Showing posts from May, 2025

Cybersecurity For Small Or New Organizations: "You Cannot Be Serious"

In June 1981, the 95th Wimbledon Championships tournament saw Chris Evert Lloyd -- now going by the name Chris Evert -- win her third, and final, singles championship. She was awarded £19,440. That's not what people remember about the '81 Wimbledon Championships. What they remember is the men's finals where a trash-talking New Yorker (full disclosure: we are ourselves native New Yorkers) who had excelled at the collegiate level while at Stanford, lost at the 1980 Wimbledon Championships, challenged all the calls he didn't like, made a spectacle of himself by being fined for berating umpires and referees, and created "buzz" at one of the ultimate upper-crust staid sporting events, beat the reigning world champion, Bjorn Borg. (The British tabloids referred to McEnroe as "SuperBrat" and Borg as "Ice Man." For his victory, McEnroe won £21,600.) John McEnroe's contribution to Western civilization was the line "you cannot be serious....

Business Problems We Solve: You Need An Expert To Ask Expert Questions

When you are reviewing a prospect for possible investment or acquisition, you perform a lot of due diligence. You request reports. You make snap judgments. You might say "I know a 'diamond in the rough' when I see it." EBITA, market position, regulatory environment -- check, check, check. What happens when the subject is cybersecurity spending and their return on investment? Most organizations we work with have this approach: the prospect already has cybersecurity in place, their senior managers claim to value it or do a hand wave, and at best they are sufficiently in touch to know that they're falling behind. Even worse, to many senior managers of less-technically-focused companies, cybersecurity is a black box -- you throw budget in, and techies say things that boil down to "they want more money." Other organizations, ironically the medium- to high-end ones, may take this approach: we have had a system in place and it works because we have not had a pr...

The Litany Of The Hacked: Are You Next?

Marks & Spencer. Coinbase. United Healthcare. US Departments of Commerce and Treasury. GrubHub. Microsoft 365 accounts. The National Assembly of Ecuador. My dentist. This is the litany of the hacked, the partial list of entities that have been successfully hacked by cyberthieves in the recent past. Is your prospect on the list? Are you on the list? If your company, or your prospect's company, is not taking cybersecurity risk management seriously, this creates another opportunity for thieves to push the company into the litany. The doors used by cyber-attackers differ. This is why subscribing to one service, or relying on what you did a few years ago, or annual spam email training, does not work. One of my favorites is the Coinbase attack from May 2025. Apparently the attackers bribed non-US contractors and associates to give them just enough access to gain crypto account information on Coinbase's customers. Tens of millions of dollars were lost. In contrast, my dentist and...

How To Fail At Cybersecurity

Our series on the CISO continuum is here, here, and here. There are two themes that run through these posts: 1. You could fail at cybersecurity regardless of where you are on the cybersecurity sophistication continuum, including you folks at the high end. 2. If you fail, it is likely that you failed because you were overconfident. Why are you overconfident? First, humans are overconfident. It is a well-known cognitive bias. You almost can't help it -- unless you actively work to overcome your own overconfidence. Oh sure, you're above average in self-awareness of your overconfidence, right? (LOL) Let's get more specific. Overconfidence can lead to failure in cybersecurity. There are two ways that could happen. First, you as a CISO or CTO/CIO are overconfident because you're really smart and tech savvy. You have a very high degree of understanding of technical detail that maybe no one else in the organization has. People come to you for advice. All the adulation fe...

The High End of the CISO Continuum

This post is about what Pythia Cyber can do for prospects who are at the high end of the CISO Continuum. "The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post.) In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity. Note that "high end" is descriptive, not laudatory. It means "having more management involvement in cybersecurity." Being at the high end does not mean that your org...

The Middle of the CISO Continuum

This post is about what Pythia Cyber can do for prospects who are in the middle of the CISO Continuum. "The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post.) In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. If you have someone doing CISO stuff, probably part-time, but that person has no staff and minimal input from management, then you are in the middle of the CISO continuum. We have a number of posts about the various kinds of CISO; here is a good starting point. Organizations in the middle are often quit...

The Low End of the CISO Continuum

This post is about what Pythia Cyber can do for prospects who are at the low end of the CISO Continuum. "The CISO Continuum" refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. (For more about this, see our CISO Continuum post.) In this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity (and puts you on the low end of the continuum). Note that "low end" is descriptive, not pejorative. It means "having less management involvement in cybersecurity." Hav...

Is Cybersecurity Failure One Of Your Options?

Very recently we came across the obituary for Ed Smylie. Mr. Smylie was a mechanical engineer at NASA in April of 1970 when the Apollo 13 mission went awry. With under two days of oxygen left, the crew in space had to rely on Mr. Smylie's team on earth to concoct a mechanism to clean the carbon dioxide from the capsule's air. The answer was: duct tape. In the 1995 film version of the incident the lead flight director, Gene Kranz, speaks a famous line: "Failure is not an option." Is failure an option in your company's cybersecurity process? If you discover that your organization had a cybersecurity incident, which of these two responses is the honest story you will relay to your leadership? (a) an adversary beat our cybersecurity system; or (b) it seems there was a previously unknown flaw in our cybersecurity system that the adversary exploited. The only way you can honestly give response (a), that your system was beat, is if you can verify that it was worki...

