Posts

Appreciating HR In The Hiring Process

I have come to see the light: when hiring to fill positions I can see that HR has a valuable role to play, and that role is to protect the organization, writ large, from the hiring manager's inexperience in hiring. Much as the hiring manager might know all about the domain into which they are hiring, the hiring manager is rarely an expert in hiring itself. The hiring manager is likely to be blind to questions of equal access and unconscious bias. The hiring manager might be great at detecting and nurturing talent but unaware of anything else, which is how you get technology groups whose members are all in the same demographic--all good at their jobs and good hires individually, but collectively a lawsuit waiting to happen. HR is there to make sure that the hiring process does not run afoul of the large number of laws, regulations and policies governing hiring. This is a relatively recent development in my thinking. For most of my career in technology HR has been a hurdle to be gott...

How You Could Manage Performance Better

We discussed in the first part of this series that all organizations need to manage the performance of their employees at all levels. And, at the individual contributor level, performance management is critical. That was the 'why.' Now let's discuss 'how.' Performance management is a process. It is often confused with the outcome -- a rating or narrative review used in conjunction with an organizational decision such as incentive pay or promotions, or as a rationale for developmental/corrective/punitive actions. Thus, it is a high-stakes process with multiple potential consequences for both the individual and the organization. In many ways, performance management is like managing tree growth. As in the picture above, taking on a new hire -- a sapling -- means you need to find the right place for it, set it up for success, and tend to it. And sometimes the performance management process means you remove longer-tenured trees that have lost their vitality or their role...

Performance Management: Second-Lowest Only To Colonoscopies In Terms Of Popularity

As much as we talk about talent here at Pythia Cyber, or the NIST CSF, or AI, eventually you need either to perform, or manage performance, or collaborate with other executives to calibrate performance across the organization. That's right, it's time to talk performance management. In this post we'll discuss the 'why,' and in a later post we'll discuss 'how.' Let's start with the baseline. Maybe 1% of anyone who has been an employee or contractor at any organizational level wants to discuss performance management. At the same time, it's a business-critical conversation -- maybe existential -- in a field such as cybersecurity. Here is my friend Steve Hunt on performance management. Steve was a VP at SAP at the time he wrote this piece, probably the best ever written on performance management. The key part is here (quoted at length): Performance management is both difficult and necessary. Performance management is difficult because it add...

Litany Of The Hacked: March 2026 Round-Up

No joke, folks -- time for the litany of the hacked! The litany of the hacked is our listing of each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for March 2026. Unfortunately we have a lot of new members of the litany, and to a significant extent this happened because of military actions in the Persian Gulf. You can be positive that there is no reason to think that cybersecurity is going to get easier from here on out. As Megi Benia puts it on her blog: Deterrence assumes identifiable actors, clear intent, and thresholds that trigger response. Iran’s use of ransomware deliberately undermines all three: - Attribution is blurred through proxies and criminal partnerships - Intent is dual-use, combining profit, disruption, and signaling - Activity remains below the threshold of armed attack. The implication is not just tactical but strategic. If ransomware c...

The Sins of the Past

In Dickens's A Christmas Carol we are given one of the greatest metaphors of all time. When Scrooge is visited by the ghost of his old business partner, Jacob Marley, he finds that ghost trailing all the things that Marley's greed goaded him into possessing: money boxes, transaction ledgers, padlocks and even heavy deeds. When Scrooge asks Marley where the chain came from, Marley's answer is chilling: I wear the chain I forged in life. I made it link by link, and yard by yard; I girded it on of my own free will. Believe it or not, this sprang to mind last week when I learned that current FBI director Kash Patel had some of his personal emails leaked by enemies of the state. Iranians? Russians masquerading as Iranians? Iranians with Russian help? Who knows. The point is not specifically who did it. The point is not the rather banal and inane content. The point is not that the content was from a while ago. The point is that we all wear the digital chains we forge in life. We m...

Accuracy And Precision In Cybersecurity

I am a fan of sketchplanations.com in general, and this sketch in particular caught my eye for two reasons. First, I love me some hair-splitting (ask me about the difference between "virulent pathogens" and "infectious pathogens"). Second, this gives me a great way to talk about a big deal in cybersecurity. Before diving into that big deal I want to apply the point of the sketch to cybersecurity. The field of cybersecurity is a branch of Risk Management. The people running the organization have to set priorities and budgets. The people running the organization have to sign off on the policies which decide which risks are worth mitigating. The people running cybersecurity have to write procedures which implement those policies and then police activity to ensure that the procedures are active and effective. By analogy, the policies are accuracy: are you trying to protect what you need protected? The procedures are precision: are you effectively protecting whatever it ...

It Takes A Lot Of Cyber-Something To Make Nothing Cyber-Bad Happen

Everyone wants to be successful. Defining what "success" is may vary from person to person, and deciding whether someone is successful may not be up to any of us, but we can find contentment and professional pride in everyday work over a career. It's very difficult to define success in a career such as cybersecurity apart from the big-picture issue of "nothing happened." Ultimately, if "nothing happens" you are successful, because nothing bad happened. But for cybersecurity, "nothing bad happened" is not the same as "nothing happened." In fact, "nothing bad happened" because something good happened in cybersecurity. Lots of "something" may be happening as a matter of fact, and success means that none of it resulted in a win for your adversaries. Lack of IT or cyber-systems failure is a sign that your cyber-defense processes performed well. Let's focus on that. Cybersecurity is the process by which you create maximu...