Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need. These will sound familiar to our blog readers! We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself.  We're going to frame this in terms of the labyrinth. We've discussed that previously . It's not meant to be a mystery, but instead, a journey.  Prelude: Why must CISOs learn new skills? "Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not. When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental." Part 1: What are these skills? As per Eric -- & us & Rich Mironov ): Skill #1: Business Risk ...

All of us get distracted by the bright shiny object. It seems luminous and irresistible, shining out in the darkness, beckoning. Admit it: AI is your current bright shiny object.  We keep an eye out for cybersecurity & AI material. Sometimes we run across posts that are excellent and we feel the need to create more community by bringing them to your attention. Here's one such post from LinkedIn by Val Tsenev . It deserves your time. I've boiled down his post to this question: What do CISOs want from AI? 1. Measurable risk reduction . What risks does the AI platform mitigate and how? 2. Explainability & auditability . As Val says, "Black-box AI is a liability, not an asset." 3. Integration into their existing workflows . It cannot stand alone. 4. G overnance and human oversight . There is always a person somewhere on, in, atop, or something the loop. Val concludes: "CISOs aren't rejecting AI. They're rejecting AI that's irrelevant, unvalidated,...

At Pythia Cyber we try to give behavior its rightful place in cybersecurity. Often we mean that what your organization's users do is a huge part of the vulnerability picture. Sometimes we mean that the way people react to situations is also a source of vulnerability. This time we mean how your organization models its relationship to your cybersecurity professionals. This is important because how we define our boundaries at work has a huge impact on people's expectations of themselves and others. Expectations are a big factor in our effectiveness. So much for the abstract stuff. Let's get concrete. There is a spectrum of relationships that go from too little through too much with a stop in middle for just right. By "too little" I mean giving your cybersecurity people too little input into your decisions. By "too much" I mean letting your cybersecurity people make your decisions for you. By "just right" I mean working with your cybersecurity peop...

Recently we started following Dr Eric Cole on LinkedIn and on his Substack channel. His recent pieces are very good. One of his posts notes that metrics/numbers are good, but they don't answer the fundamental question Boards care about: are we secure?   So why do we report things such as patch compliance rates, vulnerability counts, mean time to remediate,  and tool coverage?  Because they are metrics under our control and they're comfortable and easy to explain. Same in any field -- keep it simple, stupid. It's a metric, it's not magic. What Eric says next is, well, magic: "When boards ask oversimplified questions, they get oversimplified answers. Dashboards are built to reassure rather than challenge. Over time, this trains leadership to equate motion with protection." Let's not laugh too quickly at those dumb ol' Boards asking oversimplified questions though because where do they get the idea that metrics are security? That's right. They got t...

Recently I attended a talk by Bhushan Sethi. You almost can't miss him ( here , here , here , here , etc.) and last week it was my turn. Here is a thought question he tossed out. What will the future organization look like? Our normative model is the Pyramid of Khafre in Giza, pictured above. Classic -- lots of worker bees at the bottom, fewer in the middle, very few/one at the top. What about this next one? Here, most of us get to a point in the hierarchy and then...that's it. But some people -- the AI automation people? -- keep going and going. Or this: This is a "normal"-looking hierarchy but employees start in the middle, not at the bottom. You may not care per se but think of it this way. If AI takes mid-career cybersecurity jobs away, how will you adjust once that happens? Or, if entry-level jobs go away, how will entry-level -- formerly mid-level -- cyber-defenders learn their craft? What about those pesky risk vectors, a.k.a. nontechnical employees? It's a...

I recently attended a fantastic workshop conducted in part by our friend, and my former grad school roommate,  Bob Lewis . The focus of the workshop was building a talent-based process. One of the aspects he discussed is how not all talents 'work' the same at all levels. You need to gauge them relative to work role needs. This is especially important when moving from manager to executive leader. Many of us believe that if a little of something is a good thing, why then more must be better. In a talent context, this belief can run  afoul of data .  BEFORE we go further let's state for the record that more talent is, well, better. The question here is: are talents at lower levels good for performance at higher levels? Sort of like -- yeah I already did that so I must be good at it. Answer: in fact not only is that belief incorrect it can create counter-productive behavior. Bob's research using '360s' among managers showed that manager level matters. (More context!...