I am a fan of sketchplanations.com  in general and this sketch in particular caught my eye for two reasons. First, I love me some hair-splitting (ask me about the difference between "virulent pathogens" and "infectious pathogens"). Second, this gives me a great way to talk about a big deal in cybersecurity. Before diving into that big deal I want to apply the point of the sketch to cybersecurity. The field of cybersecurity is a branch of Risk Management. The people running the organization have to set priorities and budgets. The people running the organization have to sign off on the policies which decide which risks are worth mitigating. The people running cybersecurity have to write procedures which implement those policies and then police activity to ensure that the procedures are active and effective. By analogy, the policies are accuracy: are you trying to protect what you need protected? The procedures are precision: are you effectively protecting whatever it ...

Everyone wants to be successful. Defining what "success" is may vary person to person, and deciding whether someone is successful may not be up to any of us, but we can find contentment and professional pride in everyday work over a career.  It's very difficult to define success in a career such as cybersecurity apart from the big picture issue of "nothing happened." Ultimately, if "nothing happens" you are successful, because nothing bad happened. But for cybersecurity, "nothing bad happened" is not the same as "nothing happened." In fact "nothing bad happened" because something good happened in cybersecurity. Lots of "something" may be happening as a matter of fact and success means that none of it resulted in a win for your adversaries. Lack of IT or cyber-systems failure is a sign that your cyber-defense processes performed well. Let's focus on that. Cybersecurity is the process by which you create maximu...

We read a recent post by Tracy Lawrence that gave us hope for a better cybersecurity leadership hiring process...until the end. But the journey through her post is worth your time as long as you take a detour. As Tracy  notes : For decades, a long track record has been the gold standard for executive hiring. In today’s disruptive business environment, over-indexing on experience may actually be working against you. As an executive recruiter and CEO coach, I’ve seen the same well-intentioned mistake play out more times than I can count. Boards and senior teams filling critical leadership roles focus on the candidate with the deepest industry background, the longest tenure, the most impressive titles. They’ve ‘seen it all before.’ On paper, they look like exactly the right hire. Then, six months in, the organization is struggling. The new leader keeps reaching for solutions that worked in their last job, even though the current business environment has moved past them. Go Tracy Go! ...

The United States of America has taken military action against the Islamic Republic of Iran. Unforeseen or unforeseeable? In the cybersecurity context, it doesn't really matter: either you were prepared for this or you were prepared for something like this or you have the talent and bandwidth to pivot or you are a cautionary tale waiting to happen. By "something like this" I mean the risk of cyber attacks from foreign operatives as opposed to criminals or vandals. Vandals are mostly thrill-seeking. Criminals want to get money. Operators want to either lurk or disable your systems. Vandals are often as unsophisticated in their thinking as they are sophisticated in their hacking. It has been a long time since they were the top threat. Just keep your defenses up-to-date and your monitoring current and you should be able to keep them out. Criminals are getting every more sophisticated in their scams and their use of stolen information. But they don't want to get caught an...

When you as a cyber-professional think of planning for war, you probably have in mind some order of battle map such as the one above. It shows the front lines, terrain, forces in opposition, troop movements, etc.  Your thought process is wrong. And, when you as a cyber-professional think of war you probably think of engaging with the enemy and taking and holding territory, or bombing, or drones and missiles. Well that thought process is wrong too.  But you're in a war anyway. How is it going for you? War is serious business and cyber-warfare is not like other wars, especially when you're almost always on defense at all times. All of us have models, scripts, or even memories based on experience and education for endeavors such as wars. These models and scripts come from family lore, movies, books, military service, and so on. They are all valid as far as that goes. Problem is, you're in a cyber-war and you don't have a model or script, probably not even personal experien...

You get hacked. What can Pythia Cyber do for you? Once you have addressed the immediate problem and then done what you can to repair the damage, it is time to figure out what happened. That is when we can help. (If you follow the NIST CSF, we come in right after the Recover phase .) In the Respond phase you address the immediate problem. In the Recover phase you do what you can to repair the damage. Then you fight off the temptation to rest and you go back to the Identify phase because you need to figure out what went wrong so you can make sure that it doesn't happen again. As part of that investigation you have a very important question to answer: was the root of your problem systemic or not ? This should involve a top-to-bottom review of your cybersecurity program. It is tempting to keep this in-house--who wants to air their dirty laundry?--but we recommend an objective, external, expert observer. "Expert" is obvious. "External" because...