We were planning on being done posting for the year, but this trigger was timely and so just one more post for 2025. At Pythia Cyber we use the NIST CSF because cybersecurity is too important not to use a proven methodology and this proven methodology seems the most flexible of the commonly-accepted one. (Want more detail? Start here .) Because we use the NIST CSF we have been kept to the general when we talk about how to use AI in your cybersecurity risk management process, since the CSF had not yet been formally extended in this way. But a few days ago, that changed. NIST has done their usual thorough and reasonable job in doing just that: formally extending the CSF to address Artificial Intelligence by publishing their Draft NIST Guidelines Rethink Cybersecurity for the AI Era . We certainly encourage you to read both the blurb about the draft (linked to above) and the draft itself (linked to in the blurb). To whet your appetite, here is a sample: The Cyber AI Profile centers on thr...

In terms of behavioral cybersecurity, we focused a lot on leadership because good leadership is required for any organization to be successful. In cybersecurity, the range of attack vectors and the speed of technology transformation puts a premium on better leadership. What is its core? Our former colleague, Bernadine Karunaratne , had this to say recently over on LinkedIn: Leadership is collective. Impact is shared. And culture is built—one team at a time. In the new year you will have new and more challenges -- AI, pressure to show value, compliance, new threat surfaces, etc. It's not going to let up. Listen to Bernadine: Leadership is collective. Impact is shared. And culture is built -- one team at a time. That's your best mantra as a leader going into the new year. Work through your team and make the win, and then take it. That wraps up our blog post series for now. Enjoy the holiday season and here's to a better new year. See you in early January with the next Litany ...

" In bots vs. hackers, AI is close to winning ." Thus declares a headline in a recent The Wall Street Journal front-page article (behind paywall). Bonus aggravation: that's the title on the physical paper version of the story, and if you read it online the title is "AI hackers are coming dangerously close to beating humans." Fear, danger, defeat. Denial, anger, bargaining, depression, acceptance. Or, as the crawler to start The Empire Strikes Back , put it: " It is a dark time for the Rebellion ." Ready to give up yet? Have you laid out cookies and milk for our robot overlords? Let's actually read the story. Two computer engineers at Stanford university created an AI model, named Artemis, designed to assess cybersecurity vulnerabilities. Then they let the AI model 'attack' Stanford's College of Engineering servers. They found that the servers were vulnerable. The story continues: "Stanford's network hadn't been hacked by a...

Here at Pythia Cyber we do go on about two things that most of our competitors ignore: How leading a technical group differs from leading other groups How cybersecurity has a huge behavioral component These areas of focus are the result of years of experience, some of it bitter. Experience can be a terrific school, but the tuition is high and the teachers are mean. This post is about Thing 1: specifically why we say that leaders of technical groups don't have to be great technologists themselves, but they do have to have technical credibility. We define technical credibility as the ability to comprehend basic technology issues AND to display that ability to your troops. One of the ways in which technical credibility is crucial is as a tool when it comes time to play referee. All too often leading a technical group requires that you referee disputes about technology deployment or development. All too often these disputes are between Goofus and Gallant , ie between someone who is pro...

Recently we posted about what, broadly speaking,  AI can do to hurt you . This is the second of two posts getting a little more specific. This post is about AI-powered network vulnerability detection. Here is a link to the first post  that gets specific. Networks are no longer solely devoted to being a data transport layer: these days, networks have to balance functionality with security. This means that large part of what networks are designed to do is prevent unauthorized access. How do you confirm that your network is secure? Well, ahem, the best way is to attack your network. What to know how good your lock is? Ask an expert lock picker to pick it. Not very elegant is it? But there is really no other way. No one is interested in the theoretical protection a lock provides: we only care about what actual protection a lock provides. It is the same with engineering. Mechanical engineers determine the safe load for a component by subjecting that component to stress until that c...

Recently we posted about what, broadly speaking, AI can do to hurt you . This is the first of two posts getting a little more specific;  This post is about AI-powered spear phishing. Here is a link to the second post  that gets specific. When I first encountered email in late 1980, it was a text-only affair. A simple transfer protocol (which quickly became...more complicated), a simple text file format (which quickly became...more complicated) and a simple app to view or create simple messages (which slowly became so complicated as to terrify the meek and appall the brave). Way back Unix types had the mighty talk app which split the screen and  allowed us to type messages on our dumb ASCII terminals and have the responses displayed on the other half of the screen--in real time! It was miraculous. But it required coordination: you both had to be logged in at the same time, And back then users usually were logged in to get work done, not to chat, so this was terrific occas...

A very useful, if overused, software design concept is "Keep It Simple, Stupid" or KISS. As is probably obvious, the idea is to avoid complexity where possible. This idea is necessary because it is so very tempting to solve very aspect of a problem individually, ending up with a solution that is as large as it possibly can be. The more lines of code you have, the more opportunities for bugs and inefficiencies and conflicts, all of which are things you don't want. However, features are external and visible to the peole who pay you while poor structure is internal, only visible indirectly as when software is too slow or takes too long to modify, or tends to blow up. This means that external features tend to carry more weight than internal elegant simplicity. That means that software can end up too complicated and bloated. Which leads to managers having posters, t-shirts, mugs and knickknacks with K.I.S.S emblazoned on them. In that spirit, Pythia Cyber has our own pithy bum...

