
Showing posts from February, 2025

Cybersecurity Debt

In the world of software development, we call the potential problems and actual support burden caused by cutting corners or patching when you should rewrite "technical debt." This is a useful concept because it forces us to acknowledge the long-term burdens imposed by short-term thinking. Without this concept it becomes difficult to make good short-term choices; without this concept the answer to "should we do it right but slowly or hack it quickly?" will always be "hack it quickly: why not?" In practicing cybersecurity there is a similar need to balance short-term practical requirements with long-term repercussions, otherwise the answer will always be "a quick hack is fine." In actually protecting cyber assets and monitoring that protection, there is the same tension between a near-infinite need (there is always something more you could do) and the very finite set of resources available to fill that need (you have "real" work to get do...

NIST CSF: Protect: Potayto Potahto

The Protect phase of a NIST CSF-based Cybersecurity program is about implementing your risk management policy for whatever your Identify phase identified. In practice, this means moving from policy to procedure, from the abstract to the concrete. Along the way, you have to take into account that Cybersecurity is about how the members of your organization do things more than what the members of your organization do. Let's work through a simple example: you identify your network infrastructure (routers, bridges, hubs, switches, all those small boxes with the blinking lights and network cables or WiFi antennae) as a critical asset to protect. Simple enough. But how do you protect those easy-to-ignore boxes in their closets and other out-of-sight locations? One way to protect them is to make sure that their firmware is up-to-date. That is a reasonable policy, so what is the procedure? You could have whoever maintains your network infrastructure make a shared...

NIST CSF: Detect: Signal to Noise Ratio

The Detect phase of a NIST CSF-based Cybersecurity program is about monitoring your Protect phase actions, which protect what your Identify phase identified. In practice, this means looking at lots of log entries. Every damn day. If you look at your logs every day, you will quickly figure out that what you are seeing falls into only a few categories: Notifications (e.g. "Web server shutdown at {time} {date}"), Warnings (e.g. "process NNNN is unresponsive"), and Errors (e.g. "this program tried to use an object before creating that object"). Notifications are, ideally, signposts or checkpoints of things that are probably OK. If you restart your web server at midnight every night, then seeing that in the log tells you everything is working normally; if you see a restart at any other time, you might want to make sure that this was legit. Warnings are, ideally, just that: putting you on alert that something has happened which might be OK by itself, but it might a...

NIST CSF: What is a Control?

As discussed in other blog posts, there are five pillars, or categories, of the NIST CSF: Identify, Protect, Detect, Respond, and Recover. We have a short blog post on each of these which you can reach by following the links from the names above. Identify is the step most people just get without much explanation: make a list of all the software, data, devices and job descriptions that need some kind of protection. Protect is the step most people are most vague about: what does this actually mean? In this context, "protect an asset" means "assign a control to that asset." So what is a control in this context? Google's AI Overview answers this way, which is fine so far as it goes: A "NIST CSF control" refers to a specific security practice or guideline outlined within the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which serves as a set of best practices for organizations to manage and mitigate cybersecurity r...

NIST CSF Overview: Recover

This blog post is about Recover, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar. Here are links to the other posts in this series: Identify, Protect, Detect, Respond, (Recover). What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. As we covered in the first post in this series (follow the "Identify" li...

Risk Management Requires Relationship Management

At Pythia, we believe that relationship management is risk management. All business endeavors involve risk; most of the time, there is no reward without risk. Because risk is never entirely absent, a prudent manager needs to manage risk. Risk management is an entire domain in any field of business. It spans a continuum: sometimes the risk manager is part of the leadership team, and sometimes risk management is a ‘box-check’ activity subsumed under “continuity of operations” (COOP) plans in Human Resources. Cybersecurity involves identifying and mitigating risk; see our posts about the NIST framework here. All organizations that connect devices to the Internet have a degree of cybersecurity risk. Thus, any organization of any size that connects to the Internet has a cybersecurity risk. How it manages that risk is the ‘business’ of all managers in the enterprise. There are two ways organizations can manage risk. One is to conduct internal benchmarking by comparing practices across bu...

NIST CSF Overview: Respond

This blog post is about Respond, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar. Here are links to the other posts in this series: Identify, Protect, Detect, (Respond), Recover. What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. As we covered in the first post in this series (follow the "Identify" l...

NIST Overview: Detect

This blog post is about Detect, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar. Here are links to the other posts in this series: Identify, Protect, (Detect), Respond, Recover. What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. As we covered in the first post in this series (follow the "Identify" li...

