Proof: Evidence You Can Understand

[Image: The right hand of Whitney's connectivity inequalities proof]


At Pythia Cyber, we say that your cybersecurity should be part of a program and that program should be

  • Integrated--linking management and cybersecurity.
  • Scalable--growing as you grow.
  • Trusted--based on proof, not faith.
  • Self-Sustaining--adapting as the environment changes.

When we say "proof" we mean "evidence that you can understand." When we say "evidence-based" we mean "there is evidence, you have seen it and you understood what you were seeing."

Oversight is part of management's duties. Oversight requires the ability to know when what you are overseeing is working.

Being aware of an activity is not the same as overseeing that activity. For example, I could watch a surgery but I have no ability to determine how well that surgery is being executed. I would be watching, not overseeing. I would be present and aware, but not in a position to exercise oversight, except at the very grossest level.

So it is sometimes with cybersecurity: we ask management to oversee cybersecurity but we do not give them the tools to do any more than spectate at best. Sometimes this is a Faustian bargain: IT security folks accept responsibility for cybersecurity but not for keeping management informed, and management pretends to oversee what they merely watch. IT security is free from the burden of reporting and oversight, and management is free from the burden of tracking cybersecurity metrics. This bargain works well unless and until something bad happens, at which point management points fingers and IT security becomes a scapegoat.

And these days, it is almost always a matter of when something bad happens, not if.

When we see this bargain, the most common underlying assumption is that to oversee cybersecurity one must be a cybersecurity expert. Thank God, this is just not true. Instead, it is true that to oversee cybersecurity, one must understand only the evidence being presented. You do not have to grasp the mechanics of any given cyber attack in order to understand a report of how many attacks occurred last month, how many were thwarted, how many succeeded, and to what extent they succeeded. So it is for every other measure your cyber defenders put in place. In order to have confidence in your cybersecurity program, you need answers that you understand to these questions:

  1. Are you protecting the right assets?
  2. Are you mitigating the right risks?
  3. Is the mitigation being done?
  4. Is the mitigation working?

While I was typing this post, I got an email from Google Workspace about the Pythia Cyber account:

We found some security gaps for your organization

Review the latest issues we found below. Take action now to better protect your organization, with just a few clicks.

The link takes me to a review of some settings they would like me to change, plus a warning about phishing attacks. This is language the layman can understand. This is a way to let me know that something is up that is neither scary nor condescending. This is an example of effective communication between cybersecurity and the stakeholder.

You should strive to meet the same bar: if you are a cyber defender, accept the burden of effective communication with management. If you are in management, accept the burden of having a basic grasp of the activity you are meant to oversee. Remember that cybersecurity and management are in this together. Neither of you wins if you both agree not to play the game. The apparent peace and quiet will mask a lack of oversight and a brittleness in management support.

You can master the behavioral and cultural aspects of a cybersecurity program; Pythia Cyber can help.
