Showing posts from November, 2025

Litany Of The Hacked: November 2025 Wrap-Up

Did your November cybersecurity process pile up like a mulch stack? We started a series named the litany of the hacked. It's a monthly list of entities that have been successfully hacked. The point of these litany posts is to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. And so, the litany of the hacked, November 2025 edition. The litany now includes: US Congressional Budget Office...Manassas City, Virginia Public Schools...Logitech...Mobile Commons and OnSolve CodeRED (two text alert system providers)...Asus...Protie...SitusAMC (banking mortgage loan servicer)...Harvard University's Alumni Affairs and Development Office systems...Princeton University's alumni affairs and development systems...University of Pennsylvania's alumni affairs and development systems...Google's Antigravity platform...KFNC (Houston's ESPN radio station)... That's quite a vari...

Enjoy A Hack-Free Thanksgiving

We at Pythia Cyber are taking a break this Thanksgiving. Never fear, we'll return on 1 December 2025 with...The Litany Of The Hacked! Ask us how you can avoid mistaking the giant fruit bat for a Thanksgiving turkey...

Transforming Yourself: Finding The Career Signals In Your Labyrinth

Recently we came across this small labyrinth in Charlottesville, VA. It is an Eagle Scout project by Carys Smith of Boy Scout Troop 1029 that was completed in May 2023 -- congratulations, by the way! Most of the time we don't think of the difference between a labyrinth and a maze. This sign helps us get our bearings on the distinction, quoting in full: A labyrinth is not a maze. A maze is designed for you to lose your way, a labyrinth is designed for you to find your way. I couldn't find this quote on the Internet, so -- double congratulations, Carys! Our brief series on transformation and change management comes to this point: In your cybersecurity career, you may feel that you are in a maze. But it's not a maze because no one is trying to make you lose your way. It is a labyrinth where you need to reflect, reorient, and choose your next step, one step after another. Your cybersecurity career is a process of continually finding your way. Our former colleague Adam Dickson ...

Business Leaders Speak This Language -- Do You?

Speaking of managing a transformation: Our HR Guru JP Elliott is back again with language skill tips! Sometimes as a technologist you must wonder what your nontechnologist peers are talking about. After a while it becomes familiar enough that you can make out patterns and themes, but their business language skills are usually superior. JP has some suggestions, or directions, for you: Master these metrics and you'll be on the road to speaking their language: • Revenue Growth • Gross Margin • EBITDA • Free Cash Flow Sure, you say, right after I reconfigure this system! OK, maybe, but you need a guide. Here are JP's recommendations for learning to speak the language that your executives speak: Here's your roadmap to build financial acumen: 1. Find Your Finance Mentor 2. Read Your Company's 10-K (yes, actually read it) 3. Calculate True Operating Costs 4. Learn One Metric Monthly 5. Connect Everything to Business Impact He...

Feast or Famine in Change Management

This is the second of two related posts; the other one is here. In theory I am all for change management; in IT change is inevitable. In fact, to keep things the same you often have to change them constantly. In a field with so much flux built in, managing the change is essential. In practice I see two problems with how change management is implemented. In accordance with common practice I will keep my rants to one issue per post. This post is about the difficulty of avoiding ruts in Change Management. One rut is to say "every change goes through maximum change management" and the other rut is to say "change management is so painful that we will create an 'emergency change' or 'trivial change' pathway and use that pathway ALL THE TIME." (In this context, "overhead" means testing, validating, documenting and deploying.) In the previous post I examined how difficult it is to be sure that a given change is as small (in scope and therefore pres...

The Butterfly Effect & Change Management

This is the first of two posts on this topic. The second one is here. In theory I am all for change management; in IT change is inevitable. In fact, to keep things the same you often have to change them constantly. In a field with so much flux built in, managing the change is essential. In practice I see two problems with how change management is implemented. In accordance with common practice I will keep my rants to one issue per post. This post is about the difficulty of assessing the potential impact of any given change, and how that leads to poor change management decisions. In an ideal world rolling out changes is an exercise in risk analysis: for a small change there need only be a small amount of overhead, while a large change merits a large amount of overhead. (In this context, "overhead" means testing, validating, documenting and deploying.) Note that we are often a bit sloppy with our terminology here: is a small change small in scope (amount of stuff being changed, ...

Be The Transformation You Wish To See

When was the last time you were not only 100% satisfied with how things were, and not only wished they would stay that way because they were so perfect, but actually worked to keep those circumstances or things just as they were? Can't think of anything like that, can you? Nope. We've written about the speed with which cybersecurity skillsets change. We've written about coaching and the necessity of change. We've even written about how the cybersecurity threat environment changes so rapidly that it is never the same over time. Point is, your cybersecurity career is an active process of transformation. You need to manage the transformation actively. That means you are gaining insights, knowledge, and experience; you are growing your influence (let's hope); the threats you face are changing, which means the organization's perceptions of its risks are changing. Cybersecurity is about authorized access, and that access is an ongoing transformation of how users, ...

