Cybersecurity Is A Team Sport
As part of our continuing series about how and why we bring behavioral science to cybersecurity let us consider that cybersecurity is a team sport. How so?
To start, your organization has a team engaged in direct competition with other teams. The other teams are criminals, vandals, spies and disasters such as hardware failure, software bugs and bad weather. Underestimate your competition at your peril.
Like a sports team, your cybersecurity team has members with different talents. This is fine because the game you are playing has different positions (roles), as laid out by the NIST CSF:
- Identify--requires analytic skills to identify what is really important
- Protect--requires management to set priorities and IT understanding to make policy & procedure
- Detect--requires a dogged determination to remain vigilant at all times
- Respond--requires a good plan and the ability to execute under pressure in an ad hoc team
- Recover--requires a good plan and the ability to balance the cost:benefit of repair work
- Governance--recognition that this is a management function and management has to do their part
That is the classic cybersecurity part; so where does the behavioral science come in? It comes in under two headings: talent and behavior. As we have mentioned before, talent is what a given individual can do and behavior is what a given individual actually does. Skill is a facility with a particular task which can be learned and honed. Talent determines how quickly and often how well you can acquire a skill.
Ultimately your cybersecurity rests on human behavior. While the NIST CSF gives excellent guidance on how to construct a rigorous Cybersecurity Program (CSP), it is silent on how to run an effective and cost-effective CSP. Tracking human behavior isn't part of the NIST CSF, but it should be. Since behavior is largely governed by the simple rule that what is rewarded is repeated and what is punished is avoided, in theory it is a simple matter to set the incentives correctly and then sit back and enjoy having all your colleagues pulling in the same direction to achieve their shared goal.
In practice, perverse incentives abound in human enterprises, and so does insincerity, especially about goals. Health care organizations routinely claim to highly prize privacy and confidentiality, but in fact what is rewarded in that sphere is almost always providing as much health care as possible without compromising quality too much.
Many years ago the Ford Motor Company famously embraced the slogan "Quality is Job 1", but in fact making motor vehicles in sufficient quantity with adequate quality was Job 1, because capitalism. Had they reduced their output to a single but perfect F-150 pickup, their shareholders would not have applauded. Saying something but not really meaning it is all too common in corporations.
We understand that "Cybersecurity is Job 1" is not viable either in any organization that isn't actually providing cybersecurity goods and services. Most organizations have a much more pressing mission or goal. But that does not mean that mandatory annual training is the best that you can do in the way of company-wide cybersecurity and that does not mean that you can leave the rest to the cybersecurity group to somehow do all on their own.
As for the cybersecurity group, with our help you can assess their talents with specific regard to cybersecurity functions. The goal of this assessing is not to fire anyone who doesn't make the grade; at Pythia Cyber we understand that you go to war with the army you have. The short-term goal is to make the best use of the team you have. The medium-term goal is to make new hires which complement your team. The long-term goal is a talented team with the potential to develop its talent and sustain itself as people either leave or are promoted. This is Talent Acquisition & Upskilling done right.
As for the rest of your organization, with our help you can enlist them in relatively small levels of effort to produce relatively large gains in cybersecurity. Yes, really.
While you need to have a (frequently reviewed) CSP, simply having a CSP is not enough. The classic cybersecurity is the price of admission. In order to play the game to maximum effect you need the human side: you need to assess talent and encourage behavior. Cybersecurity alone won't get you there; we can help you add the other side of the equation to put the right people in the right job doing the right thing. Ask us how.