At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP) but increasingly we are asked about how to manage cybersecurity threats to assets external to the organization. In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else. In other words, part of your supply chain. Just about all organizations these days have some exposure to the cloud. Generally only manufacturing concerns have digital supply chains. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control: how do you apply your CSP to them? The Cloud One of the reas...

At Pythia Cyber warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity and skills and knowledge get out of date. Talent is evergreen. We keep keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heat of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...

At Pythia Cyber the conversation about who to hire and how to management often detours into distinguishing skills and talents. This comes up often enough that it is time for blog post. Let us start, as so many middle school assignments do, with the dictionary definitions. Today we are using Merriam-Webster as our source. skill  noun   ˈskil  ...

You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time., because, yes here we go, AI is not pro active -- it's active .  That leave Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...

At Pythia Cyber our focus on blending behavioral science with classic cybersecurity means that we have to address something other cybersecurity consultants do not: wishful thinking. Magical thinking, if you prefer. The tendency of people to believe whatever they have to believe in order to accommodate an inconvenient truth. At the top of the list of inconvenient truths is that experience in a previous position is a mediocre predictor of success in a new position. We all have firsthand experience of the new hire for "the exact same job" who cannot cut it. Near the top of the list is that credentials are a mediocre measure of capability. We all have walked into the cubicle of a mediocre colleague only to find their walls covered with certificates of courses passed and plaques of participation in impressive projects. Believe me, we understand why people cling to these ideas despite the personal contradictory experience. Not only is the dream so appealing (more below) but this te...