It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again , assumptions are dangerous. Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong. A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious but teams also need a mission. Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF makes clear (e.g., here and here ), there are different parts of the mission. Different parts require different specializations. Formally put, there are six phases of the NIST CSF. We advise managers to not hire people to fill all size functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different tale...

There is an old military pilot's saying that sky diving is like practicing bleeding. The point is that bleeding is unpleasant, often unavoidable and something that you can probably just figure out as you go along, so why worry about it before then? Except that you absolutely should not just figure it out as you go along. You absolutely should know basic first aid and have an idea of how to stop bleeding should it occur. Alas, this same attitude often makes a hard job harder: implementing your  NIST CSF  Respond Plan or Recover Plan in the face of an outage. And yes, this is another example of how behavioral science greatly improves cybersecurity. Human beings avoid negative stimuli and seek out positive stimuli. We all know this, but many of us pretend that this isn't true or worse, that it isn't true of us or our team . But it is true and if you don't actively make this work for you it will absolutely work against you. What does this have to do with cybersecurity, you...

As part of our continuing series about how and why we bring behavioral science to cybersecurity let us consider that cybersecurity is a team sport. How so?  To start, your organization has a team engaged in direct competition with other teams. The other teams are criminals, vandals, spies and disasters such as hardware failure, software bugs and bad weather. Underestimate your competition at your peril. Like a sports team you cybersecurity team has members with different talents. This is fine because the game you are playing has different positions (roles) as laid out by the  NIST CSF : Identify--requires analytic skills to identify what is really important Protect--requires management to set priorities and IT understanding to make policy & procedure Detect--requires a dogged determination to remain vigilant at all times Respond--requires a good plan and the ability to execute under pressure in an ad hoc team Recover--requires a good plan and the ability to balance the co...

Building on our current elevator pitch this post will talk about how and why we apply behavioral science to the Identify pillar of the  NIST CSF . On the face of it, the Identity pillar is the pillar that everyone "gets" because it is so delightfully straightforward and lacking in veils of technological mystery: list all the digital assets your cybersecurity is supposed to protect. There are at least three complicating factors here when I watch this process in action in the wild: the problem of obviousness, the problem of obscurity and the problem of command. Each of these problems has their solution in behavioral science, not technology or methodology. What Is A Digital Asset? In this context, a digital asset is a data set or computer system that you need to do your job. Sounds pretty simple, doesn't it? The Obvious Is Not Always Obvious The commonplace gets overlooked, we all know this. This facet of human nature bites you twice in this process. First, you will tend to...

Like everyone else, we get asked "what's your elevator pitch?" We always have one, but we find it a useful exercise to revisit and revise ours to better fit this ever-changing world of cybersecurity. Here is our latest elevator pitch.

A previous post decried the sad state of the common company-wide mandatory annual cybersecurity training. This training is ineffective and sometimes even counterproductive. We say "counterproductive" in that it reduces cybersecurity awareness to mindless adherence to simple rules such as "don't click on stuff in email." In that post we talked about what we feel such training should contain . In this post we will describe what we feel such training should achieve . Cybersecurity training for the masses should enlist those masses in the cybersecurity cause. Instead of hoping that people don't do anything dangerous the goal should be reports of oddness, of the unexpected or the strange. As dull as it sounds, looking into the odd, the unexpected or the strange is a great way to track down actual problems. For example I recently saw an email that was very sophisticated  spear phishing attack. This email was shown to me as a curiosity by another IT professional....