You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time., because, yes here we go, AI is not pro active -- it's active .  That leave Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...

At Pythia Cyber our focus on blending behavioral science with classic cybersecurity means that we have to address something other cybersecurity consultants do not: wishful thinking. Magical thinking, if you prefer. The tendency of people to believe whatever they have to believe in order to accommodate an inconvenient truth. At the top of the list of inconvenient truths is that experience in a previous position is a mediocre predictor of success in a new position. We all have firsthand experience of the new hire for "the exact same job" who cannot cut it. Near the top of the list is that credentials are a mediocre measure of capability. We all have walked into the cubicle of a mediocre colleague only to find their walls covered with certificates of courses passed and plaques of participation in impressive projects. Believe me, we understand why people cling to these ideas despite the personal contradictory experience. Not only is the dream so appealing (more below) but this te...

  The cybersecurity technical conversation is mature. There are frameworks, certifications, vendors, and a generation of professionals who have built careers around the technical layer. The talent conversation is improving, thanks in part to voices like Eric Cole's that have pushed the industry to look honestly at how it recruits, develops, and retains the people who do security work. The conversation about how technology, talent, and organization combine to produce actual security outcomes is still developing. It happens when a CISO realizes that a technically excellent program is still being compromised through behaviors the SOC doesn't see. It happens when a board recognizes that the cybersecurity function is reporting metrics rather than shaping decisions. It happens when an executive team asks why the cybersecurity investments of the past five years haven't translated into the resilience they expected. The bilingual axis runs through all of these conversations. Cyberse...

The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise. This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant. This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these ar...

Most cybersecurity organizations are structured the way hospitals organize specialty clinics. Discrete functional teams (SOC, IR, GRC, AppSec, vulnerability management, identity) each with their own leaders, metrics, and budgets. Work flows through routing and handoffs. The model builds deep expertise and clean reporting lines, and it is the structure most CISOs inherited. Its failure mode shows up at the seams. The acquisition integration that needs SOC visibility, IR readiness, GRC sign-off, and AppSec review of inherited code moves through four functions on incompatible timelines. The product launch that needs threat modeling, control implementation, monitoring tuning, and incident response plans gets each piece from a different team. The vendor onboarding becomes a series of parallel reviews that finish weeks apart. By the time anyone sees the whole picture, the picture has changed. The pattern isn't a failure of any individual function. Each function is doing its job. The patt...