Posts

Showing posts from March, 2025

A "Cost-Benefit Analysis" Approach Brought Europe's Busiest Airport To A Halt. Is Your Cybersecurity Built On "Cost-Benefit Analysis"?

(image taken from https://www.express.co.uk/news/uk/1543817/Heathrow-emergency-Flight-diverted-British-Airways-plane-Dubai-London-police-latest-upda ) Oopsie! The "cost-benefit analysis" mindset strikes again. On 21 March 2025, the North Hyde electrical substation, which serves Heathrow Airport, failed after a fire. This failure caused the airport to cease operations until back-up systems could be manually checked and brought online. This process took about 18 hours. Many kudos are due the engineers and first responders who accomplished this task. As The New York Times put it a few days later: "A gleaming new data center sits less than half a mile from the electric substation where a fire plunged Heathrow Airport into darkness last week. The data center's own power was also cut that day. But no one who relied on it would have noticed, thanks to a bank of batteries and backup generators designed to kick in instantly. Meanwhile it took officials at Europe's busiest airport close to 18 hou...

Four Questions

At Pythia Cyber, we believe there are four questions you need to answer to know and manage your cybersecurity risks and options: 1. What needs protecting? 2. How do we create systems that keep us secure? 3. How do we get our people to support this process? 4. How do we adapt to the next threat? Think for a minute: Systems. Infrastructure. Servers. Peripherals. People. Data. Materiel. Customer information. Employee information. Credit card information. Secrets. Personally identifying information. Personal health information. Financial transactions. Isn't all this worth protecting? Isn't your business worth protecting? Isn't your reputation worth protecting? Now answer these questions: What needs protecting? How do we create systems that keep us secure? How do we get our people to support this process? How do we adapt to the next threat? As a successful businessperson, an IT professional, an HR practitioner, or as a prospective investor, you know it's all worth protectin...

Who Are You: AI Will Disrupt Your Cybersecurity Complacency

The hottest LinkedIn post right now is on an artificial intelligence (AI)-based "job applicant" that can pass as human -- unless you know how to defeat it. The next hottest AI agent right now is Manus. A few weeks ago the hot new platform was DeepSeek. We don't have any association with Manus or DeepSeek, we don't provide legal advice, etc. -- but open-source agents such as these, which run on 1 GPU (not thousands of GPUs), are going to become the norm. What are the AI implications for cybersecurity? 1. Botnet and AI agent attacks. The attacks will not only target you (see the AI-based job applicant post above and the TikTok notice*), they will target your customers and clients by spoofing your site. Will you be able to know whether a customer call requesting account information is real? 2. Anticipating how to defeat attacks. If you don't plan on joining (or being assimilated by) them, you need to beat them. And keep on beating them. 3. Balancing the risk of AI attac...

It's the Behavior, Stupid

As part of Bill Clinton's 1992 run for the office of President of the United States, one of his advisors gave him a pithy piece of advice that became so famous it has its own Wikipedia page: It's the economy, stupid. The recent scandal over highly classified material being accidentally leaked to a journalist (pick a news source you like and this scandal was covered: CNN, AP, Fox, whatever you like) is a prime example of how risky behavior is...(drum roll please!) risky. To sum up the situation as neutrally as I can: a high US government official decided to go outside of secure channels to have a group chat; that same official accidentally included a journalist in the chat (confusion over contact name?); another official posted secrets to that group; the journalist revealed that this had happened; many government officials denied that the material was sensitive; to prove a point, the journalist published the material, which was indeed sensitive; many government officials denied th...

Behavioral Cyber Security History Lesson: Enigma

A large part of why we founded Pythia Cyber was the rueful recognition that human behavior plays a huge part in whether or not Cyber Security is effective. Many of us who work in the trenches find this observation painfully obvious, but to everyone else this claim seems far from obvious. Examples help, but we have to be careful not to publicize our colleagues' or our clients' mistakes in the name of clarity. Luckily there is an example from history where all the people who might be embarrassed are dead (and were on the losing side in World War II). Behold! The mighty encryption engine known as "The Enigma Machine." This was the best that early-to-mid 20th century technology had to offer in the way of data protection. It was used to keep private communications private, mostly by governments to secure diplomatic messages or intelligence reports which were being transmitted home from abroad. If you are interested in encryption, it is well worth the research to get the ...

