Posts

We Predict The CISO Talent Dilemma If You Don't Become Better At Managing Talent Development

You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough, because you're out of time, because, yes, here we go, AI is not proactive -- it's active. That leaves Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...

The "Build or Buy" Dilemma When Hiring

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...

The Yin of Talent & The Yang of Experience

At Pythia Cyber, our focus on blending behavioral science with classic cybersecurity means that we have to address something other cybersecurity consultants do not: wishful thinking. Magical thinking, if you prefer. The tendency of people to believe whatever they have to believe in order to accommodate an inconvenient truth. At the top of the list of inconvenient truths is that experience in a previous position is a mediocre predictor of success in a new position. We all have firsthand experience of the new hire for "the exact same job" who cannot cut it. Near the top of the list is that credentials are a mediocre measure of capability. We all have walked into the cubicle of a mediocre colleague only to find their walls covered with certificates of courses passed and plaques of participation in impressive projects. Believe me, we understand why people cling to these ideas despite personal experience to the contrary. Not only is the dream so appealing (more below) but this te...

Outro: A Closing Note On The Talent And Function Series

The cybersecurity technical conversation is mature. There are frameworks, certifications, vendors, and a generation of professionals who have built careers around the technical layer. The talent conversation is improving, thanks in part to voices like Eric Cole's that have pushed the industry to look honestly at how it recruits, develops, and retains the people who do security work. The conversation about how technology, talent, and organization combine to produce actual security outcomes is still developing. It happens when a CISO realizes that a technically excellent program is still being compromised through behaviors the SOC doesn't see. It happens when a board recognizes that the cybersecurity function is reporting metrics rather than shaping decisions. It happens when an executive team asks why the cybersecurity investments of the past five years haven't translated into the resilience they expected. The bilingual axis runs through all of these conversations. Cyberse...

Decisions, Decisions, Decisions, And Decisions

The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise. This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant. This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these ar...

Rethinking How Cybersecurity Work Gets Organized

Most cybersecurity organizations are structured the way hospitals organize specialty clinics. Discrete functional teams (SOC, IR, GRC, AppSec, vulnerability management, identity) each with their own leaders, metrics, and budgets. Work flows through routing and handoffs. The model builds deep expertise and clean reporting lines, and it is the structure most CISOs inherited. Its failure mode shows up at the seams. The acquisition integration that needs SOC visibility, IR readiness, GRC sign-off, and AppSec review of inherited code moves through four functions on incompatible timelines. The product launch that needs threat modeling, control implementation, monitoring tuning, and incident response plans gets each piece from a different team. The vendor onboarding becomes a series of parallel reviews that finish weeks apart. By the time anyone sees the whole picture, the picture has changed. The pattern isn't a failure of any individual function. Each function is doing its job. The patt...

The Other Half Of The Cybersecurity Talent Problem

Eric Cole recently published a piece called The CyberTalent Lie that is worth reading. His argument is that the persistent industry narrative about a cybersecurity talent shortage has become a cover story for avoidable strategic failures in how organizations recruit, develop, evaluate, and retain security professionals. He's right. Organizations have systematically eliminated entry-level positions, leaned on certification filters that exclude strong candidates, treated compensation as the lever for retention when exit data points to culture and mission, and excluded security leaders from the strategic conversations where their authority would matter most. His five-step rebuild -- audit credential inflation, restore early-career pathways, conduct honest exit analysis, elevate strategic positioning, protect the learning budget -- is the right prescription for the problem he diagnoses. The problem Eric describes is the 'supply-side' talent problem for the people who do se...