Posts

Outro: A Closing Note On The Talent And Function Series

The cybersecurity technical conversation is mature. There are frameworks, certifications, vendors, and a generation of professionals who have built careers around the technical layer. The talent conversation is improving, thanks in part to voices like Eric Cole's that have pushed the industry to look honestly at how it recruits, develops, and retains the people who do security work. The conversation about how technology, talent, and organization combine to produce actual security outcomes is still developing. It happens when a CISO realizes that a technically excellent program is still being compromised through behaviors the SOC doesn't see. It happens when a board recognizes that the cybersecurity function is reporting metrics rather than shaping decisions. It happens when an executive team asks why the cybersecurity investments of the past five years haven't translated into the resilience they expected. The bilingual axis runs through all of these conversations. Cyberse...

Decisions, Decisions, Decisions, And Decisions

The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise. This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant. This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these ar...

Rethinking How Cybersecurity Work Gets Organized

Most cybersecurity organizations are structured the way hospitals organize specialty clinics. Discrete functional teams (SOC, IR, GRC, AppSec, vulnerability management, identity) each with their own leaders, metrics, and budgets. Work flows through routing and handoffs. The model builds deep expertise and clean reporting lines, and it is the structure most CISOs inherited. Its failure mode shows up at the seams. The acquisition integration that needs SOC visibility, IR readiness, GRC sign-off, and AppSec review of inherited code moves through four functions on incompatible timelines. The product launch that needs threat modeling, control implementation, monitoring tuning, and incident response plans gets each piece from a different team. The vendor onboarding becomes a series of parallel reviews that finish weeks apart. By the time anyone sees the whole picture, the picture has changed. The pattern isn't a failure of any individual function. Each function is doing its job. The patt...

The Other Half Of The Cybersecurity Talent Problem

Eric Cole recently published a piece called The CyberTalent Lie that is worth reading. His argument is that the persistent industry narrative about a cybersecurity talent shortage has become a cover story for avoidable strategic failures in how organizations recruit, develop, evaluate, and retain security professionals. He's right. Organizations have systematically eliminated entry-level positions, leaned on certification filters that exclude strong candidates, treated compensation as the lever for retention when exit data points to culture and mission, and excluded security leaders from the strategic conversations where their authority would matter most. His five-step rebuild -- audit credential inflation, restore early-career pathways, conduct honest exit analysis, elevate strategic positioning, protect the learning budget -- is the right prescription for the problem he diagnoses. The problem Eric describes is the 'supply-side' talent problem for the people who do se...

On Integrating Your Cybersecurity Team and Cybersecurity Function: A Three-Part Series

Pythia Cyber is uniquely focused on the behavioral and organizational conditions that determine whether cybersecurity investments produce cybersecurity outcomes. We focus on cybersecurity talent at the engineer, manager, and leader levels, and on the culture and talent strategy that surround them. Brendan refers to this as TAU: the systems, processes, and talent implementation strategies that create cybersecurity. You can't hire your way to better cybersecurity if your systems, processes, and talent implementation strategies are inadequate and misaligned. You can't organize your way to cybersecurity through systems and processes that are under-executed by less-talented personnel, managers who can't connect with their teams and stakeholders, or leaders who can't lead. You need talent and you need a talent strategy. And you need the people running cybersecurity to be "bilingual." Cybersecurity leaders are translators by necessity. They face downward into the t...

Litany Of The Hacked: April 2026 Round-Up

(p.s. programming note: We're doing the April 2026 Litany of the Hacked today to make room for a multi-part special series starting Monday. Come back next week for our three-part series!) Do April cyber-attack showers bring May cybersecurity flowers? Better hope so! The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for April 2026. Our litany this month reflects...I think the word is hubris (or hýbris), to be classical: the über-hacker-program, Mythos, the One AI To Rule Them All, was -- hacked! “We’re investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments,” said Anthropic. One implication is that nothing is entirely safe when people start getting involved. Another, to be a little more cheerful, is that the AI arms race to AGI...

Internal Candidates

At Pythia Cyber we combine behavioral science with classic cybersecurity because bad behavior so often beats good technology. As part of our behavioral science toolkit we have three different talent assessments: one for Cybersecurity Engineers, one for Cybersecurity Managers and one for Cybersecurity Leaders. A common misconception is that these three assessments are beginner, intermediate and advanced assessments. This misconception is rooted in the widely embraced fantasy of promotion as a reward for performance. In this fantasy all careers have the same trajectory: get a job, work hard, move up the ladder until you cannot rise any further. This fantasy is based on the fallacy that the core talents underlying success are the same at each stage of one's career, or that most people happen to have all three sets of talents. Both of these are fallacies: it is a rare person indeed who can succeed at all levels of the organization. Such a person is a unicorn. Don't count on unicorn...