Integrated. Scalable. Trusted. Self-Sustaining.

We are often asked what a Cyber Security Program is supposed to be. Here is the short answer: Integrated. Scalable. Trusted. Self-Sustaining. At Pythia Cyber we believe that these are the attributes of a functioning Cyber Security program that is delivering on-going value. Integrated means that your program is part of people's decisions and actions. The priorities come from the top, are understood by management and executed by the rank-and-file. Scalable means that, thanks to the integration, your program grows as you grow, taking you out of the outgrow / catch up later cycle that leaves so many organizations vulnerable. Trusted means that your program produces evidence that is comprehensible to non-technical leaders. You trust the program because, at every level, the program is verified in ways that make sense to the level above. Self-sustaining means that you have a process that supports the program. You have a process that you constantly apply to keep the program up to date. If yo...

Trusted: Proof vs Faith

At Pythia Cyber, one of our founders likes to distinguish between faith-based Cyber Security and evidence-based Cyber Security. In either case you, the senior management of the organization, trust that Cyber Security is being done and done right. Faith-based trust is based on the fact that it is Someone Else's Problem (usually someone in the IT department) and you generally trust that someone else. Evidence-based trust is based on the fact that you have been shown evidence by those you manage, who have been shown evidence by those they manage, until you get down to the person actually doing the work. And at every tier of this cake every subordinate offers appropriate evidence which is understood by the superior. If you require that it be proved to you, then you can prove it to others, should the need arise. What others? Your superiors. Your business partners. Your clients or customers. Your insurer. Your investors. Your bank. Note that we do not advocate the same proof at every...

HR And Cybersecurity: More Yin Or Less Yang?

You know what other people in the organization think of you: reactive, never available, poor 'people skills,' a cost center and not a revenue producer, not strategic, needs a lot of training, easily out-sourced. Yes you, IT, that's what people think of you. Oh wait -- you thought this post was about Human Resources! We at Pythia propose that cybersecurity and HR are inseparable. Check our posts about social engineering, ransomware problems, the Enigma machine, etc.: bottom line, you cannot have cybersecurity without HR. We also propose that there are cybersecurity problems because organizations have HR functions that are not aligned with cybersecurity functions. And there you have it: HR and IT are the yin and yang of organizations. What does all that mean for HR and for IT? A fundamental rule of being a business partner in any organization is this: you (or the function you lead) must be able to show metrics regarding how you increased revenue or profit, or minimize...

Cybersecurity And Leadership: Part 5, Supervisors

There are two statements that seem contradictory but are both true: The best cybersecurity defense in terms of employee-initiated actions (v. external agent-initiated actions) is the first-line supervisor.  The most likely cause of employee-initiated cybersecurity actions (v. external agent-initiated actions) is the first-line supervisor.  Significant empirical research on the impact of managers and leaders on organizations shows that supervisors at any level who are not able to focus their direct reports on task performance, who are not able to create an inclusive environment, who don't provide feedback, or who are not putting their direct reports in positions where they get to do what they do best every day, reap the rewards: poor performance, turnover, employee theft, and loss of customers. All of these negative outcomes set up organizations for cyber-related incidents. Why? Because, as Dr. Chloe Wilson has demonstrated , people who feel that their employer "owes" the...

Cybersecurity And Leadership: Part 4, Middle Management (a.k.a. Platform Managers or Program Managers)

(picture and food styling by やましこ - Sandwich Cross-section, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=110787140) Of all the positions of leadership in any organization, middle management may have the greatest impact on cybersecurity. These leaders go by many titles -- middle managers, platform managers, program or project managers -- and share the following role-based attributes: Their authority is narrow, but their organizational influence is both broad and deep. Unique in many respects is that their work is done through other leaders, through direct reports, and through their own expertise. Finally, their jobs almost always involve spending money or saving money -- rarely do they "make money." Here are some implications of this role. First, they need to find allies in CTOs/CIOs (for 'top-cover' and funding), peers, and clients. Second, they need to create metrics that demonstrate their impact. They were hired for their expertise, but quickly be...

