Who's The Boss?

We at Pythia Cyber have been advised that our posts have tended to be too polite, to stop short of making our points because we don't want to offend. We've been advised to stop being so nice. Let's give that a try.

In our experience, cybersecurity programs often fail to be either effective or cost-effective, and the most common cause of this underperformance is lack of integration. Cybersecurity is everyone's job. That is not a slogan, it is a fact. It is not the only job of everyone, but anyone can compromise your cybersecurity, and that fact doesn't go away because you like or trust your CISO.

How do you know if you lack integration? Great question. (Spoiler alert: if you are not certain that your program is integrated then it is not integrated.)

Does Senior Management Manage?

If your cybersecurity program is something that someone in IT does for you, then you have a problem. Senior management needs to have input into, and oversight of, cybersecurity efforts. If they don't, then you are merely hoping that the right things are being protected, and that the protection is working. Yes, even if you don't understand the nuts and bolts you can still provide oversight, and we all know that a watched pot not only does boil, but you know when it boils and you can keep it from boiling over.

Is Uptime The Goal?

True cybersecurity has a clear goal: to maximize authorized access to critical systems and data while minimizing unauthorized access to those same resources. Making the systems easy to use must be balanced with making the systems hard to access without authorization. Keeping the systems up and running is as important as keeping your private data private. This means that your cybersecurity program must have a large systems administration component as well as the usual authorization and anti-intrusion components. Backup and restore are as important as your firewalls. Recovery from accidental data deletion and natural disaster is as important as repelling ransomware attacks. If you focus on defending your assets from bad actors but not on protecting them from other kinds of loss, you are doing a bad job.

Does Everyone Do Their Part?

If the rank-and-file users in the company are not conscious of cybersecurity risks in their everyday interactions with technology, then every user is a potential liability. Mindfulness is the answer here, not rote learning, and not compliance with simplistic rules that get out of date with shocking speed. Creating and maintaining mindfulness requires constant leadership. In the real world there are trade-offs which must be made, revisited and revised. A common problem is striking the right balance between friendly Customer Support and social engineering awareness. How are your Customer Support people to know the difference between naive users and people fronting for criminal organizations? Good question, and the answer changes all the time. You will have to meet regularly with your Customer Support people and provide guidance to counter the ever-changing threat. You will have to lead them. Cybersecurity work is never done.

Do you think that this is an overstatement? Consider the analogy to public health. Everyone in your community can make you ill. You don't have to be a doctor or nurse to wash your hands, cover your face when you cough and stay home when you are sick. Anyone can carry a virus. It takes mindfulness to avoid spreading that virus. Everyone in your organization can let in a virus. You don't have to be a cybersecurity expert to be careful. It takes mindfulness to avoid spreading that virus.

Who's The Boss?

We did not ask "who is responsible?" because that is the wrong question. The "who is responsible" mindset is part of the problem: we are all responsible.

We ask "who's the boss?" because cybersecurity is as much about behavior as it is about technology. You need both. The technology is relatively easy: you buy it, it can't quit, and it doesn't sulk or seek to avoid tiresome tasks. The behavior is harder, so people tend to ignore it. The behavior requires active and constant leadership if you do it right, and that takes time and effort.

Do you know your part? Are you being led? Are you leading? Or do you live in a blissful but vulnerable Eden where the behavior is someone else's problem and the technology is all anyone ever talks about?

We Can Help

We have experts in technology and in behavior, and these different experts work together to help your company develop a culture of working together. If you see yourself in the above scenarios, then it is time to schedule a meeting.