Rank has its privileges is such a strong part of military life that this concept goes by its acronym: RHIP. Alas, this concept is not limited to the military. Plenty of civilian workplaces have cultures that encourage leaders to use at least some of their power to make their lives easier and more convenient. This tendency is often more annoying to the rank-and-file than anything else. After parking in my unprivileged parking spot and walked a good long way in the cold or rain, I have felt a stab of bitterness as I slog by the cars which are parked closer to the building and under some kind of shelter. If that were all RHIP ever did to an organization, we could just shrug it off. A little resentment by underlings isn't going to hurt the organization much and perhaps that resentment spurs some people's ambition, which might be good for the organization. Alas, in the Cyber Security realm, RHIP does much more damage than cause a little resentment or bitterness or jealousy. As we of...

Since we emphasize behavior here at Pythia Cyber, let's talk about it and answer this question: what do cybersecurity engineers actually do? Suppose you wanted to hire one right now. What would you expect to advertise for? Let's set this cybersecurity workforce ecosystem up correctly. There is at least a cybersecurity engineer and a manager. Maybe there is also a CISO , though this person might not manage cybersecurity engineers. First, then, as the employer, know what personnel you're actually hiring. You as the executive/hiring manager/HR guru need to define what you need done. Do you need systems management, or web security, or does this person do acquisitions, or deal with a vendor? How about developing a cybersecurity risk management plan? All of that? Two: OK now let's look at competencies and skills. Best place to start is with, yes really, the US government. Here is a link to the government's O*NET site -- think of it as a bank of continually validated jo...

  (image taken from https://www.express.co.uk/news/uk/1543817/Heathrow-emergency-Flight-diverted-British-Airways-plane-Dubai-London-police-latest-upda ) Oopsie! The "cost-benefit analysis" mindset strikes again. On 21 March 2025, a power station in Hyde North, which serves Heathrow Airport, failed. This failure caused the airport to cease operations until back-up systems could be manually checked and brought online. This process took about 18 hours. Many kudos are due the engineers and first responders who accomplished this task. As The New York Times put it  a few days later: "A gleaming new data center sits less than half a mile from the electric substation where a fire plunged Heathrow Airport into darkness last week. The data center’s own power was also cut that day. But no one who relied on it would have noticed, thanks to a bank of batteries and backup generators designed to kick in instantly. Meanwhile it took officials at Europe’s busiest airport close to 18 hou...

  At Pythia Cyber, we believe there are four questions you need to answer to know and manage your cybersecurity risks and options: 1. What needs protecting? 2. How do we create systems that keep us secure? 3. How do we get our people to support this process? 4. How do we adapt to the next threat? Think for a minute: Systems. Infrastructure. Servers. Peripherals. People. Data. Materiel. Customer information. Employee information. Credit card information. Secrets. Personally identifing information. Personal health information. Financial transactions. Isn't all this worth protecting? Isn't your business worth protecting? Isn't your reputation worth protecting? Now answer these questions: What needs protecting? How do we create systems that keep us secure? How do we get our people to support this process? How do we adapt to the next threat? As a successful businessperson, an IT professional, an HR practitioner, or as a prospective investor, you know it's all worth protectin...

The hottest LinkedIn post right now is on an artificial intelligence (AI)-based " job applicant " that can pass as human -- unless you know how to defeat it. The next hottest AI agent right now is  Manus . A few weeks ago the hot new platform was DeepSeek. We don't have any association with Manus or DeepSeek, we don't provide legal advice, etc. -- but open-source agents such as this that use 1 GPU (not thousands of GPUs) are going to become the norm. What are the AI implications for cybersecurity? 1.  Botnet and AI agent attacks . The attacks will not only target you (see AI-based job applicant post above and the TikTok notice*), they will target your customers and clients by spoofing your site. Will you be able to know whether a customer call requesting account information is real? 2.  Anticipating how to defeat attacks . If you don't anticipate joining/ being assimilated by  them, you need to beat them. And keep on beating them. 3. Balancing the risk of AI attac...

As part of Bill Clinton's 1992 run for the office of President of the United States, one of his advisors gave him a pithy piece of advice that became so famous it has its own Wikipedia page : It's the economy, stupid. The recent scandal over highly classified material being accidentally leaked to a journalist (pick a news source you like and this scandal was covered: CNN , AP , Fox , whatever you like) is a prime example of how risky behavior is...(drum roll please!) risky. To sum up the situation as neutrally as I can: A high US government official decided to go outside of secure channels to have a group chat That same official accidentally included a journalist in the chat (confusion over contact name?) Another official posted secrets to that group The journalist revealed that this had happened Many government officials denied that the material was sensitive To prove a point, the journalist published the material, which was indeed sensitive Many government officials denied th...