The Future Is Now
In previous eras, cautious human beings were wise human beings. When the environment remained largely unchanged for century after century, doing what most people did was a pretty good strategy. For example, the Roman Empire existed for a little under 1,000 years and if you took an army recruit from the first professional Roman army and magically transported him to the last professional Roman army, he would have been able to function.
But that is not the era in which we live. Following the herd feels good but is all too often a terrific way to be a day late and a penny short, especially with respect to the new (AI) and the ever-changing (cybersecurity).
Someday, AI chat bots and agents and other pseudo-employees will have well-defined roles, bounded by HR policies and properly overseen by managers. In many companies, that is not the case yet. But if you wait to tackle these problems until they have thoroughly tested, widely accepted solutions, then you will likely have exposed yourself to lots of risk. Cybersecurity has a huge component of human behavior; that is obvious right now. As you incorporate pseudo-employees into your workforce, cybersecurity will have a growing nonhuman behavior component. Letting that liability go without oversight would have been perfectly sane 2 years ago; it is not a great idea now, since AI is coming. In a few years, having no management oversight of AI deployment will be negligent and dangerous.
Someday, cybersecurity reporting to management will be as mature and standard as the Profit and Loss statement is for finance. Ah, the P&L, a masterpiece of summary without becoming misleading, a terrific snapshot and a great place to start a conversation. We take it for granted now, but before standardized financial reporting, it could be painfully difficult to take the financial pulse of an organization of any size. But if you wait for someone else to figure out a format in which to report cybersecurity activity to management, you will be flying blind for quite some time. Oversight of cybersecurity should be happening now; every day you wait to define a common format so that your cybersecurity team's evidence can become proof (evidence that you understand) is a day in which you are not overseeing your cybersecurity team's activity. Is your cybersecurity excellent? Perhaps. Is your cybersecurity team understaffed or focused on what they can control instead of what needs to be controlled? Let's hope not; better than that, let's find out.
If you wait long enough, there will be widely accepted answers to these questions and you won't have to do this work for yourself. All this will cost you is months or years of exposure to risk. Is that exposure worth it? There is no good way to make that assessment while flying blind. Maybe?
Know your risks. Take control of what you can control but figure out what needs to be controlled in the future. Pythia Cyber can help you figure out what the rules are for helpful AI and what the format is for useful cybersecurity reporting. Then you can start overseeing all that excellent work instead of praying that everything is as alright as it can be.