Posts

Bonus Public Service Announcement: This Time It's Real

With today's military events in the Middle East, cyberspace is going to be heating up for the foreseeable future. Here is a blog post from Cynthia Kaiser at LinkedIn and a link to Halcyon's blog. Ask us how you can keep your people motivated. (image credit: BogTar201213, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)

CISO: Do The People On Your Team Trust You As A Leader?

People should trust you, right? I mean, you're trustworthy, aren't you? Sometimes leading is like magic. Magic acts are about misdirection of attention. Get people focused on one thing, which is key to trust, then pull off a trick they weren't expecting -- magic! Military leaders know this well: it's "the suck," as in, the troops are all maneuvering in the mud and it sucks, but the key to leading wet, muddy troops is to direct their attention to being in it together -- and presto, the effect is like magic! You can't be a magician without being trustworthy. If people didn't believe you, they wouldn't put their attention in your hands. If wet, muddy troops didn't feel you were all in it together, they would focus on themselves. What's your CISO magic trick? How do you capture the attention of your team so that they are willing to follow along because what you do seems like magic? My friend Steve Hunt thinks a lot about leadership. Over on his Subs...

Pruning and Cybersecurity

As I sit at my desk and type this, I can see an old server that I need to retire. It will be a pain because the golden promise of moving configurations from old machines to new machines is mostly a lie. I will have to recreate the services that have worked so well for so long. This will annoy the users, who are likely to see changes and feel inconvenience without seeing or feeling any benefit. The benefit is the reduction of risk, and that is a benefit so abstract that few people can appreciate it. That is why so many cybersecurity vulnerabilities quietly sprout and grow in even well-run IT environments: over time your up-to-date, secure installations can become risky, then a potential liability, and finally an exploited vulnerability. I know all this, but I am dreading this project. If the replacement goes perfectly, no one will notice anything other than a drop in my ability to do the things that people are currently expecting me to do. If the replacement does not go perfectly the ...

CISO: You Can Believe It's Out There

All selection situations, and the hunt for a new CISO is no different, involve believing in a perfect candidate. The One. Our New Superstar. The Key To Our Success. Truly Exceptional. Your CISO from that previous campaign was out there. You believed. You found that truly exceptional person. Remember when the previous incumbent was that person? May have been, what, a few years ago, right? Whatever happened to that person? We've written about this person many times before, such as here. Let's clear this up right now: at the time, yes, this person was The One on Day 1. That was a good call on the part of the hiring team. Let's dig deeper: speaking entirely dispassionately, that person was relatively the best candidate, compared to other candidates, and was willing to accept your job offer. That's raining on your parade as a hiring team, but it's accurate. How have things changed since then? Recently The Wall Street Journal (behind paywall) wrote that "Record ...

CISO: High-Leverage Leadership Hiring Means Either Selecting For Talent Or Else Wasting Millions Of Dollars

Here's a safe bet: even though you know what your annual spend on vendor support is, and how much you spend on coffee machine pods, you don't know what it costs to back-fill one bad CISO hire. Let's define terms. The term CISO "refers to the most senior security leader accountable for an organization's information security strategy, program execution, and risk management" (2026 Global CISO Leadership Report). According to the same report, the level down from CISO in typical organizations is Deputy CISO or "NextGen," "[L]eaders who translate CISO strategy into operational execution, combining strategic alignment with hands-on program leadership. They typically manage teams of 5 to 50+ security professionals within their areas of specialization." About a third of CISOs report to CTOs or a comparable title, which means that about two-thirds report to some other nontechnical executive or the Board (which is also nontechnical). Right off as p...

Talent > Skills > Certifications

Pythia Cyber realizes that many a cybersecurity battle is won or lost long before the attack. Cybersecurity is about forethought, not reaction. But much as we love a good set of NIST CSF policies and procedures, we recognize that your cybersecurity program is only as good as the people who implement it. Therefore we offer consulting to help you find, hire and retain the right people. The right people are the people who will do the best job in your specific environment, both now and in the future. How do we do that? We use proprietary instruments to measure applicants' talents, because when it comes to building and maintaining teams, Talent-based hiring is better than Skills-based hiring, and both are better than Certification-based hiring. Why is that the case? Because of The Problem we all know about but so rarely talk about. The Problem: for technology in general, the pace of change is so great that relying on what someone did a while ago (for which they received certification) is not a g...

Bounce Back From The Hack

Eventually your system will be compromised beyond your capacity to deal with it. What you do from a systems perspective is part of your growth curve. So is your emotional and behavioral path. As a cybersecurity professional, you can feel over-invested in your defense processes and systems. A systems compromise can feel disorienting and hard to accept. Maybe you could have done something more; maybe they were better; maybe it was something so obvious! We saw a recent piece in the New York Times (behind paywall) on how Olympic athletes deal with disappointment that seemed to capture this sort of scenario. It's abstracted here because the lessons Olympians learn are hard-won and eminently transferable to other elite performers such as cyber-defenders. 1. Learn resilience. "Just as psychologists have athletes visualize their wins, they also ask them to imagine all the things that could go wrong, and how they’ll respond." 2. The power of purpose. "The best athletes se...