How We Work With CISOs
At Pythia Cyber we are often asked two questions which seem different but are really the same question:
- We don't have a CISO, so how can we need cybersecurity consulting?
- We have a CISO, so why would we need cybersecurity consulting?
The short answer is that you need to elevate your cybersecurity to an iterative process of continuous improvement. Unless you have a formal program, however small, that covers the bases on a regular basis, you are falling behind.
The good news is that no matter who you are, you are probably doing some things right and perhaps more than you realized. The bad news is that no matter who you are, you probably cannot reasonably ignore cybersecurity. You can start where you are, you can be better today than you were yesterday and you can spend the time and money that you can afford. But doing nothing, or doing the same thing, is not a reasonable approach to cybersecurity.
We like to use the NIST CSF's structure, which works whether or not you have a CISO, and even if you are a tiny organization or one just starting on your cybersecurity journey:
- Identify your assets in a formal list
- Protect those assets with a policy and a procedure
- Detect suspicious activity by reviewing all activity
- Respond to the threat or vulnerability by following your Response Plan
- Recover from the Incident by following your Response Plan
- Rinse and repeat
We have a short video with more on this topic on our YouTube channel.