Posts

Cybersecurity Talent: Tests That Pass The Smell Test

We at Pythia Cybersecurity focus on cybersecurity talent. It's one of our core areas of expertise. In today's post we will discuss how you would test for cybersecurity talent in an individual contributor. Cybersecurity talent is not about "hard skills" -- it's harder. Let's say you want to hire someone to work on your cybersecurity team. How would you go about developing an ad and then sorting through the candidate pool? Your first stop is to understand what competencies you're hiring for. A good place to go is ONET, which is high-quality and freely available. (You could copy job ads from Big Tech Company Players but their situation may not be your situation.) ONET does not have job information for "cybersecurity" but it has related titles, such as "penetration tester," that seem reasonable. It suggests that required software credentials include those for development environment software, object or component oriented development sof...

Cybersecurity Talent: Raging To Master Cybersecurity

We at Pythia Cybersecurity focus on cybersecurity talent. It's one of our core areas of expertise. In today's post we will continue our discussion of identifying and bringing your cybersecurity edge to your craft. What do you like doing? Are you a birder or a quilter or a soprano, a pediatric neurosurgeon or a social worker or a police officer? Do you feel like you're in a 'flow state' when you do what you like doing, almost like time has slowed or your consciousness expands while you focus on what you're doing? Do you continually work to improve your skill at what you like doing? Maybe you watch videos or listen to podcasts or go to conferences or read; maybe you reflect upon what you do and think about new ways to do it better. Do you feel that when you do what you like doing that you're doing something that you're good at and would like to do more frequently? These are all among the signs that you're engaging in mastery-related experiences. Being ...

AI Does Well At Detecting And Defeating Malicious Code...Doesn't It?

I am more optimistic about artificial intelligence (AI) than our other leaders at Pythia Cybersecurity. I'm not going to name names. And I've written about how to employ AI to create white box cybersecurity. Given all that, we can fairly say I have appreciation for AI in cybersecurity. Thus, let's discuss the DARPA AIxCC competition in terms of cybersecurity and consider how well the AI did. DARPA, the acronym for Defense Advanced Research Projects Agency, has as its mission the development and implementation of emerging technology for the US military. This year DARPA ran a competition, the AI Cyber Challenge (AIxCC), for teams to implement AI in order to (per DARPA) "demonstrate the ability of novel autonomous systems using AI to secure the open-source software that underlies critical infrastructure." This was a fabulous and high-paying ($1.4MM) competition. Bravo to Team Atlanta, the winners! What were the final stats of this victory? From DARPA: "In...

Cybersecurity & Sexual Harassment

Once upon a time, sexual harassment in the workplace was all too common. But through the diligent application of training and slide shows this scourge was vanquished and now we all enjoy the reasonable certainty that our jobs are free of it. That is the story we tell ourselves, but alas! this story is not really true. There is hope for real improvement, but that improvement rarely comes from corporate training. In fact, sometimes corporate training makes things worse. And yet, when cybersecurity became the crisis of the moment, we reached for the same tools that did not work to change behavior in the past. Why? Because familiarity breeds content among management even as it breeds contempt among rank-and-file workers. Managers are accustomed to these tools and unaccustomed to considering effectiveness over compliance. Workers are used to having their time and patience squandered in this kind of training. It all just seems, well, boring but normal. Pythia Cyber is often asked to justify ...

How To Lead A Cybersecurity Team: Resources And Measures

(Note: this is the second post in a series. In the first post we discussed you working with your leadership. In this post we will cover you as a leader. Later we will discuss what talents leaders need.) We've covered ground before about leading as a new CTO/CIO. We noted these leadership features at a macro level regarding leading a cybersecurity function: Cybersecurity can only be effective in an environment where it is a shared responsibility: Cybersecurity is an enterprise function, it is not a subscription or a set of compliance rules or certificates Cybersecurity at the executive level is always about trust and trust requires relationship management, not technical wizardry -- you have a team of technical wizards Cybersecurity requires being comfortable both with delegation (who is responsible?) and with power-sharing (continually revising risk management plans in anticipation of new risks) All well and good, you say. But...And...I ...

Cost-effective Cybersecurity

In a recent post we talked about effective cybersecurity. Now let's talk about cost-effective cybersecurity. Note that cost-effectiveness is not interesting without effectiveness. And effective is not the same as expensive. The goal is effective cybersecurity that is also cost-effective because we live in the real world. But all too often organizations have cybersecurity that is both expensive and ineffective. We will assume that you already know what we mean by effective cybersecurity; if not, take a few minutes to read that other post. Now we will consider whether or not your cybersecurity is cost-effective. To do that we must understand what we mean by cost-effective analysis (CEA). A CEA is used when there are many options and few clear choices. Health care often uses them because, like cybersecurity, perfect health is unattainable and the potential cost of all potential options is essentially infinite. You can't do everything that you would want to do. You can't even do...

He Said/We Said: Win Tomorrow By Leading Your Cybersecurity Program More Effectively Today

(Note: this post is about you working with your leadership. In the next post in this series, we will cover you as a leader.) We follow an HR guru, JP Elliott, whose blog post this week was epic. At least it echoes with themes we promote at Pythia Cybersecurity. In this post, JP discusses executive team-building. This quote struck us: Most CEOs are building teams to win today. The best are building leaders to dominate tomorrow. According to JP, this is what the best CEOs think of when they seek to 'dominate tomorrow' (quoting at length): They wake up every morning asking themselves four critical questions: Are we focused on the right strategic imperatives? Are we operating our business effectively and efficiently? Are we optimizing our business model for competitive advantage? Do we have a plan for sustainable, profitable growth now and in the future? And while these business questions are foundational to winning in the marketplace, they are also your roadmap to building a b...