Posts

Showing posts from February, 2025

Cyber Security Debt

In software development we call the potential problems and actual support burden caused by cutting corners, or by patching when you should rewrite, "technical debt." The concept is useful because it forces us to acknowledge the long-term burdens imposed by short-term thinking. Without it, good short-term choices become hard to make: the answer to "should we do it right but slowly, or hack it quickly?" will always be "hack it quickly: why not?" Practicing Cyber Security involves the same need to balance short-term practical requirements against long-term repercussions; otherwise the answer will always be "a quick hack is fine." In actually protecting cyber assets and monitoring that protection, there is the same tension between a near-infinite need (there is always something more you could do) and the very finite set of resources available to fill that need (you have "real" work to get d...

NIST CSF: Protect: Potayto Potahto

The Protect phase of a NIST CSF-based Cyber Security program is about implementing your risk management policy for whatever your Identify phase identified. In practice, this means moving from policy to procedure, from the abstract to the concrete. Along the way, you have to take into account that Cyber Security is about how the members of your organization do things more than what they do. Let's work through a simple example: you identify your network infrastructure (routers, bridges, hubs, switches, all those small boxes with the blinking lights and network cables or WiFi antennae) as a critical asset to protect. Simple enough. But how do you protect those easy-to-ignore boxes in their closets and other out-of-sight locations? One way is to make sure that their firmware is up to date. That is a reasonable policy, so what is the procedure? You could have whoever maintains your network infrastructure make a shar...

NIST CSF: Detect: Signal to Noise Ratio

The Detect phase of a NIST CSF-based Cyber Security program is about monitoring the Protect phase actions which protect what your Identify phase identified. In practice, this means looking at lots of log entries. Every damn day. If you look at your logs every day, you will quickly figure out that what you are seeing falls into one of only a few categories: notifications, e.g. "Web server shutdown at {time} {date}"; warnings, e.g. "process NNNN is unresponsive"; errors, e.g. "this program tried to use an object before creating that object". Notifications are, ideally, signposts or checkpoints that things are probably OK. If you restart your web server at midnight every night, then seeing that in the log tells you everything is working normally; if you see a restart at any other time, you might want to make sure that it was legitimate. Warnings are, ideally, just that: they put you on alert that something has happened which might be OK by itself, but it might ...
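The daily sorting the post describes can be automated as a first pass, so that the human reading the report only sees what is not already known to be fine. The script below is an added example, not code from the post or from Pythia Cyber. The log lines are constructed, the nightly maintenance window (23:55 to 00:05) and the repeat threshold (the same warning three times) are assumptions you would replace with your own, and the three log levels are the post's notification/warning/error split.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log (not from the original post): ISO timestamp, level, source, message.
SAMPLE_LOG = """\
2025-02-03T00:00:02 NOTICE web: Web server shutdown at 00:00:02 2025-02-03
2025-02-03T00:00:05 NOTICE web: Web server started
2025-02-03T09:14:31 WARNING kernel: process 4412 is unresponsive
2025-02-03T09:15:31 WARNING kernel: process 4412 is unresponsive
2025-02-03T09:16:31 WARNING kernel: process 4412 is unresponsive
2025-02-03T11:02:10 WARNING kernel: process 9001 is unresponsive
2025-02-03T14:22:07 ERROR app: this program tried to use an object before creating that object
2025-02-03T15:37:49 NOTICE web: Web server shutdown at 15:37:49 2025-02-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>NOTICE|WARNING|ERROR)\s+(?P<src>[^:]+):\s+(?P<msg>.*)$"
)

# Assumed maintenance window for the nightly restart: 23:55 to 00:05 (wraps midnight).
WINDOW_START = time(23, 55)
WINDOW_END = time(0, 5)
# Assumed threshold: the same warning this many times in one log is no longer "just a warning".
REPEAT_THRESHOLD = 3


def in_window(ts: datetime) -> bool:
    """True when ts falls inside the nightly maintenance window (which wraps midnight)."""
    t = ts.time()
    return t >= WINDOW_START or t <= WINDOW_END


def parse(line: str):
    """Split one log line into a dict, or return None if it does not match the expected shape."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def triage(log_text: str):
    """Return a list of (level, disposition, message).

    disposition is one of:
      expected    - a known-good signpost, safe to skip
      review      - worth a look, not urgent by itself
      investigate - needs a human now
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            # A line the parser does not understand is signal, not noise.
            findings.append(("UNPARSED", "investigate", line))
            continue
        level, msg = rec["level"], rec["msg"]
        if level == "NOTICE":
            # A shutdown inside the window is the scheduled restart; outside it, ask why.
            if "shutdown" in msg.lower() and not in_window(rec["ts"]):
                findings.append((level, "investigate", msg))
            else:
                findings.append((level, "expected", msg))
        elif level == "WARNING":
            findings.append((level, "review", msg))
        else:  # ERROR
            findings.append((level, "investigate", msg))

    # Second pass: a warning that keeps repeating is escalated.
    repeats = Counter(msg for lvl, _, msg in findings if lvl == "WARNING")
    return [
        (lvl, "investigate" if lvl == "WARNING" and repeats[msg] >= REPEAT_THRESHOLD else disp, msg)
        for lvl, disp, msg in findings
    ]


def summarize(findings):
    """Count findings by disposition so the daily report leads with the numbers that matter."""
    return Counter(disp for _, disp, _ in findings)


def needs_attention(findings):
    """Everything that is not an expected signpost."""
    return [f for f in findings if f[1] != "expected"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(summarize(result))
    for item in needs_attention(result):
        print(item)
```

On the constructed log this leaves two expected notices out of the report, keeps the lone warning as "review", and escalates the repeated warning, the error and the 15:37 shutdown to "investigate". The two decisions worth copying are that an unparseable line is never silently dropped, and that the "expected" label is tied to a specific schedule rather than to the word "shutdown".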

NIST CSF: What is a Control?

As discussed in other blog posts, there are five pillars, or categories, of the NIST CSF: Identify, Protect, Detect, Respond, and Recover (NIST's own term is "Function", and CSF 2.0 adds a sixth, Govern). We have a short blog post on each, which you can reach by following the links from the names above. Identify is the step most people just get without much explanation: make a list of all the software, data, devices and job descriptions that need some kind of protection. Protect is the step most people are vaguest about: what does it actually mean? In this context, "protect an asset" means "assign a control to that asset." So what is a control? Google's AI Overview answers this way, which is fine as far as it goes: A "NIST CSF control" refers to a specific security practice or guideline outlined within the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which serves as a set of best practices for organizations to manage and mitigate cybersecurity r...

NIST CSF Overview: Recover

In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) published by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature mid-sized organizations, or anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that overview is also very abstract, so this blog post is one of a series intended to make these concepts a bit more concrete. There will be one blog post for each "pillar" (NIST's own term is "Function"). This blog post is about Recover. Recover is the step you take after Respond; Respond is your immediate reaction to whatever Detect has detected; Detect is monitoring whatever you built in the Protect step; Protect is what you built once you finished the Identify step. What is the differen...

Risk Management Requires Relationship Management

At Pythia, we believe that relationship management is risk management. All business endeavors involve risk; most of the time, there is no reward without risk. Because risk is never zero, a prudent manager needs to manage it. Risk management is an entire domain in any field of business. It spans a continuum: sometimes the risk manager is part of the leadership team, and sometimes risk management is a ‘box-check’ activity subsumed under “continuity of operations” (COOP) plans in Human Resources. Cybersecurity involves identifying and mitigating risk; see our posts about the NIST framework here. Any organization of any size that connects devices to the Internet has a degree of cybersecurity risk. How it manages that risk is the ‘business’ of all managers in the enterprise. There are two ways organizations can manage risk. One is to conduct internal benchmarking by comparing practices across bu...

NIST CSF Overview: Respond

In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) published by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature mid-sized organizations, or anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that overview is also very abstract, so this blog post is one of a series intended to make these concepts a bit more concrete. There will be one blog post for each "pillar" (NIST's own term is "Function"). This blog post is about Respond. Respond is the step you take after Detect tells you that there is an issue and that issue might signal an incident. Respond is the step we all know is important and time-critical. If the issue that was detected is an incident, then every second counts. Some...

NIST CSF Overview: Detect

In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) published by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature mid-sized organizations, or anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that overview is also very abstract, so this blog post is one of a series intended to make these concepts a bit more concrete. There will be one blog post for each "pillar" (NIST's own term is "Function"). This blog post is about Detect. Detect is the step no one outside of System Administration ever thinks about. The Sys Admins live and breathe Detect, so this blog post is not for them; they don't need it. This blog post is for those who work with them, or who manage them, or who manag...

NIST CSF Overview: Protect

In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) published by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature mid-sized organizations, or anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that overview is also very abstract, so this blog post is one of a series intended to make these concepts a bit more concrete. There will be one blog post for each "pillar" (NIST's own term is "Function"). This blog post is about Protect. Protect is the step everyone seems to have at least a vague idea about, which means that lots of people nod when we mention it but have never really thought about it. The rest of our audience lives and breathes Protect; they are your Cyber Defenders. Th...

NIST CSF Overview: Identify

In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) published by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature mid-sized organizations, or anywhere in between. The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that overview is also very abstract, so this blog post is one of a series intended to make these concepts a bit more concrete. There will be one blog post for each "pillar" (NIST's own term is "Function"). This blog post is about Identify. In a nutshell, the Identify step should result in a list of computer systems and data which are to be protected. Not simply a manifest of what one would, ideally, hope to protect, but a list of, specifically, what you are willing to protect given your tim...

Different Shades of CISO

A little while ago, in this video, our behavioral expert talked about how a CISO's authority is limited but, in order to do a good job, their influence must be wide. By this, Ted meant that a CISO has a limited number of direct reports but needs to change the behavior of large numbers of colleagues in order to succeed. The CIO or CTO has direct authority over the colleagues on whose performance the CIO's or CTO's success depends. Not so the CISO. This is why we at Pythia Cyber stress the leadership qualities and behavioral acumen a CISO needs to succeed. Picking a crackerjack techie is risky unless they also have great people skills. Picking a people person with no technical chops is similarly risky. This got me thinking about what else is involved in being or choosing a CISO. First of all, there is no one-size-fits-all CISO manual. In my experience, there are race car driver CISOs, ambulance driver CISOs and school bus driver CISOs, because each of these modes is appropria...

Reality-based Consulting

One of the pillars of the Pythia Cyber philosophy is what one of our Founders, John Sebes, likes to call "reality-based consulting." As another of our Founders, Ted Hayes, puts it: there are no Participation Trophies in Cyber Security. This harsh truth is something Pythia Cyber addresses head-on because we want to leave our clients with formal, provable, self-sustaining Cyber Security programs. In our previous careers, we all suffered through Security by Obscurity and Security Theater, two leading ways people avoid reality in this arena. We don't want to be part of either. Your efforts either make you safer or they don't. It is not the thought that counts, at least not in this case. If your Cyber Security efforts do not make you safer, then those efforts are a waste of time and money, unless you merely want to feel safer instead of being safer. Security by Obscurity is relying on being too small or insignificant a target to bother much with Cyber Security. There...

What Are You Protecting?

When Pythia Cyber shows up to help you elevate your Cyber Security, we always start by asking this question: What are you protecting? In the broadest terms, Cyber Security is about maximizing authorized access to computer systems or data and minimizing unauthorized access. This means that, to us, Cyber Security includes both Cyber Defense (the authorized part) and large swathes of System Administration (the maximized part). It also means that, internally, we are comfortable talking about rather abstract concepts like Digital Assets, Access as an Asset, Uptime and Business Continuity (avoiding interruptions to doing business). However, we do not expect our clients, especially those new to Cyber Security, to be equally comfortable with these concepts and this vocabulary. So we keep it simple and avoid the jargon: What are you protecting? We ask executives this, because executives set the direction and tone of the organization, and if they do not feel an asset is important, it...

The Obvious And The Invisible

When we talk to people who are new to Cyber Security (C/S), they tend to assume that all C/S attacks are obvious. Some are, but others are not. A Denial of Service attack is disruptive. It is the cyber equivalent of filling up your front door, hallways and offices with mannequins: dummy people who get in the way of you trying to do work. Of course you notice that you can't access your website; the point is the disruption. A Ransomware attack is unmistakable. It is the cyber equivalent of changing all the locks on your premises. You can't get in until you pay for the new key. Of course you notice that you can't access your data; the point is the lack of access, and the chance to pay to have that access restored. But what of the humble network intrusion? It is the cyber equivalent of someone finding a side door that doesn't latch properly or a window whose lock is broken. This allows whoever found the way in to enter your offices and roam around at night, looking a...

A Top Down Approach to Cyber Security

At Pythia Cyber we believe in a top-down approach to Cyber Security (C/S). In other words, beyond simply refusing to bury C/S in the IT department, we strongly feel that you have to start at the top, with senior management: executives, the C-Suite, whoever is at the top. We call those people "leadership" in order to encompass all the various structures one finds in actual organizations. To explain why "top down," we need to explain what we mean by C/S. We use the NIST CSF model, which gives us a context for the explanation. When we say "Cyber Security" we mean extending your Risk Management program to include your critical computer systems and data. Risk Management isn't an IT function; it is a leadership function. So we start with the leadership. That is pretty abstract, so let's get concrete. Following the NIST CSF, we help you take the following actions: Identify what you are protecting; Protect what you have identified as critica...

What Does a CISO Do?

"Chief Information Security Officer," or CISO, has become something that everyone seems to know about, but we want to address the concept for those who are not exactly sure what a CISO does. Ideally, a CISO links your Cyber Security program to your senior management and, through senior management, to the organization as a whole. This function is important because of the large part human behavior plays in Cyber Security: not just boneheads clicking on phishing links in emails, but super geniuses going through the unglamorous work of monitoring network activity, checking backup statuses and updating firmware. To make Cyber Security work, we want to go beyond mere compliance ("don't click on that") to commitment ("thanks for warning us about that scam"). Maybe you don't have a CISO and are wondering if that is the right call in your particular situation. In order to decide, you need to know what a CISO is supposed to do, and what they often end up...

How We Work With CISOs

At Pythia Cyber we are often asked two questions which seem different but are really the same question: "We don't have a CISO, so how can we need Cyber Security consulting?" and "We have a CISO, so why would we need Cyber Security consulting?" The short answer is that you need to elevate your Cyber Security to an iterative process of continuous improvement. Unless you have a formal program, however small, that covers the bases on a regular basis, you are falling behind. The good news is that no matter who you are, you are probably doing some things right, perhaps more than you realized. The bad news is that no matter who you are, you probably cannot reasonably ignore Cyber Security. You can start where you are, you can be better today than you were yesterday, and you can spend the time and money that you can afford. But doing nothing, or doing the same thing, is not a reasonable approach to Cyber Security. We like to use the NIST CSF's structure, which works whether or not ...

No CISO: Trust But Verify

We have two kinds of clients who have no CISO: those who are too small and those who are new to Cyber Security. Too small is a good reason; new to Cyber Security is rarely a good reason. I recently spoke with the IT director of a small school about what Pythia Cyber could do for her. The short answer is “give you the checklist below.” The longer answer is that she perceives herself to have no Cyber Security adversaries: who would want to hack a small school? She isn’t very interested in combating non-existent threats. (We are planning an entire video on why the assumption that no one is out to get you is not a great idea for many organizations, but for now let us assume that she is right. She has years of experience in this job, after all, and so far there have been no detected Cyber Security incidents.) That just leaves vulnerabilities, which in her mind meant power outages and equipment failures. She outsources her IT to a firm that she trusts to handle the vulnerabilities, so she is ...

Enough Theory, Let's Talk Practice

There are no participation trophies in Cyber Security: your efforts either help maximize authorized access to your vital systems and data while minimizing unauthorized access, or they do not. Sadly, it doesn't matter how much time or effort or money you spend on Cyber Security; all that matters are the results. Much of what is written about Cyber Security is theoretical because the practice of Cyber Security is messy and doesn't make for good sound bites or pretty pictures. A large part of what makes Cyber Security effective (or ineffective) is human behavior; even if your technology game is top notch, you are still as vulnerable as your colleagues' behavior makes you. This is why Pythia Cyber's unique approach is to build in Behavioral Science from the start. No dropping in technology or policy and walking away. We do the usual surveys of your technology and follow the NIST CSF Cyber Security model (Identify, Protect, Detect, Respond, Recover) ...

Meet Our Leadership

Pythia Cyber combines classic Cyber Security (NIST CSF-based) for the trusted rigor, Behavioral Science to address the large role that human behavior plays in Cyber Security, and IT infrastructure experience to address the technological challenges. Each of these ingredients is headed up within our organization by a domain expert: John Sebes for the classic Cyber Security, Ted Hayes for the Behavioral Science, and Brendan Hemingway for the IT infrastructure. We have all had decades of experience consulting in our separate fields. We had all reached the point in our separate careers where we can be a little choosy about which projects we undertake and which we do not. Brendan and John have known each other for many years, being in broadly similar lines of work. John's work has been at the top of the management pyramid, working with executives to set priorities and policies. Brendan's work has been in the thick of IT, developing and deploying software which required him to actually foll...

Leading CyberSecurity as a CISO at the Enterprise Level

People take on CISO roles for different reasons. Some do it because they feel they are good at it, or they value providing that kind of service to an organization, or they see it as a challenge. Sometimes people do it because it’s seen as an entry into organizational leadership versus staying in the cube farm. Maybe you get paid more than you were used to, or you got recruited from elsewhere to build a function. Power, money, intellectual challenge: these are all different sets of values that led you to become a CISO. All of them are valid reasons to enter the role. Regardless of why you started, once you’re in the CISO role you discover quickly that your authority is limited, but your capacity to influence is very broad. Your motivations also reflect where you spend your time, what you think is important, and how you maintain your competence. For example, is this job like a true crime movie or a spy novel? What role do you want to play? Your program will be successful be...

Standard Tools, Custom Deliverables

At Pythia Cyber, we believe in using the tried-and-true methodology laid out by the National Institute of Standards and Technology (NIST) in their Cyber Security Framework (CSF). We use this standard tool because novelty and style points are not what you want in Cyber Security: you want proven, tested, trusted methods to build a provable, self-sustaining program with minimal organizational change. Note the "minimal organizational change," because it is important. Many vendors in the Cyber Security space gloss over the fact that you need some organizational change in order to be effective; many other vendors want you to embrace radical organizational change (reorganization, massive mandatory training, etc.). We understand that whatever we do for you has to work for you as you are right now. We understand that you have limited resources. We want you to be better, not perfect. Never let the perfect be the enemy of the better. We want to elevate your Cyber Security, but in a feas...

Small & New-to-Cyber Security Clients

Pythia Cyber's main audience is mid-sized companies looking to elevate their Cyber Security. But in our years of experience before forming Pythia Cyber, we kept running into organizations which felt that they were too small, or too new to Cyber Security, to be able to make much headway protecting themselves. Certainly none of the more mainstream consulting companies were interested in small fish or newbies, so this group is generally terrifyingly unprotected. And while we understand why larger, less flexible consulting companies can't accommodate these organizations as clients, we don't understand why so many of these small or new organizations are so afraid of taking that first step. If your organization is getting too big or too mature for your current Cyber Security posture, it is time for an upgrade. If you need to work with a team that will sell you only as much as you can afford, without letting the perfect be the enemy of the good, give us a call. There is a minimum amou...

Psychological Safety & Cyber Security

In my long career as a technologist I have often not felt comfortable telling my boss that I had to take time and effort to do something, pretty much whether my boss liked it or not. I felt that there was only one right answer, so I was reluctant to ask the question in case I got the wrong answer. As the old saying goes, "it is easier to ask for forgiveness than permission." But in my heart of hearts, I know that ignoring or manipulating other people, especially people above me in the hierarchy, isn't really a long-term solution. So I put this question to our Behavioral Science expert, Ted Hayes, and he explained why this dynamic occurs and what I should do instead. Ted explained that not trusting my boss to make the right decision likely stems from not feeling that my boss is going to give me a fair hearing and not going to respect my expertise. Bad boss behavior likely comes from not being comfortable with ceding control (making the decision) to an underling. On the oth...