Pragmatic CSO

Pragmatic CSO review on Slashdot

Submitted by Mike Rothman on Mon, 2008-07-28 13:35.

Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:

Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.


Report Card: 2007 Incite #2 - CSO Next

Submitted by Mike Rothman on Mon, 2007-12-24 07:37.

Let's continue marching through the Incites. After this one, we'll be 20% done! Now that's a half-full viewpoint, if I ever saw one...

Incite #2 - CSO Next

A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSO.


Final grade: A

The concept of this Incite is right on the money. All over the industry you continue to hear about how Chief Security Officers need to transcend the technology and really focus on how security plays within the business. Wait. Can you hear that? It must be the sound of one hand clapping.

As much as I nail it relative to what CSO Next needs to be able to do, the cold, harsh reality is most security professionals are woefully unable to make this transition. The reality is that many security folks are not cut out to have a C-level title. It’s as simple as that.

So, the first thing on your list for 2008 needs to be a brutally honest assessment of whether you want to make the transition. It’s OK if you don’t. That’s cool, but to take the job and fail because you don’t want to deal with politics or focus on persuasion, just means you are going to stunt your own career.

That is not what you want under your tree during the holidays.

But if you are the type that wants to take that step, then start to take a crash course in your business. What are the revenue drivers? What are the cost levers? Do you understand the key imperatives for the CEO? How about how those imperatives map to the CIO’s strategy and thus, how they impact what security has to worry about?

Are you getting ahead of the curve and studying all about data security and this Web 2.0 stuff? If not, and you want to be CSO Next, you better get to work. No rest for the weary – get to it. There’s a big world out there that needs to be protected.

Check out the other posts in the Report Card series.

Inciting: May Speaking Gigs

Submitted by Mike Rothman on Tue, 2007-05-01 12:37.

As I've mentioned, I'm hitting the road pretty hard in May, much to the chagrin of the Boss. Some speaking gigs, some strategy sessions. Here is where you can see me in a public setting:

  • All Ohio InfoSec/InfraGard Event - May 17-18 in Columbus, OH

    I'll be doing two sessions here, one during the evening reception and I'll also be moderating a panel on security metrics. I'll also be available to sign books at the show.

  • CSI roadshow: New Vulnerability Management Tactics for IT Professionals

    May 8 - Los Angeles
    May 10 - San Francisco
    May 22 - Chicago
    May 24 - NYC

    I'll discuss a Pragmatic approach to vulnerability management and penetration testing, and there will be a hacker challenge, sponsored by Core Security, at the end of the day. Core is also raffling off 5 signed copies of the Pragmatic CSO at each location.

There will be more to come, so stay tuned to the blog.


All aboard - The P-CSO Bootcamp Maiden Voyage

Submitted by Mike Rothman on Fri, 2007-04-13 11:21.

When the Pragmatic CSO launched back in January, there were a number of companion offerings on the drawing board, including a Web community, training programs, and a coaching offering.

With the announcement of the Security Education Network (SEN) a few weeks back, rushing towards a late April launch, it's time to continue filling out the offerings. So I'm announcing the maiden voyage of the one-day P-CSO Bootcamp. This is planned for May 3 (which is a Thursday) in Atlanta. UPDATE: The session has been moved to JUNE 6 (which is a Wednesday).

Since this is the maiden voyage and I expect to learn a LOT relative to the curriculum and exercises, I'm going to offer this initial course at a substantial discount (think like 75% discount). But before I get into the specifics, let me outline how the P-CSO Bootcamps are going to work. There will be one-day and two-day offerings, depending on the level of work and exercises you need.

  • The one-day session outlines the P-CSO process in great detail and goes through completed samples of the templates to understand the level of content required and quite a few tricks of the trade. This session will cost $995 and will include the P-CSO book and a 30 minute pre-class call to discuss your environment and prepare you for the training.
  • The two-day sessions are structured using the case-based educational method. I couldn't get into Harvard B-school, so I may as well copy their teaching style. Students will actually be building a Pragmatic Security Program for a fictional company. This includes interviewing executives, making presentations, and documenting findings. This session will list for $1895 and will also include the book and the 30 minute pre-class call.

In May I'll announce more specifics about an online course offering, as well as the coaching services that will go in tandem with the P-CSO training programs.

Hopefully I whet your whistle a bit when I mentioned discounts above, and I'm offering the maiden voyages at a substantial discount. For $249 you can attend the maiden voyage and that INCLUDES the P-CSO book ($97 value). I'll also do the pre-call since that is part of the offerings. Let's just say when you include a 30 minute coaching session and the book, you are getting the training for next to nothing. That's a pretty good deal.

The maiden voyage is happening May 3 on my home turf in Atlanta. It will be a reasonable hotel (no Four Seasons, sorry), probably in the Perimeter or Buckhead areas a bit north of the city. More specifics to follow. Given the time frames you could get a cheap flight, if you aren't local.

I'm also capping the attendance at 10, so I can focus and really get some great feedback. Remember, I'm doing the session at such a discount to learn and make sure the content is exactly right before I start charging real money for these sessions. Secure your spot today, just click here.

