Review of The Pragmatic CSO
While waiting in the airport, and flying between Ottawa and Washington Dulles, I read a copy of Mike Rothman's new book The Pragmatic CSO. I was somewhat suspicious of some of the early reviews, since they appeared so quickly after the book was published. You can rest assured that I read the whole book -- and I really liked it.
The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to be techies, for the most part) how to think like a businessperson who reports and interacts with other businesspeople. I took business classes in college and graduate school, and I run my own business. Most of the time, however, I'm doing technical work. I usually stay so busy that I don't consciously consider the sorts of business issues Mike describes. Consider the following quote from pages 51-2:
The only way to get a seat at the table is by holding yourself to the same standards as everyone else. Operate a program, improve where necessary, track metrics, and report progress. Then repeat. Welcome to the wonderful world of business...
In business, perception is often more important than reality. Competence does the CSO little good unless senior management perceives him (or her) as competent. To do that, a Pragmatic CSO must learn to approach the job as a business manager does. The CSO job should be managed in the same way that the CFO manages finances, the CIO manages the IT department, and the CEO manages the business. This means identifying business goals, creating a step-by-step plan for achieving those goals, and executing on that plan, all the while communicating activities and success to senior management... instead of being treated as a security wonk.
Consider this from page 45:
When the CEO asked you if your security is effective, do you think he believed you... Since you haven't told the CEO what effective security is, why would he believe you?
In other words, frame perceptions. Furthermore, from page 70:
If there are no consequences for failure, you aren't a business unit.
So what is good security? Read pages 47-48:
No availability issues due to security problems. No loss of corporate intellectual property. No lawsuits because of policy violations. No problems that cause the PR spin-meisters to work overtime. Finally, a strong presentation to the auditors and examiners that you are in compliance with whatever regulation/policy is applicable...
You want to show improvement in the areas that are within your control. You want to see awareness going in the right direction. You want to make sure that security is not so onerous that it's getting in the way of business. You want to show that your environment is getting more secure via periodic penetration and vulnerability tests. And you want to show that you continue to improve how incidents are dealt with.
What, no tracking to show that 100% of machines are patched? Who cares! Mike is exactly right there, and here on pages 46-47:
Security is clearly overhead... the goals of any security program are to maintain availability, protect intellectual property, shepherd the brand, limit corporate liability, and ensure compliance. None of those activities directly contribute to the top line. But it can provide a strategic advantage...
[Y]ou are not going to put together a model that shows a positive ROI. That is fruitless and very hard to prove, so ultimately it's a waste of time. But we are trying to evangelize the mindset that an effective, programmatic approach to security will save the company money.
From the book I synthesized a few lists I plan to use in the future.
First, how to run a business or team:
- Set goals.
- Build a plan.
- Execute the plan.
- Track metrics and try to improve.
- Report progress.
The last item really only applies when you have upper or outside accountability.
Second, how to build a business plan using five elements:
- Position: Why does your group exist?
- Priorities: Where should you focus attention?
- Structure: How should you organize and operate?
- Service: What do you deliver to customers?
- Time: When are your deadlines?
None of this may make an impact unless you're in the middle of a project that involves contemplating such issues. As a small business owner I'm always grappling with these subjects. Even though P-CSO is written for Chief Security Officers in the corporate world, I found its business focus helpful for me as a consultant and business person. If any of what I wrote resonates with you, I strongly recommend buying and reading The Pragmatic CSO. All CSOs should also have a copy, period.
Comments
Given the amount of books you read on a regular basis, the last paragraph of your review is incredibly high praise. Not that I disagree with you, but I'm not used to you speaking out so strongly for a book.
Martin
Instead, I'll just use Trashmail(tm) to create accounts for me on Jigsaw while I glean personal information for people I'm about to interview in a business setting after stalking them for 12 hours. Yes, it freaks people out but at least they know where I stand on the food chain.
5. Report progress.
The last item really only applies when you have upper or outside accountability.
I disagree. If you're working for or with a team, it doesn't matter if your bosses care, your team does. So report progress to them. If you're managing the team, facilitate it.
And if it's just yourself... report it anyway. You can use the executive summaries you wrote to quickly remind yourself where you were x months ago, or y years ago.
My own job requires certain metrics; tracking time, which I do in our RT system. As a result, I can pull out all sorts of information about the kinds of work I was doing when, and how long it took me. I've come to love this so much that I would do so even if I were not absolutely required to, and I do it for work I do at home for myself now too. Next step was to write weekly summary reports to my weblog - for myself, but my boss now uses them at our bi-weekly meetings too, and we find them useful. Next step will be monthly summaries, which will make my performance reviews easier (and hopefully more likely to net me a raise ;) ).
Gaps between what information assets they should be protecting from a business-survival point of view and what they are protecting; gaps between what they say they do and what they really do; and gaps between their portrayed expertise and their achievements.
Is "Pragmatic CSO" the only path to improvement? Are the ideas unique, original, earth shattering? Clearly, no.
Would following the "Pragmatic CSO" improve each and every one of these organisations? Absolutely, yes.
I'll do what I can to help "Pragmatic CSO" reach a 'tipping point'; the time is ripe for organizations to embrace its concepts.