Not many of us -- probably none of us -- are as gifted as Mozart was as a composer and keyboardist. One of my favorite Mozart facts is that in a 13-month stretch spanning 1773 to 1774, beginning when he was 17, he composed nine full symphonies. He also produced string quartets, keyboard sonatas, divertimenti, and other works in the same period. The talent was obvious. The productivity was extraordinary. And yet even Mozart needed a job. The document pictured above is a state-sponsored retainer issued in 1787. It acknowledges Mozart’s talent, reputation, and prior success as justification for paying him an annual stipend to compose as needed. In other words, even extraordinary talent required both demonstrated output and a sponsor powerful enough to recognize its value. That is still how careers work. First, you have to get very good at your craft. Then you have to produce, collaborate, and create evidence that others can see. But even that is not always enough. You also need leaders...

Someone recently asked me why anyone would want Pythia Cyber's talent-assessing services. This question was not academic or objective: this person is deeply entrenched in the current recruiting culture of credential or experience first, then personal assessment. I cannot believe that anyone would say "what role does talent have in hiring?" Note that this person did not say "I am unconvinced that you can assess particular talents" which we would have been happy to refute. This person also did not say "I think that I can judge talent as well or better than the assessment" which we would have been happy to put to the test. Instead, this person claimed that "no one" would want to use this service which is awkward because we can demonstrate that at least some people do want to use this service. This recent interaction has made me nostalgic because it is so similar to an interaction that I had lo! these many years ago. Once upon a time, I was a cad...

"Details, details. Things to do. Things to get done. Don't bother me with details, just tell me when they're done" is a famous quote from the character Jimmy Price (played by Kenneth Cranham) in the 2004 crime film Layer Cake.  "Don't bother me details" sounds like a crisp, clear, leader-like thing to say. It implies that your underlings are boring you with unnecessary detail and that you are not going to fall for that. You have things to do--better things to do than listen to nerds go on about nerd stuff. As a professional nerd, I have been on the other end of this dynamic pretty often, which is why I keep getting asked by well-meaning non-nerds "why is my technologist colleague so annoyed with me?" This is the first of what will be an intermittent and, I hope, infrequent series in which I give examples of just how this crisp, clear, leader-like attitude is so frustrating and infuriating and how it can be utterly wrong-minded. Are there boring...

Every CTO and CISO knows the first job: defend the organization. Fewer recognize they have a second job that matters even more over time: build a team whose adaptive capacity outpaces the adversary’s rate of novelty .  As AI enables attackers to scale speed, variation, and deception, that second job is quickly becoming the first. This is not primarily a tooling problem --  it is a leadership problem . Here are three perspectives on that second job. What great CISOs actually build Phil Venables , former Goldman CISO and now Google Cloud's strategic security advisor, has spent years studying what he calls "CISO factories": organizations that produce a disproportionate number of successful security leaders. His finding is counterintuitive. It's not training programs, certifications, or formal development tracks, it's the daily behavior of the existing leaders: they pay attention to detail, they go deep occasionally, they validate things personally, they understand ho...

Sometimes a question gets asked so much that it gets a blog post, even if that question isn't at the center of what we do here at Pythia Cyber. Lately, one such question is "how does AI find cybersecurity vulnerabilities?" (We are also going to answer the underlying concern, which is usually "what can I do about this?") Generative AI has significant pattern-recognition capability. This means that AI can find not merely simple matches, such as matching "golden apple" with "This is the tale of the Golden Apple" but also subtler, deeper matches, such as "golden apple" with "Greek myths." Generative AI can only find patterns for which it has been trained. Once trained, that AI can only find patterns in data that has been fed into it. But after these two conditions have been met a decent AI is superhuman in its ability to find the patterns you taught it in the input that you give it. Let us say that you spun up a copy of your f...

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post  describes the cybersecurity tyrant model. The third post (this one) describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In the janitor model the cybersecurity function is subordinate t...