Posts

Showing posts from October, 2025

Well...How Did I Get Here?

Cybersecurity as a field contains a lot of different careers. There is security, systems administration, and penetration testing; cloud security, incident response, and identity and access management; oh yeah, and artificial intelligence (AI). Technology, information systems, engineering, and forensics -- and more -- are all part of the cybersecurity field. When we're asked about career guidance for cybersecurity personnel, we like to gauge the 'why' each person brings. For example, were you the type of person who liked to take things apart to see how they worked? Maybe, when you were a little tyke, you took apart a radio because you didn't know how the sound could come out of it? Maybe you like to watch videos to learn skills because, well, you like to figure things out? Maybe you like training people and you enjoy seeing them learn something new. Maybe you get a kick out of attacking systems, or out of defeating attacks. Maybe you like to see what AI can do beyond...

Training And Trainability

You're pretty well trained. You graduated from the right 'elite' university, you got progressively more impressive cybersecurity certificates and certifications, and you work hard at keeping up with the latest cybersecurity trends. Not good enough. In organizational analysis, when initiatives or campaigns roll out we see three levels of reaction. There is resistance, which sounds like "We've seen this before [eyeroll], just get through it and they'll move on to the next bright shiny object." As a leader you cannot get caught in active resistance because at that moment your leadership career is done. One of the burdens of leadership is that you don't get to resist anymore. It's another reason they pay you the big bucks. You can do your own calculus on the cost of that versus your soul's value. Then there is compliance, which can be summarized in four words: mandatory annual cybersecurity training. Just remember, while you can comply as a leader ...

Keep Up, But Don't Get Ahead

When I became a parent for the first time, I was alternately desperate for sage advice and thoroughly fed up with getting unhelpful advice. I even got a piece of advice that turned out to be both sage and unhelpful: "you can parent too much or you can parent too little." Technologists all start out eager to learn something new--and we do. We often master whatever technology we happen upon first. Few of us make a carefully weighed decision about what technology is our first love. Sadly, many more recent technologists never fell in love at all: they did make a conscious decision to pursue a particular technology in search of easier paths to employment. However we came to the field, some of us retain a zest for learning new technologies. Others of us become grumpy old technologists, trying to avoid novelty. Very few of us retain just the right amount of interest in the new while maintaining proficiency in the old. It seems that if you are a technologist, you can either be overly i...

If You're Going To Be A Leader, You Must Manage Your Career Strategically

Let's talk about you. When other IT or cybersecurity professionals talk about you behind your back, would they describe you as a cuddly lap dog or as a snarling guard dog? (Yes, you only have two options. And no, the dog you think you are does not matter.) Not everyone should be a leader -- just like not all dogs are good watchdogs. Our advice is simple: if you're going to be a leader, particularly a leader in cybersecurity, you must manage your career strategically. What that means is that you are always intentionally building your peer network, making connections (in real life, not on social media), and being helpful. You don't need to be everyone's friend but you need to be supportive and act like a resource. What's in it for you? Our HR guru, JP Elliott, puts it this way: "But the real benefit is confidence. When you're connected to a community of HR professionals, you stop feeling like you're solving problems alone. You gain perspective on ...

Cybersecurity As The Portal To Business Value

As an investor, your first (and second...) contact with a new acquisition is not about cybersecurity. But cybersecurity, particularly using a "red-team" approach, is the function that delivers value in every organization. How are you leveraging it when you evaluate possible investments? As our PE friend Matt Wilhelmi says, "The difference between diagnostics and delivered outcomes often comes down to clarity, focus, and leadership follow-through." Your client's or portco's (portfolio company's) cybersecurity function should anticipate the diagnostics that deliver value. The best cybersecurity functions are not gate-keepers, they are business partners. That may sound obvious or maybe even counterintuitive. But our review of the cybersecurity landscape shows it to be true always and everywhere. When we see that functional positioning, it means staff know what the organization's strategy is, know what markets they're in, and provide cybersecurity as...

