Slashdot Mirror


The Pragmatic CSO

Ben Rothke writes "The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is worth reading for one sentence on page 12 which states: It's not about technology — it's about business. The even better news is that the book is full of insightful ideas like that, on how information should work, and how to make it work in today's large enterprise organizations. One of the mistakes many security professionals make is that they think of security for its own sake, when security is simply meant to support the business. CxO's could care less about encryption key lengths and operating systems. While they don't care about the technical details, the people from information security often mistakenly communicate to them in those terms." Keep reading for the rest of Ben's review.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO
author: Mike Rothman
pages: 235
publisher: Security Incite
rating: 9
reviewer: Ben Rothke
ISBN: None - self published
summary: Pragmatic, insightful and valuable look into making security work

The book notes that there are three main causes of the poor state that information security finds itself in today in far too many organizations:

Security is viewed as a technical function - Security staff are often part of the technical teams, but not members of the management team.

The bad guys are getting better - In years past, attackers would get your attention by playing music in the background as their virus infected your workstation. Today's attacks are built around stealth techniques. Attackers do their best to hide from your IDS, and often easily do so.

Auditors are tougher - Both internal and external auditors are finally getting the power they deserve. The days of having them rubber stamp the audit are slowly coming to a close.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO details a 12-step program, a structured program on which to build a strong information security program.
The book goes through those steps as a way to keep you, as the CSO, focused on the goal. That goal is to demonstrate the value of information security management and the level of security to the internal and external auditors.

The book's 4 sections and 12 steps are structured similarly, beginning with what you will learn in the specific step, a dialogue-based introduction akin to an AA (Alcoholics Anonymous) session, and an action plan for each step. Personally, I found the AA dialogues a bit cheesy, and by step 6, found them a bit annoying. Aside from that issue, the book is a highly valuable guide that a new CSO can use to directly assist them in their job. A new CSO is recommended to use the guide in their first 100 days in office. Such an approach can spell the difference between success and failure.

As its title implies, the book is all about being pragmatic. This practical approach is needed, as step 2 notes that it is hard for many security professionals to get beyond the typical vulnerability-centric definition of success. It is not about how many vulnerabilities are found, but rather the pragmatic way in which they are handled.

Part of this pragmatic approach is being realistic about the state of security in your organization. Step 7 underscores this when it shows how a CSO should never underestimate two things: the ability of the bad guys to make you look bad, and the ability of users to do something really stupid. The preceding is just one example of many where the book shows the reader what security is like in the real world, as opposed to the often described pristine cryptographic world of security in which Alice and Bob are involved.

Perhaps the most important point the book makes is that pragmatic CSOs have no religion when it comes to security and technology, besides doing the right thing for their business and protecting their assets. Far too many people in security and technology turn technology choices into religious wars, most of which center around Windows, Linux, Cisco and Juniper.

Step 11 details metrics and benchmarks and has a number of constructive questions against which to benchmark. The areas of questions include effectiveness, awareness, attitude and financial. Metrics and benchmarking are needed to measure how you and your security team are doing, and to identify areas in need of improvement. Benchmarking can also point out areas in which your organization differs from the norm. While that is not necessarily a bad thing, it is necessary to know when to follow so-called best practices, or whether to do what is specifically right for your organization.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is a most valuable book in that it provides fresh, real-world advice, as opposed to generic, rehashed best practices. Author Mike Rothman's premise is that today's CSOs need to act more like business people in order to thrive. With firms laying off back-office technology staff by the thousands, having this front-office approach is not only timely, it may just save your job.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.


3 of 100 comments

  1. Re:Thanks for playing, please try again. by Anonymous Coward · · Score: -1, Flamebait

    Perfect. IT will stand in the way of progress to the end. Thanks for showing us your dork local 129 card.

    IT is the new HR.

  2. A book for CSOs? by tuomoks · · Score: 0, Flamebait

    How can you be a CSO if you don't already know what this book describes? This book is more like a wannabe CSO handbook.

    Now - I don't blame the book, it is good (IMHO), but it states facts that have been known for 30+ years? Maybe forgotten? But for CxOs or even security managers - how the heck did they get their jobs if they don't already know this?

    That seems to be the problem today, the basics! For example, security never was, isn't and never will be technology - it is a business fact, much bigger than IT, securing whatever you don't want to be misused or what you want to keep secure/secret/safe. Methods and implementations change day by day but basics don't! New vulnerabilities are found and not all of them have anything to do with IT and can not be prevented by some "miracle" tool or toy but by strategy, planning, design, etc.

  3. Re:Business types who refuse to listen to techies. by Anonymous Coward · · Score: -1, Flamebait

    "Executive management (except CIO/CSO obviously) shouldn't need to understand anything about the technical detail" - by dissipative_struct (312023) on Monday July 28, @11:26AM (#24369581)

    What a CROCK OF CRAP - then, what the hell ARE THEY GOOD FOR? "Making decisions"?? Any fool can do THAT, & for less than 5-6 figure salaries (and, golden parachutes etc. et al)...

    NOW - What if they get 'bad or misinformation' from their advisors (their lackeys they hire is more like it, to cover the kind you note's incompetent asses). They wouldn't be able to determine IF IT IS BAD INFORMATION... case in point?

    I had some "superiors" over time that told our entire teams, verbatim once even, this:

    "I HAVE NEVER EVEN INSTALLED DOS"

    WTF? What are YOU doing, leading ME & mine on this team then? For one thing?? I don't respect that person, right off the bat, & secondly, they are a DRAG - no abilities to contribute to finishing projects even @ times (they can't DO THE JOB themselves) & yes, there are times, when EVERY WORKING HAND, helps (deadline looming? Assign the parts that aren't done to all concerned on team of course, BUT, a "good mgt. person" can help there too, IF THEY KNOW HOW TO CODE (or whatever)).

    No, no way... I wonder if stockholders would like to know they are kicking out WHO KNOWS HOW MUCH on these '50 VP's who send emails all day & that is about it' & CIO's that make decisions, but do NOT KNOW WHAT THE HELL IT IS THEY ARE MAKING DECISIONS ON (& their mistakes/bad decisions (due to the fact they don't understand who/what it is they are "managing", costs HUGE)).

    My guess is they don't, or that these 'boards of directors' (often composed of mgt. types, who make these 6 figure salaries, but for what? I have NO idea, because anyone can make 'decisions', after all, we ALL do, everyday)

    In fact, it gets folks fired (since payroll IS THE EASIEST COST TO CONTROL).

    Best way? I'd say it would be to "promote from within the ranks", but most coders/techies? LOVE THEIR JOBS - why go mgt., in other words, other than for money?? Yes, it's a POWERFUL motivator, but... then again, there is having to like what it is you do everyday, too.

    APK

    P.S.=> Hiring of external mgt. is 1 thing - IF they have done the job for years to decades themselves, hands-on professionally, in the trenches (as to the jobs of their subordinates that is, so they UNDERSTAND the field itself in detail AND their subordinates to know how to motivate them etc. & more)... but, hiring some "MBA" with NO CLUE AS TO THE JOB & FIELD ITSELF? S T U P I D - but, that's what you get in a field full of 'frat boys' hiring their pals to 'surround & insulate themselves' acting in cliques, ripping companies off BLIND in the doing of it, due to their sheer incompetence... apk