Posts

Showing posts from September, 2025

Litany Of The Hacked: September 2025 Wrap-Up

(Image of a dog drawn by Adriaen van de Venne that is thought to have inspired Rembrandt; Rijksmuseum). Oh yes. Here we go again: the litany of the hacked, a monthly list of entities that have been successfully hacked. The point of these litany posts is to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. And so, the litany of the hacked, September 2025 edition. Apparently the cybersecurity dog didn't bark when hackers came for these entities: Kido International (child care chain in the UK)...Collins Aerospace (commercial passenger flight check-in systems)...Pulkovo Airport (St Petersburg, RU)...Uvalde (TX) Consolidated Independent School District...City of New Orleans (technically, Orleans Parish, LA)... These attacks indicate that the gangs perpetrating them -- and make no mistake these are gangs -- are getting better at doing cyber-crime. They have found that manipulating huma...

The Plan B Mindset

I recently went on an international business trip and did a mediocre job planning for contingencies. What does that have to do with cybersecurity? That comes at the end, I promise. Plan B is a must in computer operations. I have spent much of my career making sure that if Plan A goes awry I have Plan B: a tested, functional alternative which will mean that essential tasks are done, no matter what. We are in a belt AND suspenders profession. I like to think that I am good at providing contingency plans which are not too expensive but which provide sufficient functionality when the need arises. It turns out that I am good at the kind of analysis that I have done so often, but that I am not as good at anticipating problems in other fields. I recently went on a business trip abroad, the first in quite a while. My, how technology has made much of the mechanics of travel easier, faster and better. My, how much I now depend on my phone. My charged, available, WiFi-connected phone. Everything ...

Deliver The Cybersecurity Leadership 'Plus'

A few weeks ago we wrote this about the 'big picture': Thus we come back to the big picture as a leader. It is about organizing and collaborating the work of people who might not otherwise have any reason to work together to accomplish meaningful goals. The right manager hire will understand that and promote it. The wrong hire will focus on being right (self) at the expense of leading the team (others) to get stuff done. Point being, the 'big picture' is about building a team to accomplish meaningful goals. That's certainly 90% of it. Unfortunately this is a stretch for many leaders -- maybe more so among technical leaders. Why is that? Because people with high levels of technical expertise -- a.k.a. your team members -- got to where they are because they could deliver the right answer: systems admin, programming, acquisitions, product management, etc. It's difficult getting people who deliver the right answer to coordinate as a team v. be individuals who work f...

Guest Post: What Personality Type Is Most Likely To Be Successfully Hacked?

MoneyMoneyMoney MUNNNNN-EH Our friend Dave Winsborough with his colleague, Daniel Robertson, hit it out of the park with their new piece in Forbes (here) on personality types most likely to be scammed by cybercriminals. I love their headline: If it were a country, Cybercrimeland would be a world-scale player. You should read the whole thing. We love cross-posting like this because cybersecurity is a team sport: us against them. And there are a lot of them. Let's talk about us. As Dave & Daniel note, there are personality types more likely to get 'phished'. Quoting at length: Modern personality measures are based on the Big 5 framework, which defines human personality along five broad, bipolar dimensions of individual differences: Openness to Experience ranges from intellectual curiosity and artistic sensitivity to being conventional and pragmatic. Conscientiousness spans self-discipline, orderliness, and reliability to spontaneity, disorganization, and impulsivit...

In Sports, "The Best Defense Is A Good Offense" -- Same Story In Cybersecurity?

History is littered world-wide with defensive embankments that look great and have endured as tourist attractions but had questionable defensive value: Hadrian's Wall (pictured), Maginot Line, Berlin Wall. The Chinese had better defensive wall success but their city gates were easier to destroy. Walls do well at keeping people inside, yet at the same time these walls usually fall prey to the same problem: an attacker thinks "outside the box" and looks for a more vulnerable point in the defense. What are the vulnerabilities in your cybersecurity process? A recent post by our friend Dr Brett Steenbarger focused on "Why traders fail": Successful traders fail more because of stagnation than because they blow up. They focus so much on "plan your trade and trade your plan" that they never create new, more promising plans to trade. What creates a lasting business is thinking outside the box, observing different market relationships, and finding fresh sour...

