Posts

Unforeseen & Unforeseeable

The United States of America has taken military action against the Islamic Republic of Iran. Unforeseen or unforeseeable? In the cybersecurity context, it doesn't really matter: either you were prepared for this or you were prepared for something like this or you have the talent and bandwidth to pivot or you are a cautionary tale waiting to happen. By "something like this" I mean the risk of cyber attacks from foreign operatives as opposed to criminals or vandals. Vandals are mostly thrill-seeking. Criminals want to get money. Operators want to either lurk or disable your systems. Vandals are often as unsophisticated in their thinking as they are sophisticated in their hacking. It has been a long time since they were the top threat. Just keep your defenses up-to-date and your monitoring current and you should be able to keep them out. Criminals are getting ever more sophisticated in their scams and their use of stolen information. But they don't want to get caught an...

Your Previous Experience Does Not Prepare You For The Cyber-War You Are In Right Now

When you as a cyber-professional think of planning for war, you probably have in mind some order of battle map such as the one above. It shows the front lines, terrain, forces in opposition, troop movements, etc. Your thought process is wrong. And, when you as a cyber-professional think of war you probably think of engaging with the enemy and taking and holding territory, or bombing, or drones and missiles. Well, that thought process is wrong too. But you're in a war anyway. How is it going for you? War is serious business and cyber-warfare is not like other wars, especially when you're almost always on defense at all times. All of us have models, scripts, or even memories based on experience and education for endeavors such as wars. These models and scripts come from family lore, movies, books, military service, and so on. They are all valid as far as that goes. Problem is, you're in a cyber-war and you don't have a model or script, probably not even personal experien...

How We Can Help After You've Been Hacked

You get hacked. What can Pythia Cyber do for you? Once you have addressed the immediate problem and then done what you can to repair the damage, it is time to figure out what happened. That is when we can help. (If you follow the NIST CSF, we come in right after the Recover phase.) In the Respond phase you address the immediate problem. In the Recover phase you do what you can to repair the damage. Then you fight off the temptation to rest and you go back to the Identify phase because you need to figure out what went wrong so you can make sure that it doesn't happen again. As part of that investigation you have a very important question to answer: was the root of your problem systemic or not? This should involve a top-to-bottom review of your cybersecurity program. It is tempting to keep this in-house--who wants to air their dirty laundry?--but we recommend an objective, external, expert observer. "Expert" is obvious. "External" because...

Eric Cole Is A Tough Grader

Eric Cole recently posted his review on Substack of the new US Cybersecurity strategy. His review is meant to be brief and touches on four parts of the strategy that move us toward better practices and processes. He also enumerates three ways in which the strategy comes up short. We're amplifying here because of the implications of both the strategy and the review for behavioral cybersecurity. 1. The strategy "correctly frames cybersecurity as an element of national power rather than simply an IT hygiene issue. Cyber now intersects directly with economic growth, military capability, supply chain resilience, artificial intelligence, and national infrastructure." 2. It "recognizes that modern cyber adversaries are no longer focused solely on data theft. Increasingly, they are targeting operational continuity and daily life, including healthcare systems, energy infrastructure, telecommunications, and financial networks." 3. "The strategy acknowledges an impo...

Guest Post: How Chronic Pressure Quietly Undermines Technical Judgment and What You Can Do About That

We like to highlight perspectives by experts who can add value to your work as a cybersecurity professional. This post, by Dr. Louiza Livschitz, concerns issues and remedies for CTO judgment under pressure. How Chronic Pressure Quietly Undermines Technical Judgment and What You Can Do About That Technical leaders are trained for clear thinking under duress, having built their careers solving complex problems in environments defined by high risk, urgency, and material consequences. For this reason, it can be deeply unsettling when judgment begins to feel less sharp. Under chronic pressure, many CTOs and technical executives observe subtle, yet impactful, shifts. Decisions feel heavier, options narrow more quickly, and familiar solutions become disproportionately more appealing than exploring new possibilities. The mind instinctively moves toward certainty sooner than it used to. This phenomenon is not a failure of intelligence or experience; it is a predictable, systemic eff...

Either Deal With Burnout or Waste Money and Time Continually Recruiting: Solutions At All Levels

Albert Einstein never actually said that the definition of insanity is trying the same thing over and over and expecting something different (source). But it's a really smart thing to understand, because if your attempts at dealing with burnout feel like, well, insanity, then read on. Brendan kicked us off with burnout so let's pick up from there. What is 'burnout' (or burn-out)? According to a 2019 World Health Organization report (here), burnout is: "[A] syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: feelings of energy depletion or exhaustion; increased mental distance from one’s job, or feelings of negativism or cynicism related to one's job; and reduced professional efficacy. Burn-out refers specifically to phenomena in the occupational context and should not be applied to describe experiences in other areas of life." The part that matters from an ...

Cybersecurity Burnout

Recently I have seen mentions in different outlets of the problem of burnout in an alarming number of cybersecurity programs. The Wall Street Journal had such a piece in which a number of CISOs complained that the programs they oversee are understaffed and what staff they have are burning out under the weight of the ever-growing deluge of cyber attacks of various kinds. The problem described in the piece resonated with me. The tone and thrust of the CISOs' complaints did not. Before I talk about the problems to which I think I have useful input I want to outline the problem to which I think I do not have useful input: the burnout problem. I keep seeing the following dynamic in cybersecurity groups: there is a surge of cyber attacks and, mission-driven employees that we are, the cybersecurity folks respond by working more hours to deal with these particular crises. But the surge turns into the new normal, so while we wait for the cavalry to arrive, we fall into working late on weekni...