Posts

Showing posts from April, 2025

Business Problems We Solve: Investor Assurance

All prudent investors qualify their prospects in terms of cash flow, P&L, management team, industry standing, and growth potential. Why wouldn't you do the same qualification for cybersecurity risk management? Investors speak the language of business. We at Pythia speak the language of cybersecurity. All (100%) businesses with a digital function -- payment system, advertising, email address, data center, online sales or product development platform, etc. -- have some degree of cybersecurity risk. We assess the extent to which companies have managed their cybersecurity risk. This includes policies, systems, and leadership. You deserve to know how much investment your prospect needs to make in its cybersecurity risk management. And if they don't or can't do it, you need to know what you will need to invest. Pythia's assessment report for investors includes an expert review and summary of the following three cybersecurity risk components: 1. Cybersecurity...

Cyber Security Anxiety: Mystery And Myths

This blog post is aimed at people working in organizations either too small or too new to have much of a Cyber Security program. You know who you are: you have the sneaking suspicion that you are out on some thin ice, but you don't know what to do next. There is no shame in not being a Cyber Security expert. Most people are not. Nearly all people are not. But if you are part of the management team of a company, you rarely have the luxury of simply ignoring Cyber Security altogether. After all, every management team member has, at one time or another, had to manage people engaged in work that the manager does not really understand. In fact, staying current with the lower level details of work can be a real weakness in a manager. That said, there is no excuse for burying your head in the sand when it comes to Cyber Security. It may be a mystery to you, but many people cannot explain how GPS works and yet somehow manage to use systems based on it. If you have decided that you can avoid ...

The Kind You Actually Do

Once upon a time, as I began to move from young adult to just plain adult, I found myself in a very familiar position: I needed more but gentler exercise to stay in shape but I had less time to exercise. The result of this dynamic was an ever-declining level of fitness, but I had an ace in the hole: a friend who was an exercise physiologist. I explained to her my plight and my old exercise routine and what I considered to be my strengths and weaknesses. She listened without paying the rapt attention that I had assumed would attend my detailed exercise history. She asked no probing questions. When I was done, I asked her what the best exercise for me would be. "The best exercise for you is the kind that you actually do" was her response. At the time, I was rather put out. This was not the kind of detailed and data-based and medically-appropriate response that I expected. As time has gone by, the clear wisdom of her reply has shone through my expectations ever more brightly: th...

Rank Has Its Privileges

Rank has its privileges is such a strong part of military life that this concept goes by its acronym: RHIP. Alas, this concept is not limited to the military. Plenty of civilian workplaces have cultures that encourage leaders to use at least some of their power to make their lives easier and more convenient. This tendency is often more annoying to the rank-and-file than anything else. After parking in my unprivileged parking spot and walking a good long way in the cold or rain, I have felt a stab of bitterness as I slog by the cars which are parked closer to the building and under some kind of shelter. If that were all RHIP ever did to an organization, we could just shrug it off. A little resentment by underlings isn't going to hurt the organization much and perhaps that resentment spurs some people's ambition, which might be good for the organization. Alas, in the Cyber Security realm, RHIP does much more damage than cause a little resentment or bitterness or jealousy. As we of...

What Do Cybersecurity Engineers Actually Do?

Since we emphasize behavior here at Pythia Cyber, let's talk about it and answer this question: what do cybersecurity engineers actually do? Suppose you wanted to hire one right now. What would you expect to advertise for? Let's set this cybersecurity workforce ecosystem up correctly. There is at least a cybersecurity engineer and a manager. Maybe there is also a CISO, though this person might not manage cybersecurity engineers. First, then, as the employer, know what personnel you're actually hiring. You as the executive/hiring manager/HR guru need to define what you need done. Do you need systems management, or web security, or does this person do acquisitions, or deal with a vendor? How about developing a cybersecurity risk management plan? All of that? Two: OK now let's look at competencies and skills. Best place to start is with, yes really, the US government. Here is a link to the government's O*NET site -- think of it as a bank of continually validated jo...