I'll be doing a similar discount structure for the 2 day session that will be held in June. I'll set up the shopping cart for that offering and start taking registrations later this month, once the date is finalized.

I'm really excited about the training sessions, hopefully you are as well. Remember, there is only one maiden voyage for each training program, and you won't see discounts like this again. So sign up now and secure your seat on the SS P-CSO.



Inciting: Milwaukee ISSA next week

Submitted by Mike Rothman on Tue, 2007-04-03 12:11.

I'm packing the bags and heading out on the road quite a bit over the next two months to spread the gospel of the Pragmatic CSO. There will be a mixture of ISSA and vendor-sponsored events. The first of these starts next week, when I'll be in Milwaukee to talk to the ISSA group there.

Clint Laskowski, a Pragmatic CSO himself, is the director of events there and has graciously invited me to spend some time with the group. I'm going to do an hour on the Pragmatic CSO and another hour basically just answering folks' questions. You can get a full agenda and figure out where to register here.

I'll do separate posts, but in May I'll be in Cincinnati (for a Marshal seminar), in Columbus OH (for an ISSA meeting and other events) and I'll be doing a 4 city tour (LA, SF, NY, CHI) with Core Security. Hopefully I'll get a chance to do some meet-ups when I'm in your neck of the woods.

I hope to see you in Milwaukee. I'll put on a good show - I promise...


2007 DOI: Day 2 - CSO Next

Submitted by Mike Rothman on Thu, 2007-02-15 10:59.


A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically-oriented CSO.


The number of questions I get from readers and other industry contacts about the “type” of CSO that can be successful in today’s environment is shocking. But it indicates that the CSO role is in the middle of a significant transition - which is actually true. So in this Incite, I put together a little laundry list of the types of characteristics that I believe make up "CSO Next."

What the hell is CSO Next? Right, that doesn’t mean a hell of a lot, and many of these definitions are kind of motherhood and apple pie. But while you are asking, I figure I may as well eat some apple pie. Though I’m sure I’ll need to spend an extra 90 minutes or so on the treadmill to work it off.

Let’s also be clear that having all of these traits is not a requisite for success. But if you want to maximize your opportunity and have the most impact on your organization, you should probably start working on some of these skills, if they aren’t currently your forte.


  • High visibility – For better or worse, the CSO job is all about influence and persuasion. Thus you need to be out there, working with the business folks and celebrating your victories. That’s hard for many CSOs, but if you don’t toot your own horn, no one else is going to.

  • Setting milestones – No, getting through the day is not an adequate milestone. One of the hallmarks of the Pragmatic CSO approach is to run security like a business, and businesses have a plan and plans lay out milestones. Upgrading firewalls doesn’t qualify either. Locking down the most critical business system you have does.

  • Communicating progress – Once the meaning of success and the associated milestones are agreed upon, then you need to show that you are getting there. This means you need to stay in front of the power brokers and show that you are achieving your plan. Remember, general managers and other operational folks are held to task to achieve their plan – you should be too.

  • Prioritizing fiercely – The list is too long. You can’t get it all done. So prioritizing effectively is absolutely critical. ‘nuf said. I do delve into this in one of the “5 tips to be a better CSO.” You can get the tips by registering on the Pragmatic CSO site.

  • Outsourcing strategically – There is no award for doing everything yourself, so look to get help where necessary and prudent. Staff augmentation is a good thing, since no one I know has enough staff. But CSO Next maintains control of the program management function, since outsourcing strategy is a really bad idea.

  • Managing vendors aggressively – This is about more than beating vendors down to get the best price (though that is also a good thing to do). You need to hold vendors to their commitments and stamp your feet and potentially go somewhere else if they’ve sold you a bill of goods (which has been known to happen). There is an entire chapter on this in the P-CSO.

  • Embracing advisors and coaches – Pragmatic CSOs are not proud, they are just interested in getting the job done. So that usually means assembling a group of advisors that can help put everything in perspective, challenge your assumptions, and basically keep you on the straight and narrow. Most people are very generous with their time, if they feel they are helping you. Don’t be bashful, there is no crime in asking for help.

You may be good at some of these things and need some improvement in others. And don’t sweat it if you don’t have an MBA. I don’t (much to the chagrin of my Dad). An MBA-type is as much philosophy and perspective as anything else. So think like a business-person and you will be perceived as a business person, and that’s what CSO Next is all about.


Pragmatic CSO podcast - Part 1 is up

Submitted by Mike Rothman on Mon, 2007-01-29 18:54.

My buddy Alan Shimel slaved away all weekend working the sound editing on the special "Pragmatic" edition of his and Mitchell's podcast. He's posted Part 1 and Part 2 will appear later this week.

Check it out, I think it explains a lot more detail about the P-CSO process than you get even in the introduction. In this first section, I go through why I wrote the P-CSO and the first 6 steps of the process. You can't get this content anywhere else.

You can check out Alan's post here and use the cool ClickCaster player directly from his web page.

Or download the podcast directly here.

