What Does Pythia Cyber Do For You? (1 of 4)
(This post is the first in a series of four; the other posts are each directed at different roles: CEO, CISO, Investor.)
Because Pythia Cyber does not fit into any standard management consulting box, we are often asked exactly what it is that we are selling. The answer to that question is much clearer if we answer another question first: to whom are we selling?
We are selling to you if you have a vague feeling that you should be doing more in the way of cybersecurity, but you don't know what that would be. We are selling to you if you feel the ice getting a bit thin under your feet, but you are overwhelmed by the options. Maybe you are a relatively new organization that has put off getting serious about cybersecurity a bit too long. Maybe you are a growing organization that has prioritized growing over cybersecurity for a bit too long.
However you got here, here is where you are: you need to take the next step but you do not know enough to know what the next step should be. You are aware of the two options: build or buy. But building is risky and a distraction, and buying means taking a leap of faith as well. (Check out this post for more about these options: Oak vs Acorn.)
Adding to the lack of clarity is the fact that cybersecurity is like physical security: organizations seem to either have too little or too much. Either anyone can walk right in the front door or everyone needs a company ID to get past the guard. You know you don't want too much and it is often difficult to assess the consequences of too little, so why don't we put this off for a little while longer?
There is also the problem of how vendors have structured the market. Vendors tend to provide a compliance program (training courses and the like intended to make your people behave more safely) or an appliance solution (hardware and software intended to make your environment safer). Which do you need? How do you measure the effectiveness and cost-effectiveness of whatever you choose?
This is why so many organizations have too little cybersecurity: they are not ready for too much, too little seems to be working, and they do not know that just enough is an option. This is what Pythia Cyber sells: management consulting to help you figure out what is the right amount for you and cybersecurity consulting to help you figure out how to get that right amount. This is why Pythia Cyber has experts in two areas: classic cybersecurity and behavioral cybersecurity.
By "classic cybersecurity" we mean rigorous and formal cybersecurity programs based on the NIST CSF. By "behavioral cybersecurity" we mean using behavioral science to change people's behavior with regard to using cyber assets and building bridges so that non-technical management can actually oversee technical work.
Come to us to learn a bit about the discipline of cybersecurity and a lot about what cybersecurity means to YOU. Once you are an educated consumer with clear goals and timelines and budgets, you can make educated decisions about building or buying. We can make you an educated consumer.
Our goal is to take you as far up the mountain of cyber safety as you want to go (or can afford to go). The mountain top is a rigorous, proven, self-sustaining cybersecurity program (CSP). Can everyone afford this? No. Is every team capable of reaching this goal? No. Does that mean that whatever you are doing is fine? Maybe: can you prove that it is?
Let us get more concrete. To us, a CSP does the following:
- Extends Risk Management into the cyber domain
  - ID assets, risks to assets, policies for risks, procedures for policies
- Links senior management to cyber defenders in a formal way
  - Management priorities (time and money) flow downward
  - Monitoring results flow upward
- Ensures that the Incident Response Plan is updated and validated
If your cybersecurity efforts already meet all these criteria, then rejoice and be glad: all that remains for Pythia Cyber to do is affirm this as an objective outside entity and to make sure that your CSP is being kept up-to-date. If your cybersecurity efforts do not meet all these criteria, do not despair: Pythia Cyber can help you create a plan to get from wherever you are now as far up the mountain as you feel you need or can afford.
Walking on thin ice is unnerving, but falling through the ice is potentially fatal. If you feel that the ice is getting thin, give us a call before something really bad happens.