Posts

We Said/He Said: Protecting The Wrong Things

Image
Ross Young came out this weekend with (another) excellent essay. It aligns completely with what we say here at Pythia Cyber. The topic is aligning what your cybersecurity team protects with what the business needs protecting. I'm pasting in Ross' main slide as it's excellent. These are what different stakeholders want in terms of "protection." Note that first what they want differs maybe from what you think they want. Second, what it takes to protect what different stakeholders want protecting is different. Third, and this is critical you need to do all of this. We'll expect the tech leader to know how to protect different systems using different processes. The point from a behavioral science perspective is that tech leaders need the talent to get to know who wants what protected. It's not good enough to presume that you know better, or you have heard it before. Talented tech leaders deliberately create engagement with stakeholders to learn so that there...

We Said/He Said: Quality Candidates Are Not Always Quality Hires

Image
Let's continue on our talent roll! Time for a focus on the talent acquisition function. Question: suppose you had 50 applicants for an open position. Which of the following describes how you will decide which candidates move on in the process? A. Toss all the candidate resumes onto the stairs and see which fall to the lowest step B. Check their social media to weed out whackos, and everyone else moves on (assuming anyone's left) C. Look for candidates with the most impressive-sounding biographies -- the 'right' elite universities, the 'right' elite credentials, same job title, etc. D. Do a preliminary screening interview to see whether the candidate seems like a real human being who actually did what they said v. some AI-generated candidate. All of these approaches are based on the idea that a "quality candidate" is going to become a "quality hire." This is a false belief. We see this all the time. The belief system is that all the candidates...

Getting Better Tech Leadership Means You're Going To Need To Be -- Or Find -- A Better Tech Leader

Image
This week we've covered the role of upskilling through deliberate practice, which is how you get a 3.61x multiple return on investment. We covered intentionally applying your practice in becoming more open-minded about aggregating services in your practice. We covered expanding your list of tech risks to cover wellbeing .  Not done yet! Many organizations do a talent audit. This includes leaders, and people who want to become leaders.  Organizations that are serious about leadership will do assessments. About 70% of leadership assessments happen at the individual -- i.e., you -- level; about 20% do team-level assessment, and the rest is some combination of those and a 360-degree/in-depth interview assessment. (Organizations that are less serious about leadership will only do surveys, such as "the annual employee survey." Which is good only if action is taken based on results -- much like deliberate practice. Otherwise it's a ritual.) I have included here a chart abo...

Managing Tech Work Risks -- Not Those, These

Image
Phishing scams? Cake! AI-based cyber-attacks? Sure! Quantum apocalypse coming at ya? You got it! Return to the office mandates, 80-hour work weeks, constant threat of layoffs? But of course! Workplace wellbeing?  Workplace wellbeing, come in workforce wellbeing... Your cybersecurity workplace is lacking in workforce wellbeing. The term wellbeing can be defined as follows: "[It] is a measure of how well life is going for someone. In the broadest sense, it covers the balance of all positive and negative aspects of a person's life. More narrowly, it refers only to positive degrees and contrasts with ill-being, which denotes negative ones. In this sense, well-being is what egoists typically seek for themselves and altruists aim to enhance in others, serving as a central goal of many individual and societal endeavors. Researchers discuss different types of well-being by how they are measured, who they belong to, and which domain of life they affect. Subjective well-being refers to...

Tech Leadership Is Not Going To Wait For You To Learn How To Be Effective

Image
We've seen several thought pieces recently on the future of technology leadership. The bad news is that it's evolving probably faster than people can cope with. The good news is that the future of technology leadership is creating opportunities for leaders who deliberately work at being effective. I like how  James Azar  put it: "Modern business isn’t built anymore. It’s integrated." That's right. Your AI models, your platforms, your security systems -- all of it is on an 'as-a-service' model. That creates modularity compatibility challenges. It also creates team utilization challenges and possible threats from over-servicing especially when supply chains are added.  Over at Deloitte Consulting  they think a lot about agentic AI. Here is their key chart: As they put it (quoting at length): What’s clear is that the underlying shifts aren’t happening in isolation. They operate across every layer of the tech stack: computing, coordination across agents and da...

How To Upskill Yourself (Or Your Team) In Cybersecurity

Image
The old joke goes like this: "How do you get to Carnegie Hall?" "Practice, practice, practice." Speaking of, the great pianist Vladimir Horowitz -- who played Tchaikovky's Piano Concerto #1 at Carnegie Hall in April 1943 as a WWII bond fundraiser, a performance that is still a masterpiece -- once said that if he didn't practice for one day, he would know it, and if he didn't practice for two days the whole world would know it. How about you?  Be honest in answering this question: how have you improved yourself as a cybersecurity professional in the past year? To get ahead of things, the wrong answer is along the lines of "I listened to some podcasts" or "I attended an industry event." The challenge in answering this question is that you had to change something. If you do not now do things differently than you did before, you did not develop yourself as a cybersecurity professional no matter what you think. Disclaimer : connecting wit...

Happy Semiquincentennial!

Image
You may have been around for the bicentennial...maybe you'll be here for the tercentennial...but seize the semiquincentennial while you have it! (image credit: After Jasper Johns, Public domain, via Wikimedia Commons)