And then go buy the book at



The Pragmatic CSO - Book it, Danno

Submitted by Mike Rothman on Tue, 2007-01-09 22:57.

As promised, the hard copy version of the Pragmatic CSO is now available for ordering. Thanks to all of you who let me know that you wanted a BOOK, not just a PDF. It's hard to believe, but I actually listen every now and again.

A personalized PDF will still be bundled with the book, as it can take 3-5 days for you to get your book and I'm sure you'll want to start sooner than that. You'll still get the PDF within one business day via email.

Better yet, I'm keeping the price at $97. That's right, the book and the PDF for $97. If you just want the PDF, that will be $87.

So, there are no more excuses. Buy it today at

The Pragmatic CSO is HERE!

Submitted by Mike Rothman on Tue, 2007-01-02 05:41.

It is with great pleasure that I announce the availability of The Pragmatic CSO: 12 Steps to Being a Security Master. It's been an interesting process and I learned a lot. I'm sure you will be pleased with the outcome.

So, what now? Go back to and check out the new site. You can buy the book RIGHT NOW, by navigating down the page a bit and clicking on the "BUY NOW" button. It'll cost you $97 and there are some volume discounts for those that want to "gift" the P-CSO to friends and colleagues.

The first 100 customers will get a limited edition Pragmatic CSO poster to hang on their wall. It's kind of like having a devil (or angel) riding on your shoulder at all times to keep you on the straight and narrow.

For the next day or so, you'll need to process the payment through PayPal (you can still use your credit card) as I work through the nuances of merchant accounts and shopping carts. Told you I learned a lot.

If you aren't ready to buy yet, you can check out the introduction. That will give you a flavor of the content and writing style. You'll also get to see the 12-steps in all their glory. You'll need to opt in on the web site and you'll get an email with the download information. You'll also get "5 tips on being a Better CSO" for your trouble.

I had a number of folks review the manuscript, and perhaps the most interesting tidbit of feedback was that the P-CSO is bigger than the CSO. Security and VoIP blogger Ken Camp told me that he thinks anyone that has to manage CSOs should read the book as well. So if you are a CSO great. If you manage a CSO, you should read it too.

And I know that a lot of my vendor and PR readers have been looking for some ways to do business. Well, now you have it - and it's pretty cheap. So even if you aren't an end-user type - maybe you know some that would appreciate the book (it's a great gift). Or maybe you like the Daily Incite and want to make sure I can pay the bills to keep writing it. Either way, I appreciate the business.

So what's next? The Pragmatic CSO community will launch in February. Not only will there be templates and forums focused on the book, but at long last I'll be publishing some Security Incite research for subscribers. I'll also be doing interviews and vendor "hot seat" podcasts on the site each month as well.

And yes, there is more. With a purchase of the book, you get a 30-day trial in the community (value: $97). So basically you are getting the book for free. So watch this space. It'll be a busy January, but I'm excited about what's next for the Pragmatic CSO.

Finally, I couldn't do much of anything without all of you that read my stuff every day. Thanks for that, and I am looking forward to your feedback on the book.

Let's make 2007 the year of the Pragmatic CSO!


Year-end webcast and seminar promotion

Submitted by Mike Rothman on Mon, 2006-11-06 17:12.

To celebrate the announcement of the new Pragmatic CSO: 12 Steps to Becoming a Security Master, I'm running a promotion between now and the end of the year. Basically, I want to be anywhere and everywhere over the first half of 2007 to evangelize the Pragmatic CSO methodology.

I've done a fair number of webcasts and speaking gigs this year, but I want to do more and I'm willing to make it very, very attractive for vendors and associations to bring me in to speak. My standard price for a webcast is $4000, but until the end of the year I'm reducing the price to $2000 for the first and $1500 for any subsequent events. This is about 25% of what it costs to have any of the "name brand" analyst (read Big Research) firms participate in your event, and I put on a better show.

For live seminars, I'll do a flat $2500 plus travel. Again, this is less than 30% of what it would cost you to get a Big Research analyst and they are pretty finicky about when and where they do events. You can't beat the value.

So, you probably want to do a series, maybe one per month or every other month, to delve into topics that are important to you and your company. All I ask is that I get a minute or two to discuss the Pragmatic CSO project at the beginning of the session, during my intro. So I'll talk about pretty much anything relating to information security, and all I ask is a little time to introduce my book and methodology at the beginning of the pitch.

Associations should also consider having me as a speaker. I'll do those gigs for free. All you have to do is pay my travel expenses to your location, and I travel cheap. So all of you ISSA or InfraGard chapters, sign up now.

What's the catch? Events need to involve a crowd of end users (sorry, sales meeting pitches aren't eligible) and must be completed by June 30, 2007 (use it or lose it). Payment must be received by December 29, 2006, which is the last business day of 2006. This gives you a great way to both burn up all of that extra marketing programs budget, and also make sure you have compelling events and offers to generate lots of leads throughout the first half of 2007.

So if you are interested, drop me a note (mike.rothman (at) securityincite (dot) com) or call. I suspect there will be a lot of interest in this promotion, so in order to get your pick of dates, sign up now.