A Top Down Approach to Cyber Security

 At Pythia Cyber we believe in a top down approach to Cyber Security (C/S). In other words, more than simply rejecting putting C/S in the IT department, we strongly feel that you have to start at the top, with senior management--executives, the C-Suite, whoever is at the top. We call those people "leadership" in order to encompass all the various structures one finds in actual organizations.

In order to explain why "top down," we need to explain what we mean by C/S.. We use the NIST CSF model, which gives us a context for the explanation. When we say "Cyber Security" we mean extending your Risk Management program to include your critical computer systems and data. Risk Management isn't an IT function, it is a leadership function. So we start with the leadership.

That is pretty abstract, so let's get concrete. Following the NIST CSF, we help you take the following actions:

1. Identify what you are protecting
2. Protect what you have identified as critical systems and data
3. Detect threats and vulnerabilities
4. Respond to whatever problems you have detected
5. Recover from whatever damage was caused by the problems

The Identify step starts with leadership, not IT, because without leadership's commitment, there is no program. So we lead brief working sessions with leadership (45 minutes maximum) to get the list of valuables. We repeat this process with each department, just to confirm that everyone is on the same page. We have a final feedback-based session with leadership, to bridge any gaps between the various visions of what must be protected.

The Protect step is a mostly technology-based step, so we work with whoever does your Cyber Defending--your own C/S group, your IT department (if internal), your IT vendor (if external). Note that we are not coming in to bring enlightenment: we assume that you are already doing many things and that most of these things are the right things. This is more of a survey and confirmation with advice only as needed.

Why is this step mostly technology-based? Because technology only goes so far: the rest is human behavior and changing human behavior is not something one should as the technologists to do. We survey your people's openness to change and your manager's leadership style in order to assess the best ways to get as many people as possible behaving as safely as possible.

The Detect step is also a heavily technology-oriented step: the painstaking work of monitoring technology usage patterns and technology performance in order to quickly spot the unusual and then to determine whether or not the unusual is pathological. This work is important and it needs to be someone's job and part of their performance review and documented in case proof is needed in an audit or an Incident Report.

The Respond step is often NOT a purely technology step: for one thing, the response often touches users who are generally not part of IT. For another, the plan that you follow in order to respond usually needs sign-off from other departments and needs to be well-understood outside of IT. The Respond step is short-term: "stop the bleeding" is a somewhat gory but popular way to characterize this step.

The Recover step is the "start the healing" step, focused on the long-term and also requires an agreed upon plan which is well-understood because it is a rare C/S incident whose recorvery does not have a significant impact on users outside of IT.

In a nutshell, your C/S program has to span nearly your entire organization in order to be effective; your leadership must understand and support the goals, your managers must understand and direct the plans and your rank-and-file has to be aware of possible problems and their parts in the solutions.