Posts

Showing posts from August, 2025

Who's The Boss?

We at Pythia Cyber have been advised that our posts have tended to be too polite, to stop short of making our points because we don't want to offend. We've been advised to stop being so nice. Let's give that a try. In our experience cybersecurity programs often fail to be either effective or cost-effective, and the most common cause of this under-performance is lack of integration. Cybersecurity is everyone's job. That is not a slogan, it is a fact. It is not the only job of everyone, but anyone can compromise your cybersecurity, and that fact doesn't go away because you like or trust your CISO. How do you know if you lack integration? Great question. (Spoiler alert: if you are not certain that your program is integrated, then it is not integrated.) Does Senior Management Manage? If your cybersecurity program is something that someone in IT does for you, then you have a problem. Senior management needs to have input into, and oversight of, cybersecurity efforts. If they don...

Cybersecurity Talent: First Of Many

We recently met up with our friend Barry Conchie. The topic was, as usual, cybersecurity talent. That's not where we started, but most conversations with Barry center around talent. We will have more about this later, but as we spoke, the topics moved my mind to another old friend: Dr Brett Steenbarger, hedge fund trader and psychologist to traders. Dr Brett writes frequently about a concept called "rage to master." Again, this is a topic we will return to, but three short-term implications for cybersecurity professionals of talent and raging to master are these: 1. The goal of cybersecurity is not a bright shiny product that you buy or a clean verification report. The goal is for you and your team to continually -- that means every day, people -- identify key parts of your cybersecurity process that lead to and support security. A good result is that you're mastering the processes ensuring cybersecurity, which are always changing. 2. You need to know what your cyber...

You Can’t Scam A Mindful User

As the old saying goes, you can’t con an honest man. The claim is that every successful confidence game depends on the mark being greedy. This smacks a bit of blaming the victim, but there is certainly an element of truth to it: many con games depend on the victim being hooked by the possibility of getting something for nothing. This saying is on my mind after a recent attempt to scam me on my phone. It occurred to me that the modern version of this saying should be that you can't con a mindful user. Many scams depend on panic, because panic short-circuits your ability to focus, and mindfulness is your best defense against a scam. The scam that I was subjected to is not new; it was very like this one. I was watching YouTube on my phone when an official-looking dialog box popped up. The pop-up warned me that my phone’s storage was full and offered me a link to clean up my phone. There were a number of things about this incident that were not right: The dialog box was very nice...