Posts

The (Cybersecurity Threat) Beat Goes On

Image
At Pythia Cyber warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity and skills and knowledge get out of date. Talent is evergreen. We keep keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heat of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...
Post a Comment
Read more

Employ Skills But Hire Talents

Image
At Pythia Cyber the conversation about who to hire and how to management often detours into distinguishing skills and talents. This comes up often enough that it is time for blog post. Let us start, as so many middle school assignments do, with the dictionary definitions. Today we are using Merriam-Webster as our source. skill  noun   ˈskil  ...
Post a Comment
Read more

We Predict The CISO Talent Dilemma If You Don't Become Better At Managing Talent Development

Image
You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time., because, yes here we go, AI is not pro active -- it's active .  That leave Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...
Post a Comment
Read more

The "Build or Buy" Dilemma When Hiring

Image
Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...
Post a Comment
Read more

The Yin of Talent & The Yang of Experience

Image
At Pythia Cyber our focus on blending behavioral science with classic cybersecurity means that we have to address something other cybersecurity consultants do not: wishful thinking. Magical thinking, if you prefer. The tendency of people to believe whatever they have to believe in order to accommodate an inconvenient truth. At the top of the list of inconvenient truths is that experience in a previous position is a mediocre predictor of success in a new position. We all have firsthand experience of the new hire for "the exact same job" who cannot cut it. Near the top of the list is that credentials are a mediocre measure of capability. We all have walked into the cubicle of a mediocre colleague only to find their walls covered with certificates of courses passed and plaques of participation in impressive projects. Believe me, we understand why people cling to these ideas despite the personal contradictory experience. Not only is the dream so appealing (more below) but this te...
Post a Comment
Read more

Outro: A Closing Note On The Talent And Function Series

Image
  The cybersecurity technical conversation is mature. There are frameworks, certifications, vendors, and a generation of professionals who have built careers around the technical layer. The talent conversation is improving, thanks in part to voices like Eric Cole's that have pushed the industry to look honestly at how it recruits, develops, and retains the people who do security work. The conversation about how technology, talent, and organization combine to produce actual security outcomes is still developing. It happens when a CISO realizes that a technically excellent program is still being compromised through behaviors the SOC doesn't see. It happens when a board recognizes that the cybersecurity function is reporting metrics rather than shaping decisions. It happens when an executive team asks why the cybersecurity investments of the past five years haven't translated into the resilience they expected. The bilingual axis runs through all of these conversations. Cyberse...
Post a Comment
Read more

Decisions, Decisions, Decisions, And Decisions

Image
The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise. This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant. This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these ar...
Post a Comment
Read more