Become Expert At Taking Expert Advice
A classic is something that everybody wants to have read and nobody wants to read--Mark Twain
With apologies to Mark Twain, cybersecurity is something everybody wants to have and nobody wants to have to do.
Over and above the sad truth that security is inconvenient is the sadder truth that cybersecurity touches the entire organization, so many of us are required to interact with cybersecurity without really knowing what it is or why it demands what it demands.
Thus most of us either have to trust our cybersecurity team to have made the right trade-offs between convenience (productivity) and security, or we have to find a way to join the conversation without wasting anyone's time.
(The second option is the one we at Pythia Cyber recommend, but it is difficult, which is why our cybersecurity consulting practice is half behavioral science and half classic cybersecurity.)
As with so many other aspects of life in the rapidly-changing, technology-driven 21st century, finding the balance between blissful ignorance and trying to learn everything about everything is hard but essential for success. We cannot all become experts in everything so we all need to become experts at taking expert advice.
An expert at taking expert advice is good at all of these things:
- Identifying experts: trust but verify!
- Clearly articulating desired end results in order to get good advice.
- Executing the measures to implement that good advice.
- Monitoring the status of those measures.
- Intervening if something goes awry.
- Re-evaluating the goals on a regular basis.
All of these attributes are built into the NIST Cybersecurity Framework (CSF), and that is not a coincidence: its core functions (Identify, Protect, Detect, Respond and Recover, with Govern added in version 2.0) follow the same arc of setting direction, implementing it, watching it and correcting it. In a profound sense the NIST CSF is expert advice on how to give good (pertinent) advice, how to take that advice, how to make sure that advice is working, what to do when that advice falls short and how to refresh that advice on a regular basis.
Cybersecurity can seem obscure or arcane, especially if you focus on the lower-level implementation details. But at every level of the Cybersecurity Program the paradigm is the same: getting direction (advice) from above, implementing that direction, generating evidence that the implementation is effective and sending that evidence back up the chain.
Cybersecurity is not some highly technical exercise in hardening information technology any more than film-making is all about using cameras. While it is true that you cannot make a movie without cameras and camera operators it is also true that you cannot make a movie with only cameras and camera operators. So it is with the Cybersecurity Engineer: you need them, but they are not the whole ball of wax.
Nor is cybersecurity different from any other human activity that crosses many organizational boundaries. In many cases it comes down to giving and taking advice from experts, just as working with the finance department, the legal department or the shipping department often does.
If you work in cybersecurity, be mindful about giving advice and explanations. If you work with cybersecurity, be mindful about taking advice and input. Good experts and expert users of experts are the best way to build, run and maintain your cybersecurity.