Slashdot Mirror


The Pragmatic CSO

Ben Rothke writes "The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is worth reading for one sentence on page 12, which states: It's not about technology — it's about business. The even better news is that the book is full of insightful ideas like that, on how information security should work, and how to make it work in today's large enterprise organizations. One of the mistakes many security professionals make is that they think of security for its own sake, when security is simply meant to support the business. CxOs couldn't care less about encryption key lengths and operating systems. While they don't care about the technical details, the people from information security often mistakenly communicate to them in those terms." Keep reading for the rest of Ben's review.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO
Author: Mike Rothman
Pages: 235
Publisher: Security Incite
Rating: 9
Reviewer: Ben Rothke
ISBN: None (self-published)
Summary: Pragmatic, insightful and valuable look into making security work

The book notes that there are three main causes of the poor state that information security finds itself in today in far too many organizations:

Security is viewed as a technical function - Security staff are often part of the technical teams, but not members of the management team.

The bad guys are getting better - In years past, attackers would get your attention by playing music in the background as their virus infected your workstation. Today's attacks are built around stealth techniques. Attackers do their best to hide from your IDS, and often easily do so.

Auditors are tougher - Both internal and external auditors are finally getting the power they deserve. The days of having them rubber-stamp the audit are slowly coming to a close.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO details a structured 12-step program on which to build a strong information security program. The book goes through those steps as a way to keep you, as the CSO, focused on the goal. That goal is to demonstrate the value of information security management and the level of security to the internal and external auditors.

The book's 4 sections and 12 steps are structured similarly, beginning with what you will learn in the specific step, a dialogue-based introduction akin to an AA (Alcoholics Anonymous) session, and an action plan for each step. Personally, I found the AA dialogues a bit cheesy, and by step 6 found them a bit annoying. Aside from that issue, the book is a highly valuable guide that a new CSO can use to directly assist them in their job. A new CSO is recommended to use the guide in their first 100 days in office. Such an approach can spell the difference between success and failure.

As its title implies, the book is all about being pragmatic. This practical approach is needed, as step 2 notes that it is hard for many security professionals to get beyond the typical vulnerability-centric definition of success. It is not about how many vulnerabilities are found, but rather the pragmatic way in which they are handled.

Part of this pragmatic approach is being realistic about the state of security in your organization. Step 7 underscores this when it shows how a CSO should never underestimate two things: the ability of the bad guys to make you look bad, and the ability of users to do something really stupid. The preceding is just one example of many where the book shows the reader what security is like in the real world, as opposed to the often described pristine cryptographic world of security where Alice and Bob are involved.

Perhaps the most important point the book makes is that pragmatic CSOs have no religion when it comes to security and technology, beyond doing the right thing for their business and protecting their assets. Far too many people in security and technology turn technology choices into religious wars, most of which center around Windows, Linux, Cisco and Juniper.

Step 11 details metrics and benchmarks and has a number of constructive questions against which to benchmark. The areas of questions include effectiveness, awareness, attitude and financial. Metrics and benchmarking are needed to measure how you and your security team are doing, and to identify areas in need of improvement. Benchmarking can also point out areas in which your organization differs from the norm. While that is not necessarily a bad thing, it is necessary to know when to follow so-called best practices, and when to do what is specifically right for your organization.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is a most valuable book in that it provides fresh, real-world advice, as opposed to generic, rehashed best practices. Author Mike Rothman's premise is that today's CSOs need to act more like business people in order to thrive. With firms laying off back-office technology staff by the thousands, having this front-office approach is not only timely, it may just save your job.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.


100 comments

  1. So who was the more pragmatic CSO?... by msauve · · Score: 4, Funny

    Spock or T'Pol?

    CSO means "Chief Science Officer," right? Because the article doesn't bother to define it.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:So who was the more pragmatic CSO?... by zeromorph · · Score: 1

      CSO

      I would opt for Combined Sewer Overflow , but it's Chief security officer.

      --
      "Hannibal's plans never work right. They just work." Amy/A-Team
    2. Re:So who was the more pragmatic CSO?... by jellomizer · · Score: 1

      There should be a karma modification: if they post an article with a specialized acronym and don't define it, they should lose points. CEO, CIO are common enough but CSO, CTO...
      I first thought they were talking about the Chief Software Officer.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:So who was the more pragmatic CSO?... by Anonymous Coward · · Score: 0, Offtopic

      Is this a prison frat?

    4. Re:So who was the more pragmatic CSO?... by Anonymous Coward · · Score: 0

      Are you nuts? This is slashdot, we should know CSO and CTO more readily than we know CEO, COO and CIO. But really, in today's market, if you don't know what all five of the above are, your head is in the sand.

    5. Re:So who was the more pragmatic CSO?... by Jansingal · · Score: 1

      alas, the new gen of slashdotters who know not of these elemental acronyms :)

    6. Re:So who was the more pragmatic CSO?... by morgan_greywolf · · Score: 1

      I would opt for Combined Sewer Overflow [wikipedia.org] , but it's Chief security officer [wikipedia.org].

      "Captain! We are being hailed!"
      "On screen, Mr. Worf."

    7. Re:So who was the more pragmatic CSO?... by jellomizer · · Score: 1

      Not all organizations have a CSO, or CTO, many don't have CIO's either. but CEOs,CIOs are far more common and tend to be more published than the others. So they are immediately recognized by corporations, schools, non-profit organizations, and small corporations where the CSO, CTO and CIO are more often called Fred/Tech guy

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:So who was the more pragmatic CSO?... by Jansingal · · Score: 1

      spock was logical, NOT pragmatic!

    9. Re:So who was the more pragmatic CSO?... by Jansingal · · Score: 1

      >>>specialized acronym

      since when is CSO a 'specialized acronym'??

      if you read any tech guide, its presumed that all knows what CSO/CISO stands for.

    10. Re:So who was the more pragmatic CSO?... by jellomizer · · Score: 1

      CSO is relatively new though. It used to be the domain of the CIO. And sure we all know what CISO is, they make routers and such :-).

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    11. Re:So who was the more pragmatic CSO?... by Jansingal · · Score: 1

      and that is the problem!!!

      most CIOs are completely clueless when it comes to security.

      A CIO answers a security issue like this:

      80% of the time: my sysadmin can do that
      19% of the time: my firewall admin can do that
      1% of the time: and this is the answer of the small minority of smart CIOs: I will have my security engineering team do that.

    12. Re:So who was the more pragmatic CSO?... by epee1221 · · Score: 1

      My first thought was "Chicago Symphony Orchestra."

      --
      "The use-mention distinction" is not "enforced here."
    13. Re:So who was the more pragmatic CSO?... by fm6 · · Score: 2, Insightful

      Somehow I keep thinking "Crime Scene Optimization".

      Here's why posting a bad article shouldn't affect your karma. Karma and moderation is Slashdot's way of giving good posts more visibility than bad ones. (It doesn't work that way currently, but that's the idea.) For articles, that same function is provided by the editors. Articles like this get posted because because the editors are sloppy. The accept stories where the language is unclear, where the story misrepresents (or even flatly contradicts) TFA, or where TFA is just a stupid blog entry that cites no facts beyond other stupid blog entries.

      What we need is for editors to take the time to read — and think about — the articles they see before they post them. Maybe even take a class in English or Journalism. Skipping the part on spelling, of course. Wouldn't want to break with tradition!

    14. Re:So who was the more pragmatic CSO?... by DracoNoir · · Score: 1

      CxO is a designation and a functional description. Many organizations choose not to designate a person as such, but still have some person or persons who perform the functions. In some states and countries, as well as for certain designations, the designee assumes certain legal responsibilities and can be held accountable as an [Official] representative of the organization, irrespective of any title the designee may hold. For example, in many orgs, the [senior] vp of finance is also the CFO, but in some the treasurer is. In one org I know of, the title of the COO was 'general manager'; in another it was 'head of plant'. In another, the Facilities Security Officer was the Director (not board level) of Special Projects. The FSO had responsibilities vis a vis DoD, DISCO, DoE and other government agencies, orthogonally to his internal chain of command.

    15. Re:So who was the more pragmatic CSO?... by morcego · · Score: 1

      The position of CSO is stated and defined on the ISO 17799 document, which is anything but new.
      For anyone working in information security not to have read that document ... well, I don't think it is worth commenting. (Even if you read it, but don't agree with it)

      --
      morcego
    16. Re:So who was the more pragmatic CSO?... by karmaflux · · Score: 1

      What, Worf and Tuvok aren't in the running?

      It's because they're black, right? You leave Star Trek out of your racist agenda.

      --

      REM Old programmers don't die. They just GOSUB without RETURN.

    17. Re:So who was the more pragmatic CSO?... by fm6 · · Score: 1

      T'Pol is sexier.

      No wait, I'm speaking as a straight male. I seem to recall that back in the 60s many women considered Spock the sexiest character on TV. It was all that torment caused by his inner human-vulcan conflict.

      Anyway, they're equally pragmatic. You have to deal with facts. To do otherwise would Not Be Logical(tm).

    18. Re:So who was the more pragmatic CSO?... by DeusExMach · · Score: 1

      Oh, so Tasha Yar was just alien food? I notice the blonde-haired white woman doesn't get a mention, since we're being all prejudicial. Hypocrisy, thy name is Trekkie.

    19. Re:So who was the more pragmatic CSO?... by Jansingal · · Score: 1

      17799 is soooooooooo important.
      but way toooooo few people know about it.

    20. Re:So who was the more pragmatic CSO?... by mikael_j · · Score: 1

      Personally I'm getting pretty tired of people just working in IT being expected to understand what goes on at the highest levels of management. I used to work in sales (yes, soulless drone hell) and it was actually possible to get your job done there with little to no knowledge of what went on outside of the sales department, but after finishing my degree in CE and getting a job in IT I suddenly found myself in a world even the "grunts" had to understand the politics of the company, not in the sense that we had to pitch every server upgrade to the CEO but in the sense that since the company regarded IT as purely an expense we would have to fight the red tape every time we wanted to do anything, in sales upper management seemed to just ignore us (and even major screwups that ended up costing the company a lot of money) because in their eyes we were what kept the company running...

      And while this may seem a bit off-topic I suspect in many places it's at the core of the "problem" with IT people having to understand how to deal with every part of the company, we actually interact with every part of the company and if we fuck up it gets expensive, but any money made thanks to us isn't made directly by us but instead by other departments that rely on us to get their jobs done. IT is the whipping boy of your average corporation and IT workers are more and more expected to understand more than just their own job while many other employees can get away with knowing only one thing (I have met people in my current job who have spent the last 10+ years doing nothing but handle 2-3 different types of forms, it's essentially checking that the OCR software didn't screw up, and most of these people are getting paid as much as I am, and have fairly "fancy" titles (meaning that if they ever lose their jobs their job title from their current job is enough to make them interesting)).

      --
      Greylisting is to SMTP as NAT is to IPv4
  2. Security by Wiarumas · · Score: 2, Insightful

    Security is vital knowledge... as time passes, the criminals get smarter. It is impossible to mitigate all possible threats 100% of the time, but in order to keep the probability of these threats low, you have to be on the same playing field as the criminals. If not, well, you've seen what happened to the Death Star.

    --
    I will bend like a reed in the wind.
    1. Re:Security by MR.Mic · · Score: 1

      Oh crap, you're right! I don't want my office building to explode due to an open exhaust port! I better get on the roof and start duct taping over those air conditioning units today!

  3. Am I the only one by Anonymous Coward · · Score: 0

    who read this as " The Pragmatic SCO"?

    1. Re:Am I the only one by Jansingal · · Score: 1

      no one!!!! :) SCO is the anti-pragmatic software company.

  4. ack by Trailer+Trash · · Score: 3, Funny

    I read the headline as "the pragmatic SCO", and was thinking "where?"

    1. Re:ack by betterunixthanunix · · Score: 1

      I was expecting something about a court case. I'm still a little confused.

      --
      Palm trees and 8
    2. Re:ack by ArcadeX · · Score: 1

      At least I'm not the only one with this problem. First thought was 'what now...'

      --
      An I.T. motto in the hands of an idiot is a dangerous thing...
  5. Meh. by clang_jangle · · Score: 1

    The only link relevant to the new book in TFS demands my email address in order to see anything. Not terribly motivating.
    Besides, 12 steps? I'm recovering from that, thanks.

    --
    Caveat Utilitor
    1. Re:Meh. by clang_jangle · · Score: 1

      The only link relevant to the new book in TFS demands my email address in order to see anything.

      Correction, the page just requires scrolling down to see the 12 steps. Damn, foiled by my own pessimism! But at nearly $100 for a download, couldn't you at least buy an ISBN?

      --
      Caveat Utilitor
    2. Re:Meh. by Jansingal · · Score: 1

      speaking of people who use acronyms w/o (without) defining them...

      what is TFS?

    3. Re:Meh. by ed.mps · · Score: 1

      You must be new here. welcome.

      --
      !sig
    4. Re:Meh. by Jansingal · · Score: 1

      no idea at all what you mean.

      please explain.

    5. Re:Meh. by Jansingal · · Score: 1

      so be a man and tell me what it stands for.

    6. Re:Meh. by Anonymous Coward · · Score: 0

      RTFFAQ

    7. Re:Meh. by Ethanol-fueled · · Score: 1
      Especially because there's only one real noteworthy step:

      Step 9: Train the Users

      Users are the weakest link in the security chain, so all the technology in the world will not help if a user gives up a password to the bad guys. In Step 9, you learn why a structured user awareness training process is critical to educate users to think and act securely and avoid many of the easy attacks used every day.

      I think that's being a little easy on the users, though ;)

  6. Gah! Not just for security by zappepcs · · Score: 2, Funny

    FTFS:

    Step 7 underscores this when it shows how a CSO should never underestimate to things : the ability of the bad guys to make you look bad, and the ability of users to do something really stupid.

    Emphasis is mine. Speaking of things that make you look stupid? Irony?

    Seriously, this advice works for anything.

    1. Re:Gah! Not just for security by DaveAtFraud · · Score: 1

      It is not about how many vulnerabilities are found, rather the pragmatic way in which their are handled.

      Yeah. It's hard to be taken seriously when you make stupid grammatical errors. Your typical /. post is one thing but a book review is another.

      Hopefully, this guy had a good editor for his own book. They're invaluable.

      Cheers,
      Dave

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    2. Re:Gah! Not just for security by Jansingal · · Score: 1

      Sounds like someone used M$ Wurd with the autokorrect feature a bit too much.

    3. Re:Gah! Not just for security by Jansingal · · Score: 1

      their you go!!! :)

    4. Re:Gah! Not just for security by Anonymous Coward · · Score: 0

      speaking of people who use acronyms w/o (without) defining them...

      what is M$?

  7. It's not just security by pzs · · Score: 4, Insightful

    This idea of people focussing on their own job role to the detriment of the overall organisation is very common.

    Finance people think hours filling in expenses claims over £30 lunches, support who won't let you install a vital and harmless piece of software because it's against regulations, managers who call so many status report meetings it's impossible to get any real work done... this kind of stuff happens all the time.

    A lot of people are self important, narrow minded and don't see the big picture. In other news, water is wet.

    1. Re:It's not just security by Notquitecajun · · Score: 4, Insightful

      The worst part is when it's your JOB to perform said role, and you get in trouble for both not doing it AND doing it. Security jobs are a catch-22 - you can get blamed when things go wrong, but when you try to do your job, it can be seen as getting in the way.

    2. Re:It's not just security by pzs · · Score: 1

      In a previous University job, I was responsible for a server that got hacked. It was entirely my fault for installing services carelessly but even so, they were really good about it. Instead of bollocking me or cutting off my privileges, they told me exactly what to do to clean the machine along with some really useful documentation to prevent it from happening again.

      Their attitude seemed to be that at a University, you need flexibility to get stuff done so bad things are bound to happen occasionally. This outbreak of common sense gave me a big boost in confidence in University sysadmins.

    3. Re:It's not just security by Anonymous Coward · · Score: 0

      In other news, water is wet.

      Odd, water feels very sticky whenever I rub up against any skin exposed to water. However, the rain does make me feel wet, but in reality I am just sticky. ;-)

    4. Re:It's not just security by silanea · · Score: 2, Insightful

      [...] support who won't let you install a vital and harmless piece of software because it's against regulations [...]

      Has it never occurred to you that they might simply be protecting their jobs? Someone put those regulations in place, and IT/tech support are required to make sure those regulations are followed. If some lowly grunt at helpdesk allows you to install a "vital and harmless[1] piece of software" and anything goes wrong, it's not so much your ass on the line as theirs. So next time think twice before laying blame.

      Find out who's responsible for IT regulations and make your case to them for the permission of your vital software.

      [1] Am I the only one to whom those two terms seem mutually exclusive? If it's vital to the company, it has to be 100% functional and so ought to be managed centrally by IT. If it's unimportant enough to let individual users play around with it, it shouldn't be anywhere near the company's systems other than in a testbed maintained and supervised by IT so as to keep it from interfering with the vital components.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    5. Re:It's not just security by jgtg32a · · Score: 1

      Where I work Security is tied closely to Internal Audit so naturally we are hated, but it gives us leverage to get our job done. We are viewed as getting in the way but my boss gives people a BARF (Business Acceptance of Risk Form) any time they give us lip: "we've always done it this way." They always back down because it's their ass now

    6. Re:It's not just security by Red+Flayer · · Score: 1

      Finance people think hours filling in expenses claims over £30 lunches

      If it takes you hours to do this, you're doing it wrong.

      Furthermore, which only adds to your point, there are reasons that controls on those claims exist that you might not be aware of. Sure, it seems like a waste of time to you, but have you considered the potential cost to the company for not complying with regulations requiring that documentation?

      There is potential liability when claims are not reported properly, or when there is a deviation from process. That liability can be far more costly than your wasted time... even when multiplied by all the people who need to file expense claims. I personally know of one company fined over $350k US because improperly documented expense claims were not reported, or taxed, as taxable income, which is required by law.

      My point is that you might be only seeing part of the big picture, just as you make the claim that finance, or support, does not see the big picture. It's a two-way street, and without an understanding of all the factors involved, how can you make the claim that no one else sees the big picture?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    7. Re:It's not just security by myowntrueself · · Score: 1

      Always include time spent filling in timesheets on your timesheets.

      It may seem recursive but it's important that it's included... if the timesheeting or accounting system is so bone-headed that it takes hours to complete then this should be accounted for.

      --
      In the free world the media isn't government run; the government is media run.
  8. Not all of the certifications are pragmatic by Anonymous Coward · · Score: 3, Interesting

    I tried discussing security "pragmatically" with our PCI level 1 auditor, and it didn't go well.

    He wanted to see an example of all 200+ recommendations, even if it made no sense for our environment.

    So yes, don't be arbitrary if you get to make up the rules. But as long as there are large fines assessed by auditors who cling to arbitrary rules, then arbitrary security rules are here to stay.

    1. Re:Not all of the certifications are pragmatic by Jansingal · · Score: 1

      that is def. not a pragmatic pci auditor, rather a newbie one.

  9. Thanks for playing, please try again. by pla · · Score: 4, Insightful

    It's not about technology -- it's about business.

    No.

    The entire IT world currently exists for its own sake. The business world has discovered they can use it, to some extent, but let's not take that too far in ascribing a raison d'etre to all things tech.

    We have computers because geeks like toys. In order to afford more toys, we whore ourselves out to the business world... But the relationship ends there. If we can help our employers make more shiny colorful reports measuring how much money we waste on blue vs green widget paint, great, good for them (and the landfills). If not... I can't speak for everyone on Slashdot, but at the end of the day, I go home and do my best not to think about work.

    Yet, I still go home, fire up my PC, and continue improving the very skills that make me valuable to my employer (I'll skip the obvious gaming and porn jokes here). I, as I believe of most geeks, do it for its own sake, because I love technology and toys - Not because I have some BS "compelling business case" to dedicate much of my life to technology for the gain of CEOs who wouldn't give me the time of day to spit on me if they came across me dying in the desert.

    1. Re:Thanks for playing, please try again. by tb()ne · · Score: 1

      I have not read the book but I don't think the "it" in the quote refers to your reasons for you performing your job. It refers to the reason your job exists.

    2. Re:Thanks for playing, please try again. by pla · · Score: 3, Insightful

      Perfect. IT will stand in the way of progress to the end.

      "Shareholder value" does NOT equal "Progress".

      Repeat as necessary or until dead.

    3. Re:Thanks for playing, please try again. by CowTipperGore · · Score: 4, Insightful

      The entire IT world currently exists for its own sake.

      First, the argument is made in the context of the business world, not about what you do with your free time. Further, your whole comment reflects the conflicts in attitudes that the book is attempting to address. Too many individuals are unable to think outside of their silo, seeing themselves and their work as inherently important without considering the business goals and how they impact them. I've seen attitudes like yours ruin IT departments (and research departments, and facility service departments, and accounting departments, etc) as the department becomes a fiefdom concerned more with protecting and growing its kingdom. In most businesses, IT and all other ancillary departments, exist only to facilitate the primary business processes of the company.

      I recently watched a large electric utility outsource their IT functions to EDS. This decision was made primarily because their IT structure was out of control and no one knew how to check it. Everyone in IT was transferred to EDS or they left the company altogether. In the two years since, EDS has trimmed their staffing on the contract by at least 50%. My prediction is that in another year or two, the company will bring IT services back in house again and will do it with staffing about 25% of what it was before they outsourced. As an IT manager, I make sure that this isn't a good option for our department by communicating regularly with upper management, by always tying our work to company goals, by maintaining quality support, and by never allowing the department to become obviously overstaffed. IT employees who can't tie their toys to our goals do not survive in this culture.

    4. Re:Thanks for playing, please try again. by rugatero · · Score: 1

      Repeat as necessary or until dead.

      Redundancy?

      --
      This comment is for entertainment purposes only. Any similarity to real insight or information is purely coincidental.
    5. Re:Thanks for playing, please try again. by homer_s · · Score: 1

      We have computers because geeks like toys. In order to afford more toys, we whore ourselves out to the business world.

      Most of the IT world is a bit more mature than you seem to be.

    6. Re:Thanks for playing, please try again. by orasio · · Score: 1

      The GP raises an interesting point. He says that IT jobs are superfluous, and only exist due to the easiness of selling tech stuff to CxO's.
      Everything else gets built to support and improve installed IT systems.
      While I don't think it's exactly like that, I think it's an insightful point.

    7. Re:Thanks for playing, please try again. by The+End+Of+Days · · Score: 1

      Corporations don't exist to meet your personal definition of progress. If that's what you want, you're free to start all the companies you want dedicated to your vision. Just don't expect that you get to impose your desires on the world at large just because you consider your morality to be superior.

    8. Re:Thanks for playing, please try again. by pla · · Score: 1

      don't expect that you get to impose your desires on the world at large just because you consider your morality to be superior.

      Corporations, as legal-fictional entities, have no morality.

      Pol Pot, Hitler, Stalin, and Nero all had "superior" morality to even the most apparently-benevolent corporation that has ever existed.

      So yes, my morality trumps any corporate vision of "progress" in the form of next quarter's numbers.

  10. Business value and risk by xrayspx · · Score: 3, Informative

    That's a tough thing for security professionals to draw a distinction with. Everything a company does should weigh the business value of a proposed technology vs the risk of what happens if that technology breaks. So if you have an old firewall or licensing restrictions that won't let you use 3DES or AES for your VPN, and are stuck with DES, the company (CSO) should be weighing the cost of upgrading vs the risk of loss to the company if your DES VPN is broken.

    If you have credit data passing across, there may very well be PCI/DSS issues and fines, but if the VPN is just there to pass pictures of kittens from one site to another, you might not care and may not need 3DES or better.

    Many security professionals see this as sub-optimal, and will bitch. However as long as the senior management is aware of the risk and has decided it's a risk worth taking, then you've done your job as a security person.

    1. Re:Business value and risk by OriginalArlen · · Score: 1

      Do please explain how you quantify the probability of your single-DES VPN being compromised. I'm all ears. ("Well, none of us are perfect, D.M.!")

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    2. Re:Business value and risk by MadMidnightBomber · · Score: 2, Interesting
      That's the problem. Return On Investment asks you to arrive at a figure by multiplying a bunch of numbers YOU DON'T KNOW TO START WITH:

      "Most textbooks will tell you to compute the expected return on investment, by working out the annual cost of not doing X ( annual probability of occurrence times average loss if something bad happens ) minus the cost of not doing X. If you save money by implementing a safeguard, do it.

      The problem is that you don't know any of these numbers very well at all, but you're pretty sure that putting an Intrusion Detection System in will be good for the company..."

      -- http://www.systemstates.net/wordpress/return-on-investment/

      My solution is to err on the side of caution, and remember that when the possible loss exceeds the value of your company, you should be taking ALL reasonable safeguards. That and appealing to "best practice" helps.

      --
      "It doesn't cost enough, and it makes too much sense."
    3. Re:Business value and risk by xrayspx · · Score: 1

      It's not about the probability of someone breaching 56-bit DES, it's about the consequences.

      How about Hannaford or TJX using weak keys? Their CSO should be weighing the cost of changing their infrastructure to not use wireless, or using strong keys, MAC Filtering and firewalls to mitigate their exposure vs the risk of losing 47,000,000 credit and debit card numbers.

      The CSOs of those companies would need to weigh different factors than businesses with no B&M retail outlets. It's about deciding "How much is my data worth", "What are the consequences of that data being exposed" and "Based on those two answers, here's the broad strokes of our Information Security strategy".

      Does that risk belong to the company alone, as in the case of a manufacturing company making proprietary widgets, or is the risk shared with the general public, as in the case of a supermarket with a horrific and weak wireless policy? Those are the kinds of questions CSOs should worry about, not "What model of firewall do we use", as the summary was saying.

      The VPN example was flawed, sure. But if you think in terms of the consequences it makes more sense. If you're sending credit card data over a 56-bit DES tunnel, and someone intercepts and decrypts that traffic, that's horrible. More horrible will be the impact to the company when the department is shown as negligent for having relatively weak crypto.

    4. Re:Business value and risk by Firehed · · Score: 1

      That's a very interesting viewpoint, but how much actually came out of the Hannaford debacle? A whole lot of bad press for a week or so, and then nothing at all. I, for one, have not changed my shopping habits, nor have any of my family - and they tend to shop at Hannaford more often than I do. Of course this anecdotal evidence can only go so far (which is to say, not far at all), but all things considered I'd suggest that losing some ungodly amount of financial information was actually the cheaper option. That's obviously not a GOOD thing, but if we're going to talk about numbers alone then let's get crunching.

      --
      How are sites slashdotted when nobody reads TFAs?
    5. Re:Business value and risk by xrayspx · · Score: 1

      From a PCI DSS compliance standpoint, the fines for being a non-compliant tier 1 were pretty strict. Hannaford stated that it was fully PCI compliant. From what little I know of Hannaford's actual operation, it's hard to say, but I would think they should have had to answer "no" to a few more checkbox items.

      The problem is that credit card processing companies will threaten non-compliant retailers with shutting down their authorization until they achieve compliance, or are making provable headway. So Hannaford may have had to make some quick decisions to get themselves certified, and some of those decisions seem to have bitten them. PCI DSS requires that a retailer is audited by a certified third party vendor. This amounts to the most expensive NMAP report you will ever see. This report, along with your self-evaluation checklist, are the proof of compliance.

      The true cost of these breaches to the companies isn't known yet. The consumer lawsuits for Hannaford are just getting off the ground, and I don't know of any bank suits yet. This is why Hannaford is touting their compliance, "Hey, we were certified and in full compliance with regulations, therefore, it's not our fault, blame the insufficient regulations". In TJX's case, they offered a choice of $30 gift card or $15 cash to every customer involved in the breach. I've seen 45MM cards in the media, and reports of up to 90MM cards in reality. So if everyone takes the cash, they're looking at over a billion dollars just in cash payouts to customers. That's about 7% of their annual revenue.

      It is pretty discouraging though that there aren't more visible signs of real change happening at these two chains. There is no real incentive for companies to protect consumer data, and that's a shame. Hopefully the large lawsuits carry some real penalties.

    6. Re:Business value and risk by Jansingal · · Score: 1

      Exactly!

      my guess is that there are maybe 5 security pros in the US who know how to deal with ROSI.

      All others make up their own data as they go along.

    7. Re:Business value and risk by OriginalArlen · · Score: 1

      Quite so. What peeves me (as a practitioner in the field) is the people who try to decide where to spend their security dollars by doing absurd calculations using such unmeasurable values. (Not to mention all the certs that require you to parrot such nonsense as if you believed it.) "...you're pretty sure that..." comes down to gut feel, experience, and professional judgement. This is bad news for the attempts to put infosec on a similar professional basis to business functions like audit or accountancy (or plain ol' engineering), not to mention attempts to reduce it to a teachable subject. You can learn a lot from studying of course (and if you don't study, you won't be much good), but experience and... I hate to say it, but "talent" come into play.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
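The ROI formula MadMidnightBomber quotes, and OriginalArlen's objection that its inputs are unmeasurable, carried through as an added example (not code from the thread, the book under review, or the quoted blog post): the same ALE arithmetic run over ranges instead of point values, with constructed IDS figures, so the midpoint answer and the honest interval answer can be compared. It assumes a simple model in which the safeguard removes some fraction of the annual loss expectancy; that fraction is another number nobody knows.

```python
"""ROSI from the textbook formula, with every input given as a range.

Added example; not from the thread, the book, or the quoted systemstates.net
post. ALE = annual probability of occurrence * average loss; the safeguard's
return = (loss it prevents - its cost) / its cost. Sample figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Closed range [lo, hi] for a quantity we cannot pin down."""
    lo: float
    hi: float

    def __mul__(self, other):
        # Valid for non-negative ranges only (probabilities, losses,
        # reduction fractions), where the bounds multiply directly.
        if self.lo < 0 or other.lo < 0 or self.lo > self.hi:
            raise ValueError("non-negative, ordered bounds required")
        return Interval(self.lo * other.lo, self.hi * other.hi)

    @property
    def mid(self):
        return (self.lo + self.hi) / 2


def annual_loss_expectancy(probability, loss):
    """ALE = annual probability of occurrence * average loss per occurrence."""
    return probability * loss


def rosi(probability, loss, reduction, cost):
    """Worst- and best-case ROSI; `reduction` is the share of ALE prevented."""
    prevented = annual_loss_expectancy(probability, loss) * reduction
    return (prevented.lo - cost) / cost, (prevented.hi - cost) / cost


def point_rosi(probability, loss, reduction, cost):
    """The single number you get by plugging in midpoints for everything."""
    return (probability.mid * loss.mid * reduction.mid - cost) / cost


def verdict(rosi_lo, rosi_hi):
    """Does the sign of the decision survive the input uncertainty?"""
    if rosi_lo > 0:
        return "robust: the safeguard pays for itself across the whole range"
    if rosi_hi < 0:
        return "robust: the safeguard never pays for itself"
    return "undetermined: the sign depends on numbers you do not know"


# Constructed figures for an IDS that costs $50,000 per year to run.
IDS_COST = 50_000.0
P_INCIDENT = Interval(0.05, 0.5)         # annual probability of a damaging intrusion
LOSS = Interval(100_000.0, 2_000_000.0)  # average loss per incident, dollars
REDUCTION = Interval(0.2, 0.6)           # share of expected loss the IDS prevents

if __name__ == "__main__":
    lo, hi = rosi(P_INCIDENT, LOSS, REDUCTION, IDS_COST)
    print(f"midpoint ROSI: {point_rosi(P_INCIDENT, LOSS, REDUCTION, IDS_COST):.2f}")
    print(f"interval ROSI: [{lo:.2f}, {hi:.2f}] -> {verdict(lo, hi)}")
```

With these ranges the midpoint estimate comes out at about 1.31 (the IDS looks like a clear win), while the interval runs from about -0.98 to 11.0, so the decision is undetermined.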
  11. Business types who refuse to listen to techies... by dpbsmith · · Score: 4, Interesting

    Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

    In a wonderful Dilbert cartoon, the PHB says "Reasoning that anything I don't understand must be easy..." and assigns Dilbert an impossible task predestined for failure.

    People on both the money side and the technical side need to work for mutual respect and understanding, and both need to be patient enough to listen to, and understand, material that doesn't fall within their specialty.

  12. Anybody misread the title too? by UnknowingFool · · Score: 0, Redundant

    I read the title as "The Pragmatic SCO" and was about to write angry comments. Loud ones with torches and pitchforks. :P

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  13. CSO - Combined Sewer Overflow ? by Punko · · Score: 2, Funny

    A CSO is a combined sewer overflow. Where a sewer system is old, it was designed to carry both stormwater (rain fall off houses and streets) and sanitary sewage (from inside houses) to an outfall (and later to treatment plants). Modern systems have separated sewers, one for stormwater, one for sanitary. Only the sanitary goes to the treatment plant. In the city where I live, the outer parts are modern, but the centuries-old infrastructure downtown is still served by combined sewers. Dry days, the sewage is all sanitary, but rainfall increases the flow. The treatment plant or pumping station capacity would be exceeded and the combined sewage discharged directly to the lake. Now, combined sewer overflow tanks have been installed to store the surcharged sewage until the storm is over, and then pump the sewage back into the system to be treated. Until the combined sewers are eventually replaced, this is the best way to help eliminate the release of untreated sewage to the environment. A pragmatic CSO? Most CSO's don't operate at all in normal conditions, but instantly jump into action the moment the sh!t levels rise beyond the system's ability to deal with it. Is this pragmatic?

    --
    If only we could fall into a woman's arms without falling into her hands
    1. Re:CSO - Combined Sewer Overflow ? by Anonymous Coward · · Score: 1, Funny

      They want to deliver vast amounts of sh!+ over the sewer. And again, the sewer is not something that you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand, those tubes can be filled and if they are filled, when you put your sh!+ in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of stormwater, enormous amounts of sh!+.

    2. Re:CSO - Combined Sewer Overflow ? by TerranFury · · Score: 1

      One billion points for the Anonymous Coward.

  14. I don't care details, can we be hacked or not? by justdrew · · Score: 0, Troll

    overgrown crybaby CxO's need to go fuck themselves.

    1. Re:I don't care details, can we be hacked or not? by Anonymous Coward · · Score: 0

      "Can we be hacked or not?" is exactly the kind of naive, badly defined and completely useless criteria security amateurs like to ask, thinking they understand what they are talking about.

    2. Re:I don't care details, can we be hacked or not? by Jansingal · · Score: 2, Interesting

      every company
      every host
      every every every

      thing can be hacked!!!

      isnt that what /. is all about?

  15. Not quite that simple by gweihir · · Score: 1

    As soon as security is reduced from the maximum (which is typically sensible to do if it has business advantages), technological questions like key lengths become very important. There is one large financial institution in Switzerland that had to fear all its banking cards being broken, because they had too short keys. So, it is important to have business and technological facts and understand both.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. The best part about the review by Osurak · · Score: 1

    is that the term CSO wasn't defined anywhere. Apparently the reviewer was mistakenly communicating to us in security terms, which is one of the things IN THE REVIEW that he warns about.

    1. Re:The best part about the review by Jansingal · · Score: 1

      well, i read a review where the reviewer used the term 'ok', and he never defined it!

  17. Re:Business types who refuse to listen to techies. by dissipative_struct · · Score: 2, Insightful

    Executive management (except CIO/CSO obviously) shouldn't need to understand anything about the technical details. The technical groups should be doing the necessary analysis and giving them the necessary information to make choices about technology initiatives.

    The problems come when the execs ignore what their direct reports are telling them, or if the technical people aren't providing the execs the information they need to make the decisions. I don't think trying to educate the execs on the technical details is a very efficient solution to either of those problems, although I suppose it may work with certain managers.

  18. just one sentence, eh? by petes_PoV · · Score: 3, Insightful

    Well thanks for letting the cat out of the bag. If that's the best sentence in the book I think I'll pass.

    Everybody who's worked/working in business (as opposed to academia, where your success is really just the weight of papers you put out - right?) for any length of time and isn't still doing the job they started with knows this implicitly. None of IT is about anything except the business - it's merely a means to an end, or a necessary evil depending on how good your IT organisation is.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  19. Couldn't Care Less! by Anonymous Coward · · Score: 0

    I fail English? That's unpossible!

  20. disappointed by PopeRatzo · · Score: 1

    Was I the only one who thought this was an article about the Chicago Symphony Orchestra when seeing "CSO" in the headline?

    --
    You are welcome on my lawn.
  21. Roles by micromuncher · · Score: 1

    CSO = Chief Security Officer
    CIO = Chief Information Officer
    CTO = Chief Technology Officer

    At the end of the day, these roles are defined by the business and only marginally the same from company to company. Security is usually part of a broader IT strategy (so no specific corporate officer, but an IT lead.)

    In any event, IT is almost always a service to business, and so top level organizational problems trickle down (as sometimes infrastructure politics bubble up.)

    Here is a fun rant, from the armchair cio.

    --
    /\/\icro/\/\uncher
  22. Re:Business types who refuse to listen to techies. by silanea · · Score: 1

    Executive management (except CIO/CSO obviously) shouldn't need to understand anything about the technical details. [...]

    I disagree. A CEO doesn't need to know how to code, but they need to have a grasp of what IT is. Their business - by now, just about any business regardless of its industry sector - depends to a varying degree on software. The larger this degree, the more important it is for the top brass to understand what IT consists of and how to manage it. Not in detail, mind you. But they ought to understand the basic principles and processes behind it. Just like they ought to have an understanding of economics, even though their bean-counters handle all the petty details.

    --
    Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  23. Re:Business types who refuse to listen to techies. by wzzzzrd · · Score: 1

    Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

    No, it is just fine for a business executive to not understand any technical detail. However, it is not fine for a business executive to not trust people assigned to understand all the technical details and worry about them. That is arrogant. But to say "Well, I don't have a clue what all this fuss is about, but when the architect says we need this layer of security, so be it, after all it is his job to know such things" is pragmatic and therefore good.

    --
    On second thought, let's not go to Camelot. It is a silly place.
  24. Re:Business types who refuse to listen to techies. by Jansingal · · Score: 1

    >>Executive management (except CIO/CSO obviously) shouldn't need to understand anything about the technical details.

    Bull!! Imagine saying the head of a hospital shouldn't need to understand anything about the technical details. We would not tolerate this in any other industry, why IT????

  25. Re:Business types who refuse to listen to techies. by Bodrius · · Score: 1

    Their business also depends to a varying degree on accounting, human resources, legal departments, and janitorial services.

    For most businesses, all of the above have a longer history as indispensable resources - and for most businesses, any of the above is far more indispensable.

    Yet you wouldn't expect a CEO has to understand the technical details of the legal cases, recruitment processes, or cleaning supplies - *unless* that happens to be the core business of the company.

    Taking care of the technical details is *our job* as techies. Our discipline is not unique on that regard - although sometimes it seems like the sense of self-importance is.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
  26. A book for CSOs? by tuomoks · · Score: 0, Flamebait

    How can you be a CSO if you don't already know what this book describes? This book is more like a wannabe CSO handbook.

    Now - I don't blame the book, it is good (IMHO), but it states facts that have been known for 30+ years? Maybe forgotten? But for CxOs or even security managers - how the heck did they get their jobs if they don't already know this?

    That seems to be the problem today, the basics! For example security never was, isn't and never will be technology - it is a business fact, much bigger than IT, securing whatever you don't want to be misused or what you want to keep secure/secret/safe. Methods and implementations change day by day but basics don't! New vulnerabilities are found and not all of them have anything to do with IT and cannot be prevented by some "miracle" tool or toy but by strategy, planning, design, etc.

  27. Re:Business types who refuse to listen to techies. by Bodrius · · Score: 1

    That's a bad analogy for two reasons:

    - Most companies are not IT/Software companies - they have IT departments and CIO/CSOs as part of their corporate infrastructure.
        For most cases, that's like demanding from the hospital administrator an understanding of the details of the cafeteria food production.

    - That aside, health administrators may be a particularly bad example because they can be from a business background (so apparently we do tolerate it) - and because medicine leads to high degrees of specialization.
        Demanding from your hospital head to understand the technical details when most fields require 10+ years of specialization is not only challenging - it may be a supremely bad idea. As in the 'provides opportunity for second-guessing and bad judgements based on overestimating an incomplete education' kind of bad idea.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
  28. Re:Business types who refuse to listen to techies. by Jansingal · · Score: 1

    ok, so it's not a perfect analogy, it does not map perfectly.

    but.... in IT, there is way too far of a disconnect. you don't have such a disconnect in other industries.

  29. Re:Business types who refuse to listen to techies. by Bodrius · · Score: 1

    Yes you do!

    *Unless* you work on a software / IT company, only then does this argument even apply.

    Most IT shops exist in corporations that have a different core business.

    Fundamentally, what the CEO needs to understand is the core business of the company - if that happens to be technology, then great, but if they're making widgets then his expertise and time spent better be on the industry and market of widgets - not on IT.

    I'd be most interested in some examples of this 'disconnect' you talk about - how it is not tolerated in other industries.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
  30. Re:Business types who refuse to listen to techies. by Jansingal · · Score: 1

    >>I'd be most interested in some examples of this 'disconnect' you talk about - how it is not tolerated in other industries.

    Read some issues of HBR. Articles where the connect is best between the tech and biz people, profits are also better. /jay

  31. Sorry, I won't buy a self-published PDF for $87 by Anonymous Coward · · Score: 0

    If the content is worth that much money, it would be worth it for a publisher with a production and editorial staff to put it together. A book or resource that's "published" without real editors will always have issues (ahem).

  32. IT vs. Business by Anonymous Coward · · Score: 0

    Only the inexperienced or woefully ignorant would say IT exists to serve itself. This is precisely the attitude the book is trying to counter.

    IT always exists to serve the business. If it was more cost efficient to use paper, pens and faxes as opposed to computers and the Internet, the business would switch in a heartbeat.

    Your job security is only as strong as the business believes it requires your skills. Operative word being "believes"....