Posts

Showing posts from August, 2025

The Invisible Barrier: Your Comfort Zone

At Pythia Cyber we spend too much of our time trying to get people out of their comfort zones so we can talk about an effective cybersecurity program. Like many domains in which the stakes are high, cybersecurity makes most people uncomfortable. It is arcane. It is hard to assess. It changes all the time. It is out of most people's comfort zone, which means most people just don't want to think about it. When something is out of your comfort zone the only way to remedy that is through exposure, education and evidence. You need to expose yourself to the thing you want to avoid. You need to educate yourself about the thing you fear is beyond you. You need to collect or review evidence that your fears are not being realized. However, too many of us shoot past the Learning Zone and into the Panic Zone. No one likes to panic, so no one stays in the Panic Zone for long. The natural thing to do is to retreat back into your comfort zone. Where there is no cybersecurity, or where cyberse...

Cybersecurity Talent: What's Your Story?

We at Pythia Cyber focus on cybersecurity talent. It's one of our core areas of expertise. And so we have a question for you: why did you go into cybersecurity leadership? Was it the adulation, the money, the reverence and awe you get from others? Was it the money? Was it 'your turn' to be the leader? Those are all reasonable, normal rationales to go into management, and they work for many people. But -- what about you? Did you go into cybersecurity leadership because... you thought the tech was so cool, you wanted to do it at a higher level? You are fascinated with everything to do with cybersecurity? Those are 'rage to master' answers, and they are powerful. But -- what about you? Did you go into cybersecurity leadership because... you wanted to help people? You wanted to work with people at a higher level of leadership? Your identity was stolen and you're on a mission to ensure it doesn't happen to anyone else? Those are 'it's about the peop...

Cybersecurity Talent: Executive Presence Is Magnetic Cybersecurity Leadership

We at Pythia Cyber focus on cybersecurity talent. It's one of our core areas of expertise. We've discussed ideal CISOs and CIOs. We've discussed team leadership talent. We've discussed how failing is an option but you as a leader don't have to fail. Let's discuss dealing with the company's Board. It's time for a test. Don't fail. Question 1. Which one of the following statements is true? A. Once I'm a cybersecurity leader, the Board will view me with awe and reverence. B. However I show up at executive leadership meetings is all good because of my inherent worthiness and authentic self. C. My expensive degrees from 'elite' universities and the fact that I am descended from royalty on both sides of my family mean I know how to deal with the Board. D. I need to step up my Board game. Question 2. When I interact with the Board, they view me as... A. An employee B. A leader C. The boss D. A techno wiz Question 3. The company's Board ...

Security and Inconvenience

I am typing this on a Tandy 102 Portable Computer. This marvel of the 1980s has been gathering dust on my computer lab shelves for who knows how long. But I was forced to resurrect it after discovering that current airline seat trays are too small for me to use my laptop comfortably. I need something smaller, but I want a full-sized keyboard. My options were limited, so I have put my old favorite back into service. Don't worry, this is not going to be a nerd's delight of how good the old stuff was. Instead, it is going to be a real-life example of the often awkward relationship between security and convenience. With a little of why we do not recommend "security by obscurity" thrown in for good measure. Spoiler alert: mindfulness is going to be a key concept in considering our cybersecurity when we travel. As I contemplated what I will take on my next trip instead of my apparently oversized laptop, I was reminded of the trade-offs that dog so many of our cybersecurity decis...

The Ideal IT Leader

At Pythia Cyber we stress that cybersecurity is a management function, not an IT function. We also stress that leadership is a crucial part of this function. Publicly, everyone nods sagely: just as all babies are beautiful, so are all cybersecurity programs either unnecessary or more than adequate. But privately we hear from a distressing number of CEOs that they fear that their chief tech is not up to the task of building or running a NIST-based integrated company-wide cybersecurity program. We have never heard a CEO say that the CFO was not up to the job of managing the company's money. Why is that? Why are so many technology leaders inspiring too little confidence? This has come up often enough that we thought it worthwhile to write up an answer. Why is it so hard to hire and keep the leader of your technology efforts? In order to be part of senior management you need to have two very different skill sets. You have to be a good colleague to other members of senior management and...

