Cybersecurity Adaptation
(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.)
Are your cybersecurity (C/S) efforts adapting effectively?
We all nod sagely when someone says something like "the cybersecurity threat environment is always changing!" Or "the bad guys are adapting all the time, so we have to adapt too!" But how does that vague sense of agreement translate into action? In other words, how often should you review your C/S priorities and procedures?
The answer, maddeningly, is "as often as is required," but that isn't useful, and we at Pythia Cyber strive to be useful, practical and helpful.
Let's take the oil in a car as an analogy. How often should you change the oil in your car? You should change the oil in your car as soon as that oil is dirty enough or broken down enough that it is no longer providing adequate lubrication. This answer is correct, but utterly unhelpful, which reminds me of this joke. This answer is so unhelpful because there is no easy or straightforward way to assess the current effectiveness of the oil in your car. Since there is no way to assess your oil, mechanics give estimates with warnings: change your oil every 3,000 (or 5,000 or whatever) miles of operation, but more frequently if you live in a harsh climate or drive like a lunatic. Or every 3 months. Or whatever other proxy they can come up with.
The principle is the same for C/S: you should change your Cyber Defense and systems administration policies and procedures just before you need to. However, there is a big difference between oil changes and C/S programs: it is relatively easy and straightforward to assess the current effectiveness of your cybersecurity program. If you are engaged in evidence-based C/S, not faith-based C/S, then you have a sense of who is coming knocking on your defenses and how comfortably your data protection software and hardware are handling your data. So we can give you an estimate and a warning that is actionable: review your C/S as part of every budget cycle, since it is a business function, or whenever your evidence tells you that your defenses are straining, whichever comes first. Like gardening, C/S is a reality-based activity, not a calendar-based one. The calendar can give you a general idea, but estimates are no substitute for knowledge.