Managing Your Cybersecurity Career Is Your First Priority

"Vanity of vanities, says the Preacher, vanity of vanities! All is vanity," says the writer of the biblical Book of Ecclesiastes. He continues: "What does man gain by all the toil at which he toils under the sun?" No one else can answer your career questions for you. You can get input and advice and well-wishes, and I promise your momma still loves you whatever happens, and you should do all that. And then you decide. Deciding means that you understand that you will lose something, even if you want to advance or do something different. But that's your choice. People will find you...pushy, ambitious, impatient. In fact people both admire and loathe others who are ambitious. You will "lose" their comfort with you. Once you accept that and you become uncomfortable with comfort -- when you own it -- you will have grown as a professional and as a person. And only when you have done this will you have gained your leadership "why." As we have wri...

They Said/We Said: Who's In Your Leadership "Kitchen Cabinet"?

A new Stanford Graduate School of Business study caught our attention. The title is, "2025 CEO Coaching and Kitchen Cabinet Survey." Since we at Pythia regularly write about the value of coaching, it seemed to be something we would bring to your attention. The take-away is the report's summary first sentence: Half of CEOs use a professional coach, and 82 percent rely on a carefully selected “kitchen cabinet” of friends, acquaintances, and former colleagues to advise on sensitive workplace issues. The report continues: “Discretion is key,” adds Stephen A. Miles, CEO of The Miles Group, and co-author of the study. "The issues CEOs and directors grapple with are highly sensitive. Business leaders are careful to cultivate professional and informal advisors known for honesty, judgment, and, above all, confidentiality with whom they can discuss a wide range of topics from assembling the right team, to dealing with difficult constituents, addressing social controversies...

Business Problems We Solve: The Next Cybersecurity Leader You Hire

Because you've been reading our blog posts (haven't you?) you know that we write a lot about cybersecurity process leadership. Time to tidy up some themes for investors. Your natural inclination may be to ignore the technical hires in your business plan. This is incorrect thinking. As an investor, you need to consider every single leadership hire as if it were crucial. Here are the four criteria to use to find the head of your cybersecurity process. First: each of your leadership hires is a business leader first and a technical leader second. The leader of a business line should be able to talk the language of business. If not, you have just hired someone who is likely a schmoozer or a technocrat who cannot align their process with your priorities. Second: as we tell any reader, you will hire for skills and fire for personality. There is nothing wrong with hiring the most technically skilled candidate, or the one with the most experience, or the one you "like" mo...

The Cybersecurity Skillcycle Is Getting Faster. How Are You Adapting To It?

(Un Mondo (1929), Ángeles Santos Torroella, Museo Nacional Centro de Arte Reina Sofía.) Brendan created a recent post entitled "The Buck Stops At Cybersecurity." Here is a part that caught my wandering eye: I am complaining about a lack of focus on the end result because this lack of focus makes your support team a drag to deal with, but it makes your cybersecurity team ineffective. Cybersecurity is about results. You don't get credit for having a firewall, you get credit for having a properly configured firewall whose effectiveness you can confirm on an on-going basis. I'm sure you thought it: I will never lack for work if I can create a "properly configured firewall whose effectiveness you can confirm on an on-going basis." As a cybersecurity leader I'm sure you're thinking: "Cybersecurity is about focusing on the end result." As you toil away in 2025 these thoughts are valid and accurate and profitable. Keep thinking them! It turns ou...

Is It Better To Be A Technologist Or A Politician?

From the Department of Eternal Questions: Is it better to be a good politician or a good technologist? I once asked someone in the medical education field which was more important for a surgeon: good technical skills or good people skills? The answer was: both. Let's consider your situation as a CISO or CTO/CIO. Remember that time you got hired into this job? You had more skills than the competition. You may also have had a good reputation but realistically it was skills: certifications, experience managing a team and a budget, worked in a comparable organization/industry, good recommendations, went to the right 'elite' university, and interviewed well.  In brief you were a stellar technologist. Put a different way, you seemed the best "fit." Typical recruiters love to look for a back-fill for the previous person who just, um, left that job who is as close as possible to the previous incumbent. There are a lot of reasons why that is so but the biggest reason is it...

