The Ashimmy Blog

Section 1 – Plan to be Pragmatic

Step 1: Assess the Value of Your Business Systems

You
can’t protect what you don’t know about, so the
first step is to figure out what you have. Likewise, you
don’t want to spend $50,000 protecting a $2,000 business
system, so in Step 1 you talk to senior management and discern how
important each system is to the operations of the business. Then you
can figure out how much to invest in protecting it.

Step
2: Baseline Your Environment

If
you don’t know where you are, it’s pretty unlikely
you’ll know that you’ve made progress. In Step 2,
you gather data to understand your current state, where your most
significant exposures are, and how much work you need to do.

Step
3: Manage Expectations

Managing
executive expectations are the most critical responsibilities of the
CSO. You must be very clear about what you are going to accomplish and
how you are going to do it. In Step 3 you see the power of speaking
security in the language of business, and how you can get everyone on
the same page regarding what the security program does.

Section
2 – Build a Pragmatic Security Environment

Step 4: Build Your Security Business Plan

Every business needs a plan, and yours is no exception. In Step 4, you
prepare a high-level business plan, laying out the reasons your
business exists and presents a high level architecture, committed
service levels, and the milestones that you plan to achieve.

Step 5: Sell the Story

You need money to secure anything, in Step 5 you package your business
plan, associated service levels and milestones and sell the program to
senior executives getting the funding you need to protect your
corporate assets.

Step 6: Procure the Solution

A structured procurement process is critical to getting the right
products, at the right time, for the right price. In Step 6, you learn
about Security Incite’s Buying Security Products methodology
and how that should be applied to how you buy the products and services
you need for the Pragmatic CSO process.

Section 3 – Run Your Security Organization
Pragmatically

Step 7: Operate/Monitor

Now that parts of the solution are implemented, you need to make sure
they’re doing what they’re supposed to. In Step 7,
you learn how to fortify your perimeter defenses, what you should be
monitoring, and how to navigate the change control process.

Step 8: Contain the Problem

Inevitably you will have a compromise or breach situation. Dealing with
that will make the difference between a CSO with a job and one
collecting unemployment. In Step 8, you learn how to recover as
gracefully as possible and use a structured incident response process
to make sure you live to fight another day.

Step 9: Train the Users

Users are the weakest link in the security chain, so all the technology
in the world will not help if a user gives up a password to the bad
guys. In Step 9, you learn why a structured user awareness training
process is critical to educate users to think and act securely and
avoid many of the easy attacks used every day.

Step 10: Assure Your Defenses

It doesn’t matter if you say something is secure, you need
third-party validation. In Step 10, you’ll engage third
parties to try to penetrate your defenses, both to see where you are
really exposed and also to make the case for more funding.

Section 4 – Communicate your Value

Step 11: Benchmark Your Progress

Quantitative measurements prove your worth and ensure your program is
moving in the right direction. In Step 11, you’ll
benchmarking your program by tracking the right metrics and comparing
what you are doing relative to your peer group and other businesses
your size.

Step 12: Comply without Going Nuts

Compliance with a variety of both internal policies and legislative
regulations is a critical aspect of every CSO’s job. In Step
12, you see how compliance is a benefit of implementing the Pragmatic
CSO program and how by generating a set of hard-hitting reports, the
auditors will be gone in a fraction of the time it used to take.