The Middle of the CISO Continuum
This post is about what Pythia Cyber can do for prospects who are in the middle of the CISO Continuum.
"The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post.)
In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. If you have someone doing CISO stuff, probably part-time, but that person has no staff and minimal input from management, then you are in the middle of the CISO Continuum. We have a number of posts about the various kinds of CISO; here is a good starting point.
Organizations in the middle are often quite comfortable with the level of program that they have. They have given cybersecurity enough priority to have a more formal approach. In these engagements, the first question is: are assumptions out of date? Does your current size and maturity need more management involvement? Are your current policies and procedures a match for the ever-evolving threat environment? Is your CISO-ish person providing proof that would satisfy external reviewers in the event of an incident?
Often there is a defensive undertone to this initial interaction because prospects are under the mistaken impression that we are looking to find fault with their current cybersecurity. This is the opposite of what we are looking to do: our first step is always to figure out what you are already doing right, and then build on that if what you are doing right is not enough. If your current efforts are enough, then we focus on the bridge between management and IT security so that management can execute the oversight function that is part of their job.
Often being in the middle of the CISO Continuum is exactly where the organization should be. Management should be able to oversee the program, but that does not mean micro-managing the CISO. Management should have real confidence in what is being done, but that does not mean making them all cybersecurity experts. The people doing the work should feel supported and should not fear being made a scapegoat if something bad happens. The people doing the work should feel that management can grasp the evidence that is offered as proof that the work is good. If all that is happening and your organization is adequately protected, then you are doing as well as you can.
For the middle of the range, our focus is on making sure that your assumptions are still valid and that what guided your previous decisions is also guiding your current operations. That being said, there is a minimum level of protection that is required in order for actions to be considered cybersecurity, so we expect even the middle of the range to use some kind of formal framework for their programs. (We recommend the NIST CSF for this.) As a simple test of the foundations of any existing program, we always ask the same questions to kick off an engagement:
- Are the right things being protected? (NIST CSF "Identify" pillar)
- Is that protection actually happening? (NIST CSF "Detect" pillar)
- Is that protection effective? (NIST CSF "Respond" pillar)
- Is your Incident Response Plan reasonable?
For the middle of the range we are checking to see that things are still working the way you thought they were. This is like an annual physical: there should be no surprises and the interventions that we recommend should be relatively moderate because things should be relatively good already.
Continually revisiting and revising your assumptions is hard. Over time we get comfortable with our environment and stop paying close attention to it. Let us be the fresh eyes that help you be whatever it is that you know you need to be.