Cybersecurity Effectiveness

(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.)

Are your Cybersecurity (C/S) efforts effective?

If you are a Cyber Defender, you should be able to answer that question pretty easily, because you should be checking the logs and the status of backups. You should be able to say how many attacks you get per week/month/quarter, how many of those succeed, how often you back up your data, and how you know that your backups are valid and useful. Ideally, you also know how to communicate your evidence so that your colleagues can share your confidence.
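As an added illustration (not part of the original post, and not Pythia Cyber's tooling), here is the kind of small script a defender could use to turn two pieces of raw evidence into the numbers above: a log of attack attempts becomes a per-month count of attempts, successes and a block rate, and a backup is checked against a manifest of expected digests. The log format, field names, and backup contents are all constructed assumptions; a digest check only shows the backup copy is intact, so it complements rather than replaces the scheduled restore test the post describes.

```python
"""Turn raw evidence into cybersecurity-effectiveness numbers.

Added example, not code from the original post. Assumed inputs: an IDS or
firewall log with lines of the form
    <ISO timestamp> <BLOCKED|ALLOWED> <source address> <signature id>
and a backup manifest mapping file names to sha256 digests.
"""
import hashlib
from collections import Counter
from datetime import datetime

# Constructed sample log (not real traffic). Addresses are documentation ranges.
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """\
2024-05-01T02:11:07Z BLOCKED 203.0.113.5 ssh-bruteforce
2024-05-01T02:11:09Z BLOCKED 203.0.113.5 ssh-bruteforce
2024-05-02T14:03:44Z ALLOWED 198.51.100.9 web-sqli-probe
2024-05-03T09:45:12Z BLOCKED 198.51.100.9 web-sqli-probe
2024-05-17T22:30:00Z BLOCKED 192.0.2.77 smb-scan
2024-06-02T01:00:00Z ALLOWED 192.0.2.77 smb-scan
malformed line that should be skipped
"""


def parse_log(text):
    """Yield (month, action, src, signature) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("BLOCKED", "ALLOWED"):
            continue  # skip rather than guess; a guessed line would skew the rate
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts.strftime("%Y-%m"), parts[1], parts[2], parts[3]


def effectiveness_by_month(text):
    """Return {month: {"attempts": n, "succeeded": n, "block_rate": pct}}.

    An ALLOWED line is an attack that got through; block_rate is the share
    of attempts that were stopped, rounded to one decimal place.
    """
    counts = {}
    for month, action, _src, _sig in parse_log(text):
        row = counts.setdefault(month, Counter())
        row["attempts"] += 1
        if action == "ALLOWED":
            row["succeeded"] += 1
    report = {}
    for month, row in sorted(counts.items()):
        attempts, succeeded = row["attempts"], row["succeeded"]
        rate = round(100.0 * (attempts - succeeded) / attempts, 1)
        report[month] = {"attempts": attempts, "succeeded": succeeded, "block_rate": rate}
    return report


def leaked_signatures(text):
    """Signatures that produced at least one ALLOWED line: the ones to tune for."""
    return sorted({sig for _m, action, _src, sig in parse_log(text) if action == "ALLOWED"})


# Constructed backup contents and the manifest a backup job would have written.
BACKUP_FILES = {
    "db.sql": b"CREATE TABLE users (id INT);\n",
    "config.yaml": b"retention_days: 30\n",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in BACKUP_FILES.items()}


def verify_backup(files, manifest):
    """Compare each file's sha256 against the manifest; return (ok, problems)."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
            continue
        if hashlib.sha256(files[name]).hexdigest() != expected:
            problems.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unlisted: {name}")
    return (not problems, problems)


if __name__ == "__main__":
    for month, row in effectiveness_by_month(SAMPLE_LOG).items():
        print(f"{month}: {row['attempts']} attempts, {row['succeeded']} succeeded, "
              f"{row['block_rate']}% blocked")
    print("signatures that got through:", leaked_signatures(SAMPLE_LOG))
    print("backup intact:", verify_backup(BACKUP_FILES, MANIFEST))
```

Run as-is it reports May 2024 at 80% blocked and June 2024 at 0% blocked on the constructed log, names the two signatures that got through, and confirms the sample backup matches its manifest; feeding it a corrupted or incomplete copy of the backup returns the specific files that failed, which is the kind of evidence the post asks for rather than a feeling that things are fine.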

If you are not a Cyber Defender, you still should be able to answer that question, although at a much lower level of detail. At Pythia Cyber we always ask that question and we rarely get a good answer. We get answers, of course. All too often the answer is "I guess so; we don't have ransomware attacks." A close second is "Sure it is, because I like/trust our IT department." My least favorite is "Yes, because we constantly bombard our people with warnings about clicking on links in emails."

The problem with these very common answers is that they are faith-based. In other words, no proof is asked for or offered. Worse, some people feel that it is rude or disrespectful to expect or ask for proof.

What would a good answer be? Our favorite answer is "Well, our C/S is pretty good, actually. It stopped 98% of attacks last month and the team is adjusting to handle that 2%. We have regularly scheduled downtime to test our backups, so we know that they work in case of disaster."

C/S is everyone's business, because C/S failures can affect anyone in the company. Asking for proof is not rude. Offering proof is not obnoxious. Faith has its place and can elevate your spiritual life, but faith is an unreliable way to elevate your C/S.
