Cybersecurity fundamentally is about managing risks to information system assets through the protection of those assets. Sure, there are many parts and processes related to protection but it's the core ethos of cybersecurity. Let's let Brendan discuss it : As we covered in the first post in this series, the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). The Protect pillar is mitigating each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called “a control” and we say that the Protect pillar “assigns a control to each risk.” A control should produce evidence that it is working, otherwise monitoring that control is difficult and overseeing the monitoring is impossible. It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networ...

  This is Part 2 of our series on mapping the Pythia Cyber Cybersecurity Leadership Talent Stack to the NIST CSF 2.0 pillars*. Part 1, on mapping cybersecurity leadership talent to Governance, is here .  Maybe the most obvious part of cybersecurity is identifying what needs protecting. This is where the NIST CSF starts also.  Let's let Brendan discuss it : The Identify pillar identifies cyber assets (just “asset” henceforth) which are on the "Must Protect Now" list. We recommend that, as you go along, you keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn’t there a single Asset List? Because no one has all the time and money and experts that they could possibly need to protect anything and everything of value to their organization. What is an asset in this context? An asset has to meet all of these requirements: An asset is “critical” by which we mean its absence would severely limit operations (It can be tricky to distinguish...

Today is a day in the US to celebrate the Emancipation Proclamation . The commemoration started in Texas because it took from 1 January 1863 until 19 June 1865 for the news to reach Texas that slaves were freed. Why that long? Because -- Texas. Also there was a war and Texas was a Rebel state, and there was no Internet. And DC is a long ways away from Galveston, TX where the news was announced. Here are two lessons to take from this holiday. First, all people are created equal. Sure, some are taller, some better at coding, others more empathetic or better-looking or more adept at poetry. But we're all equal.  "Buit wait!," you exclaim, "Isn't that what the Declaration of Independence says and not the Emancipation Proclamation?" We'll get to the DoI in a few weeks but think of it this way. The Declaration of Independence does indeed capture the novel idea that "We hold these truths to be self-evident, that all men are created equal, that they are en...

I fear the AI hype and the groupthink of"the bad guys are using AI so we have to use AI" without an assessment, a plan and specific goals. Failing to plan is planning to fail after all. So I was surprised to hear from an experienced Risk Management executive that his conservative financial institution is using AI internally to bolster their cybersecurity stance. We discussed needing to make sure that once your pet AI is an expert on your weaknesses that it doesn't blab about them to the wrong people. He was pretty sure that they were keeping their AI in line and seemed to be doing all the right things to ensure that. I look forward to hearing more some day. In the meantime, let's review what AI can do for you, what it cannot and what it should not. Let The Buyer Beware Keep in mind the fact that training an AI is a difficult task and keeping one up-to-date is harder. Your choices for this are not great: have your AI get ever more out-of-date, carefully curate the in...

Of all the BORING parts of cybersecurity, or maybe of any process such as ruling in Medieval England, start the counter with governance. It's not why you went into comp sci or systems administration work or anything like that. Seems only like people who can't code go there. Surprise! This is one of the most important touchpoints a technical leader has with the organization. Remember, you may know how to code but the general managers in the organization do not -- and they know how to do governance.  In fact NIST didn't have governance originally on its CSF pillars list. But it's there now. Let's let Brendan discuss it : This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well. We hope that this official recognition of t...

It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again , assumptions are dangerous. Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong. A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious but teams also need a mission. Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF makes clear (e.g., here and here ), there are different parts of the mission. Different parts require different specializations. Formally put, there are six phases of the NIST CSF. We advise managers to not hire people to fill all size functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different tale...