Review of The Pragmatic CSO

While waiting in the airport, and flying between Ottawa and Washington Dulles, I read a copy of Mike Rothman's new book The Pragmatic CSO. I was somewhat suspicious of some of the early reviews, since they appeared so quickly after the book was published. You can rest assured that I read the whole book -- and I really liked it.

The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to be techies, for the most part) how to think like a businessperson who reports and interacts with other businesspeople. I took business classes in college and graduate school, and I run my own business. Most of the time, however, I'm doing technical work. I usually stay so busy that I don't consciously consider the sorts of business issues Mike describes. Consider the following quote from pages 51-2:

The only way to get a seat at the table is by holding yourself to the same standards as everyone else. Operate a program, improve where necessary, track metrics, and report progress. Then repeat. Welcome to the wonderful world of business...

In business, perception is often more important than reality. Competence does the CSO little good unless senior management perceives him (or her) as competent. To do that, a Pragmatic CSO must learn to approach the job as a business manager does. The CSO job should be managed in the same way that the CFO manages finances, the CIO manages the IT department, and the CEO manages the business. This means identifying business goals, creating a step-by-step plan for achieving those goals, and executing on that plan, all the while communicating activities and success to senior management... instead of being treated as a security wonk.

Consider this from page 45:

When the CEO asked you if your security is effective, do you think he believed you... Since you haven't told the CEO what effective security is, why would he believe you?

In other words, frame perceptions. Furthermore, from page 70:

If there are no consequences for failure, you aren't a business unit.

So what is good security? Read pages 47-48:

No availability issues due to security problems. No loss of corporate intellectual property. No lawsuits because of policy violations. No problems that cause the PR spin-meisters to work overtime. Finally, a strong presentation to the auditors and examiners that you are in compliance with whatever regulation/policy is applicable...

You want show show improvement in the areas that are within your control. You want to see awareness going in the right direction. You want to make sure that security is not so onerous that it's getting in the way of business. You want to show that your environment is getting more secure via periodic penetration and vulnerability tests. And you want to show that you continue to improve how incidents are dealt with.

What, no tracking to show that 100% of machines are patched? Who cares! Mike is exactly right there, and here on pages 46-47:

Security is clearly overhead... the goals of any security program are to maintain availability, protect intellectual property, shepherd the brand, limit corporate liability, and ensure compliance. None of those activities directly contribute to the top line. But it can provide a strategic advantage...

[Y]ou are not going to put together a model that shows a positive ROI. That is fruitless and very hard to prove, so ultimately it's a waste of time. But we are trying to evangelize the mindset that an effective, programmatic approach to security will save the company money.

From the book I synthesized a few lists I plan to use in the future.

First, how to run a business or team:

  1. Set goals.

  2. Build a plan.

  3. Execute the plan.

  4. Track metrics and try to improve.

  5. Report progress.

The last item really only applies when you have upper or outside accountability.

Second, how to build a business plan using five elements:

  1. Position: Why does your group exist?

  2. Priorities: Where should you focus attention?

  3. Structure: How should you organize and operate?

  4. Service: What do you deliver to customers?

  5. Time: When are your deadlines?

None of this may make an impact unless you're in the middle of a project that involves contemplating such issues. As a small business owner I'm always grappling with these subjects. Even though P-CSO is written for Chief Security Officers in the corporate world, I found its business focus helpful for me as a consultant and business person. If any of what I wrote resonates with you, I strongly recommend buying and reading The Pragmatic CSO. All CSOs should also have a copy, period.


Unknown said…

Given the amount of books you read on a regular basis, the last paragraph of your review is incredibly high praise. Not that I disagree with you, but I'm not used to you speaking out so strongly for a book.

Anonymous said…
I'm still not convinced. Say more about that. Rothman's blog is kinda... uh... not as good as this one. You should write a $97 PDF about how to talk to business people.

Instead, I'll just use Trashmail(tm) to create accounts for me on Jigsaw while I glean personal information for people I'm about to interview in a business setting after stalking them for 12 hours. Yes, it freaks people out but at least they know where I stand on the food chain.
Anonymous said…
This topic should be a SANS course instead of "Malware removal expert."
Anonymous said…
That last sentence should be changed to read "All security professionals should also have a copy, period." It's my opinion that in today's security world a professional that has a balance of technical and business skills is going to be farther ahead of others and bring value to his/her organization. This doesn't mean packet monkeys need MBA's. This means have a basic understanding of what your business does and what your CEO and CFO are concerned about. The means have a basic understanding of the principles of risk management. Make sure you take that understanding and align your security practices to the goals of your business leaders. Sometimes that means educating them on the realities of techinal issues. If you take this approach, you are almost automatically creating and tracking your value to the company (metrics, not ROI). As someone who is a technical network security engineer, the NSA course on Information Assurance and Risk Management is one of the best security classes I've ever attended.
Anonymous said…
Minor quibble, re:

5. Report progress.

The last item really only applies when you have upper or outside accountability.

I disagree. If you're working for or with a team, it doesn't matter if your bosses care, your team does. So report progress to them. If you're managing the team, facilitate it.

And if it's just yourself... report it anyway. You can use the executive summaries you wrote to quickly remind yourself where you were x months ago, or y years ago.

My own job requires certain metrics; tracking time, which I do in our RT system. As a result, I can pull out all sorts of information about the kinds of work I was doing when, and how long it took me. I've come to love this so much that I would do so even if I were not absolutely required to, and I do it for work I do at home for myself now too. Next step was to write weekly summary reports to my weblog - for myself, but my boss now uses them at our bi-weekly meetings too, and we find them useful. Next step will be monthly summaries, which will make my performance reviews easier (and hopefully more likely to net me a raise ;) ).
Anonymous said…
Although I have not read the book yet, I've read several reviews of it. I'm sure the book is full of good leadership and management principles, but they weren't invented here. They are just concepts from other management texts applied to our field. Quite frankly, if you are in the position of CSO or something similar and you don't know many of these topics, then I have to ask, "How did you get there to start with?" No doubt the book makes a good reference, but come on, any good leader/manager should know most of these already.
Good grief. Isn't it enough that someone decided to apply these techniques to our field, using language we understand and context with which we're familiar?
Anonymous said…
As I said, I don't question the value of the book's topics. Nor do I question the application to our field. It should serve as a good reference. It just seems to me that if you are in this position you should already have a good idea about most of these topics. Although I know that is not true, as many times top technical performers get promoted into this role and don't have these skiils...or, as the saying goes, incompetence rises..
Anonymous said…
I have had the opportunity to examine a number of large and mid-sized organizations from the inside. They all have examples of the same thing; gaps.

Gaps between what information assets they should be protecting from a business-survival point of view and what they are protecting; gaps between what they say they do and what they really do; and gaps between their portrayed expertise and their achievements.

Is "Pragmatic CSO" the only path to improvement? Are the ideas unique, original, earth shattering? Clearly, no.

Would following the "Pragmatic CSO" improve each and every one of these organisations? Absolutely, yes.

I'll do what I can to help "Pragmatic CSO" reach a 'tipping point'; the time is ripe for organizations to embrace its concepts.
Anonymous said…
Thanks for the nice post!

Popular posts from this blog

MITRE ATT&CK Tactics Are Not Tactics

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4