What's Holding You Back From Being An Amazing Leader?

Are you, right now, the most amazing leader you could be? If the answer is no, what's holding you back? Here are some frequently mentioned barriers: lack of political skill/connections; my boss is a toxic leader or an ineffective leader; my team is a disaster; organizational drama; the pace of change is so steep that I can't be strategic, I'm always fighting fires; I can't improve my skills because I can't go off-line or don't have budget for training. For the sake of perspective, these rationales could be said about any leader at any time in history in any organization. We're not saying this to make you feel badly about yourself, we're saying it because it's true and these barriers are real. And, because it's true and these barriers are real, we're going to strategize with you about creating accelerators to becoming the amazing leader you could be. To start, think of saving money. You're spending money right now on energy because you have things -...

One More Time: Annual Cybersecurity Training Does Not Work*

How many times have we at Pythia Cyber told you that annual cybersecurity training does not work? Answer: a lot. Go ahead & don't listen to us. But maybe you should listen to the people who study this. A recent study by Ho and associates (link here) gave some users at UC San Diego Medical Center standard annual cybersecurity training, while other users got interactive training or were in a control group. In the standard training, participants watched an informational video about phishing attacks. There was no interaction opportunity or embedded quiz; the video was entirely static. In the interactive condition, participants were given a training in which there was an embedded quiz during the training video along with "tips" on avoiding cybersecurity incidents. At least 12% of participants failed during the year following the standard cybersecurity training when a deliberately introduced phishing attack was launched. That is, at least 12% of all participants clicked...

Your Cybersecurity Leadership Style: Strategy Meets Philosophy

One of our favorite financial advisor bloggers, Ben Carlson, posted his reflections on having worked for 10 years in institutional asset management and 10 years in individual wealth management. One of his learnings is, "Philosophy has to be universal. Strategy has to be personal." Here's what he means (quoting at length): Everyone in a wealth management firm needs to be rowing the same direction for things to run smoothly. You need everyone on the same page when it comes to the overarching philosophy for investments, financial plans and client experience. No rogue agents. But the individual strategy for each client has to be personalized if it’s going to work. Everyone has different circumstances, needs and desires and you have to build them into the plan. The client always has more buy-in when the comprehensive plan is tailored to their particular situation. We can't comment on wealth management or how Ben thinks about it but this is an important starting point for ...

The Buck Stops At Cybersecurity

US President Harry S. Truman famously had this sign on his desk while in office: The import was "I am ultimately responsible for whatever happens." What a glorious, goal-oriented and functional philosophy. The other day I was bitterly reminded of how rare this philosophy is. Taking my cue from some medical establishments that require their senior medical staff to commit to working as though they were still mostly providers (a hospital that requires its department heads to spend a month a year on the floor and an ambulance company that requires its vice presidents to ride the ambulance one weekend a month), I still take on front-line IT projects not as a senior exec but as a humble technical contributor. In theory, this keeps me current and in touch. In practice, it reminds me that "the view from 50,000 feet" misses lots of detail, most of which is irrelevant but some of which matters. The day in question I was struggling with trying to re-establish remote access t...

Executive Coaching And The Necessity Of Change

Our consistent theme at Pythia is: you need to improve both your technical and people leadership capacities. There is no option to stand in the place you started and in fact it's a bad idea. How could you change? What would you change? Suppose you are ready to change your leadership skills based on all you read from this site. That means you have come to accept that you will lose something (that you should lose but it's still a loss), there was a compelling need to change, and you can anticipate gaining something new - better habits, better mindsets, better skills. Our friend Ken Nowack likes to say "only wet babies like change" and he's right. But of course wet babies want change, while adults...maybe not so much! Let's get this out of the way first: coaching is not therapy. There is significant agreement at the highest levels of professional organizations regarding boundaries between coaching and therapy. In therapy we're addressing personal or fami...

