Showing posts from June, 2025

Mandatory Annual Security Training Is Not Going To Save You

Very recently we discussed our thoughts about cybersecurity training. TL;DR: training people to not do something is ineffective (hello Adam & Eve!) and annual security training is not keeping up with current threats, but it does shift liability to employees from managers. Annual cybersecurity compliance training is kind of like managers using a Princess Leia approach: "Help us, annual security training, you're our only hope." Some key points about training in general are important for your consideration in terms of mandatory annual cybersecurity training. First, all training regimens are understood to target any one of these three aspects of the human psyche: affect (how we feel emotionally about things), behavior (what we do), or cognition (what we know). A, B, or C. Let's review: Does your cybersecurity training try to make your employees hate cyberattacks? Do you want your employees to do something about cyberattacks? Is its goal to make people s...

Business Continuity Is Part of Cybersecurity

Whatever your organization does, you want to avoid unplanned downtime. You want continuity of operations, which we call "business continuity" for short. What interrupts business continuity? Anything that interferes with operations: sickness, power outages, bad weather, cyber attacks (threats), system failures (vulnerabilities) and data integrity issues (a mixture of both). The usual stuff. In cybersecurity, most of the attention is on cyber attacks but we rarely hear about system failures or data integrity issues. But cyber attacks are not the only business disruption in the cyber domain. Hey, look what I just did: I restored a file. A file that I needed. A file that I was working on and had accidentally clobbered. How does an expert computer user with over four decades of experience clobber a file? The short answer is that people make mistakes. The long answer is too long, involving many unlikely unfortunate elements lining up in a really bad way--injured left wrist, recent ...

The Trouble With Training

At Pythia Cyber we are often asked if we provide training. If you mean do we provide canned training to keep users from clicking on links in emails, then the answer is a hard "no." "Why not?" is the all-too-frequent follow-up question. "That is a long story," we reply. So long that it needed this blog post to answer it. In this context, "training" means taking a course in any of several tiny subsets of cybersecurity, likely ending in an exam so that the trainers can certify that your people took the course (or charge you for them to take it again). Most of these courses are on-line, but sometimes they are given in person. We are agnostic about the delivery method: it is the content that concerns us. Why don't we provide this as a deliverable to our clients? After all, it has some attractive attributes from our perspective and some attractive attributes from the client's perspective: Good For Us We can design once, sell many and have less ...

Your Cybersecurity Options: Oak, Acorn, or Both?

As part of an internal research project we are surveying the public statements on cybersecurity from a variety of companies. We are assessing first how the marketplace typically describes cybersecurity, to help us talk to executives in terms they already know. But people judge you by the company you keep, so we wanted to get a sense of whose descriptions matched our vision of how best to practice cybersecurity and whose descriptions did not. This research project will result in an internal white paper and some external posts, of which this is one. As a preliminary result, we have noticed two broad categories of approach: buy it or build it. Since we have a foot in both camps (we sell help to build it), we can see both sides. We are taking this opportunity to answer a frequently asked question: which approach is best for us? Buy or build? As is so often the case, the short answer is "it depends on who you are and why you are buying or building." So much for short answers. ...

White Box Cybersecurity, Because You Can't Lead What You Can't Explain

Small and new businesses have a lot going on. We understand. You probably are not focused on what your cybersecurity process is, why it's necessary, or how it works. (We'll assume that you have a process.) That's completely OK at first. Your business' growth is based on creating value for customers. That value proposition needs to include the trust that your data capture is secure and that you handle data in a secure manner. Just as your prospects and customers don't want to be in a business relationship with you that feels unsafe or "flaky," they won't give you their data if they believe you can't handle it securely. As you grow you will want to create guidelines and rules for securing your systems, your data, and your customers' data. You'll need to be able to explain your plans to creditors such as banks where you get loans, or to regulatory agencies, or to customers. You'll need to be able to explain your cybersecurity process. You m...

White Box Cybersecurity, Because You Have Cognitive Biases

To be able to make decisions is to have cognitive biases. Even artificial intelligence (AI) platforms have biases. Biases are the price systems pay for making quick decisions without spending time and effort on decision-making. Let's start with basics. From a statistical modeling perspective, bias occurs when the mathematical model, typically a regression line, does not fit one set of data as well as it fits another. The result is increased error. In business terms, you probably would not build a marketing campaign for a product that appeals equally well to women and men, or to the "haves and have-yachts." You would get good results in the intended target group and no results (i.e. you wasted money) in the non-target group. Same thing in AI. It is a fact that your AI model is trained on one sample, and when it is transported to other samples it will not perform as well. The less-effective result is due to statistical bias. (Remember, AI is math.) Let's...