Cybersecurity Talent: Leading The Cybersecurity Enterprise Is About Building On Known Knowns And Mitigating Known Unknowns

We at Pythia Cybersecurity focus on cybersecurity talent. It's one of our core areas of expertise. What is talent? It's a combination of human characteristics (personality, intelligence, interests, motivations, maybe physical ability) harnessed and focused by strategic goals determined by leadership (including self-leadership) that are consistent with achieving worthwhile outcomes. Because of its formative role in talent, today we will continue discussing leadership as a key element of behavioral cybersecurity. Why did you go into management, aside from money and adulation? In every new supervisor/manager course I've sat in on, participants address this question and nearly 100% of the time the answers fall into one of two camps: 1. "I once worked for a total nutjob failure of a manager and I want to show how you do it right" 2. "I once worked for the most amazing human being of a manager and I want to share that with others" No one ever says (out loud) ...

Cybersecurity Talent: Failing Is An Option But Choose An Alternative

Anytime we discuss talent, including cybersecurity talent, we must discuss failing. Boo hiss, you say. That's not nice or fun. Watching someone flail around awkwardly in their job is painful at a human level. Look, not everyone is cut out to have a cybersecurity career. Just because you majored in cybersecurity or computer science does not mean you are employable in that role. Just because you were a code jockey doesn't mean you are a Great Leader. Let's explore what that means and what the implications are. Individual Contributor: There are a lot of employment options for someone who majored in a cyber-related field in college, or who worked with computer systems in the military. The biggest issue you need to overcome as a newbie is that this field is changing sometimes daily. The second biggest issue is that you need to work with other people, some of whom are unpleasant or bad at their jobs. The third biggest issue is that your leaders may themselves not be very good at t...

Cybersecurity Talent: Tests That Pass The Smell Test

We at Pythia Cybersecurity focus on cybersecurity talent. It's one of our core areas of expertise. In today's post we will discuss how you would test for cybersecurity talent in an individual contributor. Cybersecurity talent is not about "hard skills" -- it's harder. Let's say you want to hire someone to work on your cybersecurity team. How would you go about developing an ad and then sorting through the candidate pool? Your first stop is to understand what competencies you're hiring for. A good place to go is ONET, which is high-quality and freely available. (You could copy job ads from Big Tech Company Players but their situation may not be your situation.) ONET does not have job information for "cybersecurity" but it has related titles, such as "penetration tester," that seem reasonable. It suggests that required software credentials include those for development environment software, object or component oriented development sof...

Cybersecurity Talent: Raging To Master Cybersecurity

We at Pythia Cybersecurity focus on cybersecurity talent. It's one of our core areas of expertise. In today's post we will continue our discussion of identifying and bringing your cybersecurity edge to your craft. What do you like doing? Are you a birder or a quilter or a soprano, a pediatric neurosurgeon or a social worker or a police officer? Do you feel like you're in a 'flow state' when you do what you like doing, almost like time has slowed or your consciousness expands while you focus on what you're doing? Do you continually work to improve your skill at what you like doing? Maybe you watch videos or listen to podcasts or go to conferences or read; maybe you reflect upon what you do and think about new ways to do it better. Do you feel that when you do what you like doing that you're doing something that you're good at and would like to do more frequently? These are all among the signs that you're engaging in mastery-related experiences. Being ...

AI Does Well At Detecting And Defeating Malicious Code...Doesn't It?

