I fear the AI hype and the groupthink of"the bad guys are using AI so we have to use AI" without an assessment, a plan and specific goals. Failing to plan is planning to fail after all. So I was surprised to hear from an experienced Risk Management executive that his conservative financial institution is using AI internally to bolster their cybersecurity stance. We discussed needing to make sure that once your pet AI is an expert on your weaknesses that it doesn't blab about them to the wrong people. He was pretty sure that they were keeping their AI in line and seemed to be doing all the right things to ensure that. I look forward to hearing more some day. In the meantime, let's review what AI can do for you, what it cannot and what it should not. Let The Buyer Beware Keep in mind the fact that training an AI is a difficult task and keeping one up-to-date is harder. Your choices for this are not great: have your AI get ever more out-of-date, carefully curate the in...

Of all the BORING parts of cybersecurity, or maybe of any process such as ruling in Medieval England, start the counter with governance. It's not why you went into comp sci or systems administration work or anything like that. Seems only like people who can't code go there. Surprise! This is one of the most important touchpoints a technical leader has with the organization. Remember, you may know how to code but the general managers in the organization do not -- and they know how to do governance.  In fact NIST didn't have governance originally on its CSF pillars list. But it's there now. Let's let Brendan discuss it : This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well. We hope that this official recognition of t...

It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again , assumptions are dangerous. Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong. A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious but teams also need a mission. Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF makes clear (e.g., here and here ), there are different parts of the mission. Different parts require different specializations. Formally put, there are six phases of the NIST CSF. We advise managers to not hire people to fill all size functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different tale...

There is an old military pilot's saying that sky diving is like practicing bleeding. The point is that bleeding is unpleasant, often unavoidable and something that you can probably just figure out as you go along, so why worry about it before then? Except that you absolutely should not just figure it out as you go along. You absolutely should know basic first aid and have an idea of how to stop bleeding should it occur. Alas, this same attitude often makes a hard job harder: implementing your  NIST CSF  Respond Plan or Recover Plan in the face of an outage. And yes, this is another example of how behavioral science greatly improves cybersecurity. Human beings avoid negative stimuli and seek out positive stimuli. We all know this, but many of us pretend that this isn't true or worse, that it isn't true of us or our team . But it is true and if you don't actively make this work for you it will absolutely work against you. What does this have to do with cybersecurity, you...

As part of our continuing series about how and why we bring behavioral science to cybersecurity let us consider that cybersecurity is a team sport. How so?  To start, your organization has a team engaged in direct competition with other teams. The other teams are criminals, vandals, spies and disasters such as hardware failure, software bugs and bad weather. Underestimate your competition at your peril. Like a sports team you cybersecurity team has members with different talents. This is fine because the game you are playing has different positions (roles) as laid out by the  NIST CSF : Identify--requires analytic skills to identify what is really important Protect--requires management to set priorities and IT understanding to make policy & procedure Detect--requires a dogged determination to remain vigilant at all times Respond--requires a good plan and the ability to execute under pressure in an ad hoc team Recover--requires a good plan and the ability to balance the co...

Building on our current elevator pitch this post will talk about how and why we apply behavioral science to the Identify pillar of the  NIST CSF . On the face of it, the Identity pillar is the pillar that everyone "gets" because it is so delightfully straightforward and lacking in veils of technological mystery: list all the digital assets your cybersecurity is supposed to protect. There are at least three complicating factors here when I watch this process in action in the wild: the problem of obviousness, the problem of obscurity and the problem of command. Each of these problems has their solution in behavioral science, not technology or methodology. What Is A Digital Asset? In this context, a digital asset is a data set or computer system that you need to do your job. Sounds pretty simple, doesn't it? The Obvious Is Not Always Obvious The commonplace gets overlooked, we all know this. This facet of human nature bites you twice in this process. First, you will tend to...