AI & Cybersecurity What role should AI play in cybersecurity? Driven by the quick and effective adoption of AI by cyber criminals cybersecurity professionals are under pressure to react somehow, as Ted has already discussed in this post . In that post Ted points out that the business side of the house and the Cybersecurity group (C/S) have very different wants and needs from AI, and that C/S will allow the business side to dictate strategy at their peril. This post is about how C/S can frame that discussion so as to be productive rather than combative. You can't do whatever they are doing because AI means different things to C/S than it does to them. The Business Side Let us consider how AI looks to the business side of the house so that we can define some of those differences and better communicate those differences. Utopian View AI will usher in a new era of workplace productivity and satisfaction because it will handle all the white collar drudgery that plagues our workdays....

And eventually -- it stops. They move on. You are victorious, but frazzled. Now is the time to take stock, rebuild relationships, and prepare for the next engagement. Time for the final NIST CSF pillar, Recover. Let's let Brendan discuss it : Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You have time pressure, almost always, but there is rather less of it. The cybersecurity crisis is over, but if you need to keep your systems down for the recovery, then the operations crisis has just begun: how long can the downtime continue, in the name of preventing future problems and gathering evidence? The answer depends on your situation. Your ability to arrive at that answer often depends on how well thought-out your IRP is. Recover should always end with a review that considers how to be better in the future. This is a crucial step to making you safer than you were before. It is very common to just want...

It's time to break the glass -- don't just stand there, do something! This is no time to find out whether your cybersecurity governance is adequate, or whether you have identified all the right assets, or whether your protection protocols are in place. Your systems have detected a problem and it's time for action. Let's let Brendan discuss it : Both the Respond pillar the Recover pillar are unlike the other three, they are triggered by an incident and different from the other steps because the other steps are part of normal operations. Respond and Recover also always happen in tandem, which is why we group them together as part of the Incident Response Plan (IRP). The IRP formalizes incident handling, so that everyone knows what their role is in advance. The IRP covers both the Respond step (halting the problem and trying to restore normal operations) and the Recover step (undoing as much of the damage as possible, preventing a recurrence). The IRP gives us a Respond ch...

  Detecting cyber-intrusions or threats to information systems falls naturally in the NIST CSF sequence after you've identified what assets you're going to defend and you've developed a process to defend those assets. Let's let Brendan discuss detection : The Detect pillar is where daily Cybersecurity operations come into play. Someone has to do the monitoring, and not simply watch the events go by, but confirm that the activity being monitored is either expected or appropriate. Most importantly, the Detect step is about separating the worrisome from the normal, and then taking appropriate action to either confirm that there is an issue or to discover that there is a good explanation. If there is a problem, then we have “an incident” so we go to the Respond pillar (and Incident Response Plan (IRP)). As part of Detect, you gather evidence. Sometimes the evidence shows you that all is well. Sometimes the evidence shows you that something odd is happening. Sometimes the ev...

Cybersecurity fundamentally is about managing risks to information system assets through the protection of those assets. Sure, there are many parts and processes related to protection but it's the core ethos of cybersecurity. Let's let Brendan discuss it : As we covered in the first post in this series, the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). The Protect pillar is mitigating each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called “a control” and we say that the Protect pillar “assigns a control to each risk.” A control should produce evidence that it is working, otherwise monitoring that control is difficult and overseeing the monitoring is impossible. It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networ...

  This is Part 2 of our series on mapping the Pythia Cyber Cybersecurity Leadership Talent Stack to the NIST CSF 2.0 pillars*. Part 1, on mapping cybersecurity leadership talent to Governance, is here .  Maybe the most obvious part of cybersecurity is identifying what needs protecting. This is where the NIST CSF starts also.  Let's let Brendan discuss it : The Identify pillar identifies cyber assets (just “asset” henceforth) which are on the "Must Protect Now" list. We recommend that, as you go along, you keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn’t there a single Asset List? Because no one has all the time and money and experts that they could possibly need to protect anything and everything of value to their organization. What is an asset in this context? An asset has to meet all of these requirements: An asset is “critical” by which we mean its absence would severely limit operations (It can be tricky to distinguish...