This week we are going to dig a bit deeper into the business plan and deal with the first two sections of the plan. Initially we need to POSITION our securirty organization. What are we doing and why is it important? Then we need to make our PRIORITIES very clear. What do we focus on first and why?

The business plan is as much for them (meaning your senior executives and the like) as it is for you. So you need to start the plan off with a bunch of information about them, before you get back to what you are going to do.

Running time: 6:45

Intro music is Jungle and we end with Ben Folds' "Don't Change Your Plans." Obviously the plan must adapt given the dynamic nature of our businesses, but by building the plan with the customer in mind you won't be changing it based upon the way the wind blows.

This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4 or Building Your Security Business Plan. Why do we need a business plan anyway? What's the point?

All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team.

So, buckle up as we take off for the next leg of the P-CSO journey.

Running time: 5:52

Intro music is Jungle and I sign off with Acquiesce from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.

This week I take another tangential journey to discuss a concept I call "The Fixer." You know, when a senior staffer is airlifted in to "fix" security. The Fixer knows how to get things done in your organization, and can certainly be viewed as a threat and as indicative of the fact that security is broken.

How should you deal with the Fixer? Why is he (or she) there? Can you turn this into an advantage?

Check out podcast #11 and find out...

Running time: 6:40

Intro music is Jungle and I sign off with the classic Kool and the Gang anthem "Jungle Boogie," which is the song I associate most with Pulp Fiction. Yes, that's where I stole the term "The Fixer."

April 16 2008 -

Today I go on a bit of a tirade. Basically, just coming back from RSA - I'm a bit sensitive to vendor claims vs. reality. Thus, after I've been pounded by a webcast announcement from AlertLogic for the past week about "PCI Compliance made Easy." After I cleaned the puke off my desk, I needed to rant a bit. So this week's podcast is a little different. All rant, no filler.

Here is the invite, so you have some context... The event is today, so you can figure out just how "easy" security is.

Pre-Register for this Upcoming Webcast on SearchSecurity.com:

* Simple & Affordable PCI Compliance with Alert Logic

====================================================================

VENDOR WEBCAST: Simple & Affordable PCI Compliance with Alert Logic

====================================================================

WHEN:    LIVE! April 16, 2008 at 2:00 PM EDT (1800 GMT)

SPEAKER: Nick Ignatiev, Sales Engineer, Alert Logic

SPONSOR: Alert Logic

        http://go.techtarget.com/r/3435132/6133928

ABOUT THIS VENDOR WEBCAST:

In this webcast, you will discover:

* An easy solution for addressing the PCI DSS requirements for

 intrusion protection, vulnerability management, and log management

* Strategies for compliance that don't strain employee or budget

 resources

* The ways that your company can pass an audit quickly and easily

* And more...

This week we wrap up our stop in Step 3: Managing Expectations by talking about the long term plan. The first step of the managing expectations presentation is all about providing the context of the program and educating the senior team about why it's important. Then next step is about triage. Based on the baseline, what are the most important things that need to be tackled RIGHT NOW. Finally, we are in a position to start accepting responsibility for the long term success of the security program and ensure they senior team understands YOU are accountable for it's results. This final aspect of the presentation is all about mapping out the next few steps, setting milestones and starting to make those deposits in the credibility bank.

Running time: 5:22

Intro music is Jungle and I sign off with Madness' "Our House," mostly because today is the first day of the NCAA basketball tournament, so there is a lot of March Madness going around Incite Central.

This week we continue our journey through Step 3: Managing Expectations and talk about how to present the "bad news," as part of your efforts to ensure the senior team knows what you are up to and why. The triage part of the discussion is also pretty important because it will indicate whether you have a snowball's chance in hell of actually making progress on the program. If you can't get agreement on the 2 or 3 things you think are most important to do TODAY - then it doesn't bode well for the stuff you want to do tomorrow and the day after that.

Running time: 6:27

Intro music is Jungle (get used to it, it's not changing unless the copyright police come to visit), and we finish up with a live excerpt of Bon Jovi's "Bad Medicine," since that's the news we tend to deliver during triage. 

This week we dive into Step 3: Managing Expectations and investigate why one of the most important things a security professional can do is to give the senior team the PERCEPTION that you're in CONTROL of the situation. Reality means little, perception means everything.

A couple of the topics covered include:
- Why managing expectations around security is hard
- How to provide context about what a security program is about
- The 3 most important ideas to convincing someone you have your act together.

Running time: 6:35

Intro music is Jungle, and we send you on your merry way with Alice Cooper's "School's Out."

This week we wrap up on Step 2: Taking the Baseline by being candid with ourselves and really understanding if we have a skills gap. This is one of the most brutal parts of being a manager, but it needs to be done.

I refer to a few books from the Gallup Organization, so you can understand what may be a different way of thinking about management. First, Break All the Rules and Now, Discover Your Strengths.

I don't have to manage much of anything nowadays, but these resources and philosophy were instrumental in being able to build great teams when I had to, and at the end of the day if you team isn't great - you can't be.

Running time: 6:57

Next week, we'll start up with Step 3: Managing Expectations.

Photo credit: Márcio Cabral de Moura

This week, we continue our journey through Step 2: Baseline Your Environment. Here are a couple of the topics covered:

Finding the holes in your perimeter

Looking at your applications (the most IMPORTANT one's anyway)

The softer side of security: User perception and user awareness

Also make sure to listen for Dr. No. He makes a special guest appearance in today's show.

Time: 5:43

Intro music is Jungle and I sign off with Ozzy's No More Tears. Yes, one of the classic bass lines in rock.

Image credit: hello_heiko

February 8, 2008:
This week's show starts to delve into Step 2: Establishing the Baseline.

Why you need to do this, what you are trying to achieve, and a little bit on policies (such as a monitoring policy and a communications plan).

Intro music is once again "Welcome to the Jungle" and I send you on your way with Aerosmith's "Get a Grip," since that is what taking the baseline is all about.