Disruption Is Your Tool

There's a reason they call some technologies, but not all of them, disruptive. A disruptive technology "Changes the way society behaves, thinks, or interacts." Sometimes the technology is as 'low tech' as the Erie Canal, which transformed the United States by creating new markets for importers and exporters, shuttering farms in Europe, opening doors for immigrants, and creating social mobility on a previously unseen scale. Sometimes it's something as routine as plastics. Next it will be quantum computing. A constant in disruption is people adapting the new technology into their lives for their own purposes. Good current examples include artificial intelligence (AI), internet of things (IoT), cloud-based computing, and maybe blockchain. In each case there is a strong need for cybersecurity that anticipates, adapts, and enables people using tech. And that's the problem. People are always capable of disrupting the technology as much as the...

Technologist Management: Rock v. Hard Place

The other day I had a conversation about management. A key question was, is leadership one of those things that once you're a leader in one area you could lead (basically) any organizational function? Who leads is the most important determinant of an organization's success. Not everyone should be a leader, and not everyone wants to be a leader. What those three statements say about the nature of management and leading is critical, especially for a technical function such as cybersecurity. First, leaders need to be technically credible. Maybe it's 50% of the job, maybe less. Regardless, your technical people are not going to buy into what they are asked to do if the boss doesn't understand what the team does for the organization. A lot of organizations stop at that point and decide that the best technologist/coder/etc. would do just fine as a leader. Bad idea. What about that part of the job that is not technical? You have some cold realities as a manager of a techni...

Technical Incredibility

At Pythia Cyber we understand that cybersecurity is a matter of technology and practice. In other words, you need to have the right technology to shield you, but that is not enough: you need to avoid the wrong user behavior. As we like to say, eventually bad behavior beats good technology. This means that good cybersecurity requires good leadership. Good leaders are not easy to find, but you can find them if you try, especially if you are willing to help people grow into leadership positions. But alas! Cybersecurity is unlike most other domains: you do not need to be a domain expert, but you must be credible to domain experts. We understand that, in theory, some people are such great leaders that they could "lead anyone in anything," but we are not at all sanguine about this idea being applied to cybersecurity. The reason for our lack of faith is this: the people you lead must believe that you can lead them. Even if you could lead them, if they do not believe that you can lead them ...

Should You Be A Leader? Reflections On The Series And Why The Right Answer For You May be "No."

We've had a series on our blog about whether you should be a leader. This post offers some reflections on that series, as well as a consideration of whether the answer should be "no." This is not an easy question. As a highly technically trained person and a successful project lead, you know the field. You are likely to be motivated by its challenges. Going into leadership means more money. It means prestige. It means helping to shape the course of your organization. It also means you will spend about 80% of your time on people issues. You will spend maybe 5% on budget issues. Then there's the 5% to 10% on office politics. Along the way there's the 5% on the geeky nerdy cyber stuff. Correct: going into leadership means much longer hours, because organizations pay you for your time in one way or another. We offered some self-reflection considerations by our friend Tomas. Lest you think otherwise, Tomas has worked with leaders around the world at all levels. You mig...

Should You Be A Leader? Part 2 Of 2.

👀🤔 Part 2. This is part 2 of our series, "Should you be a leader?" The decision you need to make about whether to move into leadership is critical in your career. Tomas Chamorro-Premuzic, world-famous business psychologist, former CEO, author, and raconteur, tells us that this is not a decision to be made lightly (emphasis added): Of course, it would be disingenuous not to acknowledge the elephant in the boardroom: Plenty of people ascend to leadership not because they are especially talented, but because they lucked into the right family, the right network, or the right school tie. Nepotism, privilege, and elite membership still grease the wheels of many leadership careers. I’ve left these off the checklist for the simple reason that not everything that is should be. Just because these forces still work doesn’t mean we should celebrate them, let alone confuse them with actual leadership potential. He offers ten questions for reflection. We will review them and add commen...

Should You Be A Leader? Part 1 Of 2.

