Posts

Bounce Back From The Hack

Image
Eventually your system will be compromised beyond your capacity to deal with it. What you do from a systems perspective is part of your growth curve. So is your emotional and behavioral path. As a cybersecurity professional, you can feel over-invested in your defense processes and systems. A systems compromise can feel disorienting and hard to accept. Maybe you could have done something more; maybe they were better; maybe it was something so obvious! We saw a recent piece in the New York Times (behind paywall) on how Olympic athletes deal with disappointment that seemed to capture this sort of scenario. It's abstracted here because the lessons Olympians learn are hard-won and eminently transferrable to other elite performers such as cyber-defenders. 1. Learn resilience . "Just as psychologists have athletes visualize their wins, they also ask them to imagine all the things that could go wrong, and how they’ll respond." 2. The power of purpose . "The best athletes se...
Post a Comment
Read more

Bushan, Again: How To Make 'No-Regrets' Cybersecurity Moves In An Angry AI Environment

Image
He's BAAACK! Bushan Sethi posted his talk from a presentation I attended last week in Las Vegas -- this picture might be from there, who knows. We've mentioned him before . Other than pictures of cats, Bushan seems to fill the Internet void. The goal of his presentation was to focus us on 'no-regrets moves' in the Time of AI. These recommendations are good for cybersecurity professionals too. I'm posting an extended quote -- his recommendations here, which are a lot less creepy than "move fast and break things": Think like an economist : Understand the macro and the micro - whether it's impact on AI on labor markets to challenging assumptions included in business case investments - whether they be about adoption, data architecture or investments in compute capacity. Think like a scientist : Use data and evidence to test hypotheses about what works in AI adoption and human-AI collaboration. Run hackathons - push the organization to generate ideas. Be co...
Post a Comment
Read more

Yet Another We Said/He Said: What Skills Do Your CISOs Need Now?

Image
Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need. These will sound familiar to our blog readers! We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself.  We're going to frame this in terms of the labyrinth. We've discussed that previously . It's not meant to be a mystery, but instead, a journey.  Prelude: Why must CISOs learn new skills? "Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not. When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental." Part 1: What are these skills? As per Eric -- & us & Rich Mironov ): Skill #1: Business Risk ...
Post a Comment
Read more

What Do Cybersecurity Leaders Want From AI?

Image
All of us get distracted by the bright shiny object. It seems luminous and irresistible, shining out in the darkness, beckoning. Admit it: AI is your current bright shiny object.  We keep an eye out for cybersecurity & AI material. Sometimes we run across posts that are excellent and we feel the need to create more community by bringing them to your attention. Here's one such post from LinkedIn by Val Tsenev . It deserves your time. I've boiled down his post to this question: What do CISOs want from AI? 1. Measurable risk reduction . What risks does the AI platform mitigate and how? 2. Explainability & auditability . As Val says, "Black-box AI is a liability, not an asset." 3. Integration into their existing workflows . It cannot stand alone. 4. G overnance and human oversight . There is always a person somewhere on, in, atop, or something the loop. Val concludes: "CISOs aren't rejecting AI. They're rejecting AI that's irrelevant, unvalidated,...
Post a Comment
Read more

Getting Cybersecurity Just Right

Image
At Pythia Cyber we try to give behavior its rightful place in cybersecurity. Often we mean that what your organization's users do is a huge part of the vulnerability picture. Sometimes we mean that the way people react to situations is also a source of vulnerability. This time we mean how your organization models its relationship to your cybersecurity professionals. This is important because how we define our boundaries at work has a huge impact on people's expectations of themselves and others. Expectations are a big factor in our effectiveness. So much for the abstract stuff. Let's get concrete. There is a spectrum of relationships that go from too little through too much with a stop in middle for just right. By "too little" I mean giving your cybersecurity people too little input into your decisions. By "too much" I mean letting your cybersecurity people make your decisions for you. By "just right" I mean working with your cybersecurity peop...
Post a Comment
Read more

We Said/He Said: CISO Talent And Cybersecurity Leader Talent Are Not The Same

Image
Recently we started following Dr Eric Cole on LinkedIn and on his Substack channel. His recent pieces are very good. One of his posts notes that metrics/numbers are good, but they don't answer the fundamental question Boards care about: are we secure?   So why do we report things such as patch compliance rates, vulnerability counts, mean time to remediate,  and tool coverage?  Because they are metrics under our control and they're comfortable and easy to explain. Same in any field -- keep it simple, stupid. It's a metric, it's not magic. What Eric says next is, well, magic: "When boards ask oversimplified questions, they get oversimplified answers. Dashboards are built to reassure rather than challenge. Over time, this trains leadership to equate motion with protection." Let's not laugh too quickly at those dumb ol' Boards asking oversimplified questions though because where do they get the idea that metrics are security? That's right. They got t...
Post a Comment
Read more

The Organization Of The Future Is Nearly Here -- What Does It Look Like?

Image
Recently I attended a talk by Bhushan Sethi. You almost can't miss him ( here , here , here , here , etc.) and last week it was my turn. Here is a thought question he tossed out. What will the future organization look like? Our normative model is the Pyramid of Khafre in Giza, pictured above. Classic -- lots of worker bees at the bottom, fewer in the middle, very few/one at the top. What about this next one? Here, most of us get to a point in the hierarchy and then...that's it. But some people -- the AI automation people? -- keep going and going. Or this: This is a "normal"-looking hierarchy but employees start in the middle, not at the bottom. You may not care per se but think of it this way. If AI takes mid-career cybersecurity jobs away, how will you adjust once that happens? Or, if entry-level jobs go away, how will entry-level -- formerly mid-level -- cyber-defenders learn their craft? What about those pesky risk vectors, a.k.a. nontechnical employees? It's a...
Post a Comment
Read more