Posts

Showing posts from April, 2025

Hidden C/S: Job Descriptions

This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers. This post is about the cybersecurity aspects of the humble job description. What does cybersecurity have to do with job descriptions? To answer that question, let us go down the cybersecurity chain from start to finish. (1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF. (2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective. (3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF. (4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a supervisor becomes part of the same someone's job on which their per...

Hidden C/S: The Performance Review

This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers. This post is about the cybersecurity aspects of the humble performance review. What does cybersecurity have to do with performance reviews? To answer that question, let us go down the cybersecurity chain from start to finish. (1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF. (2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective. (3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF. (4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a supervisor becomes part of the same someone's job on which thei...

The NIST CSF Adds Governance!

One of the reasons we founded Pythia Cyber was to provide cybersecurity (C/S) that included the behavioral aspects of C/S. All of our founders were all too aware that human behavior plays a large role in how well C/S works, but so rarely saw that reality reflected in how C/S is rolled out in the real world. At long last, the Cybersecurity Framework from the National Institute of Standards & Technology has been expanded to include at least some of this under "Govern." The Govern function joins the familiar five pillars of Identify, Protect, Detect, Respond & Recover. This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach, in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well. We hope that this official recognition of this concept will help move the needle on the tendency of CEOs...

The First Step, The First Time (part 2)

(This blog post is the second of two; the first one is here.) Respond and Recover are different from the other pillars in that they are not something you do on a regular basis: rather, you do them on an as-needed basis. Ideally, you never need them, but no one can count on that. Respond and Recover are two parts of what you do when there is an incident. Note that an incident can be the result of a threat, such as an attack by a malicious human being. An incident can also be the result of a vulnerability, such as a power outage not covered by battery backup. Respond is what you do in the short term and Recover is what you do in the long term. This difference in time frame is why Respond and Recover are separate: Respond is about moving as quickly as possible to restore access to whatever systems or data were affected. Recover is about moving as deliberately as possible to undo as much damage as possible. Recover also has a review component aimed at figuring out what to do to pr...

The First Step, The First Time (part 1)

(This blog post is the first of two; the second one is here.) You are an organization without any formal Cybersecurity Program (CSP), but you have decided that the time has come to remedy that lack. What do you do now? The first thing you do is review the basic concepts behind Cybersecurity (C/S), which we assume that you have done by reading the appropriate posts of this blog. That means that you are familiar with these pillars from the NIST CSF: Identify, Protect, Detect, Respond, Recover. As a quick review, here are the concepts we will use in this post, presented in a form that is meant to show you how these concepts relate to each other: The obvious way to approach this process would be to start with Identify and work your way through the list to Recover, but that is actually not what we recommend when starting from scratch. Instead, we recommend that you take stock of what you are already doing. In effect, we recommend that you start with Detect and work backwards through ...

Someone Else's Problem

As noted in this blog post, we were recently reminded that when you ask CEOs the question "how much do you think about cybersecurity?" the frequent answer is "not much." For many CEOs cybersecurity (C/S) is a box that must be checked, of course, but a box that can be safely left to IT. In other words, to them, C/S is Someone Else's Problem (SEP). If you are the person running IT, effectively the CISO or actually the CISO, or the part-time CISO, this carte blanche may seem like a great deal: you get a blank check and the CEO (and the rest of the management team) gets a pass on thinking about C/S. In practice, this deal is not as great for you as it first appears. In a nutshell, the level of support indicated by "I trust you to do whatever it is that you do" may not be enough support for you to survive a C/S incident. Or two. Or three. You can certainly spin the wheel and hope that nothing too bad happens on your watch. You can even take all reasonabl...

Business Problems We Solve: What CEOs Should Talk About When They Talk About Cybersecurity

The most basic layperson definition of cybersecurity is this: the balance of maximum authorized systems access with the greatest amount of denial of unauthorized access. Even if you're technically inclined, the details of cybersecurity get dizzyingly technical after that. Face it: if you're running a business (or looking to invest in one) you aren't focused on technical details. Let's do some benchmarking. Here's what CEOs talk about when they talk about cybersecurity; see if this is what you talk about: Cybercriminals are more sophisticated than the Board; what do we do about that? There's a lack of appropriate controls -- typically cybersecurity is a rear-view mirror. Our critical assets are out there & accessible (e.g., product details or design leaks); too many leaders are playing catch-up. Nearly all CEOs need to feel in control, so they defer cybersecurity to IT experts, but are their priorities your priorities? Are they overspending? What's your re...

Business Problems We Solve: Align Your Business Priorities With Your Cybersecurity Spending

The other day we had a team meeting with an external partner of ours about CEO priorities and cybersecurity. Most CEOs do not have expertise in cybersecurity and defer to their IT department. The question we discussed was: does IT set up the cybersecurity program based on organizational priorities or based on IT's priorities? Whose 'value proposition' is it? The answer in nearly any case is that IT will set up a program based on its priorities, and those may not fully reflect the CEO's or Board's priorities. As an executive or Board member, you know that you need to align the organization's priorities and resources with the goals you have set. Have you had that discussion with your IT department? As the CIO or CTO, you know that you need to create the organization's cybersecurity risk management priorities with the resources and organizational goals that have been set by the Board and CEO. Have you had that discussion with your IT department, or with other...

