Like everyone else, we get asked "what's your elevator pitch?" We always have one, but we find it a useful exercise to revisit and revise ours to better fit this ever-changing world of cybersecurity. Here is our latest elevator pitch. Cybersecurity is a risk management function. Management is mostly about people. Many Cybersecurity Programs (CSPs) are rigorous and based on a valid, tested foundation such as the NIST CSF. Few CSPs have been implemented with an eye to how the people involved will behave. We help you make your CSP more effective by making it more rooted in human behavior. Running a CSP is like putting on a play: a good script is a necessary but not sufficient condition for a good performance. A single good performance is nice, but that does not make a successful run. Having good policies and good procedures based on those policies is a fine start, but if your cast and crew don't deliver then you don't have good cybersecurity. Those of us who have see...

A previous post decried the sad state of the common company-wide mandatory annual cybersecurity training. This training is ineffective and sometimes even counterproductive. We say "counterproductive" in that it reduces cybersecurity awareness to mindless adherence to simple rules such as "don't click on stuff in email." In that post we talked about what we feel such training should contain . In this post we will describe what we feel such training should achieve . Cybersecurity training for the masses should enlist those masses in the cybersecurity cause. Instead of hoping that people don't do anything dangerous the goal should be reports of oddness, of the unexpected or the strange. As dull as it sounds, looking into the odd, the unexpected or the strange is a great way to track down actual problems. For example I recently saw an email that was very sophisticated  spear phishing attack. This email was shown to me as a curiosity by another IT professional....

A colleague recently tried to be polite about Pythia Cyber's willingness to help organizations overhaul their annual mandatory company-wide cybersecurity training. She was polite but persistent in her questioning the wisdom of this move. Her comments became ever sharper though. Such training is usually a fig leaf for insurance reasons, Nobody takes it seriously. It doesn't accomplish anything. All such training I have ever had has been boring and useless and even a little condescending. I agreed that all of the observations were usually true. So then she tried a different tack: why is Pythia Cyber's training any different? This was a very useful question. Our training is different because our goal is to improve cybersecurity rather than checking bureaucratic boxes. Instead of the scolding tone and the list of dumb things to avoid doing, we use the NIST CSF to frame enlisting your people in the cybersecurity cause. We recommend that you start by surveying your people to find...

Givens: 1. You need a cybersecurity strategy 2. You're investing in AI Therefore, you need an AI-oriented cybersecurity strategy. An AI process or platform is not the same thing as an AI strategy. As Brendan notes frequently (e.g., here ), the NIST CSF endures because it anticipates and outlines the need for a strategy. As you work through the NIST process in developing your AI cybersecurity strategy, you can anticipate that the integration of AI into typical work functions is meant to create productivity. The implication is that your AI strategy needs to anticipate growth in utilization and use cases. Remember, the bosses spend money on AI because there is an anticipated return on investment, and the same bosses expect your shop to create a secure environment for the AI.  How would you develop an AI cybersecurity strategy? Think of the development of your AI cybersecurity strategy as part of your AI platform purchase. The upside is that you don't pay for it per se , though you...

Here at Pythia Cyber we engage in real-world consulting. We don't provide you with theoretical solutions to real-world problems. This means that we really try to avoid cool-seeming (but actually useless) topics like "AI and Cybersecurity in 2026." Eye-catching as these headlines are, they either presage a bland and shallow take on a complex issue or they make deep and simplifying assumptions. An example of the bland take is "AI is going to super-charge the cybersecurity threat environment in 2026!" An example of the deep and simplifying assumption is "AI is going to make all phishing into spear phishing in 2026!" You might as well ask "what about electricity and cybersecurity in 2026?" Well, lots of things in cybersecurity will be affected by electricity in 2026, to a high degree; what will thinking about this do to help you protect your digital assets? Not much. Here in the real-world we know that we cannot take perhaps the most general-purp...

Your life as a cybersecurity professional, especially as a cybersecurity leader, entails managing risk. There are external risks (a.k.a. hackers), there are physical security risks, there are budget risks, there are organizational risks and there are technology risks. Your employees -- moreover, your best employees -- are a risk. So sayeth CISO Tradecraft ®  Newsletter  (CTN) this week. Their rationale is clear: "The hard truth for modern leadership is that AI has democratized capability so thoroughly that your entire organization, not just your engineering team, can now generate production-grade risk at machine speed." We  just finished summarizing Rich Mironov's latest post, ' Code isn't product ,' that landed on a strikingly similar note: faster code production leads to "DOA products" because there is not consideration of what customers actually want, you're simply turning over more code to demonstrate activity with a mindset that activity ...