I am more optimistic about artificial intelligence (AI) than our other leaders at Pythia Cybersecurity. I'm not going to name names. And I've written about how to employ AI to create white box cybersecurity. Given all that, we can fairly say I have an appreciation for AI in cybersecurity. Thus, let's discuss the DARPA AIxCC competition in terms of cybersecurity and consider how well the AI did. DARPA, the acronym for Defense Advanced Research Projects Agency, has as its mission the development and implementation of emerging technology for the US military. This year DARPA ran a competition, the AI Cyber Challenge (AIxCC), for teams to implement AI in order to (per DARPA) "demonstrate the ability of novel autonomous systems using AI to secure the open-source software that underlies critical infrastructure." This was a fabulous and high-paying ($1.4MM) competition. Bravo to Team Atlanta, the winners! What were the final stats of this victory? From DARPA: "In...

Cybersecurity & Sexual Harassment

Once upon a time, sexual harassment in the workplace was all too common. But through the diligent application of training and slide shows this scourge was vanquished and now we all enjoy the reasonable certainty that our jobs are free of it. That is the story we tell ourselves, but alas! this story is not really true. There is hope for real improvement, but that improvement rarely comes from corporate training. In fact, sometimes corporate training makes things worse. And yet, when cybersecurity became the crisis of the moment, we reached for the same tools that did not work to change behavior in the past. Why? Because familiarity breeds content among management even as it breeds contempt among rank-and-file workers. Managers are accustomed to these tools and unaccustomed to considering effectiveness over compliance. Workers are used to having their time and patience squandered in this kind of training. It all just seems, well, boring but normal. Pythia Cyber is often asked to justify ...

How To Lead A Cybersecurity Team: Resources And Measures

(Note: this is the second post in a series. In the first post we discussed you working with your leadership. In this post we will cover you as a leader. Later we will discuss what talents leaders need.) We've covered ground before about leading as a new CTO/CIO. We noted these leadership features at a macro level regarding leading a cybersecurity function: Cybersecurity can only be effective in an environment where it is a shared responsibility: Cybersecurity is an enterprise function, it is not a subscription or a set of compliance rules or certificates. Cybersecurity at the executive level is always about trust, and trust requires relationship management, not technical wizardry -- you have a team of technical wizards. Cybersecurity requires being comfortable both with delegation (who is responsible?) and with power-sharing (continually revising risk management plans in anticipation of new risks). All well and good, you say. But...And...I ...

Cost-effective Cybersecurity

In a recent post we talked about effective cybersecurity. Now let's talk about cost-effective cybersecurity. Note that cost-effectiveness is not interesting without effectiveness. And effective is not the same as expensive. The goal is effective cybersecurity that is also cost-effective because we live in the real world. But all too often organizations have cybersecurity that is both expensive and ineffective. We will assume that you already know what we mean by effective cybersecurity; if not, take a few minutes to read that other post. Now we will consider whether or not your cybersecurity is cost-effective. To do that we must understand what we mean by cost-effectiveness analysis (CEA). A CEA is used when there are many options and few clear choices. Health care often uses them because, like cybersecurity, perfect health is unattainable and the potential cost of all potential options is essentially infinite. You can't do everything that you would want to do. You can't even do...

He Said/We Said: Win Tomorrow By Leading Your Cybersecurity Program More Effectively Today

(Note: this post is about you working with your leadership. In the next post in this series, we will cover you as a leader.) We follow an HR guru, JP Elliott, whose blog post this week was epic. At least it echoes with themes we promote at Pythia Cybersecurity. In this post, JP discusses executive team-building. This quote struck us: Most CEOs are building teams to win today. The best are building leaders to dominate tomorrow. According to JP, this is what the best CEOs think of when they seek to 'dominate tomorrow' (quoting at length): They wake up every morning asking themselves four critical questions: Are we focused on the right strategic imperatives? Are we operating our business effectively and efficiently? Are we optimizing our business model for competitive advantage? Do we have a plan for sustainable, profitable growth now and in the future? And while these business questions are foundational to winning in the marketplace, they are also your roadmap to building a b...

