Tips for Being a Pragmatic CSO

October 21, 2015 by Joey Cusimano

The cybersecurity landscape is ever-changing, with new threats and technologies appearing every single day. There are more data breaches than ever, more compliance guidelines, and more new technology to secure in the workplace that has the potential to be misused by untrained employees. So why, then, does senior management tend to see security as an overhead function? How can CSOs convince them that security is important and worth the budget needed to adequately protect their critical business systems? How can users be trained in a way that convinces them of the importance of secure practices in their job function? Mike Rothman addresses these issues and more in his book, “The Pragmatic CSO”. Here are a couple of key takeaways from the book that any CSO should heed:

#1: Find Out What Is Most Important to the Company

Communication is a core part of the CSO role. Above all, CSOs need to communicate with the company’s business leaders to find out which systems matter most to them. This includes the other chief executives, but can also include the managers who lead sales, marketing, and other departments in the company. By knowing what matters to company leaders, CSOs can think about security in a business context and focus on protecting the systems the business needs to operate. By talking to senior management and the VPs of other departments, CSOs can rank business systems in order of their importance to the company’s business processes and determine which systems warrant the most attention and budget.

#2: Educate Users in Security

While end users will always make mistakes and cause security incidents, that is no reason to take shortcuts or procrastinate when it comes to their training. As soon as employees are hired, educate them about acceptable behavior on company machines, common risks (give an example of a phishing email), what to do in case they suspect a security issue, and what the consequences are if they fail to follow security policies set forth by the company. Allow employees to complete the training at their own pace online, and inform them of an incentive for doing so and a consequence for not doing so. Training can be done as needed, but should be done at least once a year for all users. Track progress and results to present the effectiveness to senior management and to justify training frequency. If training occurs 4 times a year due to users not “getting it”, change things up and show your results to prove what you’re doing has worked!

#3: Have a Detailed Incident Response Plan

While it would be nice to never have any incidents, the reality is that one will eventually happen. Have a detailed incident response plan prepared and reviewed/approved by senior management, and make sure it includes who to notify of an incident and when – once a situation introduces potential corporate liability, other people such as the General Counsel and the CEO need to get involved. Who is notified and when will vary by organization, but be sure to include law enforcement in your considerations.

Follow the plan closely during incidents, but deviate if necessary. If your security team deviates from the plan, make sure they record a full explanation of why the plan wasn’t appropriate for the situation. Train your security team on the incident response plan, and discuss the reasons they may need to deviate from it in order to protect the company. Make sure your team knows they need to do whatever it takes to contain the issue, and that they may have to decide in the moment whether to follow the exact plan, without time to get management approval. This is why team training is especially important. The CSO may take heat or receive praise for choices made to stop an incident, and strong team training ensures CSOs are prepared to stand behind the actions of their security team. Any response should be carefully documented and explained. CSOs risk becoming scapegoats if they cannot justify their actions during an incident, which can happen from not following the incident response plan or from following one that no one else in the company knew about. Above all, they need to be honest about what happened, what is being done to contain the situation, and how bad it looks – doing this from the start can save a CSO’s credibility and prevent later accusations that the CSO didn’t properly communicate during the incident.

To learn the entire 12-step process to being a Pragmatic CSO, visit Mike Rothman’s website:

Joey Cusimano is currently a Software Engineer Intern at Thycotic while also pursuing a degree in Cyber and Information Security from Capitol Technology University. He participates regularly in security competitions such as National Cyber League and the Collegiate Cyber Defense Competition. When not thinking about IT security, he claims tinkering with Ford Mustangs as his guilty pleasure.