Responsibilities Of A New CTO/CIO: Uneasy Lies The Head That Wears A Crown

Congratulations, you got the promotion to be the chief technology officer (CTO) or the chief information officer (CIO). Feels good, doesn't it -- people laugh at your jokes, they seem to care what you think, you have staff, you hob-nob with other C-suite leaders, the Board looks to you to explain complicated technical topics, your opinion is sought on weighty matters by investors and thought-leaders. In Shakespeare's play Henry IV, the new king reflects upon his misfortune: as supreme ruler, he can order any of his subjects to do any of his wishes, but they in turn rely upon him for constant guidance and protection, safety, food, etc. The burden of leadership is not borne by his jesters or serfs or peons, or even by dukes and earls and noblemen. All victories are his, and in turn so are all misfortunes and miscalculations. Henry in his insomnia laments: "How many thousand of my poorest subjects Are at this hour asleep! O sleep, O gentle sleep, Nature’s soft nurse, how ...

Pay Attention: "The Bad Guys Only Need To Win Once"

Familiarity breeds content. It may also breed contempt, but in terms of living your life on a daily basis you have habits that make you content. They are your daily routine: you wake up at a generally consistent time, you get into your conveyance (car, van pool, subway, etc.) around the same time, you eat lunch about the same time, you leave work around the same time, and so on. Maybe on the evening before a weekend you hang out with your pals at a happy hour event. On your weekend you go grocery shopping and of course you have a set time to call your parents. The point of these familiar habits and routines is to reduce the amount of attention you invest in deciding about whether to do something or how to do it. Habitual actions decrease attention spent on routine activities and increase attention time on activities that require your attention. This is the nature of vigilance. Because attention is almost like a quantity -- you pay attention, make attention, focus your attention, or los...

The CISO Continuum

This post is about the range of cybersecurity programs we encounter in the wild, or what one of our founders calls "The CISO Continuum." This phrase refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum. Note that in this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity. The question of where any given organization falls on the continuum arises when prospects tell us that they have cybersecurity already, so they do not see why they would need more cybersecurity. To answer thi...

How Can Cybersecurity Improve Your Business Bottom Line?

Every critical function in your business needs to do one of two things: either the function increases revenue or it decreases cost. Functions that do something else are cost-centers. Effective cybersecurity is a critical function. Ineffective cybersecurity is a cost center. How can you demonstrate that your cybersecurity program is a critical function? The correct answer -- which is hard work -- is that you need to demonstrate how your cybersecurity program contributes to the company's return on investment (ROI). But for a lot of cybersecurity programs, it's more important to be effective than correct. (As they say in the world of hedge fund management, do you want to be right or make money?) The effective cybersecurity approach requires that you understand the following: what market you're working in, who your partners are, and how your cybersecurity program enhances what the organization values while minimizing annoyance. Then, as we say elsewhere, "you prove that...

Cybersecurity For Cybersecurity Professionals

Many jobs have an obvious focus: sell things, fix things, clean teeth, provide therapy, teach people, write legislation, fly an airplane, bake a cake, fight fires, manage tour groups, trade pork bellies. What do cybersecurity professionals do? A lot of the time you spend on the job being effective involves, let's face it, keeping bad things from happening. And that's good because the average data breach in 2024 was $4.88MM. That's an expensive bad day at the office. How can you avoid having your company be breached? One easy answer is to get smarter about the best cybersecurity practices and models. Read our blog posts about them. Another answer is to be aware of what people do -- get knowledgeable about cybersecurity behavior, not only yours but what your coworkers do. We've written about that too. Understand how to explain your role not just in technical terms, but in terms of supporting the values of the organization. You should have an 'elevator pitch' ...

Cybersecurity for Private Equity Acquisitions

Cybersecurity should be one of the key concerns when a private equity (PE) firm is performing due diligence on a candidate acquisition target. Specifically: is the target company doing enough cybersecurity? Is the target company's cybersecurity effective? Is it cost effective? If the answer to any of these questions is "no" or "I don't know" then your due diligence has a hole in it. Cybersecurity liabilities might drive down the target company’s value in the aftermath of a poorly managed security incident. The obvious answer is to get some kind of cybersecurity assessment, but all too often the cybersecurity assessment process seems opaque and complex and its results hard to understand or trust. At Pythia, we make the process simple, comprehensible, and we base the process on the business value that the PE is seeking. Pythia’s approach, though easier to understand than others, is no less diligent, and actually more rigorous. The approach focuses on the...

What People Do v. Cybersecurity Rules

You know you shouldn't plug your device into some rando port. Why not? Because you sat through dozens of cybersecurity training sessions, or you read something somewhere, or someone told you something. There wouldn't have been training if there were no problem to avoid, right? Humans are really good at not following rules. It's part of what makes us human. And bad actors know this, and exploit our tendencies against us. And now you're on vacation, and you're sitting in a tour bus looking at your device's low battery warning...and...oh, just this one time... Cybersecurity is about balancing authorized systems access with blocking unauthorized systems access. Behavioral cybersecurity is the most important part of cybersecurity because people still click on the spam/ransomware link, or plug their devices into r...

