The Kind You Actually Do

[Image: Physical training at Grubbs Vocational College.]

Once upon a time, as I began to move from young adult to just plain adult, I found myself in a very familiar position: I needed more but gentler exercise to stay in shape but I had less time to exercise. The result of this dynamic was an ever-declining level of fitness, but I had an ace in the hole: a friend who was an exercise physiologist. I explained to her my plight and my old exercise routine and what I considered to be my strengths and weaknesses. She listened without paying the rapt attention that I had assumed would attend my detailed exercise history. She asked no probing questions. When I was done, I asked her what the best exercise for me would be.

"The best exercise for you is the kind that you actually do" was her response.

At the time, I was rather put out. This was not the kind of detailed and data-based and medically-appropriate response that I expected. As time has gone by, the clear wisdom of her reply has shone through my expectations ever more brightly: the best kind of exercise is the kind you actually do.

I assume that there is an unspoken clause at the end, so I think of her advice as "The best kind of exercise for you is the kind that you actually do on a regular basis." If so, this is also a near-perfect mantra for the potential Pythia Cyber client who is looking to elevate their Cyber Security. Ask not what is the coolest, most cutting-edge or newest technique or technology. Instead, ask "what is the process that will, if faithfully and constantly followed, produce the program that is not only theoretically effective but practically feasible?" In other words, what is the Cyber Security program that you will actually do?

Sometimes people ask us "what do you mean by actually do?" and that is a reasonable question, best answered with some examples.

If you don't do anything, but instead have your IT department buy and deploy some kind of technology which is supposed to fix all your problems, that is a program you don't actually do. You are relying on technology to handle all possible forms of human behavior and that is...optimistic. People are ingenious. Technology can help, but leadership is always a key ingredient. (We have a post more focused on leadership.)

If you shoot for perfection, you will mostly be discovering the ways in which your people are ingenious. For example, one of my clients decreed "no cell phones at work" but they did not do anything to make that policy feasible. Instead, they relied upon the fact that the company had a WiFi dead spot in their offices. One of their newer hires, in all innocence, thought that this was a technological issue and so kindly brought in a Wireless Access Point (WAP) from home, connected said WAP to the wired network, and presto! WiFi at work! Smart phones unleashed! Unclear and unsupported policy defeated! And there was much rejoicing (until we found out about it).

Another of my clients tried having their email server block all email from outside the organization, except for sales people and customer support. A reasonable policy in the abstract. A comically unworkable policy in the concrete. Every valid reason to communicate with the outside world gave their employees license to go around this policy, which led to people gradually just ignoring the policy for everything. Then their web master blocked Gmail, so people started using their smart phones for work email. Things went downhill from there. This was a policy that leadership did not actually implement; they just issued a decree and assumed success.

Creating policies that translate into effective, feasible policies is hard, but Pythia Cyber can help. Leading by example does not come naturally to many people, which is why Pythia Cyber's engagements always include leadership coaching as needed. The kind of Cyber Security Program that is best for you is the one you actually do.
