The Pragmatic CSO

12 Steps to become a Pragmatic CSO

What’s your plan?

Today’s CSOs need a plan. You must execute on a structured program that keeps you focused on the Reasons to Secure. Showing the value of security to the organization and proving the safety of the computing environment to internal and external auditors are no longer optional activities; your longevity in the CSO position is directly related to how well you sell your strategy, show progress, and manage to your budget.

The Pragmatic CSO process has been designed to achieve these goals. It’s about economy of effort and leverage. You’ll be setting goals and systematically achieving them. You’ll define success within the context of your security program and you’ll show how you get there, every step of the way. It’s about protecting your environment, safeguarding your data, and communicating what you’ve done to the business leaders that need to know.



Section 1 – Plan to be Pragmatic

Step 1: Assess the Value of Your Business Systems

You can’t protect what you don’t know about, so the first step is to figure out what you have. Likewise, you don’t want to spend $50,000 protecting a $2,000 business system, so in Step 1 you talk to senior management and discern how important each system is to the operations of the business. Then you can figure out how much to invest in protecting it.

Step 2: Baseline Your Environment

If you don’t know where you are, it’s pretty unlikely you’ll know that you’ve made progress. In Step 2, you gather data to understand your current state, where your most significant exposures are, and how much work you need to do.

Step 3: Manage Expectations

Managing executive expectations is one of the most critical responsibilities of the CSO. You must be very clear about what you are going to accomplish and how you are going to do it. In Step 3, you see the power of speaking about security in the language of business, and how you can get everyone on the same page regarding what the security program does.

Section 2 – Build a Pragmatic Security Environment

Step 4: Build Your Security Business Plan

Every business needs a plan, and yours is no exception. In Step 4, you prepare a high-level business plan that lays out the reasons your security organization exists and presents a high-level architecture, committed service levels, and the milestones you plan to achieve.

Step 5: Sell the Story

You need money to secure anything. In Step 5, you package your business plan, its associated service levels, and its milestones, and sell the program to senior executives, getting the funding you need to protect your corporate assets.

Step 6: Procure the Solution

A structured procurement process is critical to getting the right products, at the right time, for the right price. In Step 6, you learn about Security Incite’s Buying Security Products methodology and how that should be applied to how you buy the products and services you need for the Pragmatic CSO process.

Section 3 – Run Your Security Organization Pragmatically

Step 7: Operate/Monitor

Now that parts of the solution are implemented, you need to make sure they’re doing what they’re supposed to. In Step 7, you learn how to fortify your perimeter defenses, what you should be monitoring, and how to navigate the change control process.

Step 8: Contain the Problem

Inevitably you will have a compromise or breach situation. Dealing with that will make the difference between a CSO with a job and one collecting unemployment. In Step 8, you learn how to recover as gracefully as possible and use a structured incident response process to make sure you live to fight another day.

Step 9: Train the Users

Users are the weakest link in the security chain, so all the technology in the world will not help if a user gives up a password to the bad guys. In Step 9, you learn why a structured user awareness training process is critical to educate users to think and act securely and avoid many of the easy attacks used every day.

Step 10: Assure Your Defenses

It doesn’t matter whether you say something is secure; you need third-party validation. In Step 10, you’ll engage third parties to try to penetrate your defenses, both to see where you are really exposed and to make the case for more funding.

Section 4 – Communicate your Value

Step 11: Benchmark Your Progress

Quantitative measurements prove your worth and ensure your program is moving in the right direction. In Step 11, you’ll benchmark your program by tracking the right metrics and comparing what you are doing with your peer group and other businesses your size.

Step 12: Comply without Going Nuts

Compliance with a variety of internal policies and legislative regulations is a critical aspect of every CSO’s job. In Step 12, you see how compliance is a by-product of implementing the Pragmatic CSO program, and how, by generating a set of hard-hitting reports, you can get the auditors out the door in a fraction of the time it used to take.

Of course, not all steps within the Pragmatic CSO methodology will make sense for your organization. You need to figure out for yourself how to build your own program to achieve your own goals. The Pragmatic CSO outlines a framework to kick-start your efforts, and you’ll also have an opportunity to participate in the web-based Pragmatic CSO community, which provides access to templates and discussion forums for each step in the process, as well as security research from Security Incite.

The key message you should take away is that you are not alone. Everyone involved in the Pragmatic CSO is vested in your success. Good luck, and get ready to change pretty much everything you know about security. So take the first step RIGHT NOW, click on the link below, buy the book, and start on your own journey. You have nothing to lose but the status quo (and a good amount of heartburn).

BUY the Book  Buy the PDF

"No Bias. No Bull. Real Incite."
© 2006-2007 Security Incite, a Geronimo Enterprises LLC company