Don't Let Sleeping Cybersecurity Lie
A common question we get from prospects is this: "why would I question my cybersecurity?" The subtext usually turns out to be that the prospect's organization is staffed by reasonable, hardworking, dedicated people and therefore it is borderline rude to imply that they are not doing a good job.
(For the purposes of this post, let us set aside the issue that there is a difference between making cybersecurity someone's job and just assuming that the IT folks are doing something reasonable.)
At Pythia Cyber, until proven otherwise, we assume that your coworkers are reasonable, hardworking and dedicated. There are still three common scenarios that lead well-run, well-meaning organizations down the garden path of insufficient or ineffective cybersecurity.
The March of Time is relentless. It is common to take a cybersecurity posture and then faithfully maintain that posture, which is a good thing to do. Alas, doing this is not enough: you must also allocate resources to constantly review what you are doing to make sure that you are doing the right things. This is one way reasonable, hardworking, dedicated teams get out of date: they keep doing what they are supposed to be doing while the threat environment changes around them. This scenario includes small companies that outgrow their previous posture as well as mature companies that do not keep up-to-date. Keeping up-to-date is a big job and there is no shame in needing some outside help in doing that.
The Super Important Project (SIP) is another common downfall. When a SIP blows through town, it is tempting to pull resources from other projects to serve the SIP. When pulling resources, it is tempting to cut back a bit on cybersecurity, which is a cost center and mostly invisible. The price of freedom is eternal vigilance. The price of cybersecurity is constant attention. Taking your eye off the ball, shifting your focus, whatever you want to call it, can have long-lasting consequences as things settle into the "new normal" in the SIP's wake. Not only are you distracted during the SIP, but you are also likely to fail to return to pre-SIP routines, especially if Son of SIP is on the horizon. This scenario is hauntingly common, given the number of IT departments we see who are trying to catch their breath as the SIPs keep coming. Someone needs to help them catch their breath and assess their priorities, because doing that while on the SIP treadmill is nearly impossible.
The Blind Spot is something we all have. When the blind spot is owned by your CISO or whoever runs your cybersecurity, then it doesn't matter that they are reasonable, hardworking and dedicated. They are missing something and they can't see that they can't see. A blind spot is a vulnerability and sooner or later a threat will exploit that vulnerability. They need someone else's help to discover what they cannot see and to learn to use techniques and tools to help them be more aware.
Having evidence-based cybersecurity as part of a program that bridges the gap between the IT security folks and management is how you can detect and correct sliding into any of these scenarios. We are not saying that your cybersecurity is lax or inept; we are saying that without a closed loop between cybersecurity and management, there is no way for you to be sure.