Every CTO and CISO knows the first job: defend the organization. Fewer recognize they have a second job that matters even more over time: build a team whose adaptive capacity outpaces the adversary’s rate of novelty .  As AI enables attackers to scale speed, variation, and deception, that second job is quickly becoming the first. This is not primarily a tooling problem --  it is a leadership problem . Here are three perspectives on that second job. What great CISOs actually build Phil Venables , former Goldman CISO and now Google Cloud's strategic security advisor, has spent years studying what he calls "CISO factories": organizations that produce a disproportionate number of successful security leaders. His finding is counterintuitive. It's not training programs, certifications, or formal development tracks, it's the daily behavior of the existing leaders: they pay attention to detail, they go deep occasionally, they validate things personally, they understand ho...

Sometimes a question gets asked so much that it gets a blog post, even if that question isn't at the center of what we do here at Pythia Cyber. Lately, one such question is "how does AI find cybersecurity vulnerabilities?" (We are also going to answer the underlying concern, which is usually "what can I do about this?") Generative AI has significant pattern-recognition capability. This means that AI can find not merely simple matches, such as matching "golden apple" with "This is the tale of the Golden Apple" but also subtler, deeper matches, such as "golden apple" with "Greek myths." Generative AI can only find patterns for which it has been trained. Once trained, that AI can only find patterns in data that has been fed into it. But after these two conditions have been met a decent AI is superhuman in its ability to find the patterns you taught it in the input that you give it. Let us say that you spun up a copy of your f...

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post  describes the cybersecurity tyrant model. The third post (this one) describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In the janitor model the cybersecurity function is subordinate t...

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post (this one) describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In my long career I have seen the tail wag the dog: I have seen o...

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's culture's attitudes toward cybersecurity hamper or help your cybersecurity program. The first post (this one) describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. I have been a janitor. I have also been a cybersecurity contribut...

I have a problem with conventional resume screening; I have mentioned it before . Especially automated resume screening. In my experience too many of the people  behind the screens are relying on two dimensions in setting up the bots: small chunks of text and keywords given to them by hiring managers. My problem is that I strain to see the link between how a resume is formatted (which chunks of text in which order) or worded (which words are in the chunks of text) or coded (which keywords are floating around) and hardcore technical talent. In fact, in my experience, the correlation is negative  by which I mean that I have seen topnotch technologists standing behind very ugly and badly worded resumes. I can see how one might hire a writer or a graphic designer based on how aesthetically pleasing a resume is. But I need convincing, with data, that this same methodology can spot  the kind of talent needed to succeed in cybersecurity. I have a particular distrust of keyword-b...