Cybersecurity And Leadership: Part 3, Executives

Executive leaders set the vision, tone, and mission for their organizations. They are accountable to Boards, and, in conglomerates, HQ-based executives; some are accountable to investors, shareholders, etc. for either revenue growth, market share, or mission accomplishment.  Why are executives responsible for cybersecurity, and responsible to whom? CTOs/CIOs and CEOs clearly share both authority and responsibility for cybersecurity. Most obviously a CTO/CIO is ultimately accountable and responsible for cybersecurity in a way that a CFO would not be. The CEO has the statutory authority to direct the CTO/CIO to implement cybersecurity processes and programs. Executives achieve results through subordinate leaders. If there is no middle-manager, e.g. a  CISO, who is accountable for implementing and maintaining a cybersecure organization, has the CTO/CIO outsourced cybersecurity to Big Consulting Company and how is that relationship managed? Or, if you prefer, why is the CTO/CIO ha...

Cybersecurity And Leadership: Part 2, The Board

Though, unlike corporate leaders, Board members are neither directly accountable nor directly responsible for cybersecurity, they are nevertheless part of the corporate cybersecurity ecosystem. Because we're talking about human beings, it's understandable that some members are chosen because they are friends or relatives of the Board Chair, or check some box (e.g. the union member on the board). In terms of function, Board members provide perspective for the corporation's executives, and have a duty to hold executives accountable for performance. Part of executive performance involves cybersecurity. Some Board members serve on multiple boards or are executives in other corporations. They know people who know cybersecurity, even if those resources are not directly known by a particular corporation's executives. When we're talking about cybersecurity, then, it is their job description to ensure that executives are exercising due diligence to achieve corporate goals while maintaini...

Cybersecurity And Leadership: Part 1, We Mean All Leaders

When we say that "all leaders are responsible for cybersecurity," an immediate reaction might be: no, that's what I hired the CISO to do; or, no, I can't do that because I don't have the (budget or support or time or systems or staff or whatever); or, no, we pay Big Consulting Company to do that. All of these knee-jerk reactions are wrong in different ways. In this series we will explore what every leader's responsibility is for cybersecurity at the level of leadership they hold. Our position is that cybersecurity is everyone's business, and when we're talking business, we're talking about leaders and leadership. Let's start by outlining who is a leader in any typical organization. Your organization/company might call these roles different things but that's window-dressing. Board member: someone who has responsibility for overseeing the performance of executives, and whose own job involves having broad awareness of corporate goals, strat...

Evil Social Engineering Can Be Defeated And There Is A Science For That

A traditional cybersecurity attack involves targeting people with authorized access to information technology to get them to allow people who do not have authorized access to gain access inappropriately. It's called "social engineering" and it works well, historically, as a means for criminal activity or inappropriate use of the host organization's compute. Social engineering works because the attacker has found a way to manipulate the target to do something they should not do to the benefit of the attacker. It does not have to be that easy. Ultimately we don't know how effective social engineering is because the attackers are not going to engage in A/B experiments. We know that social engineering is effective because there is a low barrier to entry -- much like CBD & vape shops, there are more attacks every day -- at almost no cost and with a tremendous upside when it works. (Sophisticated state-sponsored actors that hack tech companies or federal go...

Crime and Crypto

In this blog we have been mentioning ransomware frequently of late and this has caused people to ask about cryptocurrency, because ransoms are almost always paid in cryptocurrency. If you squint this is sort of on topic so here you go, for all you crypto-curious readers: a blog post about cryptocurrency, as it relates to crime. If you are interested in a wildly unstable and terrifyingly speculative investment opportunity, crypto is also that, but you will have to look elsewhere for that information. If you have never been able to figure out what cryptocurrency is and feel that perhaps it is just beyond you, rejoice! Quantum physics is mind-bending. Moral philosophy is nuanced and complex. MC Escher's prints are hard to follow. Cryptocurrency is easy to understand and often appallingly badly explained. Before we explain "crypto" we should first re-introduce you to paper money. You think of paper money as a hard-to-forge object whose value is backed by a government. In fact...

Social Engineering: Evil Behavioral Science

Pythia Cyber was founded on the principle that there is a huge behavioral component to cybersecurity that goes largely unaddressed in the marketplace. This claim is not obvious to many people, especially people new to cybersecurity. Oddly, the evil twin of this idea is all too familiar to people, even people new to cybersecurity: social engineering. This is one of two posts on this topic: this post is by our IT infrastructure practice leader; the next one will be by our behavioral science practice leader. Our perspectives are different enough to create some value by showing both the "what" perspective (this post) and the "how" perspective (the next post). It was once common practice to cite the "dictionary definition" of a term as a starting point for discussing that term in greater detail or greater depth. Now we have progressed to using an AI generated summary, so let's do that. Social engineering attacks are defined by the Google AI this way: Social...

