The High End of the CISO Continuum

This post is about what Pythia Cyber can do for prospects who are at the high end of the CISO Continuum.

"The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program," and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post.)

In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity.

Note that "high end" is descriptive, not laudatory. It means "having more management involvement in cybersecurity." Being at the high end does not mean that your organization is doing everything it should and doing it effectively; rather, it means that you are doing a lot. Alas, cybersecurity is about achievement, not activity, and the goal posts aren't just being moved, they are being whisked away.

Organizations on the high end are usually way ahead of the game: their managers are committed to a formal cybersecurity program, which is great. The question then becomes: is your current program effective?

This is a sincere question, not the start of a witch hunt. We do not feel that we have to bring IT or cybersecurity scalps to the C-Suite in order to get paid. Instead, on the cybersecurity side we bring fresh eyes, and eyes that are free of your Super Important Projects and so can see clearly. On the leadership side we bring expertise in a neglected area: changing human behavior to support cybersecurity.

You already have a formal cybersecurity program, and that is great. We assume that your program is well-grounded, but we will check, so don't take offense. You already have some kind of linkage between management and the cybersecurity practice, but we will confirm that these linkages are working for both ends. Is the reporting burden on the cybersecurity practitioners appropriate? Does the reporting actually land on management's ears?

And in keeping with our emphasis on achievement over activity, we will ensure that your existing efforts are effective and well-founded by asking the same questions we always ask to kick off an engagement:

  • Are the right things being protected?
  • Is that protection actually happening?
  • Is that protection effective? 
  • Is that protection self-sustaining?

In an ideal engagement, the answer to all these questions is "yes." That is fine by us: there is an awful lot of cybersecurity consulting to be done. We do not need to make a career out of any particular engagement. In fact, we set milestones and dates at the beginning and pride ourselves on keeping to both.

If the answer to any of these questions is "no," then, at the high end, we expect that the bulk of our effort will go into precisely and concisely describing the gaps and then letting the in-house apparatus do its thing. We end with a quick confirmation that the gaps have been closed and then celebrate (briefly).

Being at the high end of the CISO Continuum is generally a fine place to be. If, in addition to your great past planning and your excellent execution, you have also found the time and energy to update and adapt, then huzzah! If not, we can help you close whatever gaps you have.