Our friend Tomas Chamorro-Premuzic is out in Fast Company with a new piece asking you to think about managing your career. Topic: should you be a leader? A lot of people go into a leadership role because it was their turn, or they are the best individual contributor, or they were the best project team lead last quarter -- something like that. Maybe they are the boss' niece or nephew, or went to the same 'elite' university. These suboptimal approaches to selecting leaders happen because most organizations are reluctant to measure leadership directly or because the CEO wants the nephew/niece in that role. (Pause: if you are responsible for assessing and selecting leaders, there are sciences for that which we at Pythia Cyber can help you manage.) The decision you need to make about whether to move into leadership is so important that we will have two posts about it. Part 1. Let's do some self-reflection. Quoting Tomas at length: The real problem is not the enthusiasm f...

Making Good Business Decisions Is Hard. Getting Better At Making Them Is Necessary.

Leadership requires good decision-making. As an experienced, well-trained, and (of course) thoughtful technologist, you probably believe that you have the answer. And even better, you know the questions which of course are consistent with the answers you have. Some decisions are easy because there are policies, guidelines, scoring rubrics, etc. and as long as the decision to be made fits within the parameters you have at your disposal, cool. As a cybersecurity leader you also have a team -- most of whom you probably hired -- you can get input from, and you have peer leaders who can provide perspective. Easy, right? As we constantly say here, you get hired for your skills and fired for your personality. When you were hired into this job, you were considered the best possible candidate. There was a process that you aced -- credentials/certificates, degree(s) from the right 'elite' university, enough experience, recommendations. Maybe there was even a test battery that you did wel...

Welcome To Your New Cyberskills: Reorganizing And Reorganizations

We get it: all that organizational stuff is "soft skills" and you, cyber wiz, mastered "hard skills." Sure. OK chief, time to meet your new cyberskillset: leading and managing the cybersecurity function during reorganization. Organizations reorganize when their markets or customers change. Re-orgs are not "cybersecurity friendly" in some subtle ways that you should anticipate. First, typically the reorganization is reactive, which is (or should be) contrary to how you run a cybersecurity function. External forces led to a need for the organization to change its internal structure in order to create greater speed to market, care for customers, etc. You built a system around products or markets or users that are now changing. New users will be in a position to use the systems, maybe in ways they are not clear about. People take time to get to know new systems. That's a vulnerability. Second, a reorganization means there is new leadership that you need t...

How Serious Are You About Building And Maintaining A High-Functioning Cybersecurity Team?

Be honest: how much does it matter to you that you have a high-functioning cybersecurity team? Teamwork and leading a team are hard. You got promoted into this leadership job because you were judged to be the best candidate for the job. That means that on Day 1 of your new job, you were The Best Leader. Which day is it now? We've written several times about team leadership. Ultimately, even if you are the only cybersecurity professional in your organization (we've seen that), you are nevertheless on many teams -- peer leaders, team leaders, etc. If you lead a team of professionals, you have a lot of roles to fill: supervisor, manager of performance, decision-maker, etc. What if your cybersecurity team needed to be at the top of its game every day? This cool interview with the cool Dr Suzanne Bell gives you a sense for what it takes to build and maintain a high-functioning team. Dr Bell leads the Behavioral Health and Performance Laboratory at NASA’s Johnson Space Center. He...

You Should Not Be The 'True (Toxic) You' At Work -- Be The Better Cybersecurity Leader Instead

Most of us believe that we need to be 'true to ourselves,' that we need to bring 'our whole self to work,' and that 'putting on airs' is bad because it isn't 'how you really feel' and you like to 'keep it real.' Scare quote marks aside, ask yourself this: how much do you like working with that one over there who is a gossiper, or the one over there who stabs you in the back whenever possible, or this one sitting next to you who complains all the time? Don't get me started about the ones -- probably half the employees in the company -- who don't actually work, they are suck-ups or always "sick" or have to leave early before a big deadline for vague reasons. And then there are the people whose carpool leaves at 3pm. You know who I mean. Spoiler alert, they're bringing their "true selves" to work. As a cybersecurity leader, like all leaders, you probably put up with a variety of "personalities" on your ...

Is Your HR Résumé Screening Function A Cybersecurity Liability?

