Continuing on the theme of leadership -- would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren’t the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work amongst many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not leaders?  So many bad or wrong (or alarming) answers might come to mind for you, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest performing employee; I wanted the leadership job more than they did ; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...

We here at Pythia Cyber are big believers in rigor so we strongly recommend following a rigorous framework when building your cybersecurity program (CSP). We use the NIST CSF by default but we recognize that there are a few other frameworks which will also do the trick. We seek to season cybersecurity with behavioral science because human behavior is a huge but rarely addressed part of running a CSP. Those who run the CSP are humans. Those who follow the CSP are humans. Those who work to subvert or circumvent the CSP are humans. There is much that is NOT cyber in cybersecurity. There are few places along the path to a great CSP where being human is more evident than in the writing of policies and procedures. The point of these documents is to inform, not impress. The goal is to guide human behavior in times of stress, so clarity and accuracy are of utmost importance. Length or literary flourishes are worse than irrelevant, they are an impediment to being useful in times of stress and u...

Phil Venables' new post, Do you really know what's going on? , caught our attention from the start (quoting at length): Most leaders do not know the actual truth of what is happening. This is not because people are overtly hiding things or that leaders are ineffective, although sometimes it is both of those, but rather this is because of the “thermocline of truth” that I covered in this post. Organizations are full of cultural, structural, process, and other barriers that stop reality making its way to leadership.  When you started out in your career you probably felt constant frustration that the “higher ups” had no clue about reality on the ground. Even today, you probably feel frustrated that peers in other organizations are clueless to the reality you know, or even in many cases that you know their teams know but are failing to push up to their leader.  When you become progressively more senior it’s easy to forget this experience and get in a position where you believe you...

Brendan has been writing about internal candidates, and we thought we'd enter the fray. There are upsides and downsides to building your talent pool v. external hiring & hoping it works, as Brendan noted. This post is about the internal pool. Integral to the buy/build decision are answers to the following questions: You've created a talent development process (I mean, you've done that...correct...?) You've invested in not only the identification but the acceleration of your people's performance (ditto...?) You're focusing on a talent-based performance management culture, not one that rewards surviving We've written about how this could happen. In brief you must: Intentionally create a newcomer socialization process Measure and monitor performance to get people to the point where they are considered for promotion "[You need to] manage the person's development intentionally so that they leverage their talents to perform. That happens through thr...

At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP) but increasingly we are asked about how to manage cybersecurity threats to assets external to the organization. In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else. In other words, part of your supply chain. Just about all organizations these days have some exposure to the cloud. Generally only manufacturing concerns have digital supply chains. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control: how do you apply your CSP to them? The Cloud One of the reas...

At Pythia Cyber warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity and skills and knowledge get out of date. Talent is evergreen. We keep keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heat of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...