NIST CSF Overview: Protect

This blog post is about Protect, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar. Here are links to the other posts in this series: Identify, (Protect), Detect, Respond, Recover. What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. As we covered in the first post in this series (follow the "Identify" li...

NIST CSF Overview: Identify

This blog post is about Identify, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar. Here are links to the other posts in this series: (Identify), Protect, Detect, Respond, Recover. What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. The Identify pillar identifies cyber assets (just “asset” henceforth) which are ...

Different Shades of CISO

A little while ago, in this video, our behavioral expert talked about how a CISO's authority is limited, but in order to do a good job, their influence must be wide. By this, Ted meant that a CISO has a limited number of direct reports but needs to change the behavior of large numbers of colleagues in order to succeed. The CIO or CTO has direct authority over the colleagues on whose performance the CIO's or CTO's success depends. Not so the CISO. This is why we at Pythia Cyber stress the leadership qualities and behavioral acumen a CISO needs to succeed. Picking a crackerjack techie is risky, unless they also have great people skills. Picking a people person with no technical chops is similarly risky. This got me thinking about what else is involved in being or choosing a CISO. First of all, there is no one-size-fits-all CISO manual. In my experience, there are race car driver CISOs, ambulance driver CISOs and school bus driver CISOs, because each of these modes is appropria...

Reality-based Consulting

One of the pillars of the Pythia Cyber philosophy is what one of our Founders, John Sebes, likes to call "reality-based consulting." As another one of our Founders, Ted Hayes, puts it: there are no Participation Trophies in cybersecurity. This harsh truth is something Pythia Cyber addresses head-on because we want to leave our clients with formal, provable, self-sustaining cybersecurity programs. In our previous careers, we all suffered through Security by Obscurity and Security Theater, two leading ways people avoid reality in this arena. We don't want to be part of either. Your efforts either make you safer or they don't. It is not the thought that counts, at least not in this case. If your cybersecurity efforts do not make you safer, then those efforts are a waste of time and money. Unless you merely want to feel safer instead of being safer. Security by Obscurity is relying on being too small or insignificant a target to bother much with cybersecurity. There are...

What Are You Protecting?

When Pythia Cyber shows up to help you elevate your cybersecurity, we always start by asking this question: What are you protecting? In the grossest terms, cybersecurity is about maximizing authorized access to computer systems or data and minimizing unauthorized access. This means that, to us, cybersecurity includes both Cyber Defense (the Authorized part) and large swathes of System Administration (the Maximized part). This means that, internally, we are comfortable talking about rather abstract concepts like Digital Assets and Access as an Asset and Uptime and Business Continuity (avoiding interruptions to doing business). However, we do not expect our clients, especially those new to cybersecurity, to be equally comfortable with these concepts and this vocabulary. So we keep it simple and avoid the jargon: What are you protecting? We ask executives this, because executives set the direction and tone of the organization and if they do not feel an asset is important, it wil...

The Obvious And The Invisible

When we talk to people who are new to cybersecurity (C/S), they tend to assume that all C/S attacks are obvious, and some are. But others are not. A Denial of Service attack is disruptive. It is the cyber equivalent of filling up your front door and hallways and offices with mannequins: dummy people who get in the way of you trying to do work. Of course you notice that you can't access your website. The point is the disruption. A Ransomware attack is unmistakable. It is the cyber equivalent of changing all the locks on your premises. You can't get in until you pay for the new key. Of course you notice that you can't access your data. The point is the lack of access--and the chance to pay to have that access restored. But what of the humble network intrusion? It is the cyber equivalent of someone finding a side door that doesn't latch properly or a window whose lock is broken. This allows whoever found the way in to enter your offices and roam around at night, looking at...

The Pythia Cyber Approach to Cybersecurity

At Pythia Cyber we believe that Cybersecurity (C/S) should be aligned to your organization's business goals. In other words, more than simply rejecting putting C/S in the IT department, we strongly feel that you have to engage with the top, with senior management--executives, the C-Suite, whoever is at the top. We call those people "senior leadership" in order to encompass all the various structures one finds in actual organizations. When Cybersecurity is aligned to business goals, senior leadership can have confidence that resources are being well spent: neither over-committed to the flavor of the month, nor leaving dangerous gaps in the company's protections. In order to explain why "top down," we need to explain what we mean by C/S. We use the NIST CSF model, which gives us a context for the explanation. When we say "cybersecurity" we mean extending your Risk Management program to include your critical computer systems and data. Risk Management isn...

What Does a CISO Do?

