Your life as a cybersecurity professional, especially as a cybersecurity leader, entails managing risk. There are external risks (a.k.a. hackers), there are physical security risks, there are budget risks, there are organizational risks and there are technology risks. Your employees -- moreover, your best employees -- are a risk. So sayeth CISO Tradecraft ®  Newsletter  (CTN) this week. Their rationale is clear: "The hard truth for modern leadership is that AI has democratized capability so thoroughly that your entire organization, not just your engineering team, can now generate production-grade risk at machine speed." We  just finished summarizing Rich Mironov's latest post, ' Code isn't product ,' that landed on a strikingly similar note: faster code production leads to "DOA products" because there is not consideration of what customers actually want, you're simply turning over more code to demonstrate activity with a mindset that activity ...

"Who asked for this?" One of the most fundamental questions in design and development or any product or process stays open. It was true for the Ford Edsel and it's true for your team's activities. Yes, the number one question your executive leadership asks is whether we're 'safe.' Yes, AI is changing the rules. (Well, some of them.) Yes, you can do "more" with AI than you could do in the past. Who asked for this? One of the key functions of leadership is to identify customer needs and then align work processes to meet or exceed those needs, typically by organizing teams to accomplish more than in the past. A significant challenge in an AI-oriented environment, especially when AI-leveraging gangs are attacking constantly, is to create more products as a way to satisfy the AI itch while anticipating novel demands.  The problem is, as Rich Mironov recently put it , you're creating "DOA products." According to Rich, implementation of AI...

A classic is something that everybody wants to have read and nobody wants to read--Mark Twain With apologies to Mark Twain, cybersecurity is something everybody wants to have and nobody wants to have to do. Over and above the sad truth that security is inconvenient  is the sadder truth that cybersecurity touches the entire organization so many of us are required to interact with cybersecurity without really knowing what it is or why it demands what it demands. Thus most of us either have to trust our cybersecurity team to have made the right trade-offs between convenience (productivity) and security, or we have to find a way to join the conversation without wasting anyone's time. (The second option is the one we at Pythia Cyber recommend, but it is difficult which is why our cybersecurity consulting practice is half behavioral science and half classic cybersecurity.) As with so many other aspects of life in the rapidly-changing, technology-driven 21st century, finding the balance ...

We take a moment to note the death of Eric Cole, PhD. We found his writing about cybersecurity to be enlightening, inciteful, and thoughtful. RIP. (image credit: LinkedIn post)

Sayings that seem to be true: In life, the only things you can count on are death and taxes The only constant is change In the valley of the blind, the one-eyed man is king [modify re: gender & ruler terms as appropriate] Here's a new one: You get to engineer the shape of your career. We write a lot about shaping your career . The emphasis is on you , as a cybersecurity professional, creating a career path for yourself appreciating that frequently there is more of a bush than a path .  Our approach grows from applied behavioral science because that community has a focus on career identification, management, and development.  The fact that your career path is a nonlinear journey rather than a process with clearly defined stages and edges can be disconcerting. Yet it is so. Phil Venables is out with a new post at his blog on managing your career. Phil is an engineer, not an organizational scientist or practitioner. We will thus say that he is writing about engineeri...

Spring is over, back to the grind. The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for May 2026: San Diego Community College…Canvas (technically, Instructure; Canvas is the product)…WhatsApp accounts of some US military personnel…Medtronic…Cushman & Wakefield…Trellix…MediaWorks…supply chains for NVIDIA…Foxconn…West Pharmaceutical…GitHub…7-Eleven…Charter Communications...Lithuanian government offices...Hartford HealthCare...various Microsoft products (via routers)... Attacks via vendors continue to be problematic -- for you & your company. The law and & insurance  worlds are starting to notice. Here's how Cynthia Kaiser puts it: "Ask your security and tech teams this week: 'If our top three vendors were hit with ransomware tomorrow, what data of ours would be at risk? Do our contracts r...