Wed, 28 May 2008 This week we talk about service levels within the context of your security business plan. That's right, this is about setting the bar. Too high and you can't get there and you will be viewed as a failure in the executive wing. Too low and you may open yourself up to a breach on your watch. So we are looking for something "just right." We also need to start thinking about how to quantify some of the stuff we are doing, and now is not the time to look for innovative means of pulling security metrics. We need to take some data the powers that be are already used to and then set some achievable service levels. Remember, this is about building credibility, not showing how cool you are.
Running time: 6:50
Thu, 22 May 2008 Ah, the mysteries of architecture. I can remember back to my days in college at Cornell. We had a great architecture school, but those folks seemed like magicians. They weren't around too much and it seemed like they were doing cool things; we engineers just didn't understand what they were. Understanding how to build your security architecture isn't all that different. So this week, I delve into the nuances of architecture vs. design and also provide a brief description of the "Pragmatic Security Architecture" (click on the link to see the picture), which is my attempt to break the world into some domains that make sense. The picture to the right is of the Cornell Architecture school, where they have a Dragon Day tradition that involves building a giant dragon and then marching over to the Engineering Quad and setting it on fire on the Arts Quad (I think). I guess there is rivalry between the two schools, but I was too busy funneling beers to notice. Running time: 6:53 Intro music is Jungle and sign off with Sarah McLachlan's "Building a Mystery." The sad truth is that most of us don't really get how to build much of anything, and this security stuff is truly a mystery - so that seemed pretty fitting.
Wed, 14 May 2008 This week we are going to dig a bit deeper into the business plan and deal with the first two sections of the plan. Initially we need to POSITION our security organization. What are we doing and why is it important? Then we need to make our PRIORITIES very clear. What do we focus on first and why? The business plan is as much for them (meaning your senior executives and the like) as it is for you. So you need to start the plan off with a bunch of information about them, before you get back to what you are going to do. Running time: 6:45 Intro music is Jungle and we end with Ben Folds' "Don't Change Your Plans." Obviously the plan must adapt given the dynamic nature of our businesses, but by building the plan with the customer in mind you won't be changing it based upon the way the wind blows.
Wed, 7 May 2008 This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4 or Building Your Security Business Plan. Why do we need a business plan anyway? What's the point? All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team. So, buckle up as we take off for the next leg of the P-CSO journey. Running time: 5:52 Intro music is Jungle and I sign off with Acquiesce from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.

