Pragmatic CSO podcast

2:24

This week we'll focus on the 2nd half of Step 6: Buying Security Products, which get down and dirty in picking the product. We've already engaged with a long list of potential vendors (we discussed that last week) and now it's time to figure out what will work for you. Next we do a bake-off and actually test the products under real world conditions. Then we develop our short list (based on products that can meet the need), then we get to negotiate. Get out your bat because that's what you'll be using. Finally the selection should be obvious if you've done the other steps correctly. If you didn't get the Buying Security Products ebook , you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you. Running time: 6:56 Intro music is Jungle and to close the show I bust out a classic from the Pure Funk age called "Pick Up The Pieces" from the Average White Band. Yes, you remember it. Yes, you love it. Get funky!…

1
Pragmatic CSO Podcast #22 - Homework for Buying Security Products 2:26

17 years ago2:26

2:26

As we jump into Step 6: Buying Security Products, it makes sense to understand what kind of homework we are going to have to do prepare for the process. Remember, it's easy to buy something, it's hard to buy the right thing at the right time for the right price.So this week we discuss the first 4 steps of the Buying Security Products process I published back in 2006. The first step is to understand the business drivers for your project, then you assemble the team, then you educate YOURSELF on the market (don't let the vendors educate you), and only then are you ready to engage with a long list of vendors that can potentially meet the need.If you want to check out the Buying Security Products ebook , you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you.…

1
Pragmatic CSO Podcast #21 - Grass Roots Funding 3:12

17 years ago3:12

3:12

It's time to wrap up Step 5: Selling the Story. We finish the discussion by talking about how to get funding, when the budget monkeys have told you no. Basically we have to take a "grass roots funding" approach to go to the business leaders directly, make the case, and get the funding we need. It's kind of like selling cookies door to door. We have to be persistent and make the case as to why it would be a good purchase.This requires us to broaden our skills and likely move out of our comfort zone quite a bit. It's uncomfortable, but it's a good thing. Just remember to focus on the "customer" issues, and that the Reasons to Secure. The business leaders will respond to that. Ultimately you may not get the funding you need, but you won't go down like a whimpering puppy. You'll go down swinging, trying to do the right thing.Running time: 6:29Intro music is Jungle and I finish it up with Dire Straits "Money for Nothing," because that is an appropriate metaphor. There is no money for nothing. We have to work for it and sometimes that means being creative about the funding we can/should get.Photo Credit: weskimcom…

1
Pragmatic CSO Podcast #20 - The Sales Pitch 2:06

17 years ago2:06

2:06

July 30, 2008 - This week we talk about the sales pitch. This is the part that most security practitioners hate. Actually having to get in front of folks and ask for money. Although if you've followed the process up to now, then you should be in great shape to put together a compelling story and to deliver that message to the senior team.In this week's episode (can you believe it's #20 already?), I go into detail about how to structure the sales pitch and what you should discuss and why. We are reminded about what the goals are and also the importance of practice - especially if you are an inexperienced public speaker.Running time: 6:52Intro music is Jungle and since we are talking about making a "pitch" and it's the middle of summer (in the Northern Hemisphere anyway) I broke out John Fogerty's classic baseball anthem, "Centerfield." Enjoy!Photo Credit: XPLANE PS: My apologies for some spotty audio quality this week. You can hear everything, but I tried out a new headset and it didn't work out too well. Back to the old gear next week!…

1
Pragmatic CSO Podcast #19 - Resetting Expectations 2:01

17 years ago2:01

2:01

This week we continue with Step 5: Selling the Story by reiterating the need to manage expectations appropriately. As you know, this is a common theme throughout the Pragmatic CSO, but when we are selling senior management on the security program, strategy, outputs, milestones, and funding requirements - now is really the last time we'll have to truly set expectations. If you screw this up now, you will not be successful. Now is the time to stand firm with your milestones and what you can (and can't get done) given the funding scenarios (that we described last week). I use the old parable about the 3 envelopes to illustrate how you need to constantly go back and reset expectations based upon what is happening out there. Running time: 6:02 Intro music is Jungle and I'll wrap with the classic Steely Dan tune "Do it Again" because as many times as we think we are managing expectations, go back and do it again. It's very hard to manage expectations too much.…

1
Pragmatic CSO Podcast #18 - Finding the Bags of Money 2:07

17 years ago2:07

2:07

June 25, 2008 - This week we start into Step 5: Selling the Story by discussing funding scenarios. This is a technique that Pragmatic CSOs use to provide some alternatives and make the scenario we want (the likely one) a bit more tangible by providing alternatives.In the show, I discuss how to develop these scenarios using your Security Architecture Matrix and then why it's important to discuss what won't get done, as part of these funding scenarios.Running time: 6:20Intro music is Jungle and you are sent on your merry way with the fine sounds of "Put Your Money Where Your Mouth Is" from an Australian band called Jet. That's pretty appropriate because in Step 5 we ask the senior team to start writing checks, and then we'll figure out if they really will put up. Photo Credit: drewm…

1
Pragmatic CSO Podcast #17 - Back to the Future 2:20

17 years ago2:20

2:20

Finally we come to the end of the line on building the security business plan. It was a long time coming, but again this is the most important step in effecting long lasting change in your security organization. First I talk about defining the future state, and setting priorities relative to what you must have, should have, and is nice to have. Then it's all about setting up the migration plan, which needs to be in alignment with the timelines and milestones that we discussed last week. A lot of this stuff happens simultaneously, but it's very important to manage expectations appropriately at this stage of the game. Running time: 6:50 Intro music is Jungle and I'll let you go listening to the fine sounds of "Future says Run" from a band called Tonic. You may not have heard of Tonic, but you've heard a bunch of their songs. It's good stuff - if I do say so myself.…

