So much catching up to do. I’ve been out of band the past few days due to the Mother Of All Ohio Security Events. I had a good time, meeting new folks and catching up with other friends - it’s just too bad that some of the better content was cut short, and some of the duller content was too long. But more on that later.
One of the best parts of the whole thing, for me, was the ISSA bringing in Mike Rothman to speak. We had a closed door session roundtable with Mike, a Pragmatic CSO presentation, and a session in which he moderated. You know, I’ve been meaning to give my thoughts on Pragmatic CSO and such for a while, and now seems like a very good time.
THE PRAGMATIC PRESENTATION
First, his presentation Thursday night was a highlight. Usually, infosec presentations are either high on FUD (guess what, we know that there are bad guys out there), particularly technical (I’m going to present a white paper), or somewhat esoteric to security management. Mike’s presentation was different.
Even if you weren’t a CSO, it was a humorous but topical presentation that left you nodding your head in agreement. Now it was a bit sales-y (he’s selling books, duh) but it was more entertaining than just a sales pitch for “why you need to buy my book”.
THE PRAGMATIC BOOK
First, I have to get this off my chest. Now maybe I’m the only aesthete in the infosec community, but if you’re reading this Mike, hire an illustrator for the next printing. Go to your local art school, find some struggling student with a really good portfolio and drop $500 for some better pretties.
That said, I see a whole world of people that could use the Pragmatic CSO *cough*. You know, the number of InfoSec MBAs is probably remarkably disproportionate to the number of InfoSec managers out there. There are a lot of firewall admins or mainframe security guys who have had the security manager hat placed on their head simply because they kind of knew that sort of thing already. There are entire industries where the move from security tech to manager is endemic *cough*. I had one guy tell me that the CEO just wanted to hire an ex-law enforcement kind of guy, and so this individual's background coupled with an MCSE made him the Director of Information Security.
But these days with laws, regulations, and real penalties, InfoSec groups (even groups of one) need real business management acumen. The Pragmatic CSO is a great book for getting the “network guy” started on the road to “real” CSO. Now you would think that this would only apply to the SMB market, but I actually know of enterprise managers that could really use some pragmatic help.
One potential downside I could see to the P-CSO's usefulness is a lack of follow-on. P-CSO the book is heavy on, “hey you need to be a business manager, and now here’s what business managers do” but light on, “and here’s how you do it as a nice repeatable process”.
Now I believe that Mike is working on this, but some sort of David Seah-esque notebook/binder/minder would be a really good additional product to the P-CSO to help focus the new manager on those “soft skill” tasks that are now part of their job description.
Who MUST Get This Book:
Technical people, now in a management role, who are frustrated that their companies don’t “get it”.
Who Can Skip This Book:
Most enterprise security department managers (unless you fit the profile above). Analysts whom those departments want to groom for management positions should be given a copy.
(via RiskAnalys.is)

May 22, 2007, 10:10am