Today, let's take a moment to appreciate the sacrifices of those who died defending democracy in service to our country. (image credit: https://www.abmc.gov/cemeteries-memorials/about-korean-war-monument-at-busan/)

Oh, sigh. It has only been 5 months since my last post on Zero Day Vulnerabilities  and now I am provoked by news of multiple such vulnerabilities in various Microsoft products . My post was about what that term used to mean, came to mean and means now. It was also about why reacting to these issues has become a potential vulnerability in itself. The short version of the definition is that "Zero Day Vulnerability" now means "you should do what you can about this vulnerability as quickly as you can." The short version of the dangers of panic is that panic is dangerous: just because you need to react to a vulnerability ASAP does not mean that you can cut corner or rush. Remember that not only are human beings prone to error when they rush but that evil human beings may try to exploit that tendency by offering corrupted patches which are, themselves, malware. The best way to be able to react ASAP without rushing is to plan ahead. Of course you cannot predict when any g...

Continuing on the theme of leadership -- would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren’t the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work amongst many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not leaders?  So many bad or wrong (or alarming) answers might come to mind for you, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest performing employee; I wanted the leadership job more than they did ; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...

We here at Pythia Cyber are big believers in rigor so we strongly recommend following a rigorous framework when building your cybersecurity program (CSP). We use the NIST CSF by default but we recognize that there are a few other frameworks which will also do the trick. We seek to season cybersecurity with behavioral science because human behavior is a huge but rarely addressed part of running a CSP. Those who run the CSP are humans. Those who follow the CSP are humans. Those who work to subvert or circumvent the CSP are humans. There is much that is NOT cyber in cybersecurity. There are few places along the path to a great CSP where being human is more evident than in the writing of policies and procedures. The point of these documents is to inform, not impress. The goal is to guide human behavior in times of stress, so clarity and accuracy are of utmost importance. Length or literary flourishes are worse than irrelevant, they are an impediment to being useful in times of stress and u...

Phil Venables' new post, Do you really know what's going on? , caught our attention from the start (quoting at length): Most leaders do not know the actual truth of what is happening. This is not because people are overtly hiding things or that leaders are ineffective, although sometimes it is both of those, but rather this is because of the “thermocline of truth” that I covered in this post. Organizations are full of cultural, structural, process, and other barriers that stop reality making its way to leadership.  When you started out in your career you probably felt constant frustration that the “higher ups” had no clue about reality on the ground. Even today, you probably feel frustrated that peers in other organizations are clueless to the reality you know, or even in many cases that you know their teams know but are failing to push up to their leader.  When you become progressively more senior it’s easy to forget this experience and get in a position where you believe you...

Brendan has been writing about internal candidates, and we thought we'd enter the fray. There are upsides and downsides to building your talent pool v. external hiring & hoping it works, as Brendan noted. This post is about the internal pool. Integral to the buy/build decision are answers to the following questions: You've created a talent development process (I mean, you've done that...correct...?) You've invested in not only the identification but the acceleration of your people's performance (ditto...?) You're focusing on a talent-based performance management culture, not one that rewards surviving We've written about how this could happen. In brief you must: Intentionally create a newcomer socialization process Measure and monitor performance to get people to the point where they are considered for promotion "[You need to] manage the person's development intentionally so that they leverage their talents to perform. That happens through thr...