Pythia Cyber realizes that many a cybersecurity battle is won or lost long before the attack. Cybersecurity is about forethought, not reaction. But must as we love a good set of NIST CSF policies and procedures, we recognize that your cybersecurity program is only as good as the people who implement it. Therefore we offer consulting to help you find, hire and retain the right people. The right people are the people who will do the best job in your specific environment, both now and in the future. How do we do that? We use proprietary instruments to measure applicants talents because when it comes to building and maintaining teams, Talent-based hiring is better than Skills-based hiring and both are better than Certification-based hiring. Why is that the case? Because of The Problem we all know about but so rarely talk about. The Problem for technology in general the pace of change is so great that relying on what someone did a while ago (for which they received certification) is not a g...

Eventually your system will be compromised beyond your capacity to deal with it. What you do from a systems perspective is part of your growth curve. So is your emotional and behavioral path. As a cybersecurity professional, you can feel over-invested in your defense processes and systems. A systems compromise can feel disorienting and hard to accept. Maybe you could have done something more; maybe they were better; maybe it was something so obvious! We saw a recent piece in the New York Times (behind paywall) on how Olympic athletes deal with disappointment that seemed to capture this sort of scenario. It's abstracted here because the lessons Olympians learn are hard-won and eminently transferrable to other elite performers such as cyber-defenders. 1. Learn resilience . "Just as psychologists have athletes visualize their wins, they also ask them to imagine all the things that could go wrong, and how they’ll respond." 2. The power of purpose . "The best athletes se...

He's BAAACK! Bushan Sethi posted his talk from a presentation I attended last week in Las Vegas -- this picture might be from there, who knows. We've mentioned him before . Other than pictures of cats, Bushan seems to fill the Internet void. The goal of his presentation was to focus us on 'no-regrets moves' in the Time of AI. These recommendations are good for cybersecurity professionals too. I'm posting an extended quote -- his recommendations here, which are a lot less creepy than "move fast and break things": Think like an economist : Understand the macro and the micro - whether it's impact on AI on labor markets to challenging assumptions included in business case investments - whether they be about adoption, data architecture or investments in compute capacity. Think like a scientist : Use data and evidence to test hypotheses about what works in AI adoption and human-AI collaboration. Run hackathons - push the organization to generate ideas. Be co...

Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need. These will sound familiar to our blog readers! We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself.  We're going to frame this in terms of the labyrinth. We've discussed that previously . It's not meant to be a mystery, but instead, a journey.  Prelude: Why must CISOs learn new skills? "Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not. When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental." Part 1: What are these skills? As per Eric -- & us & Rich Mironov ): Skill #1: Business Risk ...

All of us get distracted by the bright shiny object. It seems luminous and irresistible, shining out in the darkness, beckoning. Admit it: AI is your current bright shiny object.  We keep an eye out for cybersecurity & AI material. Sometimes we run across posts that are excellent and we feel the need to create more community by bringing them to your attention. Here's one such post from LinkedIn by Val Tsenev . It deserves your time. I've boiled down his post to this question: What do CISOs want from AI? 1. Measurable risk reduction . What risks does the AI platform mitigate and how? 2. Explainability & auditability . As Val says, "Black-box AI is a liability, not an asset." 3. Integration into their existing workflows . It cannot stand alone. 4. G overnance and human oversight . There is always a person somewhere on, in, atop, or something the loop. Val concludes: "CISOs aren't rejecting AI. They're rejecting AI that's irrelevant, unvalidated,...

At Pythia Cyber we try to give behavior its rightful place in cybersecurity. Often we mean that what your organization's users do is a huge part of the vulnerability picture. Sometimes we mean that the way people react to situations is also a source of vulnerability. This time we mean how your organization models its relationship to your cybersecurity professionals. This is important because how we define our boundaries at work has a huge impact on people's expectations of themselves and others. Expectations are a big factor in our effectiveness. So much for the abstract stuff. Let's get concrete. There is a spectrum of relationships that go from too little through too much with a stop in middle for just right. By "too little" I mean giving your cybersecurity people too little input into your decisions. By "too much" I mean letting your cybersecurity people make your decisions for you. By "just right" I mean working with your cybersecurity peop...