23 episodes

The Pragmatic CSO podcast is a wide ranging discussion of information security topics, anchored by the 12-step Pragmatic CSO methodology to help security practitioners become more relevant in business operations.

Pragmatic CSO Podcast Mike Rothman

    • Technology

    Pragmatic CSO Podcast #23 - Picking the Right Product

    This week we'll focus on the 2nd half of Step 6: Buying
    Security Products, which gets down and dirty in picking the product.
    We've already engaged with a long list of potential vendors (we
    discussed that last week) and now it's time to figure out what will
    work for you.

    Next we do a bake-off and actually test the products under
    real world conditions. Then we develop our short list (based on
    products that can meet the need), then we get to negotiate. Get out
    your bat because that's what you'll be using. Finally the selection
    should be obvious if you've done the other steps correctly.

    If you didn't get the Buying
    Security Products ebook,
    you can sign up for the Daily Incite email newsletter. If you read TDI
    via a blog feed, just send me an email and I'll forward the guide over
    to you.



    Running time: 6:56

    Intro music is Jungle and to close the show I bust out a classic from
    the Pure Funk age called "Pick Up The Pieces" from the Average White
    Band. Yes, you remember it. Yes, you love it. Get funky! 

    • 2 min
    Pragmatic CSO Podcast #22 - Homework for Buying Security Products

    As we jump into Step 6: Buying Security Products, it makes sense to understand what kind of homework we are going to have to do to prepare for the process. Remember, it's easy to buy something, it's hard to buy the right thing at the right time for the right price.

    So this week we discuss the first 4 steps of the Buying Security Products process I published back in 2006. The first step is to understand the business drivers for your project, then you assemble the team, then you educate YOURSELF on the market (don't let the vendors educate you), and only then are you ready to engage with a long list of vendors that can potentially meet the need.

    If you want to check out the Buying Security Products ebook, you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you.

    • 2 min
    Pragmatic CSO Podcast #21 - Grass Roots Funding

    It's time to wrap up Step 5: Selling the Story. We finish the discussion by talking about how to get funding, when the budget monkeys have told you no. Basically we have to take a "grass roots funding" approach to go to the business leaders directly, make the case, and get the funding we need. It's kind of like selling cookies door to door. We have to be persistent and make the case as to why it would be a good purchase.

    This requires us to broaden our skills and likely move out of our comfort zone quite a bit. It's uncomfortable, but it's a good thing. Just remember to focus on the "customer" issues, and that the Reasons to Secure. The business leaders will respond to that. Ultimately you may not get the funding you need, but you won't go down like a whimpering puppy. You'll go down swinging, trying to do the right thing.

    Running time: 6:29

    Intro music is Jungle and I finish it up with Dire Straits "Money for Nothing," because that is an appropriate metaphor. There is no money for nothing. We have to work for it and sometimes that means being creative about the funding we can/should get.

    Photo Credit: weskimcom

    • 3 min
    Pragmatic CSO Podcast #20 - The Sales Pitch

    July 30, 2008 - This week we talk about the sales pitch. This is the part that most security practitioners hate. Actually having to get in front of folks and ask for money. Although if you've followed the process up to now, then you should be in great shape to put together a compelling story and to deliver that message to the senior team.

    In this week's episode (can you believe it's #20 already?), I go into detail about how to structure the sales pitch and what you should discuss and why. We are reminded about what the goals are and also the importance of practice - especially if you are an inexperienced public speaker.

    Running time: 6:52

    Intro music is Jungle and since we are talking about making a "pitch" and it's the middle of summer (in the Northern Hemisphere anyway) I broke out John Fogerty's classic baseball anthem, "Centerfield." Enjoy!

    Photo Credit: XPLANE

    PS: My apologies for some spotty audio quality this week. You can hear everything, but I tried out a new headset and it didn't work out too well. Back to the old gear next week!

    • 2 min
    Pragmatic CSO Podcast #19 - Resetting Expectations

    This week we continue with Step 5: Selling the Story by
    reiterating the need to manage expectations appropriately. As you know,
    this is a common theme throughout the Pragmatic CSO, but when we are
    selling senior management on the security program, strategy, outputs,
    milestones, and funding requirements - now is really the last time
    we'll have to truly set expectations.


    If you screw this up now, you will not be successful. Now is
    the time to stand firm with your milestones and what you can (and can't)
    get done given the funding scenarios (that we described last week). I
    use the old parable about the 3 envelopes to illustrate how you need to
    constantly go back and reset expectations based upon what is happening
    out there.





    Running time: 6:02



    Intro music is Jungle and I'll wrap with the classic Steely Dan tune
    "Do it Again" because as many times as we think we are managing
    expectations, go back and do it again. It's very hard to manage
    expectations too much. 

    • 2 min
    Pragmatic CSO Podcast #18 - Finding the Bags of Money

    June 25, 2008 - This week we start into Step 5: Selling the Story by discussing funding scenarios. This is a technique that Pragmatic CSOs use to provide some alternatives and make the scenario we want (the likely one) a bit more tangible by providing alternatives.

    In the show, I discuss how to develop these scenarios using your Security Architecture Matrix and then why it's important to discuss what won't get done, as part of these funding scenarios.

    Running time: 6:20

    Intro music is Jungle and you are sent on your merry way with the fine sounds of "Put Your Money Where Your Mouth Is" from an Australian band called Jet. That's pretty appropriate because in Step 5 we ask the senior team to start writing checks, and then we'll figure out if they really will put up. 

    Photo Credit: drewm

    • 2 min
