A previous post decried the sad state of the common company-wide mandatory annual cybersecurity training. This training is ineffective and sometimes even counterproductive. We say "counterproductive" in that it reduces cybersecurity awareness to mindless adherence to simple rules such as "don't click on stuff in email." In that post we talked about what we feel such training should contain . In this post we will describe what we feel such training should achieve . Cybersecurity training for the masses should enlist those masses in the cybersecurity cause. Instead of hoping that people don't do anything dangerous the goal should be reports of oddness, of the unexpected or the strange. As dull as it sounds, looking into the odd, the unexpected or the strange is a great way to track down actual problems. For example I recently saw an email that was very sophisticated  spear phishing attack. This email was shown to me as a curiosity by another IT professional....

A colleague recently tried to be polite about Pythia Cyber's willingness to help organizations overhaul their annual mandatory company-wide cybersecurity training. She was polite but persistent in her questioning the wisdom of this move. Her comments became ever sharper though. Such training is usually a fig leaf for insurance reasons, Nobody takes it seriously. It doesn't accomplish anything. All such training I have ever had has been boring and useless and even a little condescending. I agreed that all of the observations were usually true. So then she tried a different tack: why is Pythia Cyber's training any different? This was a very useful question. Our training is different because our goal is to improve cybersecurity rather than checking bureaucratic boxes. Instead of the scolding tone and the list of dumb things to avoid doing, we use the NIST CSF to frame enlisting your people in the cybersecurity cause. We recommend that you start by surveying your people to find...

Givens: 1. You need a cybersecurity strategy 2. You're investing in AI Therefore, you need an AI-oriented cybersecurity strategy. An AI process or platform is not the same thing as an AI strategy. As Brendan notes frequently (e.g., here ), the NIST CSF endures because it anticipates and outlines the need for a strategy. As you work through the NIST process in developing your AI cybersecurity strategy, you can anticipate that the integration of AI into typical work functions is meant to create productivity. The implication is that your AI strategy needs to anticipate growth in utilization and use cases. Remember, the bosses spend money on AI because there is an anticipated return on investment, and the same bosses expect your shop to create a secure environment for the AI.  How would you develop an AI cybersecurity strategy? Think of the development of your AI cybersecurity strategy as part of your AI platform purchase. The upside is that you don't pay for it per se , though you...

Here at Pythia Cyber we engage in real-world consulting. We don't provide you with theoretical solutions to real-world problems. This means that we really try to avoid cool-seeming (but actually useless) topics like "AI and Cybersecurity in 2026." Eye-catching as these headlines are, they either presage a bland and shallow take on a complex issue or they make deep and simplifying assumptions. An example of the bland take is "AI is going to super-charge the cybersecurity threat environment in 2026!" An example of the deep and simplifying assumption is "AI is going to make all phishing into spear phishing in 2026!" You might as well ask "what about electricity and cybersecurity in 2026?" Well, lots of things in cybersecurity will be affected by electricity in 2026, to a high degree; what will thinking about this do to help you protect your digital assets? Not much. Here in the real-world we know that we cannot take perhaps the most general-purp...

Your life as a cybersecurity professional, especially as a cybersecurity leader, entails managing risk. There are external risks (a.k.a. hackers), there are physical security risks, there are budget risks, there are organizational risks and there are technology risks. Your employees -- moreover, your best employees -- are a risk. So sayeth CISO Tradecraft ®  Newsletter  (CTN) this week. Their rationale is clear: "The hard truth for modern leadership is that AI has democratized capability so thoroughly that your entire organization, not just your engineering team, can now generate production-grade risk at machine speed." We  just finished summarizing Rich Mironov's latest post, ' Code isn't product ,' that landed on a strikingly similar note: faster code production leads to "DOA products" because there is not consideration of what customers actually want, you're simply turning over more code to demonstrate activity with a mindset that activity ...

"Who asked for this?" One of the most fundamental questions in design and development or any product or process stays open. It was true for the Ford Edsel and it's true for your team's activities. Yes, the number one question your executive leadership asks is whether we're 'safe.' Yes, AI is changing the rules. (Well, some of them.) Yes, you can do "more" with AI than you could do in the past. Who asked for this? One of the key functions of leadership is to identify customer needs and then align work processes to meet or exceed those needs, typically by organizing teams to accomplish more than in the past. A significant challenge in an AI-oriented environment, especially when AI-leveraging gangs are attacking constantly, is to create more products as a way to satisfy the AI itch while anticipating novel demands.  The problem is, as Rich Mironov recently put it , you're creating "DOA products." According to Rich, implementation of AI...