What Does Pythia Cyber Do For the CISO (3 of 4)
(This post is the third in a series of four; the first post is general and the other posts are each directed at different roles: general, CEO, Investor.)
This post is directed at you, the CISO or part-time CISO or fractional CISO or CTO or CIO or whatever your organization calls the person heading up cybersecurity. Why would you hire Pythia Cyber and, if you did, what would you get for your money?
What sets Pythia Cyber apart in the cybersecurity consulting space is that we have two areas of focus: classic cybersecurity and behavioral cybersecurity. We are structured this way because there is a large behavioral component to cybersecurity. In fact, there are two such components: the behavior of colleagues when they are users of technology and the conversations you should be having with senior management about cybersecurity.
It is likely that your career before you got this job did not prepare you either to influence people you do not directly manage or to frame this on-going conversation with senior management. Pythia Cyber can help you with any and all parts of these two crucial skill sets.
When referring to user behavior, we use the word "influence" advisedly. We like to say that the CISO's authority is narrow but their responsibility is broad. In other words, you are responsible for the consequences of the behavior of every user in your organization, but only a fraction of those users report directly to you. In cybersecurity, an ounce of prevention is definitely worth a pound of cure, which means that you want to get ahead of cybersecurity issues caused by user misbehavior. To do that, you have to prevent the misbehavior from happening in the first place. To do that, you must become adept at influencing the behavior of people who report to someone else. Otherwise you will be cleaning up the cybersecurity mess you could have prevented.
When referring to managing up, we use the word "conversation" advisedly. Many technologists have little patience for bureaucratic procedure, but a NIST CSF-based Cybersecurity Program (CSP) demands that you become savvy in this regard. Being largely ignored by your senior management seems like freedom until something goes wrong and you discover that people tend to have no investment in processes and procedures into which they have had no input or of which they have had little awareness. If you do not bring management along with you on the journey of building or maintaining your CSP, you may find yourself the presumed-to-be trustworthy head of cybersecurity one day and the unemployed scapegoat the next.
Of course we have cybersecurity experience and expertise. Of course we can provide some technical advice and some strategic planning help. But when we work with CISOs that is not where we start. We start with figuring out what you are doing right in every domain so we can help you do more things right in more domains. And that includes ensuring that your interactions with both management above you and colleagues in other hierarchies are effective in elevating your security.
On the classical cybersecurity front we can help you in two ways: external validation of what you are doing and internal updating of what you are doing. As for the validating, moving you to an evidence-based footing is a huge step. As for updating, just about everyone gets out of date with their cybersecurity since the threat environment changes so rapidly and so few organizations staff their cybersecurity teams with the "excess" capacity to constantly update as needed.
We also use the words "proof" and "proven" advisedly. We define proof as evidence that your management understands. We define proven as known by management to be working, based on evidence. The move from faith-based cybersecurity, in which your management trusts you implicitly for whatever reason, to evidence-based cybersecurity, in which your management trusts you because they have some understanding of what you are doing and a basic grasp of how you know what you are doing is working, is what moves your cybersecurity from an IT activity to a company asset.
You collect evidence and you present evidence. Managing up is the behavioral part: presenting the evidence in a professional, concise and effective way. Your goal is having a relationship with management in which their trust in you is based on evidence. This goal is about human interaction, not technological function. You were likely not trained in this; we were.
Cybersecurity requires leadership at many levels, but unique to the CISO is the requirement that you exert influence where your responsibility exceeds your authority. You need to lead your team but that is not enough. You need to influence your peers and help them lead their reports, at least with regard to cybersecurity. When the receptionist clicks on an evil link in a cleverly crafted phishing email, she makes work for you but she does not work for you. You need to bridge this gap in a sustainable way.
It is a common misconception that your job requirements begin and end with defending the company's cyber assets. Instead, your job requirements begin with helping senior management decide which assets to protect, in what priority order, for what level of resources. Your job requirements end with gathering and presenting evidence to senior management that your CSP is working. This kind of collaborative Risk Management work is rarely what we are trained for in the IT department, but it is a necessary skill if you are to build or maintain a rigorous, proven, self-sustaining CSP.
Managing up--helping your senior management to see and embrace their proper role in the CSP--and wielding influence instead of authority are not skills that a successful technologist needs to get to the top, but they are skills you need to stay there. Pythia Cyber can coach you to get better at these critical skills as you build or burnish your CSP. You can prove that you are good at your job. We can help.