White Box Cybersecurity for Techies, Part 2

One of the Pythia Cyber founders introduced his novel way of describing our goal, "white box cybersecurity," in this post. But that post was aimed at management, while this post and its follow-up are aimed at technical people: cyber warriors and cyber defenders, the people in the cybersecurity trenches. This post is the second of a pair. The first one is here.

That first post explains what we mean by white box cybersecurity and black box cybersecurity. It also outlines why we think black box cybersecurity is bad for techies. This post explains why we say that white box cybersecurity is good for techies.

So why is white box cybersecurity, i.e. cybersecurity whose inner workings are visible to management and ideally basically understood by management, good for techies?

The short answer is that white box cybersecurity allows management to manage. It allows oversight. Oversight is good, even if micro-management is bad.

White box cybersecurity means that you get the input you need, the guidance you need and the support you need. How do I know that you need these things? Because you need them by definition.

Your job is to protect cyber assets from threats and vulnerabilities.

Who decides what is a cyber asset? You do. Who decides the relative importance of each cyber asset? You do not. Even if you think that you know better than everyone else, this is not your call to make. This is a management function. If you make this call, you will have to defend this call when things go wrong. If you don't make this call, you do not have to defend it.

Who decides how much time and money to spend protecting these assets? You do not. Yes, management should get your input. But allocating resources, which is an expression of organization-wide priority, is not your job. That is literally what management is for. If you try to make this call, you will end up in some pretty deep water and if your colleagues let you make this call, they are either bad at their jobs or setting you up as a scapegoat. Your job is to operate within these priorities, not to set them in the first place.

Who decides if this protection is cost-effective? You do not. Yes, management should get your input. But overseeing yourself is meaningless and will not end well. For one thing, even if you are the smartest, wisest, most experienced and sharpest eyed person in the company, you lack perspective. You cannot escape being you and seeing things as you see them. Want to ensure that your worldview is properly aligned with the stakeholders? Ask them.

Yes, oversight means that sometimes you will be told to do things with which you disagree. Sometimes you know best. But here is something too few techies learn, and most of us learn it too late: it does not matter if you are right unless you can convey the facts to non-techies and convince them of the correctness of your position. Non-techies learn early that if people don't know that you care, then they don't care that you know. We learn that if it works, other people can just shut up and enjoy the fact that it works. This attitude is survivable at lower levels, but if you want to run a cybersecurity program, you need to learn to embrace oversight and communication. You need to learn to manage up as well as down. Believe it or not, life is better as part of a healthy team. And Pythia Cyber can help you get there.