Posts

The Recyclable Leader

Continuing on the theme of leadership: would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren’t the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work among many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not? So many bad or wrong (or alarming) answers might come to mind, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest-performing employee; I wanted the leadership job more than they did; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...

Of Policies & Plans

We here at Pythia Cyber are big believers in rigor, so we strongly recommend following a rigorous framework when building your cybersecurity program (CSP). We use the NIST CSF by default, but we recognize that a few other frameworks will also do the trick. We seek to season cybersecurity with behavioral science because human behavior is a huge but rarely addressed part of running a CSP. Those who run the CSP are humans. Those who follow the CSP are humans. Those who work to subvert or circumvent the CSP are humans. There is much that is NOT cyber in cybersecurity. There are few places along the path to a great CSP where being human is more evident than in the writing of policies and procedures. The point of these documents is to inform, not impress. The goal is to guide human behavior in times of stress, so clarity and accuracy are of utmost importance. Length and literary flourishes are worse than irrelevant: they are an impediment to being useful in times of stress and u...

Leading Means Doing

Phil Venables' new post, Do you really know what's going on?, caught our attention from the start (quoting at length): Most leaders do not know the actual truth of what is happening. This is not because people are overtly hiding things or that leaders are ineffective, although sometimes it is both of those, but rather this is because of the “thermocline of truth” that I covered in this post. Organizations are full of cultural, structural, process, and other barriers that stop reality making its way to leadership. When you started out in your career you probably felt constant frustration that the “higher ups” had no clue about reality on the ground. Even today, you probably feel frustrated that peers in other organizations are clueless to the reality you know, or even in many cases that you know their teams know but are failing to push up to their leader. When you become progressively more senior it’s easy to forget this experience and get in a position where you believe you...

Two Cheers For Internal Candidates -- And How To Create The Best

Brendan has been writing about internal candidates, and we thought we'd enter the fray. There are upsides and downsides to building your talent pool v. external hiring and hoping it works, as Brendan noted. This post is about the internal pool. Integral to the buy/build decision are answers to the following questions:

- You've created a talent development process (I mean, you've done that... correct...?)
- You've invested in not only the identification but the acceleration of your people's performance (ditto...?)
- You're focusing on a talent-based performance management culture, not one that rewards surviving

We've written about how this could happen. In brief you must:

- Intentionally create a newcomer socialization process
- Measure and monitor performance to get people to the point where they are considered for promotion

"[You need to] manage the person's development intentionally so that they leverage their talents to perform. That happens through thr...

Bringing External Assets Under Your CSP

At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP), but increasingly we are asked how to manage cybersecurity threats to assets external to the organization. In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud, and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else: in other words, part of your supply chain. Just about all organizations these days have some exposure to the cloud. Supply-chain exposure of this kind is most visible in organizations that build and ship products, though any organization that depends on licensed or open-source software has some. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control, so how do you apply your CSP to them? The Cloud One of the reas...

The (Cybersecurity Threat) Beat Goes On

At Pythia Cyber we warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity, and skills and knowledge get out of date. Talent is evergreen. We keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heart of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...

Employ Skills But Hire Talents

At Pythia Cyber the conversation about whom to hire and how to manage them often detours into distinguishing skills from talents. This comes up often enough that it is time for a blog post. Let us start, as so many middle school assignments do, with the dictionary definitions. Today we are using Merriam-Webster as our source. skill (noun) ˈskil ...