The Pythia Cyber Approach to Cybersecurity

At Pythia Cyber we believe that Cybersecurity (C/S) should be aligned to your organization's business goals. In other words, beyond simply refusing to bury C/S in the IT department, we strongly feel that you have to engage with the top: senior management, executives, the C-Suite, whoever is at the top. We call those people "senior leadership" in order to encompass all the various structures one finds in actual organizations. When Cybersecurity is aligned to business goals, senior leadership can have confidence that resources are being well spent: neither over-committed to the flavor of the month, nor leaving dangerous gaps in the company's protections.

In order to explain why "top down," we need to explain what we mean by C/S. We use the NIST Cybersecurity Framework (CSF) model, which gives us a context for the explanation. When we say "cybersecurity" we mean extending your Risk Management program to cover your critical computer systems and data. Risk Management isn't an IT function; it is a leadership function. So we start with the leadership.

That is pretty abstract, so let's get concrete. Following the five NIST CSF functions, we help you take the following actions:

  1. Identify what you are protecting (we call these "assets")
  2. Protect what you have identified as critical systems and data
  3. Detect threats and anomalous activity against those systems and data
  4. Respond to whatever problems you have detected
  5. Recover from whatever damage was caused by the problems

The Identify step starts with leadership, not IT, because without leadership's commitment there is no program. When possible we lead brief working sessions with leadership (45 minutes maximum) to get the list of what they consider valuable. We repeat this process with each department, to confirm that everyone is on the same page. We then hold a final feedback session with leadership to bridge any gaps between the various visions of what must be protected.

The Protect step is a mostly technology-based step, so we work with whoever does your cyber defense: your own C/S group, your IT department (if internal), or your IT vendor (if external). Note that we are not coming in to bring enlightenment: we assume that you are already doing many things and that most of those things are the right things. This is more of a survey and confirmation, with advice only as needed.

Why is this step only mostly technology-based? Because technology only goes so far: the rest is human behavior, and changing human behavior is not something one should ask the technologists to do. We survey your people's openness to change and your managers' leadership styles in order to assess the best ways to get as many people as possible behaving as safely as possible.

The Detect step is also a heavily technology-oriented step: the painstaking work of monitoring technology usage patterns and technology performance in order to quickly spot the unusual, and then to determine whether or not the unusual is pathological. This work is important: it needs to be someone's job, part of their performance review, and documented in case proof is needed in an audit or an Incident Report. Pythia helps you frame this work as clear, evidence-producing processes, which allows senior leadership to provide oversight without needing to understand the technology details.

The Respond step is short-term: "stop the bleeding" is a somewhat gory but popular way to characterize it. The Respond step is often NOT a purely technology step: for one thing, the response often touches users who are generally not part of IT. For another, the plan that you follow in order to respond usually needs sign-off from other departments and needs to be well understood outside of IT. Pythia helps you ensure your Incident Process is documented and understood, and (again) produces evidence that leadership can consume without getting bogged down.

The Recover step is the "start the healing" step, focused on the long term. It may lead to new processes that must be implemented, it may identify new risks to protect against, and in rare cases it will identify new assets to be protected. Pythia will help refine or create your Respond and Recover templates, separating the long-term Recovery actions from the short-term Response.

In a nutshell, your C/S program has to span nearly your entire organization in order to be effective: your leadership must understand and support the goals, your managers must understand and direct the plans, and your rank-and-file must be aware of possible problems and their parts in the solutions. Managers must define processes that not only protect the identified assets but also produce evidence that allows leadership to maintain confidence in, and oversight of, the system.
