Cybersecurity Partners

Heraldic depiction of a handshake, with fingernails drawn

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born.

As part of our mission to highlight the role of behavior in cybersecurity, I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how the attitudes toward cybersecurity embedded in your organization's culture hamper or help your cybersecurity program.

The first post describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post (this one) describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right.

In the janitor model the cybersecurity function is subordinate to the "real work" of the organization, which means that the cybersecurity program is about reacting to other people's decisions and trying to respond quickly to whatever inadvertent chaos that causes.

In the tyrant model the cybersecurity function dominates the "real work" of the organization, often providing superior cybersecurity but at the cost of reduced productivity and increased overhead.

The alternative is the partnership model: the cybersecurity function is neither an afterthought nor the driving force. Instead the entire organization understands its part in the risk management effort, of which cybersecurity is one component. In this way important decisions have cybersecurity input and the inevitable trade-offs are made in a way that respects both risk and reward. The tricky part is that not only does everyone have to be given a chance to do their job, but the overall result also has to be effective. Low cybersecurity and high productivity is not sustainable because something bad is going to happen. High cybersecurity and low productivity is not sustainable because organizations which are bad at their primary purpose are not sustainable.

Achieving this goal is so difficult that there are multiple frameworks to guide you in creating cybersecurity programs which are both practical and effective. We at Pythia Cyber prefer the NIST CSF, but there are others. Even with the CSF, you need a culture of respect and a shared goal. But with the CSF you have a real shot at avoiding cybersecurity janitors and cybersecurity tyrants.

Cybersecurity is a team sport. Everyone is on the team, like it or not. The choices aren't ruler and servant: there is the option of respected teammate if you are willing to do the work to get there. That starts by recognizing that cybersecurity is not something that you get from technology alone.

Striking the right balance means that you trust that you have the right people in the right jobs doing the right things. People, placement, procedure. This is hard. We can help. Ask us how.