Posts

Cybersecurity Partners

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post (this one) describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In the janitor model the cybersecurity function is subordinate t...

Cybersecurity Tyrants

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post (this one) describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In my long career I have seen the tail wag the dog: I have seen o...

Cybersecurity Janitors

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post (this one) describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. I have been a janitor. I have also been a cybersecurity contribut...

Why We Are Working on an AI-assisted Resume Screen

I have a problem with conventional resume screening; I have mentioned it before. Especially automated resume screening. In my experience too many of the people behind the screens are relying on two dimensions in setting up the bots: small chunks of text and keywords given to them by hiring managers. My problem is that I strain to see the link between how a resume is formatted (which chunks of text in which order) or worded (which words are in the chunks of text) or coded (which keywords are floating around) and hardcore technical talent. In fact, in my experience, the correlation is negative by which I mean that I have seen topnotch technologists standing behind very ugly and badly worded resumes. I can see how one might hire a writer or a graphic designer based on how aesthetically pleasing a resume is. But I need convincing, with data, that this same methodology can spot the kind of talent needed to succeed in cybersecurity. I have a particular distrust of keyword-b...

Yes, You Need To Know And You Must Ask

We've recently posted about the role of HR in the cybersecurity hiring process. As Brendan puts it, HR's role is to mitigate risk from the hiring manager's unconscious (or not) bias and potentially inefficient hiring practices. Hooray! The other side of that bargain is that you must assess awkward issues in the hiring process. If you don't ask, you -- managers, HR, whoever -- are assuming that those issues are unimportant. You are making an ASS out of U and ME. There are two sets of asks: What productivity talent does this person have? and What propensity does this person have to engage in counterproductive work behavior or deviance? Let's tackle each in turn. Talent. We write extensively about cybersecurity talent. It specifically involves high performance in any of three main cybersecurity roles -- individual contributor, manager, leader/executive. We have developed with Conchie Associates a proprietary talent assessment for each of these roles. Many asses...

(Don't) Connect The Career Dots

“Ten years ago, did you expect to be in the job you hold today?” Well, did you? One of the greatest popular science books of the last 50 years is The Mismeasure of Man by Stephen Jay Gould. Professor Gould was also famous for questioning the popular science hypothesis that evolution was linear. Gould didn't question whether la evolución was real. Instead at issue was whether evolution was a linear progression...or something that sprouted more like a bush: What's the difference? Our friend Barry Conchie puts it this way: "For most people, careers are not the result of long-term planning. They are the result of capability, opportunity, and circumstance interacting over time." The problem with a linear assumption regarding evolution or careers is that progress is some function of earlier investments that results in a later outcome, and so on. The unfortunate fundamental nature of evolution (and careers) though is that they don't always work out; they may dead-end;...

Being Famous For Being Famous

As the technology practice lead of Pythia Cyber, I try to stay away from the behavioral side of things except as a follower but today I am going to be a little out of my lane. Perhaps my behavioral science counterpart will have something to post in reply. But today I am going to make an exception: I am going to talk about some human behavior that I encounter on the technology side of things because this behavior illustrates a key concept of our philosophy. The behavior is the technology hiring equivalent of being famous for being famous. According to Professor Google, here is the origin of this catch phrase: Coined by historian Daniel J. Boorstin in his 1961 book, The Image: A Guide to Pseudo-events in America, defining a celebrity as "a person who is known for his well-knownness". The analogy to which I refer is being hired as a leader because you were hired as a leader. The key concept this illustrates is the faulty logic in relying on certifications or experience or both...