Posts

Mapping Leadership Talent To Cybersecurity: Part 6, Recover

And eventually -- it stops. They move on. You are victorious, but frazzled. Now is the time to take stock, rebuild relationships, and prepare for the next engagement. Time for the final NIST CSF pillar, Recover. Let's let Brendan discuss it: Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You have time pressure, almost always, but there is rather less of it. The cybersecurity crisis is over, but if you need to keep your systems down for the recovery, then the operations crisis has just begun: how long can the downtime continue, in the name of preventing future problems and gathering evidence? The answer depends on your situation. Your ability to arrive at that answer often depends on how well thought-out your IRP is. Recover should always end with a review that considers how to be better in the future. This is a crucial step to making you safer than you were before. It is very common to just want...

Mapping Leadership Talent To Cybersecurity: Part 5, Respond

It's time to break the glass -- don't just stand there, do something! This is no time to find out whether your cybersecurity governance is adequate, or whether you have identified all the right assets, or whether your protection protocols are in place. Your systems have detected a problem and it's time for action. Let's let Brendan discuss it: Both the Respond pillar and the Recover pillar are unlike the other three: they are triggered by an incident, whereas the other steps are part of normal operations. Respond and Recover also always happen in tandem, which is why we group them together as part of the Incident Response Plan (IRP). The IRP formalizes incident handling, so that everyone knows what their role is in advance. The IRP covers both the Respond step (halting the problem and trying to restore normal operations) and the Recover step (undoing as much of the damage as possible, preventing a recurrence). The IRP gives us a Respond ch...

Mapping Leadership Talent To Cybersecurity: Part 4, Detect

Detecting cyber-intrusions or threats to information systems falls naturally in the NIST CSF sequence after you've identified what assets you're going to defend and you've developed a process to defend those assets. Let's let Brendan discuss detection: The Detect pillar is where daily cybersecurity operations come into play. Someone has to do the monitoring, and not simply watch the events go by, but confirm that the activity being monitored is either expected or appropriate. Most importantly, the Detect step is about separating the worrisome from the normal, and then taking appropriate action to either confirm that there is an issue or to discover that there is a good explanation. If there is a problem, then we have "an incident" so we go to the Respond pillar (and the Incident Response Plan (IRP)). As part of Detect, you gather evidence. Sometimes the evidence shows you that all is well. Sometimes the evidence shows you that something odd is happening. Sometimes the ev...

Mapping Leadership Talent to Cybersecurity: Part 3, Protect

Cybersecurity fundamentally is about managing risks to information system assets through the protection of those assets. Sure, there are many parts and processes related to protection, but it's the core ethos of cybersecurity. Let's let Brendan discuss it: As we covered in the first post in this series, the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). The Protect pillar is mitigating each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called "a control" and we say that the Protect pillar "assigns a control to each risk." A control should produce evidence that it is working, otherwise monitoring that control is difficult and overseeing the monitoring is impossible. It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networ...

Mapping Leadership Talent To Cybersecurity: Part 2, Identify

This is Part 2 of our series on mapping the Pythia Cyber Cybersecurity Leadership Talent Stack to the NIST CSF 2.0 pillars*. Part 1, on mapping cybersecurity leadership talent to Governance, is here. Maybe the most obvious part of cybersecurity is identifying what needs protecting. This is where the NIST CSF starts also. Let's let Brendan discuss it: The Identify pillar identifies cyber assets (just "asset" henceforth) which are on the "Must Protect Now" list. We recommend that, as you go along, you keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn't there a single Asset List? Because no one has all the time and money and experts that they could possibly need to protect anything and everything of value to their organization. What is an asset in this context? An asset has to meet all of these requirements: An asset is "critical," by which we mean its absence would severely limit operations (It can be tricky to distinguish...

Happy Juneteenth!

Today is a day in the US to celebrate the Emancipation Proclamation. The commemoration started in Texas because it took from 1 January 1863 until 19 June 1865 for the news to reach Texas that slaves were freed. Why that long? Because -- Texas. Also there was a war and Texas was a Rebel state, and there was no Internet. And DC is a long way away from Galveston, TX, where the news was announced. Here are two lessons to take from this holiday. First, all people are created equal. Sure, some are taller, some better at coding, others more empathetic or better-looking or more adept at poetry. But we're all equal. "But wait!," you exclaim, "Isn't that what the Declaration of Independence says and not the Emancipation Proclamation?" We'll get to the DoI in a few weeks, but think of it this way. The Declaration of Independence does indeed capture the novel idea that "We hold these truths to be self-evident, that all men are created equal, that they are en...

AI-Augmented Cybersecurity: They Use It So We Use It?

I fear the AI hype and the groupthink of "the bad guys are using AI so we have to use AI" without an assessment, a plan and specific goals. Failing to plan is planning to fail, after all. So I was surprised to hear from an experienced Risk Management executive that his conservative financial institution is using AI internally to bolster their cybersecurity stance. We discussed needing to make sure that once your pet AI is an expert on your weaknesses, it doesn't blab about them to the wrong people. He was pretty sure that they were keeping their AI in line and seemed to be doing all the right things to ensure that. I look forward to hearing more some day. In the meantime, let's review what AI can do for you, what it cannot and what it should not. Let The Buyer Beware: Keep in mind the fact that training an AI is a difficult task and keeping one up-to-date is harder. Your choices for this are not great: have your AI get ever more out-of-date, carefully curate the in...