No CISO: Trust But Verify
We have two kinds of clients who have no CISO: those who are too small and those who are new to Cyber Security. Too small is a good reason; new to Cyber Security is rarely a good reason.
I recently spoke with the IT director of a small school about what Pythia Cyber could do for her. The short answer is “give you the checklist below.”
The longer answer is that she perceives herself to have no Cyber Security adversaries: who would want to hack a small school? She isn't very interested in combating threats she believes do not exist.
(We are planning an entire video on why the assumption that no one is out to get you is not a great idea for many organizations, but for now let us assume that she is right. She has years of experience in this job, after all, and so far there have been no detected Cyber Security incidents.)
That just leaves vulnerabilities, which in her mind meant power outages and equipment failures.
She outsources her IT to a firm that she trusts to handle the vulnerabilities, so she is done, right? Well, almost. Trust is good, but verification is better. Or, as we like to say at Pythia Cyber, trust is good but faith is risky. In other words, the step she is missing is proof: she should be checking that her confidence is justified rather than assuming it is. All she would have to do is the following:
Figure out what data and systems she has to protect (this includes credentials!).
Confirm with her vendor that these are being protected (the vendor may have a different list, and the two lists need to be reconciled).
Decide on a schedule: monthly? Quarterly? Annually?
Negotiate with her vendor what counts as proof (for example, evidence that backups are taken and can be restored, or that patches are applied); presumably the vendor already collects this internally.
Make getting and reviewing the proof part of her job, i.e. something she reports to her boss.
Start the reviewing process and keep doing it.
Related video: {url} on this topic on our YouTube channel.