When It Comes To Cybersecurity, Simplistic Is Anti-Simple

You know the mantras: "Keep It Simple, Stupid!" "What if we do nothing?" "What problem are we trying to solve?" Most people in organizations try to avoid accountability because they assume something will go wrong and hey it wasn't my fault it was hers. True story: I know someone in a team meeting whose manager drew a line on a white board, then drew a loopy W on the line. The manager then said: "If you make a recommendation, just remember it's your [three-letter biblical term for a donkey] on the line." Guess how effective that was for idea generation. But hey the manager kept his job. Cybersecurity is not simple, but addressing it won't work if your approach is simplistic. In other words don't confuse a simplistic solution with a simple solution. Simple solutions clarify situations that meet your needs. Simplistic solutions seem "smart," but they require re-work and revision and aren't quite right and don't quit...

Business Problems We Solve: Proving That Cybersecurity Works And Is Worth The Investment

The easiest question an investor or manager can ask is, what will be our return on investment? A prudent investor should always be knowledgeable about risks and costs. If you only look at the "upside" you will miss how that "upside" comes with a cost that may be substantial. So it is with cybersecurity. Suppose for example that your cybersecurity team has "proved" that your organization has enough cybersecurity because it subscribes to a cybersecurity service. Well done. That is in fact proof that...your organization subscribes to a cybersecurity service. A prudent investor or manager should ask, How does that align to our growth projections, our values, or our user needs? How does it mitigate against upcoming threats? There's nothing wrong about subscribing to a cybersecurity service. It's certainly better than doing nothing. The problem is that most investors or managers see this as a box-check compliance issue: cybersecurity subscription is c...

Threats + Capabilities + Motivation + Time --> Risks

Our friend Barry Conchie sent us a LinkedIn post by Jeremy Levin regarding threats and risk. In grossly oversimplified terms, threat is a function of capability and intent, while risk is a function of the possible consequences of the threat. Commenters on the original post noted that these are not static values. Threats change over time because capabilities change -- sometimes in your favor, sometimes not (think: AI scraping your system via its API). The recent power outages at Heathrow Airport (blown transformer) and in Spain (mysterious blackout) frame this idea of threat for us relative to what happens when we do a quote cost-benefit analysis unquote: usually, if it's costly to anticipate something, it's probably a bigger threat than you think. Intent may also change -- maybe now that your company has grown, there's more to steal or disruptions are a bigger problem. Risk is a time-based forecast. The risk of a flood is higher in summer months, for example, than...

The Blackout In Spain (& Portugal & France): Implications For Cybersecurity

On this we can all agree: at about 12:15pm local time on Monday, 28 April 2025, there was a blackout throughout Spain that also reached into Portugal and southern France. Power was restored in most areas of Spain by about 6:30pm local time; full internet service returned the next morning. As someone who was in Sevilla at the time of the blackout, I am quite interested in what happened, why it happened, and what lessons could be drawn in thinking about cybersecurity as well as managing a power company -- as the lessons are quite clearly parallel. Numerous possible reasons for the blackout were offered, including the possibility of a cybersecurity incident, "fanatical" use of renewable energy sources, vibrations from an atmospheric inversion, or, um, something (in fact the current answer one week later is: we're checking and we'll get back to you). There is an active investigation into whether this was a cybersecurity incident, and we don't discount that. In the me...

You Are Not The Sum Of Your Personality Test Scores, But They Describe You Anyway

Recently there have been several studies that discuss how personality test scores relate to organizational performance. This post will summarize the implications of these studies for cybersecurity professionals, managers, and investors. TL;DR: your humanity is not some linear function of your personality test scores; however, your scores are good predictors of your work performance and this has implications for your effectiveness. Organizational scientists and practitioners want you to take personality tests for any of several reasons. They help capture how you approach your work, deal with people, lead, work with customers, and so on. These scores also might give you insight into what you’re good at (a.k.a. your strengths), your tendencies that will derail your career, or your level of emotional intelligence. Finally, when done in a highly structured manner known as a “360-degree assessment,” the scores are excellent indicators of your areas for growth and your blind spots. Pyt...

Hidden C/S: Oversight

This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers. This post is about the cybersecurity aspects of oversight by leadership, specifically oversight of cybersecurity. What does cybersecurity have to do with oversight? To answer that question, let us go down the cybersecurity chain from start to finish. (1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF. (2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective. (3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF. (4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a supervisor becomes part of the same someon...

Hidden C/S: Management Reporting

This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers. This post is about the cybersecurity aspects of management reporting, by which we mean "managing up" through information presentation. What does cybersecurity have to do with management reporting? To answer that question, let us go down the cybersecurity chain from start to finish. (1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF. (2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective. (3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF. (4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a ...