Posts

"DOA Products" And The Teams That Make Them

"Who asked for this?" One of the most fundamental questions in the design and development of any product or process stays open. It was true for the Ford Edsel and it's true for your team's activities. Yes, the number one question your executive leadership asks is whether we're 'safe.' Yes, AI is changing the rules. (Well, some of them.) Yes, you can do "more" with AI than you could do in the past. Who asked for this? One of the key functions of leadership is to identify customer needs and then align work processes to meet or exceed those needs, typically by organizing teams to accomplish more than in the past. A significant challenge in an AI-oriented environment, especially when AI-leveraging gangs are attacking constantly, is to create more products as a way to satisfy the AI itch while anticipating novel demands. The problem is, as Rich Mironov recently put it, you're creating "DOA products." According to Rich, implementation of AI...

Become Expert At Taking Expert Advice

A classic is something that everybody wants to have read and nobody wants to read--Mark Twain With apologies to Mark Twain, cybersecurity is something everybody wants to have and nobody wants to have to do. Over and above the sad truth that security is inconvenient is the sadder truth that cybersecurity touches the entire organization, so many of us are required to interact with cybersecurity without really knowing what it is or why it demands what it demands. Thus most of us either have to trust our cybersecurity team to have made the right trade-offs between convenience (productivity) and security, or we have to find a way to join the conversation without wasting anyone's time. (The second option is the one we at Pythia Cyber recommend, but it is difficult, which is why our cybersecurity consulting practice is half behavioral science and half classic cybersecurity.) As with so many other aspects of life in the rapidly-changing, technology-driven 21st century, finding the balance ...

Appreciation: Dr. Eric Cole

We take a moment to note the death of Eric Cole, PhD. We found his writing about cybersecurity to be enlightening, insightful, and thoughtful. RIP. (image credit: LinkedIn post)

Engineer The Shape Of Your Career

Sayings that seem to be true:
In life, the only things you can count on are death and taxes
The only constant is change
In the valley of the blind, the one-eyed man is king [modify re: gender & ruler terms as appropriate]
Here's a new one: You get to engineer the shape of your career. We write a lot about shaping your career. The emphasis is on you, as a cybersecurity professional, creating a career path for yourself while appreciating that frequently there is more of a bush than a path. Our approach grows from applied behavioral science because that community has a focus on career identification, management, and development. The fact that your career path is a nonlinear journey rather than a process with clearly defined stages and edges can be disconcerting. Yet it is so. Phil Venables is out with a new post at his blog on managing your career. Phil is an engineer, not an organizational scientist or practitioner. We will thus say that he is writing about engineeri...

Litany Of The Hacked: May 2026 Wrap-Up

Spring is over, back to the grind. The litany of the hacked is our listing of each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for May 2026: San Diego Community College…Canvas (technically, Instructure; Canvas is the product)…WhatsApp accounts of some US military personnel…Medtronic…Cushman & Wakefield…Trellix…MediaWorks…supply chains for NVIDIA…Foxconn…West Pharmaceutical…GitHub…7-Eleven…Charter Communications...Lithuanian government offices...Hartford HealthCare...various Microsoft products (via routers)... Attacks via vendors continue to be problematic -- for you & your company. The law and insurance worlds are starting to notice. Here's how Cynthia Kaiser puts it: "Ask your security and tech teams this week: 'If our top three vendors were hit with ransomware tomorrow, what data of ours would be at risk? Do our contracts r...

"The Future Ain't What It Used To Be"

Predicting the future is hard. As the great philosopher and baseball player, Yogi Berra, once put it: "It's tough to make predictions, especially about the future." A new hire is a prediction of the future. Over at Employment Group, a recent post of theirs put it this way in terms of predicting who would be successful as a new hire: "At its core, hiring is a signal detection challenge. You’re trying to answer one question: Who is most likely to succeed in this role, in this environment? But most hiring processes rely on weak proxies:
Resumes as indicators of performance
Interviews as indicators of fit
Experience as a substitute for capability
Without stronger signal, speed becomes dangerous—and slowness becomes inefficient. Neither solves the problem." It seems that it should be easier to find your new best hire. The answer to this problem is that this is a problem on your end. Bottom line, you're the one who's making it difficult. But you also b...

Passkeys

At Pythia Cyber, we dream of a world without passwords. True, adding two-factor authentication makes passwords less bad. But imagine a life without them at all. Ah, bliss. But what could replace them? Passkeys have a great shot at that. What is a passkey? The short answer is this: a passkey is a token generated on one end and verified on the other with Public/Private Key (PPK) encryption. Since most people are not comfortable with PPK encryption, we will start with a simple description of that and then get into how this kind of encryption can be used to replace the user ID / password model of authentication. The cool part of PPK is the fact that there are two keys: the public one that you publish to the wide world and the private one that you keep secret. The public key is used to encrypt a payload (whatever you want to share privately) and the private key is used to decrypt the payload. While encrypted, the payload is secure and only you can read it. Anyone can encrypt, only you can de...