Cybersecurity Lessons From The Microsoft SharePoint Hack

Pythia Cybersecurity co-founder, John Sebes, has some thoughts about the Microsoft SharePoint hack that we reported on last week in the 'litany of the hacked.' You can contact us to talk with John at greater length and about your specific issue. Here is John's perspective on this hack: The latest massive cyber-attack is broad and dire, but has important cybersecurity lessons for everyone: how to avoid doom and gloom, and focus on high-value to-dos that everyone should do -- especially important for smaller companies whose leadership's lack of focus on security is based on inaccurate beliefs about the low likelihood of being targeted by cyber-criminals. In fact, everyone is a target, and the SharePoint incident shows why. In this case, the companies that are vulnerable are those that run Microsoft SharePoint, a very commonly used system for people across a company to share documents and many kinds of files. The vulnerability was discovered by cyber-attackers first (call...

Effective Cybersecurity

In our experience many organizations want to focus exclusively on their core business, their main mission, the activity which gives them their identity. This sounds like a good idea but it is not a good idea because no organization can afford to ignore all the other things that are required here in the 21st century. The two aspects of running an organization that we see most often neglected are these: Providing a safe working environment, free from sexual harassment etc. Taking due care of private data--both yours and your customers' and partners'. It is easy to fall into the trap of saying that your core business is "the real work" and that the other stuff is unimportant and only there because outsiders require it. But hostile work environments cost money in turnover and loss of talent while ineffective cybersecurity exposes you to risk of loss of money and reputation. Both of these areas share an apparent lack of importance, especially in the short-term. But this illusi...

Mindfulness Manages Mishaps

Recently one of our Pythia Cybersecurity co-founders, Brendan Hemingway, posted an entry about mindful technology use. Here is a part that caught my wandering eye: While I am a fan of using software tools to protect me, I struggle to imagine software tools ever replacing mindfulness in the arms race of scammers versus systems programmers. He continues: We now live in a world where scammers are trying to craft attacks that push our buttons, trying to take advantage of the simple rules, trying to leverage your best intentions to hurt you. Disclaimer: we at Pythia don't like fear, uncertainty, and dread as motivation. We like facts. Facts are very important in cybersecurity because you have enough hype in your daily life. Fact: your system is under attack, right now. Fact: you probably have not improved your cybersecurity skill. I discount that nice new certificate you have because let's face it that's a chit you got from a course you paid to attend and you got a certificate ...

Who's The Boss?

We at Pythia Cyber have been advised that our posts have tended to be too polite, to stop short of making our points because we don't want to offend. We've been advised to stop being so nice. Let's give that a try. In our experience cybersecurity programs often fail to be either effective or cost-effective and the most common cause of this under-performance is lack of integration. Cybersecurity is everyone's job. That is not a slogan, it is a fact. It is not the only job of everyone but anyone can compromise your cybersecurity and that fact doesn't go away because you like or trust your CISO. How do you know if you lack integration? Great question. (Spoiler alert: if you are not certain that your program is integrated then it is not integrated.) Does Senior Management Manage? If your cybersecurity program is something that someone in IT does for you then you have a problem. Senior management needs to have input into, and oversight of, cybersecurity efforts. If they don...

Cybersecurity Talent: First Of Many

We recently met up with our friend Barry Conchie. The topic was, as usual, cybersecurity talent. That's not where we started but most conversations with Barry center around talent. We will have more about this later but as we spoke, the topics moved my mind to another old friend: Dr Brett Steenbarger, hedge fund trader and psychologist to traders. Dr Brett writes frequently about a concept called "rage to master." Again, this is a topic we will return to, but three short-term implications for cybersecurity professionals of talent and raging to master are these: 1. The goal of cybersecurity is not a bright shiny product that you buy or a clean verification report. The goal is for you and your team to continually -- that means every day, people -- identify key parts of your cybersecurity process that lead to and support security. A good result is that you're mastering the processes ensuring cybersecurity, which are always changing. 2. You need to know what your cybe...