Advice For Investors: When Did They Stop Having A Ransomware Problem?

Ted Hayes writes: People are easy to manipulate. Maybe not everyone at any time, but both human history and behavioral research show that eventually we can be swayed. As our post on the CSF puts it,  potayto potahto  -- I'll call it manipulation and you can call it training or education or development. Our ultimate goal is to have you do something different or differently than you did before. It's good that we can be manipulated when we're talking about public health or driving safely or treating each other with dignity and respect, or when we're trying to train people to crochet or have them learn how to be neurosurgeons.  There's a downside to manipulation. Call it training debt: people don't behave as predictably, to do a specific function, as circuits and switches and processors do. This presents a big problem when an organization depends on people to use systems in a way that supports cybersecurity. Cyber-thieves rely on being able to manipulate people to c...

NIST CSF: Recover: System Administration AND Cyber Security

The Recover phase of a NIST CSF-based Cyber Security program is about the longer-term clean up after an incident, as opposed to the Respond phase which is more focused on the short-term. The Incident Response Plan (IRP) has kicked in, you have taken steps to stop the problem and now it is time to get back to normal. The Recover phase is a classic example of why Cyber Security is not just an IT function and why we say management has to be involved. Much of what we do in the Recover phase is done by System Administration people or Operations people, because recovering from hardware failure and recovering from a ransomware attack are damn near the same activity. Your Cyber Security program, in effect, outsources this work to their colleagues. But that outsourcing does not exempt this process from the usual Cyber Security rigor and methodology. Trust, but verify: yes, trust your colleagues to do their job, but also apply the usual oversight and standards of proof. Let's take a real-life...

Reality Based Consulting: Behavior & Cyber Security

Brendan Hemingway writes: I am the leader of our IT practice because I have spent decades in many parts of the applied technology world: application software development, embedded systems, databases, IT and cyber security. In those decades I have observed a tendency in my field to focus on what we can control (technology) and shrug at what we cannot control (human behavior). Specifically, complex applications often require a complex security model, with user roles and permissions and restrictions. The trouble is that reality rarely conforms to the model. If we are lucky, these use cases that do not conform are edge cases and we can shrug them away with "how often does that happen?" or "don't do that." But we are not always lucky: sometimes those non-conforming cases are common, or those edge cases are important despite being rare. Then we have a problem: people are great at getting around restrictions and many of these workarounds are as unsafe as they are usef...

Please Assess Cybersecurity Training Goals, Methods, And Resources Before Implementing Training

 This from the @IOPSYCHMEMES account on LinkedIn (etc.)...

NIST CSF: Respond: Prepare, Prepare, Prepare.

The Respond phase of a NIST CSF-based Cyber Security program is about responding to the failures of the Protect phase that you detected in the Detect phase. Even if you do not have a formal Cyber Security program, let alone one based on the NIST CSF, you need an Incident Response Plan (IRP). If the three most important considerations when buying real estate are Location, Location and Location, then the three most important considerations when responding to a Cyber Security Incident are Preparation, Preparation, Preparation. You need an IRP for several reasons. In today's threat environment the chances that you will never have an incident are low and the severity of the consequences is high, so this is just good business. In the aftermath of an incident you need to balance responding as quickly as possible (stop the bleeding) with responding as effectively as possible (the cure should not be worse than the disease and uncertainty through poor communication should ...

Advice For Investors: How Are Executives Managing Cybersecurity Risks?

Recently the news brought word of three different cybersecurity incidents that occurred within about a five-month span. These news stories are worth review by investors. In the first event, a US intelligence community analyst illegally shared classified information with a social media site because he personally disagreed with US policy and he wanted to alert anyone on the site about what was happening. Releasing classified information to a social media platform is a felony. In the second event, about 100 personnel across the US intelligence community were suspended or fired for misusing internal chat rooms by engaging in what we might gingerly call "not suitable for work" banter (NY Times summary: "Officials confirmed that the N.S.A. managed a system that had been used for sexually explicit chats and L.G.B.T.Q. discussions"). To add on, these discussions came to light because a social media platform host gained access to chatroom logs, which should be if not clas...