Brendan has been writing about internal candidates, and we thought we'd enter the fray. There are upsides and downsides to building your talent pool v. external hiring & hoping it works, as Brendan noted. This post is about the internal pool. Integral to the buy/build decision are answers to the following questions: *You've created a talent development process (I mean, you've done that...correct...?) *You've invested in not only the identification but the acceleration of your people's performance (ditto...?) *You're focusing on a talent-based performance management culture, not one that rewards surviving We've written about how this could happen. In brief you must: *Intentionally create a newcomer socialization process *Measure and monitor performance to get people to the point where they are considered for promotion *"[You need to] manage the person's development intentionally so that they leverage their talents to perform. That happens throu...

At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP) but increasingly we are asked about how to manage cybersecurity threats to assets external to the organization. In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else. In other words, part of your supply chain. Just about all organizations these days have some exposure to the cloud. Generally only manufacturing concerns have digital supply chains. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control: how do you apply your CSP to them? The Cloud One of the reas...

At Pythia Cyber warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity and skills and knowledge get out of date. Talent is evergreen. We keep keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heat of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...

At Pythia Cyber the conversation about who to hire and how to management often detours into distinguishing skills and talents. This comes up often enough that it is time for blog post. Let us start, as so many middle school assignments do, with the dictionary definitions. Today we are using Merriam-Webster as our source. skill  noun   ˈskil  ...

You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time., because, yes here we go, AI is not pro active -- it's active .  That leave Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...