Business Problems We Solve: Is This Investment Prospect A Ticking Time Bomb?

Some businesses have not created a cybersecurity risk management process. They also are likely to have enough IT vulnerabilities that when they find just enough bad luck they will blow up your investment. How would you know and what would you do? Some businesses we've worked with are fooling themselves. They believe that since no bad cybersecurity incidents (that they know of) have happened yet, why would anything bad happen in the future? As the great investment guru Warren Buffett put it, you don't find out who's been swimming naked until the tide goes out. Just as with beaches, so with cybersecurity risk management. The only way to find out whether a prospect has an adequate cybersecurity risk management approach is to do an audit. It's quite simply the only way. Taking people's word for it, claiming compliance with some set of standards, etc., amounts to nothing but a bad business risk. This is when you can envision the timer on the bomb ticking down...01...

Business Problems We Solve: When Should The Audit Happen?

Cybersecurity risk management audits are a way to ensure that the risk management plan is proceeding as planned and on schedule. When should the audit take place? All business processes require planning, executing, evaluating, and repeating. Cybersecurity risk management is about relationship management, and good relationships require maintenance. In business, relationships are critical -- and so is the perception of competence. For important business decisions -- and cybersecurity risk management is an important business decision -- wouldn't you rather work with a partner that is highly competent compared to one that is pleasant but not terribly effective? So let's discuss when to maintain that cybersecurity relationship. First, your plan should be scalable to address the right risks. There is no value in having "checked the box" back when you were growing the business, or a few CEOs ago, when the business and the threats you faced were different. The plan needs t...

Cybersecurity Adaptation

(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.) Are your cybersecurity (C/S) efforts adapting effectively? We all nod sagely when someone says something like "the cybersecurity threat environment is always changing!" Or "the bad guys are adapting all the time, so we have to adapt too!" But how does that vague sense of agreement translate into action? In other words, how often should you review your C/S priorities and procedures? The answer, maddeningly, is "as often as is required," but that isn't useful, and we at Pythia Cyber strive to be useful, practical and helpful. Let's take the oil in a car as an analogy. How often should you change the oil in your car? You should change the oil in your car as soon as that oil is dirty enough or broken down enough that it is no longer providing adequate lubrication. This answer is correct, but utterly unhelpful, which remind...

Cybersecurity Cost Effectiveness

(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.) Are your cybersecurity (C/S) efforts cost-effective? If you are senior management, especially in the IT department, you should be able to answer that question pretty easily, because you should be reviewing the success and scope of your organization's Cyber Defense efforts against not only the budget but against reasonable and customary levels of success. (Yes, there is an acceptable failure rate for C/S, just as there is for everything human beings do. Would you like to stop all attacks and recover flawlessly from all disasters? Of course you would. Are you a failure if an attack ever gets through or a disaster disrupts operations even for a moment? No, of course you are not.) We assume that your organization can answer the first two questions in this series, which were "Is your C/S addressing the right risks?" and "Is your C/S effective?...

Cybersecurity Effectiveness

(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.) Are your Cybersecurity (C/S) efforts effective? If you are a Cyber Defender, you should be able to answer that question pretty easily, because you should be checking the logs and the status of backups and should be able to say how many attacks you get per week/month/quarter, how many of those succeed, how often you back up your data and how you know that your backups are valid and useful. Ideally, you know how to communicate your evidence so that your colleagues can share your confidence. If you are not a Cyber Defender, you still should be able to answer that question, although at a much lower level of detail. At Pythia Cyber we always ask that question and we rarely get a good answer. We get answers, of course. All too often the answer is "I guess so; we don't have ransomware attacks." A close second is "Sure it is, because I like/trust...

The Right Risks

(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.) Are your cybersecurity (C/S) efforts protecting you from the right risks? In order to answer that, you need to know what makes a risk worthy of being avoided. Not all risks are worthy and not all risks are equally worthy. After all, there is never enough time and enough money to do everything that you might want to do: you have to choose your battles. This is just as true of C/S as it is of any other part of anything that human beings ever do. The first step is to list all of your critical systems and data. Your limited time and attention dictate that you worry about critical systems first. Remember that "critical" has nothing to do with "expensive" or "cool." Some workplaces need to be able to print in order to function, in which case your printers are critical systems. Boring, but critical. What does "critical" mea...

Business Problems We Solve: Leadership Quality

The most important question in any organization is: who should lead? It's not philosophical: a leader's characteristics account for differences in company performance. We at Pythia Cyber propose that the impact of leadership on cybersecurity is greater than the impact of general leadership on overall firm performance. Cybersecurity leadership involves technical skill, organizational savvy, the capacity and willingness to engage the technical and general workforce, and the insight to anticipate future threats. It's hard work. We solve the problems that arise in leading for cybersecurity risk management assurance in two ways. First, we are developing collaborations with world-recognized experts in leadership talent assessment (names to be announced soon!). We expertly assess the qualities of leaders with cybersecurity responsibility in your organization, or your prospect's organization. Our partners' clients are either in C-suites or in private equity. Second, we at Pythia...

