Posts

Beware "All or Nothing"

Image
The technological base of most modern networking is rather naive with respect to security. It was created on the assumption that connection was good and that networks exist to transmit data and facilitate access to resources. Ah, the innocence of those simpler times. The same was true of most software: it was written to be used. Once you logged into the mainframe or minicomputer or departmental server, you were authorized to do whatever there was to do. The original PC environments had no authorization at all: you turned them on and started typing. This history means that an awful lot of technology's original authorization scheme was "none at all."  Adding authorization has not been easy, especially in a client/server environment. In a client/server environment we rarely can be certain of the other end which makes trust difficult to establish and maintain. Early authentication was based mostly on permission schemes layered on after logging in. Early sys admins used permis...

The Right Exceptions to the Rule

Image
I want to expand slightly on a recent post of Ted's entitled We Said/He Said: Protecting The Wrong Things . That post takes a high level look at the problem of protecting the wrong things in your cybersecurity program. This post takes low level, nuts-and-bolts look at the same problem. I know from personal experience that there is a lack of continuity between the C-Suite and the lower echelons. By personal experience I don't mean decades ago, when I was a humble computer programmer; I mean yesterday because I am still a (part-time) humble programmer. At every stage of my career I have continued to be a technical contributor at the same time I was advancing. This started out as a temporary issue caused by a career transition but this duality is so useful that I made it a feature of my career. (This isn't as odd as it might sound: our local ambulance company requires its senior staff to ride the vehicle one weekend per month and our local hospital requires their senior staff ...

Cybersecurity Lessons From Lab Med Autoverification

Image
I want to recommend this article to my fellow cybersecurity professionals: https://thehackernews.com/2026/07/thinking-fast-and-slow-in-soc-case-for.html It does a nice job laying out reasonable roles for AI (pattern-matching donkey work) and human co-pilots (distinguishing the abnormal from the malevolent). Since a big part of why Pythia Cyber exists is to get more people in management to see cybersecurity as part of their job, I am going to write the rest of this post as a way to explain this strategy by way of an analogy that is not based in cybersecurity. Once upon a time I consulted to the laboratory medicine department of a large academic medical center. A large clinical laboratory is not a monolith, it is a conglomeration of different focus areas such as Immunology, Hematology, Chemistry, Virology and some other more obscure areas. The goal was to interface automated analyzers to the Laboratory Information System (LIS), but not directly because it was common wisdom that a qualifi...

We Said/He Said: Protecting The Wrong Things

Image
Ross Young came out this weekend with (another) excellent essay. It aligns completely with what we say here at Pythia Cyber. The topic is aligning what your cybersecurity team protects with what the business needs protecting. I'm pasting in Ross' main slide as it's excellent. These are what different stakeholders want in terms of "protection." Note that first what they want differs maybe from what you think they want. Second, what it takes to protect what different stakeholders want protecting is different. Third, and this is critical you need to do all of this. We'll expect the tech leader to know how to protect different systems using different processes. The point from a behavioral science perspective is that tech leaders need the talent to get to know who wants what protected. It's not good enough to presume that you know better, or you have heard it before. Talented tech leaders deliberately create engagement with stakeholders to learn so that there...

We Said/He Said: Quality Candidates Are Not Always Quality Hires

Image
Let's continue on our talent roll! Time for a focus on the talent acquisition function. Question: suppose you had 50 applicants for an open position. Which of the following describes how you will decide which candidates move on in the process? A. Toss all the candidate resumes onto the stairs and see which fall to the lowest step B. Check their social media to weed out whackos, and everyone else moves on (assuming anyone's left) C. Look for candidates with the most impressive-sounding biographies -- the 'right' elite universities, the 'right' elite credentials, same job title, etc. D. Do a preliminary screening interview to see whether the candidate seems like a real human being who actually did what they said v. some AI-generated candidate. All of these approaches are based on the idea that a "quality candidate" is going to become a "quality hire." This is a false belief. We see this all the time. The belief system is that all the candidates...

Getting Better Tech Leadership Means You're Going To Need To Be -- Or Find -- A Better Tech Leader

Image
This week we've covered the role of upskilling through deliberate practice, which is how you get a 3.61x multiple return on investment. We covered intentionally applying your practice in becoming more open-minded about aggregating services in your practice. We covered expanding your list of tech risks to cover wellbeing .  Not done yet! Many organizations do a talent audit. This includes leaders, and people who want to become leaders.  Organizations that are serious about leadership will do assessments. About 70% of leadership assessments happen at the individual -- i.e., you -- level; about 20% do team-level assessment, and the rest is some combination of those and a 360-degree/in-depth interview assessment. (Organizations that are less serious about leadership will only do surveys, such as "the annual employee survey." Which is good only if action is taken based on results -- much like deliberate practice. Otherwise it's a ritual.) I have included here a chart abo...

Managing Tech Work Risks -- Not Those, These

Image
Phishing scams? Cake! AI-based cyber-attacks? Sure! Quantum apocalypse coming at ya? You got it! Return to the office mandates, 80-hour work weeks, constant threat of layoffs? But of course! Workplace wellbeing?  Workplace wellbeing, come in workforce wellbeing... Your cybersecurity workplace is lacking in workforce wellbeing. The term wellbeing can be defined as follows: "[It] is a measure of how well life is going for someone. In the broadest sense, it covers the balance of all positive and negative aspects of a person's life. More narrowly, it refers only to positive degrees and contrasts with ill-being, which denotes negative ones. In this sense, well-being is what egoists typically seek for themselves and altruists aim to enhance in others, serving as a central goal of many individual and societal endeavors. Researchers discuss different types of well-being by how they are measured, who they belong to, and which domain of life they affect. Subjective well-being refers to...