What Are You Protecting?

Risk Management - Digital Preservation

When Pythia Cyber shows up to help you elevate your Cyber Security, we always start by asking this question:

What are you protecting?

In the grossest terms, Cyber Security is about maximizing authorized access to computer systems or data and minimizing unauthorized access. This means that, to us, Cyber Security includes both Cyber Defense (the Authorized part) and large swathes of System Administration (the Maximized part). It also means that, internally, we are comfortable talking about rather abstract concepts like Digital Assets and Access as an Asset and Uptime and Business Continuity (avoiding interruptions to doing business).

However, we do not expect our clients, especially those new to Cyber Security, to be equally comfortable with these concepts and this vocabulary. So we keep it simple and avoid the jargon:

What are you protecting?

We ask executives this, because executives set the direction and tone of the organization, and if they do not feel an asset is important, it will be hard to convince everyone else that the asset is worth protecting.

We ask IT this, because in the absence of a formal Cyber Security program, IT is the default Cyber Defender. If IT isn't protecting it, it isn't being protected, no matter how important other people may feel that it is.

We ask managers this, because managers should be protecting systems from people misusing those systems for counterproductive mischief.

We ask the question in general terms because the specific answers give us strong clues about your culture and your values and your focus.

The simple act of asking this question of different groups at different levels is a powerful way to start the conversations that are required to get everyone on the same page. And everyone has to be on the same page in order to make Cyber Security work because Cyber Security, like gravity, has to work everywhere all the time. No days off. No sick days. No special circumstances.

When Pythia Cyber talks about Cyber Security being "everyone's job" we mean this in both senses: within a given organization, it touches every employee's activities, and between organizations, every organization with any digital footprint has to think about Cyber Security in order to ensure business continuity.

Of course, not every employee is equally involved in Cyber Security, or involved at the same level. The receptionist has to avoid clicking on phishing emails. The CEO has to commit to funding and supporting Cyber Security. The SysAdmin has to do the hands-on work as a large part of their job. Different levels of involvement, different kinds of involvement, but universal involvement all the same.

If you want to take the temperature of your own Cyber Security posture, you could start asking this question in meetings, and ask other people to ask it, and compare the answers.

What are you protecting?
