What Does Pythia Cyber Do For the CEO? (2 of 4)


(This post is the second in a series of four; the first post is general and the other posts are each directed at different roles: general, CISO, Investor.)

This post focuses on what Pythia Cyber sells to the CEO (and other members of the C-suite).

In order to keep this description of what we do as concrete as possible, let us first define the goal that our services exist to reach: a rigorous and formal cybersecurity program (CSP) based on the NIST CSF. More specifically, we mean a CSP that does the following:

  1. Extends risk management into the cyber domain
    1. Identifies assets, risks to those assets, policies for those risks, and procedures for those policies
  2. Links senior management to cyber defenders in a formal way
    1. Management priorities (time and money) flow downward
    2. Monitoring results flow upward
  3. Ensures that the Incident Response Plan is kept updated and validated

As a senior manager, you have two roles in the CSP:

  1. You validate the list of cyber assets and the priority of their protection.
  2. You oversee the efforts to protect those assets.

In other words, you make sure that resources are allocated in a manner consistent with your organization's needs, and you oversee those working underneath you to ensure both the effectiveness and the cost-effectiveness of their work.

Have you been told that cybersecurity is a techie thing done by techies? Then you were misinformed. Consider finance as an analogous function in your organization. Would you ever consider just letting the finance people do whatever it is that they do? Of course not: while you are not a bookkeeper or an accountant, you still need to have a basic grasp of finance and still need to exercise oversight of the people overseeing the bookkeeping and the accounting. Why treat cybersecurity differently?

You treat cybersecurity differently because you have to: no one has given you the grounding in the discipline that you were given in finance. There is no cybersecurity equivalent of the P&L statement, but there should be. In fact, there needs to be one inside your organization; otherwise, how can you oversee this important function?

We can give you that grounding. Pythia Cyber provides management consulting in two areas: classic cybersecurity and behavioral cybersecurity. In both of these areas we can help you lead even if you are not a domain expert.

By "classic cybersecurity" we mean giving you some basic tools that make meaningful conversation with the cyber defenders possible. They have to produce evidence that what they are doing is working. You have to be able to understand that evidence. We can help you frame that ongoing conversation.

By "behavioral cybersecurity" we mean using behavioral science to help your cyber defenders change people's behavior with regard to using cyber assets, and to help you set up the linkage between you (senior management) and the CSP. No, this does not fall 100% on whoever heads up your CSP, just as your CFO isn't solely responsible for all decisions about money.

In order to protect the company's cyber assets there needs to be a well-supported CSP in place. In order to lead the company and oversee the CSP there needs to be a formal reporting process in place, with reports that make sense to the C-suite but do not overburden IT. Teaching both sides how to interact professionally and effectively is what we sell to the CEO in particular and to senior management in general.