White Box Cybersecurity For Non-Techies

You know business. You know your market. You have mastered a field such as finance, biology, furniture manufacturing, human services, auto repair, logistics, medicine, law, agriculture, or restaurant management. You are a servant leader, a hedge fund platform manager, someone who "learned by doing." You might be able to sell insurance to people who hate insurance. You can recite poetry, write essays, derive Bayes' Theorem, calculate derivative prices. You have a smart phone or a fitness tracker. You drive a hybrid or electric vehicle. You have multiple streaming services. You are not a techie. Our series on white box cybersecurity for techies has two parts, here and here. You should read them even though you are not a techie. This post is for you. It is about white box cybersecurity for non-techies. White box cybersecurity is the result of alignment between operational process and strategic cybersecurity. The organization you lead or help manage is looking for growth. ...

Public Service Announcement: Be Extra Cyber-Vigilant These Days

This is a public service announcement. The recent escalation of hostilities in the Middle East means that the potential for cyber-attacks has increased. Sometimes these are black box attacks that seek out any target of opportunity, including your servers and data and websites. Sometimes these are attacks on vendors or some entity in your supply chain that drag you in, even if you're not explicitly the target. You and your company need to be extra vigilant at least for a few weeks. That includes:
* Adopt/enforce multi-factor authentication (MFA)
* Patch/upgrade every Internet-facing asset -- looking at you, health care offices and municipalities and school systems
* Segment networks & elevate detection on OT traffic
* Contact your cybersecurity provider or your CISO/CIO/CTO to ensure you're all on the same page with regard to heightened awareness processes
* Ensure repeatedly that your employees at all levels know that they need to be aware that the potential for a cyber-at...

If You Build It, They Will Come--And Try To Steal It

I tell you "put all your eggs in one basket, and then watch that basket." Look round you and take notice; men who do that do not often fail. It is easy to watch and carry the one basket. It is trying to carry too many baskets that breaks most eggs in this country. --Andrew Carnegie, addressing the students of Curry Commercial College, June 23, 1885 It is a depressing truism of cybersecurity that if you create a cyber asset of unimaginable value and power you create a target so tempting that you will be forced to vigorously defend it. "Watch that basket" indeed! In the 1980s, it was the data warehouse, a single database wherein all your organization's information was to be found. What promise! A single place to aggregate all that normalized data, from which you would glean untold insight into your operations! Assuming you could solve the data normalization problem, the real-time interface problem and the very tricky problem of granting access to everyone who might...

White Box Cybersecurity for Techies, Part 2

One of the Pythia Cyber founders introduced his novel way of describing our goal, "white box cybersecurity," in this post. But that post was aimed at management, and this post and its companion are aimed at technical people: cyber warriors and cyber defenders. The people in the cybersecurity trenches. This post is the second of a pair. The first one is here. That first post explains what we mean by white box cybersecurity and black box cybersecurity. It also outlines why we think black box cybersecurity is bad for techies. This post explains why we say that white box cybersecurity is good for techies. So why is white box cybersecurity, i.e. cybersecurity whose inner workings are visible to management and ideally basically understood by management, good for techies? The short answer is that white box cybersecurity allows management to manage. It allows oversight. Oversight is good, even if micro-management is bad. White box cybersecurity means that you get input that you ne...

White Box Cybersecurity for Techies, Part 1

One of the Pythia Cyber founders introduced his novel way of describing our goal, "white box cybersecurity," in this post. But that post was aimed at management, and this post and its follow up are aimed at technical people: cyber warriors and cyber defenders. The people in the cybersecurity trenches. This post is the first of a pair. The second one is here. This first post explains what we mean by white box cybersecurity and black box cybersecurity. It also outlines why we think black box cybersecurity is bad for techies. The second post explains why we say that white box cybersecurity is good for techies. By "white box" he means the opposite of black box. A figurative black box is something whose inner workings are unknown and perhaps a mystery. By analogy, a white box is something whose inner workings are known and understood. Black box cybersecurity therefore is what we call the all-too-common arrangement whereby management doesn't ask and IT Security and System ...

