12 Steps to become a Pragmatic CSO
What’s your plan?Today’s CSOs need a plan. You must execute on a structured program that keeps you focused on the Reasons to Secure. Showing the value of security to the organization and proving the safety of the computing environment to internal and external auditors are no longer optional activities; your longevity in the CSO position is directly related to how well you sell your strategy, show progress, and manage to your budget.
 |
Want to check out the Introduction to the Pragmatic CSO? Fill out the form and it's yours, plus you'll get a special tip on how to be a Better CSO for the next 5 days. Best of all, it's free! If you sign up, we
will never share your information, and you'll also receive the
Pragmatic CSO Weekly newsletter.
Check out the latest edition  |
Section 1 – Plan to be Pragmatic |
|
 |
Step 1: Assess the Value of Your Business SystemsYou can’t protect what you don’t know about, so the first step is to figure out what you have. Likewise, you don’t want to spend $50,000 protecting a $2,000 business system, so in Step 1 you talk to senior management and discern how important each system is to the operations of the business. Then you can figure out how much to invest in protecting it. |
 |
Step 2: Baseline Your EnvironmentIf you don’t know where you are, it’s pretty unlikely you’ll know that you’ve made progress. In Step 2, you gather data to understand your current state, where your most significant exposures are, and how much work you need to do. |
 |
Step 3: Manage ExpectationsManaging executive expectations are the most critical responsibilities of the CSO. You must be very clear about what you are going to accomplish and how you are going to do it. In Step 3 you see the power of speaking security in the language of business, and how you can get everyone on the same page regarding what the security program does. |
Section 2 – Build a Pragmatic Security Environment |
|
 |
Step 4: Build Your Security Business PlanEvery business needs a plan, and yours is no exception. In Step 4, you prepare a high-level business plan, laying out the reasons your business exists and presents a high level architecture, committed service levels, and the milestones that you plan to achieve. |
 |
Step 5: Sell the StoryYou need money to secure anything, in Step 5 you package your business plan, associated service levels and milestones and sell the program to senior executives getting the funding you need to protect your corporate assets. |
 |
Step 6: Procure the SolutionA structured procurement process is critical to getting the right products, at the right time, for the right price. In Step 6, you learn about Security Incite’s Buying Security Products methodology and how that should be applied to how you buy the products and services you need for the Pragmatic CSO process. |
Section 3 – Run Your Security Organization Pragmatically |
|
 |
Step 7: Operate/MonitorNow that parts of the solution are implemented, you need to make sure they’re doing what they’re supposed to. In Step 7, you learn how to fortify your perimeter defenses, what you should be monitoring, and how to navigate the change control process. |
 |
Step 8: Contain the ProblemInevitably you will have a compromise or breach situation. Dealing with that will make the difference between a CSO with a job and one collecting unemployment. In Step 8, you learn how to recover as gracefully as possible and use a structured incident response process to make sure you live to fight another day. |
 |
Step 9: Train the UsersUsers are the weakest link in the security chain, so all the technology in the world will not help if a user gives up a password to the bad guys. In Step 9, you learn why a structured user awareness training process is critical to educate users to think and act securely and avoid many of the easy attacks used every day. |
 |
Step 10: Assure Your DefensesIt doesn’t matter if you say something is secure, you need third-party validation. In Step 10, you’ll engage third parties to try to penetrate your defenses, both to see where you are really exposed and also to make the case for more funding. |
Section 4 – Communicate your Value |
|
 |
Step 11: Benchmark Your ProgressQuantitative measurements prove your worth and ensure your program is moving in the right direction. In Step 11, you’ll benchmarking your program by tracking the right metrics and comparing what you are doing relative to your peer group and other businesses your size. |
 |
Step 12: Comply without Going NutsCompliance with a variety of both internal policies and legislative regulations is a critical aspect of every CSO’s job. In Step 12, you see how compliance is a benefit of implementing the Pragmatic CSO program and how by generating a set of hard-hitting reports, the auditors will be gone in a fraction of the time it used to take. |
Of course, not all steps within the Pragmatic CSO methodology will make sense for your organization. You need to figure out for yourself how to build your own program to achieve your own goals. The Pragmatic CSO will outline a framework to kick-start your efforts, and you’ll also have an opportunity to participate in the web-based Pragmatic CSO community, which provides access to templates and discussion forums for each step in the process, as well as getting security research from Security Incite.
The key message you should take away is you are not alone. Everyone involved in the Pragmatic CSO is vested in your success. Good luck and get ready to change pretty much everything you know about security. So take the first step RIGHT NOW, click on the link below - buy the book - and start on your own journey. You have nothing to lose, but the status quo (and a good amount of heartburn).
"No Bias. No Bull. Real
Incite."
© 2006-2007 Security Incite, a Geronimo Enterprises LLC company
© 2006-2007 Security Incite, a Geronimo Enterprises LLC company