
The Pragmatic CSO

Ben Rothke writes "The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is worth reading for one sentence on page 12, which states: It's not about technology — it's about business. The even better news is that the book is full of insightful ideas like that, on how information should work, and how to make it work in today's large enterprise organizations. One of the mistakes many security professionals make is that they think of security for its own sake, when security is simply meant to support the business. CxO's could care less about encryption key lengths and operating systems. While they don't care about the technical details, the people from information security often mistakenly communicate to them in those terms." Keep reading for the rest of Ben's review.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO
  author: Mike Rothman
  pages: 235
  publisher: Security Incite
  rating: 9
  reviewer: Ben Rothke
  ISBN: None - self published
  summary: Pragmatic, insightful and valuable look into making security work

The book notes that there are three main causes of the poor state that information security finds itself in today in far too many organizations:

  1. Security is viewed as a technical function - Security staff are often part of the technical teams, but not members of the management team.
  2. The bad guys are getting better - In years past, attackers would get your attention by playing music in the background as their virus infected your workstation. Today's attacks are built around stealth techniques. Attackers do their best to hide from your IDS, and often easily do so.
  3. Auditors are tougher - Both internal and external auditors are finally getting the power they deserve. The days of having them rubber-stamp the audit are slowly coming to a close.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO details a 12-step program: a structured program on which to build a strong information security program. The book goes through those steps as a way to keep you, as the CSO, focused on the goal. That goal is to demonstrate the value of information security management, and the level of security, to the internal and external auditors.

The book's 4 sections and 12 steps are structured similarly, beginning with what you will learn in the specific step, a dialogue-based introduction akin to an AA (Alcoholics Anonymous) session, and an action plan for each step. Personally, I found the AA dialogues a bit cheesy, and by step 6, found them a bit annoying. Aside from that issue, the book is a highly valuable guide that a new CSO can use to assist them directly in their job. A new CSO is recommended to use the guide in their first 100 days in office. Such an approach can spell the difference between success and failure.

As its title implies, the book is all about being pragmatic. This practical approach is needed, as step 2 notes that it is hard for many security professionals to get beyond the typical vulnerability-centric definition of success. It is not about how many vulnerabilities are found, but rather the pragmatic way in which they are handled.

Part of this pragmatic approach is being realistic about the state of security in your organization. Step 7 underscores this when it shows that a CSO should never underestimate two things: the ability of the bad guys to make you look bad, and the ability of users to do something really stupid. The preceding is just one example of many where the book shows the reader what security is like in the real world, as opposed to the often described pristine cryptographic world of security in which Alice and Bob are involved.

Perhaps the most important point the book makes is that pragmatic CSOs have no religion when it comes to security and technology, beyond doing the right thing for their business and protecting their assets. Far too many people in security and technology turn technology choices into religious wars, most of which center around Windows, Linux, Cisco and Juniper.

Step 11 details metrics and benchmarks and has a number of constructive questions to benchmark against. The areas of questions include effectiveness, awareness, attitude and financial. This is important, as metrics and benchmarking are needed to measure how you and your security team are doing, and to identify areas in need of improvement. Benchmarking can also point out areas in which your organization differs from the norm. While that is not necessarily a bad thing, it is necessary to know when to follow so-called best practices, and when to do what is specifically right for your organization.

The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is a most valuable book in that it provides fresh, real-world advice, as opposed to generic, rehashed best practices. Author Mike Rothman's premise is that today's CSOs need to act more like business people in order to thrive. With firms laying off back-office technology staff by the thousands, having this front-office approach is not only timely, it may just save your job.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


  1. Security by Wiarumas · Score: 2, Insightful

    Security is vital knowledge... as time passes, the criminals get smarter. It is impossible to mitigate all possible threats 100% of the time, but in order to keep the probability of these threats low, you have to be on the same playing field as the criminals. If not, well, you've seen what happened to the Death Star.

    --
    I will bend like a reed in the wind.
  2. It's not just security by pzs · Score: 4, Insightful

    This idea of people focussing on their own job role to the detriment of the overall organisation is very common.

    Finance people think hours filling in expenses claims over £30 lunches, support who won't let you install a vital and harmless piece of software because it's against regulations, managers who call so many status report meetings it's impossible to get any real work done... this kind of stuff happens all the time.

    A lot of people are self important, narrow minded and don't see the big picture. In other news, water is wet.

    1. Re:It's not just security by Notquitecajun · Score: 4, Insightful

      The worst part is when it's your JOB to perform said role, and you get in trouble for both not doing it AND doing it. Security jobs are a catch-22 - you can get blamed when things go wrong, but when you try to do your job, it can be seen as getting in the way.

    2. Re:It's not just security by silanea · Score: 2, Insightful

      [...] support who won't let you install a vital and harmless piece of software because it's against regulations [...]

