Posts

Being Famous For Being Famous

As the technology practice lead of Pythia Cyber, I try to stay away from the behavioral side of things except as a follower but today I am going to be a little out of my lane. Perhaps my behavioral science counterpart will have something to post in reply. But today I am going to make an exception: I am going to talk about some human behavior that I encounter on the technology side of things because this behavior illustrates a key concept of our philosophy. The behavior is the technology hiring equivalent of being famous for being famous. According to Professor Google, here is the origin of this catch phrase: Coined by historian Daniel J. Boorstin in his 1961 book, The Image: A Guide to Pseudo-events in America, defining a celebrity as "a person who is known for his well-knownness". The analogy to which I refer is being hired as a leader because you were hired as a leader. The key concept this illustrates is the faulty logic in relying on certifications or experience or both...

Use It Or Lose It

My workday was interrupted today by a planned visit from some electricians we have contracted with to upgrade our backup generator. "Mind if we test the circuit breaker panel labels?" they asked. I hesitated. In theory, our systems all have functioning, tested uninterruptible power supplies (UPSs) and so flipping circuit breakers off and on should not have any noticeable effect. I should have given the OK immediately. Instead, I hesitated. I was reluctant to tempt fate. I imagined the pain of failure, a self-inflicted wound. Our office manager asked me if I wanted to shut down the network first but she was a bit thrown by my reluctance. In the end, I took a deep breath and explained that we are all set against power outage, so there should be no problem, so they should proceed. Not only do we have a separate UPS for each system, but each system is configured to shut itself down gracefully if the UPS's power levels drop. So, best case, no effect and worst case, graceful sh...

Supporting Recruiters

People seem surprised when I tell them that as part of our expansion plans Pythia Cyber wants to have recruiters as clients. There seems to be an assumption that recruiters and talent assessment don't mix. I can't imagine why this would be. Recruiters have a process and a product. In my experience the process is rather humanist and the product is the trust their clients have in them as a function of the track record they have with their clients. We see ourselves as completely compatible with that model. We don't get between the placement firms and their clients. In fact, we provide a straight fee-for-service to the search firm: we assess whichever candidates they choose, we deliver our high-level report and the firm can do with that whatever they like. We don't tell people who to hire, we tell people what the likely consequences would be if they hire the assessed candidates. In this case we enhance your picture of candidates with an assessment of their talents in the sp...

Appreciating HR In The Hiring Process

I have come to see the light: when hiring to fill positions I can see that HR has a valuable role to play and that role is to protect the organization, writ large, from the hiring manager's inexperience in hiring. Much as the hiring manager might know all about the domain into which they are hiring, the hiring manager is rarely an expert in hiring itself. The hiring manager is likely to be blind to questions of equal access and unconscious bias. The hiring manager might be great at detecting and nurturing talent but unaware of anything else, which is how you get technology groups whose members are all in the same demographic--all good at their jobs and good hires individually, but collectively a lawsuit waiting to happen. HR is there to make sure that the hiring process does not run afoul of the large number of laws and regulations and policies governing hiring. This is a relatively recent development in my thinking. For most of my career in technology HR has been a hurdle to be gott...

How You Could Manage Performance Better

We discussed in the first part of this process that all organizations need to manage the performance of their employees at all levels. And, at the individual contributor level, performance management is critical. That was the 'why.' Now let's discuss 'how.' Performance management is a process. It is often confused with the outcome -- a rating or narrative review used in conjunction with an organizational decision such as incentive pay or promotions, or, as a rationale for developmental/corrective/punitive actions. Thus, it is a high-stakes process with multiple potential consequences for both the individual and the organization. In many ways, performance management is like managing tree growth. As in the picture above, taking on a new hire -- a sapling -- means you need to find the right place for it, set it up for success, tend to it. And sometimes the performance management process means you remove longer-tenured trees that have lost their vitality or their role...

Performance Management: Second-Lowest Only To Colonoscopies In Terms Of Popularity

As much as we talk about talent here at Pythia Cyber, or the NIST CSF, or AI, eventually you need either to perform, or manage performance, or collaborate with other executives to calibrate performance across the organization. That's right, it's time to talk performance management. In this post we'll discuss the 'why,' and in a later post we'll discuss 'how.' Let's start with the baseline. Maybe 1% of anyone who has been an employee or contractor at any organizational level wants to discuss performance management. At the same time, it's a business-critical conversation -- maybe existential -- in a field such as cybersecurity. Here is my friend Steve Hunt on performance management. Steve was a VP at SAP at the time he wrote this piece, probably the best ever written on performance management. The key part is here (quoted at length): Performance management is both difficult and necessary. Performance management is difficult because it add...

Litany Of The Hacked: March 2026 Round-Up

No joke, folks -- time for the litany of the hacked! The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for March 2026. Unfortunately we have a lot of new members of the litany, and to a significant extent this happened because of military actions in the Persian Gulf. You can be positive that there is no reason to think that cybersecurity is going to get easier from here on out. As Megi Benia puts it on her blog: Deterrence assumes identifiable actors, clear intent, and thresholds that trigger response. Iran’s use of ransomware deliberately undermines all three: - Attribution is blurred through proxies and criminal partnerships - Intent is dual-use, combining profit, disruption, and signaling - Activity remains below the threshold of armed attack The implication is not just tactical but strategic. If ransomware c...