The Low End of the CISO Continuum

This post is about what Pythia Cyber can do for prospects who are at the low end of the CISO Continuum.

"The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post).

In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity (and puts you on the low end of the continuum).

Note that "low end" is descriptive, not pejorative. It means "having less management involvement in cybersecurity." Having no management involvement is questionable. Being at the low end is often entirely appropriate for an organization. As a rule of thumb, we at Pythia Cyber say that if you do not have a CFO, you probably don't need a CISO. If you have relatively few financial controls, you probably need relatively few cybersecurity controls.

Organizations on the low end are often there by choice: their managers have determined that the organization is either too small or too new to need a cybersecurity program. The question then becomes: is this determination still valid? Specifically, are your people doing the right cybersecurity things? If they are doing the right things, are they doing those things effectively?

We do not assume that every organization needs to be on the high end. We do not assume that every informal effort is either ineffective or cost-ineffective. We do assume that these questions need to be asked because human beings are bad at updating their assumptions. So we ask the questions and then are a bit picky about having evidence to back up the answers.

Often there is a defensive undertone to this interaction because prospects are under the mistaken impression that we are looking to find fault with their current IT security efforts. This is the opposite of what we are looking to do: our first step is always to figure out what you are already doing right, and then to build on that if what you are doing right is not enough. If your current efforts are enough, then we focus on creating the bridge between management and IT security so that management can execute the oversight function that is part of their job.

What distinguishes a formal cybersecurity program from the "that's the IT department's problem" approach is that the loop is closed between the cyber defenders (the IT security folks) and management. The actual front-line work is done by the same people in each scenario, but management has input into what is protected and has proof (evidence that they understand) that the protection is happening and is effective.

There are pros and cons to being at the low end. The pros are that the lines of communication are short, the number of people involved is small and the silos are not as deep. Building a program on top of existing IT security is largely about fostering communication, so short lines of communication make that easier. Building a program is also about changing organizational culture, which is also easier if there are fewer people. Changing culture often requires people to understand other people's goals and methods, and that is easier when the silos are shallower. In a huge company, the IT people often never even meet their users. In a small company, the IT people eat lunch with their users. This contact is valuable if you can get it.

We always ask the same questions to kick off an engagement:

  • Are the right things being protected?
  • Is that protection actually happening?
  • Is that protection effective?

At the low end, we ask the IT security people to tell us what they are protecting and then we confirm with management that this list accurately reflects the organization's priorities. For details, see our posts about the NIST CSF "Identify" pillar.

At the low end, we help the IT security people talk to management about how to provide proof, which we define as "evidence management can understand." This means defining reports and terms that are both accurate (so IT can stand behind them) and comprehensible (so management can stand behind them). The goal is to unite IT and management in being confident about cybersecurity. For details, see our posts about the NIST CSF "Detect" pillar.

At the low end, we facilitate discussions between IT and management about how your organization will respond to a cybersecurity incident. You can write an Incident Response Plan, and we can help. For details, see our posts about the Incident Response Plan concept.

Being at the low end of the continuum is reasonable for many organizations. But failing to upgrade from mere cybersecurity to a cybersecurity program when the organization has outgrown the low end is not a good idea. You can find the appropriate level of cybersecurity program, and we can help.