Business Problems We Solve: AI Attack Vulnerability Reviews

In their wonderful recent book Not With A Bug, But With A Sticker: Attacks on Machine Learning Systems and What To Do About Them, Siva Kumar and Anderson note that "major AI systems remain vulnerable to the exploits of bad actors of all stripes." Including yours. Siva Kumar and Anderson note three fatal flaws of managerial thinking when it comes to preparing for cybersecurity attacks by artificial intelligence (AI) agents. First, they note, cybersecurity managers have a "romanticized view" of attackers (e.g., hoodie-wearing nerdy teens living in mommy's basement). The authors recommend that cybersecurity managers broaden their view of who their adversaries could be. Separately, we note that any and all organizations are potential AI-based cybersecurity targets -- something alluded to by Siva Kumar and Anderson. Second, the authors state that most people are AI-illiterate. Proof? Oh sure, you can ask an AI to create a deviled eggs recipe, but do you know how t...

Business Problems We Solve: Investor Assurance

All prudent investors qualify their prospects in terms of cash flow, P&L, management team, industry standing, and growth potential. Why wouldn't you do the same qualification for cybersecurity risk management? Investors speak the language of business. We at Pythia speak the language of cybersecurity. All (100%) businesses with a digital function -- payment system, advertising, email address, data center, online sales or product development platform, etc. -- have some degree of cybersecurity risk. We assess the extent to which companies have managed their cybersecurity risk. This includes policies, systems, and leadership. You deserve to know how much investment your prospect needs to make in its cybersecurity risk management. And if they don't or can't do it, you need to know what you will need to invest. Pythia's assessment report for investors includes an expert review and summary of the three following cybersecurity risk components: Cybersecurity policies: how e...

Cybersecurity Anxiety: Mystery And Myths

This blog post is aimed at people working in organizations either too small or too new to have much of a cybersecurity (C/S) program. You know who you are: you have the sneaking suspicion that you are out on some thin ice, but you don't know what to do next. There is no shame in not being a C/S expert. Most people are not. Nearly all people are not. But if you are part of the management team of a company, you rarely have the luxury of simply ignoring C/S altogether. After all, every management team member has, at one time or another, had to manage people engaged in work that the manager does not really understand. In fact, staying current with the lower-level details of work can be a real weakness in a manager. That said, there is no excuse for burying your head in the sand when it comes to C/S. It may be a mystery to you, but many people cannot explain how GPS works and yet somehow manage to use systems based on it. If you have decided that you can avoid knowing anything about C/S b...

The Kind You Actually Do

Once upon a time, as I began to move from young adult to just plain adult, I found myself in a very familiar position: I needed more but gentler exercise to stay in shape but I had less time to exercise. The result of this dynamic was an ever-declining level of fitness, but I had an ace in the hole: a friend who was an exercise physiologist. I explained to her my plight and my old exercise routine and what I considered to be my strengths and weaknesses. She listened without paying the rapt attention that I had assumed would attend my detailed exercise history. She asked no probing questions. When I was done, I asked her what the best exercise for me would be. "The best exercise for you is the kind that you actually do" was her response. At the time, I was rather put out. This was not the kind of detailed and data-based and medically-appropriate response that I expected. As time has gone by, the clear wisdom of her reply has shone through my expectations ever more brightly: th...

Rank Has Its Privileges

"Rank has its privileges" is such a strong part of military life that this concept goes by its acronym: RHIP. Alas, this concept is not limited to the military. Plenty of civilian workplaces have cultures that encourage leaders to use at least some of their power to make their lives easier and more convenient. This tendency is often more annoying to the rank-and-file than anything else. After parking in my unprivileged parking spot and walking a good long way in the cold or rain, I have felt a stab of bitterness as I slog by the cars which are parked closer to the building and under some kind of shelter. If that were all RHIP ever did to an organization, we could just shrug it off. A little resentment by underlings isn't going to hurt the organization much, and perhaps that resentment spurs some people's ambition, which might be good for the organization. Alas, in the cybersecurity (C/S) realm, RHIP does much more damage than cause a little resentment or bitterness or jealousy. As ...

What Do Cybersecurity Engineers Actually Do?

Since we emphasize behavior here at Pythia Cyber, let's talk about it and answer this question: what do cybersecurity engineers actually do? Suppose you wanted to hire one right now. What would you expect to advertise for? Let's set this cybersecurity workforce ecosystem up correctly. There is at least a cybersecurity engineer and a manager. Maybe there is also a CISO, though this person might not manage cybersecurity engineers. First, then, as the employer, know what personnel you're actually hiring. You as the executive/hiring manager/HR guru need to define what you need done. Do you need systems management, or web security, or does this person do acquisitions, or deal with a vendor? How about developing a cybersecurity risk management plan? All of that? Two: OK, now let's look at competencies and skills. The best place to start is with, yes really, the US government. Here is a link to the government's O*NET site -- think of it as a bank of continually validated jo...