White Box Cybersecurity, Because Your Company Is Not An ATM

Do you think of your company as a corporate office with geographically dispersed field offices, vendors, a logistics chain, and customers? If so, you are adopting a model that can be boiled down to this: "Our company is an ATM" (or cash point, for you UK readers). Now of course you don't think you run an ATM. But that's how you're operating. An ATM is a hardened machine that sits in a location and people approach it and it connects to your servers and, when it's working, it dispenses a service (a.k.a. currency) to customers. Many companies, including multi-billion-dollar entities, expect that customers come to them: their website, their bakery, their restaurant, their hospital. And that's OK. Your 21st century company is not in one place. It exists where it gathers data from the customer. It's a ring, an activity tracker/watch, a glucose monitor, a "smart appliance," a phone or tablet, a mobile credit card swipe device, a sensor, a medical ...

White Box Cybersecurity, Because Of Black Box AI

Check out the picture at the head of this post. It's from a deck made public by Mary Meeker at Bond Capital in May 2025, and it shows the frequency of searches using ChatGPT (a good initial proxy for "generic AI") v. Google searches per year, starting from initial launch. Now, as we say in psychology, sit with this from the same deck: time (in years) to reach 100 million users, by platform. The AI is coming to your company regardless of whether you're adopting it or not. You do not have an option to opt out. And that means that your cybersecurity process is now a target of 'bad actors' using AI. We'll build this out later, but there are things you're doing with your company's AI that are making you a target of bad actor AI. In a nutshell, the more you use agents as part of your AI platform the more inviting those agents become as bad-actor AI targets. In one ironic way this is good for your cybersecurity process. In days of AI yore...like, last yea...

Too Much of a Good Thing

At Pythia Cyber, we advocate the appropriate amount of cybersecurity. Not the most possible. Not all the cybersecurity. The appropriate amount. We all can imagine what happens if you have too little cybersecurity: you get hacked or have a system failure and you lose money either in productivity or in ransom or in liability over lost or altered data. That is all bad, in obvious and well-defined ways. But how can you have too much cybersecurity? You can tell that you have too much cybersecurity when you have either of two problems: your cybersecurity is an excessive impediment to getting work done, or you are spending more than you need to spend in order to be safe enough. What is an "excessive" impediment to getting work done? After all, pretty much all cybersecurity is an impediment to getting work done in some way or another. An excessive impediment is an impediment that either does not add any real safety or does not allow you to do your work at all. For example, one of our ...

Business Problems We Solve: Creating White Box Cybersecurity

The future is now. As an organizational leader, you can no longer justify not controlling cybersecurity costs. You can no longer get by with not understanding cybersecurity. You can no longer avoid questions from investors and customers about how you're securing their assets. As a cybersecurity leader, you can no longer justify having more and more layers at more and more cost. You can no longer get by with not explaining how your cybersecurity process controls costs. You can no longer avoid questions from other managers about how you're securing their assets. Your organization and your Board (and investors) deserve answers from you, with proof, that your cybersecurity is proven effective, for the assets the organization values, at a reasonable cost. You need white box cybersecurity. You know what "black box" systems are. One marketing leader we worked with once explained marketing research as "there are gozintas and comezouttas" (I promise it...

The Future Is Now

In previous eras, cautious human beings were wise human beings. When the environment remained largely unchanged for century after century, doing what most people did was a pretty good strategy. For example, the Roman Empire existed for a little under 1,000 years and if you took an army recruit from the first professional Roman army and magically transported him to the last professional Roman army, he would have been able to function. But that is not the era in which we live. Following the herd feels good but is all too often a terrific way to be a day late and a penny short, especially with respect to the new (AI) and the ever-changing (cybersecurity). Someday, AI chat bots and agents and other pseudo-employees will have well-defined roles, bounded by HR policies and properly overseen by managers. In many companies, that is not the case yet. But if you wait to tackle these problems until these problems have thoroughly tested, widely accepted solutions then you will likely have exposed ...

Business Problems We Solve: Win The War For CEO Talent In A Cyber-Secure Organization

According to a new review by our friend, the business psychologist Derek Lusk, 50% of new CEOs fail. He explores why this happens, and summarizes his thesis as follows: "What happens in the early months between a new CEO and the board drastically influences the long-term outcome. A board that is simply an evaluator of the CEO will plant seeds of failure early on. In contrast, a board that steps into the role of partner and coach can help transform the CEO's psychological turbulence into clarity and, by extension, leadership effectiveness. In other words, CEO transitions don't succeed because of a single great leader. They succeed when the group of people at the top is an effective team. And no part of the team is more influential in shaping the CEO's transition than the board." There are two pieces to this, and they are both important for new leaders who are transitioning to corporate governance. First, the board creates the context within which the CEO learns ...

