Today is a day in the US to celebrate the Emancipation Proclamation . The commemoration started in Texas because it took from 1 January 1863 until 19 June 1865 for the news to reach Texas that slaves were freed. Why that long? Because -- Texas. Also there was a war and Texas was a Rebel state, and there was no Internet. And DC is a long ways away from Galveston, TX where the news was announced. Here are two lessons to take from this holiday. First, all people are created equal. Sure, some are taller, some better at coding, others more empathetic or better-looking or more adept at poetry. But we're all equal.  "Buit wait!," you exclaim, "Isn't that what the Declaration of Independence says and not the Emancipation Proclamation?" We'll get to the DoI in a few weeks but think of it this way. The Declaration of Independence does indeed capture the novel idea that "We hold these truths to be self-evident, that all men are created equal, that they are en...

I fear the AI hype and the groupthink of"the bad guys are using AI so we have to use AI" without an assessment, a plan and specific goals. Failing to plan is planning to fail after all. So I was surprised to hear from an experienced Risk Management executive that his conservative financial institution is using AI internally to bolster their cybersecurity stance. We discussed needing to make sure that once your pet AI is an expert on your weaknesses that it doesn't blab about them to the wrong people. He was pretty sure that they were keeping their AI in line and seemed to be doing all the right things to ensure that. I look forward to hearing more some day. In the meantime, let's review what AI can do for you, what it cannot and what it should not. Let The Buyer Beware Keep in mind the fact that training an AI is a difficult task and keeping one up-to-date is harder. Your choices for this are not great: have your AI get ever more out-of-date, carefully curate the in...

Of all the BORING parts of cybersecurity, or maybe of any process such as ruling in Medieval England, start the counter with governance. It's not why you went into comp sci or systems administration work or anything like that. Seems only like people who can't code go there. Surprise! This is one of the most important touchpoints a technical leader has with the organization. Remember, you may know how to code but the general managers in the organization do not -- and they know how to do governance.  In fact NIST didn't have governance originally on its CSF pillars list. But it's there now. Let's let Brendan discuss it : This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well. We hope that this official recognition of t...

It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again , assumptions are dangerous. Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong. A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious but teams also need a mission. Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF makes clear (e.g., here and here ), there are different parts of the mission. Different parts require different specializations. Formally put, there are six phases of the NIST CSF. We advise managers to not hire people to fill all size functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different tale...

There is an old military pilot's saying that sky diving is like practicing bleeding. The point is that bleeding is unpleasant, often unavoidable and something that you can probably just figure out as you go along, so why worry about it before then? Except that you absolutely should not just figure it out as you go along. You absolutely should know basic first aid and have an idea of how to stop bleeding should it occur. Alas, this same attitude often makes a hard job harder: implementing your  NIST CSF  Respond Plan or Recover Plan in the face of an outage. And yes, this is another example of how behavioral science greatly improves cybersecurity. Human beings avoid negative stimuli and seek out positive stimuli. We all know this, but many of us pretend that this isn't true or worse, that it isn't true of us or our team . But it is true and if you don't actively make this work for you it will absolutely work against you. What does this have to do with cybersecurity, you...

As part of our continuing series about how and why we bring behavioral science to cybersecurity let us consider that cybersecurity is a team sport. How so?  To start, your organization has a team engaged in direct competition with other teams. The other teams are criminals, vandals, spies and disasters such as hardware failure, software bugs and bad weather. Underestimate your competition at your peril. Like a sports team you cybersecurity team has members with different talents. This is fine because the game you are playing has different positions (roles) as laid out by the  NIST CSF : Identify--requires analytic skills to identify what is really important Protect--requires management to set priorities and IT understanding to make policy & procedure Detect--requires a dogged determination to remain vigilant at all times Respond--requires a good plan and the ability to execute under pressure in an ad hoc team Recover--requires a good plan and the ability to balance the co...