The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to be techies, for the most part) how to think like a businessperson who reports and interacts with other businesspeople. I took business classes in college and graduate school, and I run my own business. Most of the time, however, I'm doing technical work. I usually stay so busy that I don't consciously consider the sorts of business issues Mike describes. Consider the following quote from pages 51-2:
The only way to get a seat at the table is by holding yourself to the same standards as everyone else. Operate a program, improve where necessary, track metrics, and report progress. Then repeat. Welcome to the wonderful world of business...
In business, perception is often more important than reality. Competence does the CSO little good unless senior management perceives him (or her) as competent. To do that, a Pragmatic CSO must learn to approach the job as a business manager does. The CSO job should be managed in the same way that the CFO manages finances, the CIO manages the IT department, and the CEO manages the business. This means identifying business goals, creating a step-by-step plan for achieving those goals, and executing on that plan, all the while communicating activities and success to senior management... instead of being treated as a security wonk.
Consider this from page 45:
When the CEO asked you if your security is effective, do you think he believed you... Since you haven't told the CEO what effective security is, why would he believe you?
In other words, frame perceptions. Furthermore, from page 70:
If there are no consequences for failure, you aren't a business unit.
So what is good security? Read pages 47-48:
No availability issues due to security problems. No loss of corporate intellectual property. No lawsuits because of policy violations. No problems that cause the PR spin-meisters to work overtime. Finally, a strong presentation to the auditors and examiners that you are in compliance with whatever regulation/policy is applicable...
You want show show improvement in the areas that are within your control. You want to see awareness going in the right direction. You want to make sure that security is not so onerous that it's getting in the way of business. You want to show that your environment is getting more secure via periodic penetration and vulnerability tests. And you want to show that you continue to improve how incidents are dealt with.
What, no tracking to show that 100% of machines are patched? Who cares! Mike is exactly right there, and here on pages 46-47:
Security is clearly overhead... the goals of any security program are to maintain availability, protect intellectual property, shepherd the brand, limit corporate liability, and ensure compliance. None of those activities directly contribute to the top line. But it can provide a strategic advantage...
[Y]ou are not going to put together a model that shows a positive ROI. That is fruitless and very hard to prove, so ultimately it's a waste of time. But we are trying to evangelize the mindset that an effective, programmatic approach to security will save the company money.
From the book I synthesized a few lists I plan to use in the future.
First, how to run a business or team:
- Set goals.
- Build a plan.
- Execute the plan.
- Track metrics and try to improve.
- Report progress.
The last item really only applies when you have upper or outside accountability.
Second, how to build a business plan using five elements:
- Position: Why does your group exist?
- Priorities: Where should you focus attention?
- Structure: How should you organize and operate?
- Service: What do you deliver to customers?
- Time: When are your deadlines?
None of this may make an impact unless you're in the middle of a project that involves contemplating such issues. As a small business owner I'm always grappling with these subjects. Even though P-CSO is written for Chief Security Officers in the corporate world, I found its business focus helpful for me as a consultant and business person. If any of what I wrote resonates with you, I strongly recommend buying and reading The Pragmatic CSO. All CSOs should also have a copy, period.