Here's a safe bet: even though you know what your annual spend on vendor support is, and how much you spend on coffee machine pods, you don't know what it costs to back-fill one bad CISO hire. Let's define terms. The term CISO "refers to the most senior security leader accountable for an organization's information security strategy, program execution, and risk management" ( 2026 Global CISO Leadership Report ). According to the same report, the level down from CISO in typical organizations is Deputy CISO or "NextGen," "[L]eaders who translate CISO strategy into operational execution, combining strategic alignment with hands-on program leadership. They typically manage teams of 5 to 50+ security professionals within their areas of specialization." About a third of CISOs report to CTOs or a comparable title, which means that about two-thirds report to some other nontechnical executive or the Board (which is also nontechnical).  Right off as p...

Pythia Cyber realizes that many a cybersecurity battle is won or lost long before the attack. Cybersecurity is about forethought, not reaction. But must as we love a good set of NIST CSF policies and procedures, we recognize that your cybersecurity program is only as good as the people who implement it. Therefore we offer consulting to help you find, hire and retain the right people. The right people are the people who will do the best job in your specific environment, both now and in the future. How do we do that? We use proprietary instruments to measure applicants talents because when it comes to building and maintaining teams, Talent-based hiring is better than Skills-based hiring and both are better than Certification-based hiring. Why is that the case? Because of The Problem we all know about but so rarely talk about. The Problem for technology in general the pace of change is so great that relying on what someone did a while ago (for which they received certification) is not a g...

Eventually your system will be compromised beyond your capacity to deal with it. What you do from a systems perspective is part of your growth curve. So is your emotional and behavioral path. As a cybersecurity professional, you can feel over-invested in your defense processes and systems. A systems compromise can feel disorienting and hard to accept. Maybe you could have done something more; maybe they were better; maybe it was something so obvious! We saw a recent piece in the New York Times (behind paywall) on how Olympic athletes deal with disappointment that seemed to capture this sort of scenario. It's abstracted here because the lessons Olympians learn are hard-won and eminently transferrable to other elite performers such as cyber-defenders. 1. Learn resilience . "Just as psychologists have athletes visualize their wins, they also ask them to imagine all the things that could go wrong, and how they’ll respond." 2. The power of purpose . "The best athletes se...

He's BAAACK! Bushan Sethi posted his talk from a presentation I attended last week in Las Vegas -- this picture might be from there, who knows. We've mentioned him before . Other than pictures of cats, Bushan seems to fill the Internet void. The goal of his presentation was to focus us on 'no-regrets moves' in the Time of AI. These recommendations are good for cybersecurity professionals too. I'm posting an extended quote -- his recommendations here, which are a lot less creepy than "move fast and break things": Think like an economist : Understand the macro and the micro - whether it's impact on AI on labor markets to challenging assumptions included in business case investments - whether they be about adoption, data architecture or investments in compute capacity. Think like a scientist : Use data and evidence to test hypotheses about what works in AI adoption and human-AI collaboration. Run hackathons - push the organization to generate ideas. Be co...

Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need. These will sound familiar to our blog readers! We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself.  We're going to frame this in terms of the labyrinth. We've discussed that previously . It's not meant to be a mystery, but instead, a journey.  Prelude: Why must CISOs learn new skills? "Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not. When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental." Part 1: What are these skills? As per Eric -- & us & Rich Mironov ): Skill #1: Business Risk ...

All of us get distracted by the bright shiny object. It seems luminous and irresistible, shining out in the darkness, beckoning. Admit it: AI is your current bright shiny object.  We keep an eye out for cybersecurity & AI material. Sometimes we run across posts that are excellent and we feel the need to create more community by bringing them to your attention. Here's one such post from LinkedIn by Val Tsenev . It deserves your time. I've boiled down his post to this question: What do CISOs want from AI? 1. Measurable risk reduction . What risks does the AI platform mitigate and how? 2. Explainability & auditability . As Val says, "Black-box AI is a liability, not an asset." 3. Integration into their existing workflows . It cannot stand alone. 4. G overnance and human oversight . There is always a person somewhere on, in, atop, or something the loop. Val concludes: "CISOs aren't rejecting AI. They're rejecting AI that's irrelevant, unvalidated,...