Posts

Better, Cheaper, Faster -- Can Your Cybersecurity Consultants Give You All Three?

The long-running joke in consulting is that there is better, cheaper, and faster -- pick two. I admit that I have muttered this same line in my consulting career. All consultants know that clients at times try to get more than what is specified in the contract -- sometimes unintentionally, for example by not understanding the contract. Sometimes clients intentionally try to get more than bargained for, faster, or for less; unfortunately that puts everyone in Alice's Wonderland. The Internet and television dramas, especially medical dramas, have exacerbated this problem. People believe that they can expect delivery overnight and that executing a project or getting results happens before the commercial break, certainly by the end of the two-part episode. We also all understand that this is not reality. But believing that things that are not real are in fact real is a human thing, also known as a cognitive bias. Cybersecurity requires better, cheaper, and faster. But wait you say, we jus...

Fear, Uncertainty, Dread, And You

Fear and uncertainty and dread sell. You have a lot to fear, there is always uncertainty, and therefore you dread. It's how your brain is wired. Don't fight it. Instead, manage it. Let's think about this from a cybersecurity perspective. Leaders or managers: Does your company have business dealings regarding socially controversial products (e.g., guns or alcohol or tobacco)? Does it have supply chains or significant exposure in "global hot spots" (Eastern Europe, "blood diamonds," use of potential child/slave labor, rare-earth minerals mining, or gas pipelines over tribal lands)? Does your company publicly support political causes/candidates? If so, your company can be targeted by people who are against that -- whatever that is. Investors: Does your model involve disrupting or closing business? Do you do business with countries with less than stellar reputations for, you know, human rights, etc.? If so, your company can be targeted by people who a...

What Does Pythia Cyber Do For the Investor (4 of 4)

(This post is the fourth in a series of four; the first post is general and the other posts are each directed at different roles: general, CEO, CISO.) This post is directed at anyone tasked with assessing a potential investment or acquisition. Once upon a time, Mergers & Acquisitions were the province of MBAs, with the occasional domain expert. Now it is hard to imagine effective Due Diligence without a hefty cybersecurity component. We provide that component. We give you the same kind of assessment and assurance in the cybersecurity domain that has long been standard in the finance domain. Pythia Cyber gives you much more than the usual letter grades on a "cybersecurity report card." We show you where the prospect is on a cybersecurity continuum and estimate what it would take to elevate their cybersecurity to whatever level you deem to be an appropriate investment. Our secret sauce is that we have a behavioral string to our bow: cybersecurity is as much about human behavior ...

What Does Pythia Cyber Do For the CISO (3 of 4)

(This post is the third in a series of four; the first post is general and the other posts are each directed at different roles: general, CEO, Investor.) This post is directed at you, the CISO or part-time CISO or fractional CISO or CTO or CIO or whatever your organization calls the person heading up cybersecurity. Why would you hire Pythia Cyber and if you did, what would you get for your money? What sets Pythia Cyber apart in the cybersecurity consulting space is that we have two areas of focus: classic cybersecurity and behavioral cybersecurity. We are structured this way because there is a large behavioral component to cybersecurity. In fact, there are two such components: the behavior of colleagues when they are users of technology and the conversations you should be having with senior management about cybersecurity. It is likely that your career before you got this job did not prepare you either to influence people you do not directly manage or to frame this...

What Does Pythia Cyber Do For the CEO? (2 of 4)

(This post is the second in a series of four; the first post is general and the other posts are each directed at different roles: general, CISO, Investor.) This post focuses on what Pythia Cyber sells to the CEO (and other members of the C-suite). In order to keep this description of what we do as concrete as possible, let us first define the goal that our services exist to reach: a rigorous and formal cybersecurity program (CSP) based on the NIST CSF. More specifically, we mean a CSP that does the following: extends Risk Management into the cyber domain (ID assets, risks to assets, policies for risks, procedures for policies); links senior management to cyber defenders in a formal way (management priorities, time and money, flow downward; monitoring results flow upward); and ensures that the Incident Response Plan is updated and validated. As a senior manager, you have two roles in the CSP: You validate the list of cyber assets and the priority of their protection. You overs...

What Does Pythia Cyber Do For You? (1 of 4)

(This post is the first in a series of four; the other posts are each directed at different roles: CEO, CISO, Investor.) Because Pythia Cyber does not fit into any standard management consulting box, we are often asked exactly what it is that we are selling. The answer to that question is much clearer if we answer another question first: to whom are we selling? We are selling to you if you have a vague feeling that you know you should be doing more in the way of cybersecurity, but you don't know what that would be. We are selling to you if you feel the ice getting a bit thin under your feet, but you are overwhelmed by the options. Maybe you are a relatively new organization that has put off getting serious about cybersecurity a bit too long. Maybe you are a growing organization that has prioritized growing over cybersecurity for a bit too long. However you got here, here is where you are: you need to take the next step but you do not know enough to know what the ne...

To Pay Or Not To Pay

One of our founders has been keeping track of who gets hacked in his on-going series "The Litany Of the Hacked." As he intended, this series has made me think more about who gets hacked and why. So I was horrified recently to hear a fellow cybersecurity professional describe his planned response to a theoretical ransomware attack as "ask the Board whether or not they want to pay it." He viewed this as a moral question for management, not a technical question to be addressed by his own Incident Response Plan. To my on-going horror, it is true that paying your way out of a ransomware attack is probably legal, depending on where you operate and some other circumstances. To quote the FBI themselves: "The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in thi...