. It seems that SocGen had plenty of warnings that the trader was unstable and that he was doing strange things. They just decided to ignore the signs. The information was there, the fact that this guy had a detailed understanding of the risk management process should also have set off alarms.

Even though I haven't seen the show (because I don't get Showtime), I think Dexter is kind of like this. A crime scene investigator would know how to cover up a crime. Likewise, a risk manager would know how to cover up a fraud.

Which once again gets back to the main point, this is not a technology issue. It's a philosophical one. An organization needs to be committed to investigating potential issues, or suffering the consequences. In this case, the consequences come with 9 zeros at the end of it. And other banks around the world shudder and are thankful that it wasn't them. This time, anyway.

Photo credit: Brookenovak

A couple of P-CSO Reviews

The hype around the P-CSO has ebbed and flowed in the 12 months since its publication. But that doesn't mean folks aren't talking about it. Check out these reviews to get a little more detail on the process and why it's appropriate for even technical folks.

  1. RSnake - Application security aficionado Robert Hansen (also known as RSnake) published a review of the P-CSO on the ha.ckers.org site. Money quote:

    "It’s not a technical book, it’s a book on changing your thinking to get you ahead of the assailant, in the good graces of your executive staff and into auditory compliance. I’ve run into countless people in the industry who desperately need to read this book so that they too can get a clue. It’s not rocket science. It’s the art of running security like a business. Five stars, Mike!"

  2. Josh Richards - Josh checks out the P-CSO introduction and thinks it's "promising." Cool.

    "This appears to be a promising resource with some good food for thought and practical approaches all collected together in one place. And, to boot, the approaches that look to be discussed should be readily applicable beyond IT security, to any IT project."

    Yes, it's true. The P-CSO methodology can be applied to almost any IT problem, although it was built with security in mind.

Thanks guys!

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today. 


BUY the Book Buy the PDF




Pragmatic CSO Weekly #38

Submitted by Mike Rothman on Wed, 2007-12-12 10:36.
Pragmatic CSO Weekly

December 12, 2007 - #38

Mike's Pep Talk:

"May a weird holy man drop a cactus down your shorts." 

- Carnac the Magnificent


It's that time of year again, sports fans. It's time where those that can't, predict. So I'll give you some food for thought in this fine holiday season for things that you need to think about and focus on for 2008.

Of course, Carnac the Magnificent is a wonderful proxy to channel as I give you my thoughts on 2008, so without further ado - let me hold up the first envelope to my head.

Answer: A Caramel Macchiato

I want to thank my trusty sidekick, Security Mike, for opening up the envelopes and playing my foil during this game.

Security Mike: And the question is, "What the Pragmatic predictions and $4 will buy you at the Starbucks."

The first thing that I think is of concern for Pragmatic CSOs in 2008 is to continue to focus on being relevant and managing expectations appropriately. That means working the plan and communicating what you've done. You have a security business plan, right? You get face time with the senior team, right? There is a big risk of falling into old habits, and once again backsliding into your addiction of just reacting to what happens to you and throwing products at the problem. It means getting back to a "Security Products Anonymous" meeting, getting out from behind your desk and reinforcing those relationships you've built over the past year.

For my next prediction, the envelope please. [Security Mike hands Pragmatic Carnac the envelope] "1313 Mockingbird Lane"

Security Mike: The question this time is "Where to send the deeds to all the machines the bad guys own."

In 2008, if anything the focus of the bad guys on owning machines and turning them into bot armies will intensify. That means you need to both make sure you are constantly testing your environment (that's Step 10: Security Assurance), as well as making sure you are effectively monitoring your environment to pinpoint when bad actors have entered your environment. That's Step 7. Remember, we are looking to reduce the number of surprises and that means you need to know what the bad guys are going to know. We also want to REACT FASTER, so monitoring is absolutely key to that effort.

Let's do one more, before you bean the Pragmatic Carnac with a fastball. This answer is "Caesar, Brutus, and Bubba." Security Mike, please do the honors.

Security Mike: The final question is, "Your CEO's new roommates in the big house."

Yes, in 2008 security folks will continue to focus on compliance - much to the exclusion of the simple blocking and tackling to properly secure the environment. Pragmatic CSOs think of SECURITY FIRST, and my hope is that in 2008 we will continue that practice. The reality is that it isn't going to be easy, since many security "empires" will be dismantled as resources continue to migrate to the operational groups. Budgets are going to be flat and trending down, so it's not like we are going to have all sorts of money at our disposal anymore either.

We have to get back to basics: make sure your security business plan is solid, communicated, and executed. Security professionals will continue to have fastballs thrown at our heads all year, but we've got to stick to the Pragmatic plan, watch the backslides on our addictions and ultimately try to have some fun. If we aren't having fun, it's time to find something else to do.

In this week's issue:

This week's P-CSO Tip

If you fail to plan, you plan to fail

Since the pep talk was all about the security business plan this week, let me highlight a good post by Dre on the TS/SCI blog about, amazingly enough, "Building your security plan." Now Dre is about as wordy as Chris Hoff, but there are a lot of good nuggets in here - and he even mentions the old P-CSO as a framework to build your plan around.

As you read through the post, it's very easy to become overwhelmed. You have all sorts of plans to put together and don't forget to overlay the idea of risk (meaning economics) to make sure that whatever you are doing is really relevant to the organization. Then there is the nasty business of measuring and counting what you do and lots of other gotchas, which make the daily existence of security professionals pretty hard.

Ultimately, the general complexity of the task will make most folks stop and abort the process before it even gets going. My objective in writing the P-CSO was to build a methodology that DOES NOT get bogged down in a lot of the details of precisely valuing assets or trying to really estimate the impact of a breach. That is a fool's errand.

It's all about the relationships you build and the credibility you gain by doing the right things consistently, managing expectations effectively and communicating your efforts to the people that matter. The P-CSO has a very streamlined planning phase because I'm probably a lot like you: I'd rather spend my time doing things, as opposed to talking about doing things.

But if you don't have the structure of a plan, if only to communicate what you are doing to the powers that be, it's going to be very, very hard to achieve success.


Blog Post: The Changing Role of the CSO

It's nice when the market comes to you. I've been talking about the need for Chief Security Officers to become more business oriented, rather than technically focused, for a long time. Now it seems this is the discussion that the "cool kids" are having at conferences and other venues. TechTarget's Dennis Fisher talks about a panel at their recent Information Security Decisions show that basically says the skill set of the CSO needs to rapidly expand.

No kidding. Security is a critical BUSINESS function, and therefore the senior security officer needs to be more focused on how attacks impact that business than on the technology that is used to either launch or defend against the attacks.

To be clear, there will certainly be professionals that don't want to muck with the business folks and engage at that level. That's fine, but that precludes those folks from ever having the senior security role. As part of everyone's career management process, you should be figuring out whether you want to stay technically focused or whether you want to climb the management ladder, which will require more and enhanced business skills.
