Trusted: Proof vs Faith
At Pythia Cyber, one of our founders likes to distinguish between faith-based Cyber Security and evidence-based Cyber Security. In either case you, the senior management of the organization, trust that Cyber Security is being done and done right.
Faith-based trust is based on the fact that it is Someone Else's Problem (usually someone in the IT department) and you generally trust that someone else.
Evidence-based trust is based on the fact that you have been shown evidence by those you manage, who have been shown evidence by those they manage, and so on down to the person actually doing the work. At every tier of this cake, each subordinate offers appropriate evidence that the superior understands. If you require that it be proved to you, then you can prove it to others, should the need arise. What others? Your superiors. Your business partners. Your clients or customers. Your insurer. Your investors. Your bank.
Note that we do not advocate the same proof at every level, any more than any other kind of reporting is the same at every level. The board does not get detailed listings of financial transactions; it gets summaries. We advocate a pyramid of proof, just as everyone uses a pyramid of reporting. By this we mean that the higher up you are, the more summarized the reporting and the lower the level of detail for any given aspect of your organization.
Another way of looking at this is that we advocate closing the loop on Cyber Security. If you practice Cyber Security as a program under Risk Management, the loop goes like this:
- Senior Management determines what must be protected (the "risk" is what it must be protected from)
- Risk Manager determines the appropriate controls (protected how?)
- Cyber Defender implements the control
- Cyber Defender monitors the system to ensure that the control is working
- Monitoring creates detailed evidence (close loop to Cyber Defender Managers)
- Detailed evidence is summarized for Risk Manager (close loop to Risk Manager)
- Summary is further summarized for Senior Management (close loop to Senior Management)
And thus is evidence-based Cyber Security achieved. We all agree on what "proof" means at our specific level, and we all agree that either the proof is there or it isn't.
What if the proof isn't there? Have we failed? No Cyber Security program is 100% effective. We have failed only in the trivial sense that all human processes fail at some point. In more practical terms, we have succeeded in finding something we can do better. If the same failure persists into the next review cycle, then perhaps we are not doing as well as we can. But the goal is not perfect Cyber Security; the goal is ever-elevated Cyber Security. In an ever-escalating threat environment, this is a worthy goal indeed.
If you want to join the ranks of those who enjoy proven Cyber Security, visit our website at www.pythiacyber.com or contact us and see what we can do for you.