And eventually -- it stops. They move on. You are victorious, but frazzled. Now is the time to take stock, rebuild relationships, and prepare for the next engagement. Time for the final NIST CSF pillar, Recover. Let's let Brendan discuss it : Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You have time pressure, almost always, but there is rather less of it. The cybersecurity crisis is over, but if you need to keep your systems down for the recovery, then the operations crisis has just begun: how long can the downtime continue, in the name of preventing future problems and gathering evidence? The answer depends on your situation. Your ability to arrive at that answer often depends on how well thought-out your IRP is. Recover should always end with a review that considers how to be better in the future. This is a crucial step to making you safer than you were before. It is very common to just want...

It's time to break the glass -- don't just stand there, do something! This is no time to find out whether your cybersecurity governance is adequate, or whether you have identified all the right assets, or whether your protection protocols are in place. Your systems have detected a problem and it's time for action. Let's let Brendan discuss it : Both the Respond pillar the Recover pillar are unlike the other three, they are triggered by an incident and different from the other steps because the other steps are part of normal operations. Respond and Recover also always happen in tandem, which is why we group them together as part of the Incident Response Plan (IRP). The IRP formalizes incident handling, so that everyone knows what their role is in advance. The IRP covers both the Respond step (halting the problem and trying to restore normal operations) and the Recover step (undoing as much of the damage as possible, preventing a recurrence). The IRP gives us a Respond ch...

  Detecting cyber-intrusions or threats to information systems falls naturally in the NIST CSF sequence after you've identified what assets you're going to defend and you've developed a process to defend those assets. Let's let Brendan discuss detection : The Detect pillar is where daily Cybersecurity operations come into play. Someone has to do the monitoring, and not simply watch the events go by, but confirm that the activity being monitored is either expected or appropriate. Most importantly, the Detect step is about separating the worrisome from the normal, and then taking appropriate action to either confirm that there is an issue or to discover that there is a good explanation. If there is a problem, then we have “an incident” so we go to the Respond pillar (and Incident Response Plan (IRP)). As part of Detect, you gather evidence. Sometimes the evidence shows you that all is well. Sometimes the evidence shows you that something odd is happening. Sometimes the ev...

Cybersecurity fundamentally is about managing risks to information system assets through the protection of those assets. Sure, there are many parts and processes related to protection but it's the core ethos of cybersecurity. Let's let Brendan discuss it : As we covered in the first post in this series, the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). The Protect pillar is mitigating each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called “a control” and we say that the Protect pillar “assigns a control to each risk.” A control should produce evidence that it is working, otherwise monitoring that control is difficult and overseeing the monitoring is impossible. It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networ...

  This is Part 2 of our series on mapping the Pythia Cyber Cybersecurity Leadership Talent Stack to the NIST CSF 2.0 pillars*. Part 1, on mapping cybersecurity leadership talent to Governance, is here .  Maybe the most obvious part of cybersecurity is identifying what needs protecting. This is where the NIST CSF starts also.  Let's let Brendan discuss it : The Identify pillar identifies cyber assets (just “asset” henceforth) which are on the "Must Protect Now" list. We recommend that, as you go along, you keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn’t there a single Asset List? Because no one has all the time and money and experts that they could possibly need to protect anything and everything of value to their organization. What is an asset in this context? An asset has to meet all of these requirements: An asset is “critical” by which we mean its absence would severely limit operations (It can be tricky to distinguish...

Today is a day in the US to celebrate the Emancipation Proclamation . The commemoration started in Texas because it took from 1 January 1863 until 19 June 1865 for the news to reach Texas that slaves were freed. Why that long? Because -- Texas. Also there was a war and Texas was a Rebel state, and there was no Internet. And DC is a long ways away from Galveston, TX where the news was announced. Here are two lessons to take from this holiday. First, all people are created equal. Sure, some are taller, some better at coding, others more empathetic or better-looking or more adept at poetry. But we're all equal.  "Buit wait!," you exclaim, "Isn't that what the Declaration of Independence says and not the Emancipation Proclamation?" We'll get to the DoI in a few weeks but think of it this way. The Declaration of Independence does indeed capture the novel idea that "We hold these truths to be self-evident, that all men are created equal, that they are en...