Posts

How You Could Manage Performance Better

We discussed in the first part of this process that all organizations need to manage the performance of their employees at all levels. And, at the individual contributor level, performance management is critical. That was the 'why.' Now let's discuss 'how.' Performance management is a process. It is often confused with the outcome -- a rating or narrative review used in conjunction with an organizational decision such as incentive pay or promotions, or, as a rationale for developmental/corrective/punitive actions. Thus, it is a high-stakes process with multiple potential consequences for both the individual and the organization. In many ways, performance management is like managing tree growth. As in the picture above, taking on a new hire -- a sapling -- means you need to find the right place for it, set it up for success, tend to it. And sometimes the performance management process means you remove longer-tenured trees that have lost their vitality or their role...

Performance Management: Second-Lowest Only To Colonoscopies In Terms Of Popularity

As much as we talk about talent here at Pythia Cyber, or the NIST CSF, or AI, eventually you need either to perform, or manage performance, or collaborate with other executives to calibrate performance across the organization. That's right, it's time to talk performance management. In this post we'll discuss the 'why,' and in a later post we'll discuss 'how.' Let's start with the baseline. Maybe 1% of anyone who has been an employee or contractor at any organizational level wants to discuss performance management. At the same time, it's a business-critical conversation -- maybe existential -- in a field such as cybersecurity. Here is my friend Steve Hunt on performance management. Steve was a VP at SAP at the time he wrote this piece, probably the best ever written on performance management. The key part is here (quoted at length): Performance management is both difficult and necessary. Performance management is difficult because it add...

Litany Of The Hacked: March 2026 Round-Up

No joke, folks -- time for the litany of the hacked! The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for March 2026. Unfortunately we have a lot of new members of the litany, and to a significant extent this happened because of military actions in the Persian Gulf. You can be positive that there is no reason to think that cybersecurity is going to get easier from here on out. As Megi Benia puts it on her blog: Deterrence assumes identifiable actors, clear intent, and thresholds that trigger response. Iran’s use of ransomware deliberately undermines all three:
- Attribution is blurred through proxies and criminal partnerships
- Intent is dual-use, combining profit, disruption, and signaling
- Activity remains below the threshold of armed attack
The implication is not just tactical but strategic. If ransomware c...

The Sins of the Past

In Dickens's A Christmas Carol we are given one of the greatest metaphors of all time. When Scrooge is visited by the ghost of his old business partner, Jacob Marley, he finds that ghost trailing all things that Marley's greed goaded him into possessing: money boxes, transaction ledgers, padlocks and even heavy deeds. When Scrooge asks Marley where the chain came from, Marley's answer is chilling: I wear the chain I forged in life. I made it link by link, and yard by yard; I girded it on of my own free will. Believe it or not, this sprang to mind last week when I learned that current FBI director Kash Patel had some of his personal emails leaked by enemies of the state. Iranians? Russians masquerading as Iranians? Iranians with Russian help? Who knows. The point is not specifically who did it. The point is not the rather banal and inane content. The point is not that the content was from a while ago. The point is that we all wear the digital chains we forge in life. We m...

Accuracy And Precision in Cybersecurity

I am a fan of sketchplanations.com in general and this sketch in particular caught my eye for two reasons. First, I love me some hair-splitting (ask me about the difference between "virulent pathogens" and "infectious pathogens"). Second, this gives me a great way to talk about a big deal in cybersecurity. Before diving into that big deal I want to apply the point of the sketch to cybersecurity. The field of cybersecurity is a branch of Risk Management. The people running the organization have to set priorities and budgets. The people running the organization have to sign off on the policies which decide which risks are worth mitigating. The people running cybersecurity have to write procedures which implement those policies and then police activity to ensure that the procedures are active and effective. By analogy, the policies are accuracy: are you trying to protect what you need protected? The procedures are precision: are you effectively protecting whatever it ...

It Takes A Lot Of Cyber-Something To Make Nothing Cyber-Bad Happen

Everyone wants to be successful. Defining what "success" is may vary person to person, and deciding whether someone is successful may not be up to any of us, but we can find contentment and professional pride in everyday work over a career. It's very difficult to define success in a career such as cybersecurity apart from the big picture issue of "nothing happened." Ultimately, if "nothing happens" you are successful, because nothing bad happened. But for cybersecurity, "nothing bad happened" is not the same as "nothing happened." In fact "nothing bad happened" because something good happened in cybersecurity. Lots of "something" may be happening as a matter of fact and success means that none of it resulted in a win for your adversaries. Lack of IT or cyber-systems failure is a sign that your cyber-defense processes performed well. Let's focus on that. Cybersecurity is the process by which you create maximu...

You Cannot Solve Your Cybersecurity Leadership Problem Simply By Interviewing Differently

We read a recent post by Tracy Lawrence that gave us hope for a better cybersecurity leadership hiring process...until the end. But the journey through her post is worth your time as long as you take a detour. As Tracy notes: For decades, a long track record has been the gold standard for executive hiring. In today’s disruptive business environment, over-indexing on experience may actually be working against you. As an executive recruiter and CEO coach, I’ve seen the same well-intentioned mistake play out more times than I can count. Boards and senior teams filling critical leadership roles focus on the candidate with the deepest industry background, the longest tenure, the most impressive titles. They’ve ‘seen it all before.’ On paper, they look like exactly the right hire. Then, six months in, the organization is struggling. The new leader keeps reaching for solutions that worked in their last job, even though the current business environment has moved past them. Go Tracy Go! ...