Recently we started following Dr Eric Cole on LinkedIn and on his Substack channel. His recent pieces are very good. One of his posts notes that metrics/numbers are good, but they don't answer the fundamental question Boards care about: are we secure?   So why do we report things such as patch compliance rates, vulnerability counts, mean time to remediate,  and tool coverage?  Because they are metrics under our control and they're comfortable and easy to explain. Same in any field -- keep it simple, stupid. It's a metric, it's not magic. What Eric says next is, well, magic: "When boards ask oversimplified questions, they get oversimplified answers. Dashboards are built to reassure rather than challenge. Over time, this trains leadership to equate motion with protection." Let's not laugh too quickly at those dumb ol' Boards asking oversimplified questions though because where do they get the idea that metrics are security? That's right. They got t...

Recently I attended a talk by Bhushan Sethi. You almost can't miss him ( here , here , here , here , etc.) and last week it was my turn. Here is a thought question he tossed out. What will the future organization look like? Our normative model is the Pyramid of Khafre in Giza, pictured above. Classic -- lots of worker bees at the bottom, fewer in the middle, very few/one at the top. What about this next one? Here, most of us get to a point in the hierarchy and then...that's it. But some people -- the AI automation people? -- keep going and going. Or this: This is a "normal"-looking hierarchy but employees start in the middle, not at the bottom. You may not care per se but think of it this way. If AI takes mid-career cybersecurity jobs away, how will you adjust once that happens? Or, if entry-level jobs go away, how will entry-level -- formerly mid-level -- cyber-defenders learn their craft? What about those pesky risk vectors, a.k.a. nontechnical employees? It's a...

I recently attended a fantastic workshop conducted in part by our friend, and my former grad school roommate,  Bob Lewis . The focus of the workshop was building a talent-based process. One of the aspects he discussed is how not all talents 'work' the same at all levels. You need to gauge them relative to work role needs. This is especially important when moving from manager to executive leader. Many of us believe that if a little of something is a good thing, why then more must be better. In a talent context, this belief can run  afoul of data .  BEFORE we go further let's state for the record that more talent is, well, better. The question here is: are talents at lower levels good for performance at higher levels? Sort of like -- yeah I already did that so I must be good at it. Answer: in fact not only is that belief incorrect it can create counter-productive behavior. Bob's research using '360s' among managers showed that manager level matters. (More context!...

Among the oldest tools known to mankind are the mortar and pestle. To cheat a bit: the mortar is a heavy bowl (see above) while the pestle is a rod-shaped tool. They are used in tandem to crush elements -- seeds, berries, etc -- to create pastes, aromas, etc. Managers rely upon a different tool to understand the contexts of their businesses: PESTLE. The acronym refers to a set of analyses of salient forces affecting your business: political, economic, social, technological, legal, environmental forces. Businesses do not function the same outside of their home country. Local cultures even outside of the main HQ office -- we've all experienced this -- affect what gets done and by whom, and certainly when it gets done.  Cybersecurity should be highly attuned to PESTLE for exactly those reasons. Any time a satellite office ("HQ2") opens, systems need to be synced. Think of that when non-home-country suppliers or contractors, or subcontractors, are involved. What's done in...

If it floats like a duck, and looks like a duck...is it a duck? What if it wears overalls, um, er, not like a duck? One size does not fit all from a talent perspective. People perform within context. Talent matters, within context. The context of the organization matters a lot. Some organizations require a high work tempo, while others may require managing vendors in a medium- or low-tempo environment. Sometimes a cybersecurity engineer is a great fit when there is a highly heterogeneous team v. being the lone engineer. The fit of role to context, and talent to role, requires careful integration. Some organizations are not focused on building a cadre based on cybersecurity talent; they are focused on managing vendors, or have leadership teams that do not integrate risk management into cyber-defense. Other organizations pay careful attention to building through talent. Sometimes even those organizations focus on the wrong level of analysis -- minimum qualifications, usually -- and do no...

At Pythia Cyber we are about  behavioral cybersecurity  and when it comes to predicting behavior,  talent trumps credentials . By which we mean that your certifications tells us what you have done, but your talent profile tells us what you are capable of in the future. Specifically, Ted has a series of posts about the talent profile of different cybersecurity roles, specifically Talent needed to be front line cyber defender Talent needed to manage cyber defenders Talent needed to lead a cybersecurity program As a counterpoint to Ted's behavioral science perspective I present a series of my own, giving examples of practical applications of talent assessment to cybersecurity. This post is about how a talent assessment can help you with a high risk, high reward hire: your head of cybersecurity. As we have talked about in previous posts ( here and here ) there is not much merit to the traditional career path in cybersecurity: hired as a front line cybersecurity defender, pro...