      Has it never occurred to you that they might simply be protecting their jobs? Someone put those regulations in place, and IT/tech support are required to make sure those regulations are followed. If some lowly grunt at helpdesk allows you to install a "vital and harmless[1] piece of software" and anything goes wrong, it's not so much your ass on the line as theirs. So next time think twice before laying blame.

      Find out who's responsible for IT regulations and make your case to them for the permission of your vital software.

      [1] Am I the only one to whom those two terms seem mutually exclusive? If it's vital to the company, it has to be 100% functional and so ought to be managed centrally by IT. If it's unimportant enough to let individual users play around with it, it shouldn't be anywhere near the company's systems other than in a testbed maintained and supervised by IT so as to keep it from interfering with the vital components.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  3. Thanks for playing, please try again. by pla · Score: 4, Insightful

    It's not about technology -- it's about business.

    No.

    The entire IT world currently exists for its own sake. The business world has discovered they can use it, to some extent, but let's not take that too far in ascribing a raison d'etre to all things tech.

    We have computers because geeks like toys. In order to afford more toys, we whore ourselves out to the business world... But the relationship ends there. If we can help our employers make more shiny colorful reports measuring how much money we waste on blue vs green widget paint, great, good for them (and the landfills). If not... I can't speak for everyone on Slashdot, but at the end of the day, I go home and do my best not to think about work.

    Yet, I still go home, fire up my PC, and continue improving the very skills that make me valuable to my employer (I'll skip the obvious gaming and porn jokes here). I, as I believe of most geeks, do it for its own sake, because I love technology and toys - Not because I have some BS "compelling business case" to dedicate much of my life to technology for the gain of CEOs who wouldn't give me the time of day to spit on me if they came across me dying in the desert.

    1. Re:Thanks for playing, please try again. by pla · Score: 3, Insightful

      Perfect. IT will stand in the way of progress to the end.

      "Shareholder value" does NOT equal "Progress".

      Repeat as necessary or until dead.

    2. Re:Thanks for playing, please try again. by CowTipperGore · Score: 4, Insightful

      The entire IT world currently exists for its own sake.

      First, the argument is made in the context of the business world, not about what you do with your free time. Further, your whole comment reflects the conflicts in attitudes that the book is attempting to address. Too many individuals are unable to think outside of their silo, seeing themselves and their work as inherently important without considering the business goals and how they impact them. I've seen attitudes like yours ruin IT departments (and research departments, and facility service departments, and accounting departments, etc) as the department becomes a fiefdom concerned more with protecting and growing its kingdom. In most businesses, IT and all other ancillary departments, exist only to facilitate the primary business processes of the company.

      I recently watched a large electric utility outsource their IT functions to EDS. This decision was made primarily because their IT structure was out of control and no one knew how to check it. Everyone in IT was transferred to EDS or they left the company altogether. In the two years since, EDS has trimmed their staffing on the contract by at least 50%. My prediction is that in another year or two, the company will bring IT services back in-house again and will do it with staffing about 25% of what it was before they outsourced. As an IT manager, I make sure that this isn't a good option for our department by communicating regularly with upper management, by always tying our work to company goals, by maintaining quality support, and by never allowing the department to become obviously overstaffed. IT employees who can't tie their toys to our goals do not survive in this culture.

  4. Re:Business types who refuse to listen to techies. by dissipative_struct · Score: 2, Insightful

    Executive management (except CIO/CSO obviously) shouldn't need to understand anything about the technical details. The technical groups should be doing the necessary analysis and giving them the necessary information to make choices about technology initiatives.

    The problems come when the execs ignore what their direct reports are telling them, or if the technical people aren't providing the execs the information they need to make the decisions. I don't think trying to educate the execs on the technical details is a very efficient solution to either of those problems, although I suppose it may work with certain managers.

  5. just one sentence, eh? by petes_PoV · Score: 3, Insightful

    Well thanks for letting the cat out of the bag. If that's the best sentence in the book I think I'll pass.

    Everybody who's worked/working in business (as opposed to academia, where your success is really just the weight of papers you put out - right?) for any length of time and isn't still doing the job they started with knows this implicitly. None of IT is about anything except the business - it's merely a means to an end, or a necessary evil depending on how good your IT organisation is.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  6. Re:So who was the more pragmatic CSO?... by fm6 · Score: 2, Insightful

    Somehow I keep thinking "Crime Scene Optimization".

    Here's why posting a bad article shouldn't affect your karma. Karma and moderation is Slashdot's way of giving good posts more visibility than bad ones. (It doesn't work that way currently, but that's the idea.) For articles, that same function is provided by the editors. Articles like this get posted because the editors are sloppy. They accept stories where the language is unclear, where the story misrepresents (or even flatly contradicts) TFA, or where TFA is just a stupid blog entry that cites no facts beyond other stupid blog entries.

    What we need is for editors to take the time to read — and think about — the articles they see before they post them. Maybe even take a class in English or Journalism. Skipping the part on spelling, of course. Wouldn't want to break with tradition!