1
Pragmatic CSO Podcast #16 - Time and Milestones 2:27

17 years ago2:27

2:27

This week we delve into the art of setting timelines and milestones within your business plan. After we discussed the importance of setting the bar (in terms of service levels), it's the timelines that really will determine your ultimate credibility with the senior team.Once you define the key timelines, it's also important to have a process to revisit the project plans and to communicate variances. You need to expect that some of the initiatives will run off the track a bit and ensure you are aggressive about communicating the issues. Running time: 7:05Intro music is Jungle and the exit music is "Time" from Pink Floyd. Like you expected anything else.…

1
Pragmatic CSO Podcast #15 - Setting the bar 2:18

17 years ago2:18

2:18

This week we talk about service levels within the context of your security business plan. That's right, this is about setting the bar. Too high and you can't get there and you will be viewed upon as a failure in the executive wing. Too low and you may open yourself up to a breach on your watch. So we are looking for something "just right." We also need to start thinking about how to quantify some of the stuff we are doing, and now is not the time to look for innovative means of pulling security metrics. We need to take some data the powers that be are already used to and then set some achievable service levels. Remember, this is about building credibility, not showing how cool you are. Running time: 6:50 Intro music is Jungle and the exit music is "Elevation" from U2.…

1
Pragmatic CSO Podcast #14 - Architecture vs. Design 2:19

17 years ago2:19

2:19

Ah the mysteries of architecture. I can remember back to my days in college at Cornell. We had a great architecture school, but those folks seemed like magicians. They weren't around too much and it seemed like they were doing cool things, we engineers just didn't understand what it was. Understanding how to build your security architecture isn't all that different. So this week, I delve into the nuances of architecture vs. design and also provide a brief description of the " Pragmatic Security Architecture ," (click on the link to see the picture) which is my attempt to break the world into some domains that make sense.The picture to the right is of the Cornell Architecture school, where they have a Dragon Day tradition that involves building a giant dragon and then marching over to the Engineering Quad and setting it on fire on the Arts Quad (I think). I guess there is rivalry between the two schools , but I was too busy funneling beers to notice.Running time: 6:53Intro music is Jungle and sign off with Sarah McLachlan's "Building a Mystery." The sad truth is that most of us don't really get how to build much of anything, and this security stuff is truly a mystery - so that seemed pretty fitting.…

1
Pragmatic CSO Podcast #13 - Digging Deeper into the Business Plan 2:30

17 years ago2:30

2:30

This week we are going to dig a bit deeper into the business plan and deal with the first two sections of the plan. Initially we need to POSITION our securirty organization. What are we doing and why is it important? Then we need to make our PRIORITIES very clear. What do we focus on first and why? The business plan is as much for them (meaning your senior executives and the like) as it is for you. So you need to start the plan off with a bunch of information about them, before you get back to what you are going to do.Running time: 6:45Intro music is Jungle and we end with Ben Folds' "Don't Change Your Plans." Obviously the plan must adapt given the dynamic nature of our businesses, but by building the plan with the customer in mind you won't be changing it based upon the way the wind blows.…

1
Pragmatic CSO Podcast #12 - Why do we need a business plan? 2:01

17 years ago2:01

2:01

This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4 or Building Your Security Business Plan. Why do we need a business plan anyway? What's the point?All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team.So, buckle up as we take off for the next leg of the P-CSO journey. Running time: 5:52Intro music is Jungle and I sign off with Acquiesce from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.…

1
Pragmatic CSO Podcast #11 - The Fixer 2:15

17 years ago2:15

2:15

This week I take another tangential journey to discuss a concept I call "The Fixer." You know, when a senior staffer is airlifted in to "fix" security. The Fixer knows how to get things done in your organization, and can certainly be viewed as a threat and as indicative of the fact that security is broken.How should you deal with the Fixer? Why is he (or she) there? Can you turn this into an advantage?Check out podcast #11 and find out... Running time: 6:40Intro music is Jungle and I sign off with the classic Kool and the Gang anthem "Jungle Boogie," which is the song I associate most with Pulp Fiction. Yes, that's where I stole the term "The Fixer."…

1
Pragmatic CSO Podcast #10 - It's So Easy 2:03

17 years ago2:03

2:03

April 16 2008 - Today I go on a bit of a tirade. Basically, just coming back from RSA - I'm a bit sensitive to vendor claims vs. reality. Thus, after I've been pounded by a webcast announcement from AlertLogic for the past week about "PCI Compliance made Easy." After I cleaned the puke off my desk, I needed to rant a bit. So this week's podcast is a little different. All rant, no filler.Here is the invite, so you have some context... The event is today, so you can figure out just how "easy" security is. Pre-Register for this Upcoming Webcast on SearchSecurity.com: * Simple & Affordable PCI Compliance with Alert Logic ==================================================================== VENDOR WEBCAST: Simple & Affordable PCI Compliance with Alert Logic ==================================================================== WHEN: LIVE! April 16, 2008 at 2:00 PM EDT (1800 GMT) SPEAKER: Nick Ignatiev, Sales Engineer, Alert Logic SPONSOR: Alert Logic http://go.techtarget.com/r/3435132/6133928 ABOUT THIS VENDOR WEBCAST: In this webcast, you will discover: * An easy solution for addressing the PCI DSS requirements for intrusion protection, vulnerability management, and log management * Strategies for compliance that don't strain employee or budget resources * The ways that your company can pass an audit quickly and easily * And more...…

1
Pragmatic CSO Podcast #9 - Making Deposits in the Credibility Bank 1:44

17 years ago1:44