"Chief Information Security Officer" or CISO has become something that everyone seems to know about, but we want to address the concept for those who are not exactly sure what a CISO does. Ideally, a CISO links your cybersecurity program to your senior management and, through senior management, to the organization as a whole. This function is important because of the large part human behavior plays in cybersecurity: not just boneheads clicking on phishing links in emails, but super geniuses going through the unglamorous work of monitoring network activity, checking backup statuses and updating firmware. To make cybersecurity work, we want to go beyond mere compliance ("don't click on that") to commitment ("thanks for warning us about that scam"). Maybe you don't have a CISO and are wondering if that is the right call in your particular situation. In order to decide that, you need to know what a CISO is supposed to do, and what they often end up do...

How We Work With CISOs

At Pythia Cyber we are often asked two questions which seem different but are really the same question: We don't have a CISO, so how can we need cybersecurity consulting? We have a CISO, so why would we need cybersecurity consulting? The short answer is that you need to elevate your cybersecurity to an iterative process of continuous improvement. Unless you have a formal program, however small, that covers the bases on a regular basis, you are falling behind. The good news is that no matter who you are, you are probably doing some things right and perhaps more than you realized. The bad news is that no matter who you are, you probably cannot reasonably ignore cybersecurity. You can start where you are, you can be better today than you were yesterday and you can spend the time and money that you can afford. But doing nothing, or doing the same thing, is not a reasonable approach to cybersecurity. We like to use the NIST CSF's structure, which works whether or not you h...

No CISO: Trust But Verify

We have two kinds of clients who have no CISO: those who are too small and those who are new to cybersecurity. Too small is a good reason; new to cybersecurity is rarely a good reason. I recently spoke with the IT director of a small school about what Pythia Cyber could do for her. The short answer is “give you the checklist below.” The longer answer is that she perceives herself to have no cybersecurity adversaries: who would want to hack a small school? She isn’t very interested in combating non-existent threats. (We are planning an entire video on why the assumption that no one is out to get you is not a great idea for many organizations, but for now let us assume that she is right. She has years of experience in this job, after all, and so far there have been no detected cybersecurity incidents.) That just leaves vulnerabilities, which in her mind meant power outages and equipment failures. She outsources her IT to a firm that she trusts to handle the vulnerabilities, so she is done...

Enough Theory, Let's Talk Practice

There are no participation trophies for cybersecurity: your efforts either help maximize authorized access to your vital systems and data while minimizing unauthorized access, or your efforts do not. Sadly, it doesn't matter how much time or effort or money you spend on cybersecurity; all that matters is the results. Much of what is written about cybersecurity is theoretical because the practice of cybersecurity is messy and doesn't make for good sound bites or pretty pictures. A large part of what makes cybersecurity effective (or ineffective) is human behavior; even if your technology game is top notch, you are still as vulnerable as every one of your colleagues' behavior makes you. This is why Pythia Cyber's unique approach is to build in the Behavioral Science from the start. No dropping in technology or policy and walking away. We do the usual surveys of your technology and follow the NIST CSF cybersecurity model (Identify, Protect, Detect, Respond, Recover) but we...

Meet Our Leadership

Pythia Cyber combines classic cybersecurity (NIST CSF-based) for the trusted rigor, Behavioral Science to address the large role that human behavior plays in cybersecurity, and IT infrastructure experience to address the technological challenges. Each of these ingredients is headed up within our organization by a domain expert: John Sebes for the classic cybersecurity, Ted Hayes for the Behavioral Science, and Brendan Hemingway for the IT infrastructure. We have all had decades of experience consulting in our separate fields. We have all reached the point in our separate careers where we can be a little choosy about which projects we undertake and which we do not. Brendan and John have known each other for many years, being in broadly similar lines of work. John's work has been at the top of the management pyramid, working with executives to set priorities and policies. Brendan's work has been in the thick of IT, developing and deploying software which required him to actually follow ...

Leading CyberSecurity as a CISO at the Enterprise Level

People take on CISO roles for different reasons. Some do it because they feel they are good at doing it, or they value providing a service like that to an organization, or they see it as a challenge. Sometimes people do it because it’s seen as an entry into organizational leadership vs. staying in the cube farm. Maybe you got paid more than you were used to, or you were recruited from elsewhere to build a function. Power, money, intellectual challenge -- these are all different sets of values that led you to become a CISO. All of them are valid reasons to enter the role. Regardless of why you started, once you’re in the CISO role you discover quickly that your authority is limited, but your capacity to influence is very broad. Your motivations also reflect where you spend your time, what you think is important, and how you maintain your competence. For example, is this job like a true crime movie or a spy novel? What role do you want to play? Your program will be successful be...