The 'Bargain' You Cannot Afford

One of our readers noted this sentence in a recent blog post of ours as a key point in Pythia's value proposition: "IT security folks accept responsibility for cybersecurity but not for keeping management informed, and management pretends to oversee what they merely watch." (Read the whole blog entry here. Watch a cool scene from the opera Faust here.) This is, as the post noted, a Faustian bargain, to wit: one enters into an agreement with the Devil to trade something such as his/her soul in exchange for something the Devil can offer, typically youth, beauty, riches, fame, knowledge -- the usual. You may be an atheist or a devout attendee of your congregation, but in either case you know that this is not going to end well for the person entering into the trade. So it is with the relationship between the CISO and executive leadership. And you know which one is the Devil...right...? Exactly. Who, actually, is making the bargain with whom? IT Security people get funding ...

The Litany Of The Hacked Gets New Members: Early June 2025 Edition

Cartier. Harrods. The North Face. Victoria's Secret. Additions to the litany of the hacked include marquee brands. Let's reflect on this. All of these entities are retailers. First, there are some issues inherent to retailing that make them inviting cyber-targets: corporate management that is remote (in any possible sense of the word) from stores, practices that reduce barriers for people/customers to access merchandise either in person or online, and low-paid staff unlikely to be around long enough or motivated to benefit from or care about annual cybersecurity training. Second, and no blame here, these are entities that put a lot of money into branding and marketing. They are about creating image and experience. A secure shopping experience is not something that comes to mind when you think "tank watch" or lingerie. The result of all this brand development and cachet is catnip for cyberthieves. Customers who are willing to pay for the brand image have money. They are the ...

The Cybersecurity Double Standard

We often see a double standard that puzzles us. To us, finance and cybersecurity are both critical functions requiring management oversight. But in the wild, we often see a big difference in how they are treated by management. When we ask senior managers about cybersecurity we often get a rather shockingly low level of interest: "I don't really know what my CISO does all day; I am not a programmer. I can't read an Incident Report. I know that whatever they do is working because our systems are still up and running." Imagine a CEO being comfortable making the equivalent statements about their CFO: "I don't really know what my CFO does all day; I am not an accountant. I can't read a financial statement. I know that whatever they are doing is working because my paycheck clears every month." That second CEO, the one who cannot be bothered to think about finance, would not keep their job for very long, assuming that such a person could ever get the job i...

Don't Sleeping Cybersecurity Lie

A common question we get from prospects is this: "why would I question my cybersecurity?" The subtext usually turns out to be that the prospect's organization is staffed by reasonable, hardworking, dedicated people and therefore it is borderline rude to imply that they are not doing a good job. (For the purposes of this post, let us set aside the issue that there is a difference between making cybersecurity someone's job and just assuming that the IT folks are doing something reasonable.) At Pythia Cyber, until proven otherwise, we assume that your coworkers are reasonable, hardworking and dedicated. There are still three common scenarios that lead well-run, well-meaning organizations down the garden path of insufficient or ineffective cybersecurity. The March of Time is relentless. It is common to take a cybersecurity posture and then faithfully maintain that posture, which is a good thing to do. Alas, doing this is not enough: you must also allocate resources to co...

Custom Conversation

At Pythia Cyber we say that your cybersecurity should be part of a program, by which we mean that there should be communication between those who do the securing and those who oversee the securing. By communication, we mean that the overseers know and approve what is being secured and that those doing the securing offer proof of that securing. By proof, we mean evidence that the overseers can understand. It is not enough for the overseers to blindly trust that the securing is happening and is working. It is not enough that those doing the securing are given time and money. The oversight is important, because we all do a better job when someone is paying attention. The proof is important, because the act of gathering and presenting evidence in a way that lands ensures a level of attention that is hard to ensure any other way. A key component of such a cybersecurity program (CSP) is the agreement between overseer and securer on what constitutes "proof." The tricky part is findin...

Proof: Evidence You Can Understand

At Pythia Cyber, we say that your cybersecurity should be part of a program and that program should be:
Integrated--linking management and cybersecurity.
Scalable--growing as you grow.
Trusted--based on proof, not faith.
Self-Sustaining--adapting as the environment changes.
When we say "proof" we mean "evidence that you can understand." When we say "evidence-based" we mean "there is evidence, you have seen it and you understood what you were seeing." Oversight is part of management's duties. Oversight requires the ability to know when what you are overseeing is working. Being aware of an activity is not the same as overseeing that activity. For example, I could watch a surgery but I have no ability to determine how well that surgery is being executed. I would be watching, not overseeing. I would be present and aware, but not in a position to exercise oversight, except at the very grossest level. So it is sometimes with cybersecurity: we ask ma...