You Can't Operate In the Same Threat Environment Twice

A man cannot step into the same river twice, because it is not the same river, and he is not the same man. -Heraclitus. You can't operate in the same threat environment twice. This is a message we have to deliver at Pythia Cyber and then pretend that we can't tell that people are rolling their eyes. At this point, we will try anything--even plagiarizing ancient Greek philosophers--to get people to take this seriously: cybersecurity is never done. You never get to say "steady as she goes." This is because what you are up against is always changing and you have to change with it or live with gaping holes in your cybersecurity. What you are up against is the combination of new bugs in new or updated software, the bored hobbyists and professional criminals and state-sponsored hackers looking for those bugs and possibly old, yet-to-be-discovered bugs and aging hardware's vulnerabilities and new hardware's vulnerabilities and weather events and power grid issues and good ...

Yes, You Need To Change

I know: it's not you, it's them. I know: you have degrees from the right 'elite' universities and you've been a techie since MS-DOS and you were the CISO (or CIO or CTO) at Big Co before this Bigger Co job. Check, check, check. You need to change. We've written about change frequently on this site. Sometimes change is getting a certificate. Sometimes change is getting the Board to see things your way. Sometimes it's about motivating your team. Usually it's about being outside your comfort zone. Very common action/decision models have at least four parts -- plan, do, check, act; observe, orient, decide, act; etc. Nothing wrong with these and really, whichever works for you is fine. But there is a psychological process in change that happens before the action process. Sometimes it's in the form of a (pretty good) grim joke -- "change is good, you go first" comes to mind. Let's boil it down so that it's less...change-full. First, c...

What Business Are You In?

Back in the late '80s there was a business book making the rounds entitled The Goal. Despite what its author and publicist say, it was not "a gripping business novel." But it asks good questions: What business is your team in? What are the goals of that business? What actions conducted by the team bring the team closer to its goal or goals? Think about those questions in terms of cybersecurity: (a) What business is your cybersecurity team in? (b) In what ways is that business aligned with the business goals of the company and in what ways is it misaligned? (a) What are the goals of your cybersecurity team? (b) How do those goals further the success of your company? (a) What functions or actions improve the team's performance relative to your own metrics? (Assuming you have metrics...) (b) How do those metrics align with broader company metrics? Notice that each of those questions had two parts. The first part of each question -- (a) -- is only answerable by you as a ...

Talent vs Tokens

(Dilbert Comic Strip, August 31, 2000.) There are two ways to assess potential hirees: you can try to assess their talent for the task or you can try to extrapolate from their experience, from the tokens of success that they bring to the table. The higher up the chain you go, the further you get from the nice, safe, "if you have this qualification, you are appropriate" model and the less likely that the candidates will have exactly the right experience. There are many programmers, but few CTOs. There are many IT support staffers but few CIOs. A big part of what makes cybersecurity so tricky is that hiring the right senior technology leader (CTO/CIO/CISO/CSO) is so tricky. A big part of what makes hiring technologists so tricky is that we fall heavily into the Talent camp, at least for the bulk of our careers. When technologists are looking for a job, having a provable talent is more important than having a credential. Our resumes don't have to glitter with qualifications...

Cybersecurity Talent: The Big Picture

Every organization wants to make a perfect hire. Sometimes the organization convinces itself that the next applicant is a perfect hire because they just need to hire someone and after all anyone could learn this job. Sometimes the perfect hire is someone who can code, or has a degree from a particular 'elite' college. In a recent post, Brendan makes this point about "The Ideal IT Leader": Technologists are not selected for tact or political chops or a persuasive manner. We are selected for our ability to comprehend and apply technology. We are lucky that our field has the "it works / it does not work" binary, which tends to map on to the "you are right / you are wrong" binary which tends to make us quite comfortable telling people that they are wrong, or worse yet, that we told you so. We are unimpressed by your spreadsheet model because reality will soon determine what is actually happening or what actually happened. We are bad at persuading pe...