He Said/We Said: Cybersecurity Skills You Need In The AI Cybersecurity Workforce

We're promoting a blog post by Taimur Ijlal that caught our wandering eye entitled The 3 Cybersecurity Skills That Will Make You Irreplaceable in 2026. As Ijlal's post says, "Spoiler alert: none of these are technical." Maybe you notice a theme, a pattern, a series of dots: your cybersecurity skillset is a combination of computer science/engineering/systems knowledge -- education-based technical things you learn -- and skill in applying them in your team and organization -- exposure-based ways you apply what you learn. You should read the blog post for elaboration, but TL;DR here are the three skills: 1. AI Collaboration — Mastering Human + Machine Synergy 2. Human Judgment — The Skill AI Can’t Learn 3. Adaptive Learning — Staying Ahead of the Curve Excellent skills! Note how you start your job on Day 1 with Skill 1, AI Collaboration, locked in. If you're a successful technologist by Day 90 (etc.) it's because you mastered Skill 2. Only then, to be considered ...

What Exactly Did You Learn As A Computer Science Student?

Sure, you have a computer science degree from the right 'elite' university. Bravo. Interview question number 1: what exactly did you learn as a comp sci major? Interview question number 2: how will what you learned as a comp sci major help us achieve our cybersecurity goals? In a new essay in the NY Times (behind paywall) entitled You're a computer science major. Don't panic, two Carnegie Mellon University professors, Mary Shaw and Michael Hilton, discuss the potential impact of artificial intelligence (AI) on the career prospects of comp sci majors. Bad news: Carnegie Mellon has a lot of comp sci students and they are one of those right 'elite' universities. AI seems to be an existential threat. Good news: they're pretty smart over there and they have a thoughtful perspective on the subject that can help you as a cybersecurity leader looking to hire new team members. Shaw & Hilton note that while AI might seem like a problem, it presents an opp...

We Said/They Said: Leadership Debt In The Age Of AI

We like to promote blog posts from others (as long as they agree with us -- JUST KIDDING!) that amplify themes we bring to your attention. One such post is by Phil Fersht and Dana Daher at Horses for Sources, entitled "AI will never save bad leadership: Pay your leadership debt to put Humans at the Helm." You may notice a theme, a trend, a pattern -- call it what you will -- that not only do we focus on leadership behavior, but other people do also...because it will either wreck or enable your program. Yes, it is binary. And it's going to become starkly even more so with the upcoming integration of artificial intelligence (AI) systems with human teams. Let's review what Fersht & Daher say about AI integration into human teams: Fear isn’t the problem. Leadership avoidance is. Executives keep saying their people are afraid of AI. They are not wrong, but they are not right either. Fear in the workforce is not resistance; it is feedback. It signals that leaders have...

Maker vs Breaker

Have you seen any of the recent spate of articles on how easy it is to 'poison' a Large Language Model (LLM), also called a 'Predictive Artificial Intelligence'? Take this one for instance, from Anthropic. The title says it all: "A small number of samples can poison LLMs of any size." The once and future nerd in me yearns to expound at length on what it means to poison an LLM and why hacking LLMs is bad. But I gather that the former is beyond the scope of Pythia Cyber's outreach to business people and that the latter is, at some level, pretty obvious. So for the purposes of this post, I will just say that one poisons an LLM by hiding bad stuff in its input stream, which bad stuff is invisible to the human eye but very visible to the LLM's textual analysis. Or, to use Google's AI's rather bombastic wording, LLM poisoning is a malicious act of intentionally injecting corrupted, misleading, or harmful data into a Large Language Model's (...

How Words Become Deeds

Recently we've discussed how technology leaders absolutely cannot become absolutists, and how being a successful leader means you sometimes need to deceive (but not lie to) your team. Heavy stuff! Are we advocating for you to be untrustworthy? In fact we're actually advocating for exactly the opposite: you need to be trustworthy to be effective. How can you show that you're trustworthy? One of our favorite executive coaching gurus, Scott Eblin, put it succinctly: increase the time you take as a leader to make a decision. That's right: you are always better off as a leader not making an in-the-moment decision unless you must do so. You should exercise your intellectual capacity to assess and recall facts, make calculations, and make judgments. But, as a leader, when you say you will do something or that you endorse a course of action, it's a 'done deal' -- no going back now. When you increase the time you take to make a decision, you are demonstratin...

Thank You, Veterans! This Day Of Remembrance Is For You.

Thank you to all the uniformed service personnel whose efforts and sacrifices help ensure our collective security.

Doing Your Best As An Effective Leader Means Occasionally Deceiving Other People (Sorry!)