As a technologist, I imagine that you think your organization's HR function stinks. Or more likely you probably don't think of HR at all unless you need assistance or a benefits form or something. Bottom line: you probably don't see your HR function as a cybersecurity partner, and even more so you don't give any thought to your organization's recruitment process that uses AI as a résumé screen. Buckle up. Is that résumé that came through your portal and sits in your repository merely a résumé? Or is it a potential cyberattack vector? Put another (paranoid) way, how much of an attack vector is that résumé? We've written before about cybersecurity threats posed by AI including patch attacks, model attacks, and data poisoning. We discussed how your AI cybersecurity vendor needs to account for this type of attack. Ask yourself this: why should your organization's HR department using an AI screener be any different? Here is a piece in today's...

The Bird's Eye View

At Pythia Cyber we focus on leadership in the technology sphere. This means that we concern ourselves with the intersection of technical expertise and leadership skills. You don't have to be a technology wizard to be a leader of a technology group, but you do have to be technologically credible. However you do have to be a great leader in order to be a great leader of technologists. What about the big chair? Well, you can get into the big chair a number of ways which boil down to either working your way up the ladder or leading a succession of ever-larger entities. It is rarely the case that either path goes through IT, so we stress that a great leader of the technology group has to be able to manage up the chain as well as down the chain. In other words, a great leader of your technology function generally has to be good at managing the boss. Doesn't every senior manager have to be good at managing up? Yes, but for the chief tech the problem has the added wrinkle that the boss...

How To Help The CEO (And Yourself And Your Team) Figure This Stuff Out

Recently we read a fine blog post on AI by Vladimir Lukic entitled CEOs + Data: A Match Made for AI. He notes the following challenges for executives pivoting to an AI-integrated strategy: start with the goals of the business; be ruthless about integration decisions; understand the cost of getting it wrong. Along the way, Lukic notes that "Each integration choice carries tradeoffs in cost, speed, accuracy, and cybersecurity risk." Exactly. All integrations of AI into a business process, and then the integration of enabled processes into the organization's strategy, carry risks. First question for you: How are you preparing the executive team to understand and calibrate these risks? Before you say "Not my job" let me push back: it is your job as the leader of a technical function to do exactly that. Lukic continues (quoting at length): "I firmly believe that in the near future, more CEOs will have a foundational background in data. That doesn’t mean that CEOs...

"Relax the mandatory frequency for Cybersecurity training": End Of Civilization Or Only A Bad Idea?

There it is: in the very near future, the US Department of War (the department known previously as the US Department of Defense) will "Relax the mandatory frequency for Cybersecurity training." [deep breath] In the world of science, we test Hypothesis A versus the "null hypothesis" to determine empirically whether A and null differ to a degree that is more than we expect by chance alone, a.k.a. are A and null statistically significantly different. We have reported on at least two recent occasions that cybersecurity training doesn't work. That means that Hypothesis A, standard cybersecurity training will have a significant impact on individual behavior, is not noticeably different from the null hypothesis that there is no meaningful impact on individual behavior due to cybersecurity training. So, you'd think we'd be thrilled by the decision by DoW to "Relax the mandatory frequency for Cybersecurity training." [deep breath] No. Quoting myself...

Getting Better *Some* of the Time

One of the perks of living with a cybersecurity expert is that you benefit from the higher awareness of risk, or so I tell my wife. One of the drawbacks of living with a cybersecurity expert is that you have to listen to them whine about how unsafe every new technology is, or so my wife tells me. But today, dear reader, I come to praise a new development, not to disdain it. I just did the following:
Received an email making sure that I had received a new credit card.
Realized that I had not, which launched a rescue mission in my physical inbox.
Discovered the as-yet-unopened letter with the new card (the envelope looked like junk to me).
Opened the letter to confirm that it contained a new card.
Saw a QR code which would let me activate this new card.
Good news: these are convenient.
Bad news: these are pretty damn insecure.
Warning: don't scan QR codes unless you are highly sure of the source.
I read that the QR code would launch the credit card company's app on my phone. Given that I trusted t...