Comments on TaoSecurity Blog: Review of The Pragmatic CSO
Blog author: Richard Bejtlich (comment feed last updated 2023-10-16)

Anonymous, 2007-09-03 19:16 -04:00:
Thanks for the nice post!

Anonymous, 2007-04-04 00:09 -04:00:
I have had the opportunity to examine a number of large and mid-sized organizations from the inside. They all have examples of the same thing; gaps.

Gaps between what information assets they should be protecting from a business-survival point of view and what they are protecting; gaps between what they say they do and what they really do; and gaps between their portrayed expertise and their achievements.

Is "Pragmatic CSO" the only path to improvement? Are the ideas unique, original, earth shattering? Clearly, no.

Would following the "Pragmatic CSO" improve each and every one of these organisations? Absolutely, yes.

I'll do what I can to help "Pragmatic CSO" reach a 'tipping point'; the time is ripe for organizations to embrace its concepts.

Anonymous, 2007-01-26 19:43 -05:00:
As I said, I don't question the value of the book's topics. Nor do I question the application to our field. It should serve as a good reference. It just seems to me that if you are in this position you should already have a good idea about most of these topics.
Although I know that is not true, as many times top technical performers get promoted into this role and don't have these skills... or, as the saying goes, incompetence rises.

Richard Bejtlich, 2007-01-25 22:43 -05:00:
Good grief. Isn't it enough that someone decided to apply these techniques to our field, using language we understand and context with which we're familiar?

Anonymous, 2007-01-25 10:10 -05:00:
Although I have not read the book yet, I've read several reviews of it. I'm sure the book is full of good leadership and management principles, but they weren't invented here. They are just concepts from other management texts applied to our field. Quite frankly, if you are in the position of CSO or something similar and you don't know many of these topics, then I have to ask, "How did you get there to start with?" No doubt the book makes a good reference, but come on, any good leader/manager should know most of these already.

Anonymous, 2007-01-24 17:41 -05:00:
Minor quibble, re:

"5. Report progress.

The last item really only applies when you have upper or outside accountability."

I disagree. If you're working for or with a team, it doesn't matter if your bosses care, your team does. So report progress to them. If you're managing the team, facilitate it.

And if it's just yourself... report it anyway. You can use the executive summaries you wrote to quickly remind yourself where you were x months ago, or y years ago.

My own job requires certain metrics; tracking time, which I do in our RT system. As a result, I can pull out all sorts of information about the kinds of work I was doing when, and how long it took me. I've come to love this so much that I would do so even if I were not absolutely required to, and I do it for work I do at home for myself now too. Next step was to write weekly summary reports to my weblog - for myself, but my boss now uses them at our bi-weekly meetings too, and we find them useful. Next step will be monthly summaries, which will make my performance reviews easier (and hopefully more likely to net me a raise ;) ).

Anonymous, 2007-01-23 19:12 -05:00:
That last sentence should be changed to read "All security professionals should also have a copy, period." It's my opinion that in today's security world a professional that has a balance of technical and business skills is going to be farther ahead of others and bring value to his/her organization. This doesn't mean packet monkeys need MBAs. This means have a basic understanding of what your business does and what your CEO and CFO are concerned about. This means have a basic understanding of the principles of risk management.
Make sure you take that understanding and align your security practices to the goals of your business leaders. Sometimes that means educating them on the realities of technical issues. If you take this approach, you are almost automatically creating and tracking your value to the company (metrics, not ROI). As someone who is a technical network security engineer, the NSA course on Information Assurance and Risk Management is one of the best security classes I've ever attended.

Anonymous, 2007-01-23 13:16 -05:00:
This topic should be a SANS course instead of "Malware removal expert."

Anonymous, 2007-01-23 00:48 -05:00:
I'm still not convinced. Say more about that. Rothman's blog is kinda... uh... not as good as this one. You should write a $97 PDF about how to talk to business people.

Instead, I'll just use Trashmail(tm) to create accounts for me on Jigsaw while I glean personal information for people I'm about to interview in a business setting after stalking them for 12 hours. Yes, it freaks people out but at least they know where I stand on the food chain.

Martin, 2007-01-22 23:06 -05:00:
Richard,

Given the amount of books you read on a regular basis, the last paragraph of your review is incredibly high praise. Not that I disagree with you, but I'm not used to you speaking out so strongly for a book.

Martin