Quick: think of the best leader you ever had. [Take a moment to reflect...] What did that leader say or do that made that person the best leader you ever had? Chances are you didn't include "lying" in that reflection. Yet there it is. Our friend Tomas Chamorro-Premuzic is out again in Forbes discussing effective leadership. In this piece he discusses what "authentic leadership" is. TL;DR: "the best leaders are versatile and able to broaden their span in order to better adapt to new challenges and avoid becoming a more narrow, limited, or predictable version of themselves." Here is Tomas, quoted at length: Interestingly, a recent meta-analysis shows that effective leaders score significantly higher on impression management, the tendency to adjust and adapt one’s behavior to the specific demands of each situation - think of it as a sort of interpersonal flexibility or social chameleon. Furthermore, contrary to popular belief, the relationship between i...

The Best Clock Builders Tell People What Time It Is -- Do You?

One of the greatest business books of the 20th century, Built to Last by Jim Collins, had a memorable chapter about leadership as the distinction between telling people what time it was versus building clocks. Here is the concept directly from Collins' website: Leading as a charismatic visionary—a “genius with a thousand helpers”—is time telling; shaping a culture that can thrive far beyond any single leader is clock building. Searching for a single great idea on which to build success is time telling; building an organization that can generate many great ideas over a long period of time is clock building. Enduring greatness requires clock building. In cybersecurity, building clocks is about you creating a cybersecurity function that is effective now and will grow with the evolution of threats. You were hired on Day 1 of your cybersecurity role as a problem-solver. Here is what was going through the hiring committee's collective heads (trust me, I'm a psycho...

Cybersecurity For Business

By now you have at least read about, if not suffered through, the recent outages at Amazon Web Services (AWS) and Microsoft Azure. These are two of the Big Three providers of cloud computing, the other being Google Cloud. My colleagues assure me that most of you do not want to read a crisp diatribe on the source of the service outages; they tell me that most of you only want to know that these were both calamities having to do with systems administration and configuration. With great effort I will save the rant about DNS in specific and Network Administration in general for another time and place. But I won't resist the urge to revisit my favorite cybersecurity rant about how it is not a good idea to reduce cybersecurity to just defending computer systems against malicious attack. What else would "cybersecurity" be, you ask? To be all nerdy about it, we at Pythia Cyber define cybersecurity as policy and procedure aimed at maximizing authorized access of digital assets whi...

Vending Machine Cybersecurity

Most functional programs, including cybersecurity, have at least a little bit of "us v. them" going on. You know how this sounds, or at least you've seen the look (not on the faces of your team, of course): this job would be great if it weren't for the people we deal with. Because let's face it, the reason you have a functional program and you're not embedded or matrixed to other business units is that there is a gap between what you offer the organization and what the other business units do. Maybe you're even a "Center of Excellence." At the very least you have a team that focuses on specific technical skills, and there is -- apparently -- value in having your team be distinct from other business lines or units. Here's how that plays out from their perspective, not yours: Yeah those people in IT, why do they call them the quote Help Desk unquote? Have you ever tried to reach those guys on Monday morning? Hey, I know someone there who is w...

Technical Leaders Absolutely Cannot Be Absolutists

According to Google's AI, the phrase "see no evil, hear no evil, speak no evil" originates from Eastern philosophy, likely starting in ancient China with Confucian teachings and then brought to Japan, where the imagery of the Three Wise Monkeys was developed. The concept was popularized in Japan through a clever wordplay on the verbs for "see," "hear," and "speak," which sounded similar to the word for "monkey" (saru). The most famous visual depiction is a 17th-century carving at the Tōshō-gū shrine in Nikkō, Japan. Early on in my career a senior technologist I admired had a statuette on his desk of the Three Wise Monkeys, one covering its eyes, one its ears and one its mouth. "How odd," I thought to myself at the time. "How appropriate!" I think to myself now. Working with technical leaders, their direct reports and their peers brings this phrase to my mind almost weekly. And those adorable monkeys. Somet...

Litany Of The Hacked: October 2025 Round-Up

Welcome to the litany of the hacked, a monthly list of entities that have been successfully hacked. The point of these litany posts is to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. And so, the litany of the hacked, October 2025 edition. This month has been so busy, we'll call it "Hack-Tober": Asahi Group (beer distillers & distribution) ... Oracle e-Business Suite ... US Customs & Border Protection ... US Federal Emergency Management Agency ... Williams & Connolly (law firm) ... a variety of airport public announcement systems in the US and various countries ... UK Ministry of Defence ... PRC's National Time Service Centre ... Heywood Hospital and Athol Hospital (both in MA) ... local government service offices in Texas, Tennessee, and Indiana ... And, as a bonus, here are the hacks disclosed in October 2025 that had been ongoing prior to th...

Bonus Public Service Announcement: Maybe AI Is The Answer, But At Least Figure Out The Question First

This, shamelessly copied from Kevin Beaumont (https://doublepulsar.com/) -- nice! 😂