One distinct aspect of technological leadership, especially cybersecurity leadership, is the requirement of transparency. In order to do your job as a member of the management team you have to keep informing your peers of every significant screw up and every exploited oversight and every exploited vulnerability of every product that gets exploited, so sometimes other people's mistakes as well. If you are thin-skinned in this regard you are going to struggle to succeed as a cybersecurity leader. If you are uncomfortable telling people about mistakes or oversights, then this job is not for you. If you hate taking responsibility for other people's mistakes, than this job is really not for you. Isn't every senior management position like this? Yes and no. Yes, in that taking responsibility for mistakes and being transparent is a big part of just about any senior position. No, in that most other jobs don't have armies of people dedicated to breaking your hard work and don...

Lately we've been discussing a new question: What's the shape of your career? Most people think of the shape of their career being something like a fused set of triangles, much like this: The blue part is what you do as an individual contributor. The yellow part is what you do as a leader. Duration of career is along the X-axis. This is reasonable as far as it goes: we all start as a 'doer', even if you start somewhere new as a leader. Our conversations are swinging around to thinking of your career as having more of the shape of an amphora, as shown in the lead photo (all pictures of amphorae from Wikimedia Commons, blue/yellow rectangle drawn by Gemini).  An amphora is very narrow at the bottom, then broadens out, then and only then becomes narrow. Think of a cybersecurity career: starts with skills, then moves to project and program and team leadership, then maybe a few people become higher-/enterprise-level leaders. Here is what that looks like relative to a career:...

Our friend Tomas Chamorro-Premuzic is back at it: over-use v. under-use of leadership talents .  But this time he challenges his audience to find the balance, warning that neither pole is good. For example, if you woke me up at 3am and asked whether being un-self-aware was bad, I'd say, sure: bad. But if you woke me up at 3am and asked whether being un-self-aware was sometimes good, I'd say...well...as Tomas says: "In other words, even the qualities we most admire become dysfunctional when taken too far, and even the traits we distrust can be valuable in moderation. Human behavior functions the same way: Most psychological strengths aren’t inherently good or bad; they’re dose-dependent." At this point you're either annoyed that psychologists can't get this answer down to good or bad, or you're thinking you know better.  Wrong & wrong. Tomas notes this: self-awareness predicts higher job performance, enhances leadership performance, and increases the qu...

Very recently Brendan put up two posts about AI and cybersecurity. This part caught our wandering eye: You can't ignore the fact that AI will make cyber attacks either better or more frequent or both. You can't run around like a headless chicken either. You can review your Cybersecurity Risk Profile and update it with an eye to what AI will make worse. Ideally, you already have such a profile and merely need to adjust it. If not, starting with what AI might do does not make sense. Start with what is already happening, how you are responding and then figure out what adjustments you will make and why. The good news is AI isn't magic and your response isn't panic. The bad news is that things are going to get a bit worse before they get better. It's time to have the talk with your senior leaders. You know this is coming: the talk about AI and cybersecurity. It will feel awkward. It will be like sign language in a language you don't speak. You're an expert tech...

In a previous post we looked at how much Pythia Cyber recommends that you trust AI to help you. In this post, we look at how much Pythia Cyber thinks you should be worried that AI will hurt you. It is tempting to shrug off the threat of AI-powered cyber attacks because that threat seems overblown. Certainly that threat is over exposed: it seems to get more coverage in the media and social media that it could possibly deserve. It is also tempting to let the threat of AI-powered cyber attacks derail your short-term plans and rewrite your priorities. Neither of these extreme reactions is appropriate. At the risk of repeating ourselves, Cybersecurity should be a form of Risk Management. This means following the usual methodology: determine what might happen, assess how painful any of these eventualities would be, assess how likely these eventualities would be and based on your best guess about likelihood and severity, allocate your limit resources for maximum effectiveness within your bud...

We are often asked at Pythia Cyber a simple-seeming question: how do you guys feel about AI? To which we are forced to give a legalistic answer: that depends on what you are actually asking. We can't give you a simple answer because this is a simplistic question, not a simple one. A simple question is clear, even if the answer isn't. "Do you believe in God?" is a simple question even if it generally has a complex answer. A simplistic question is clear only if you ignore inherent and inescapable complications. "Do you trust Artificial Intelligence" is not a simple question because in order to answer it, we have to ask you a number of questions first. (This post is about how much you should trust AI to help you; there is another post about how much you should fear AI will hurt you.) What Do You Mean by "AI"? Do you mean generative AI, which seem magical but essentially predict the next word or phrase as they go along? Chat bots are a common example...

Recently we were alerted by our friend Barry Conchie about a new paper he is in love with. It's a paper by Gilles Gigna c, a Professor at the University of Western Australia, entitled The number of exceptional people: Fewer than 85 per 1 million across key traits . Professor Gignac's modeling shows the following (quoted at length): Cognitive biases can lead to overestimating the expected prevalence of exceptional multi-talented candidates, leading to potential dissatisfaction in recruitment contexts. This study aims to accurately estimate the odds of finding individuals who excel across multiple correlated dimensions. According to the literature, the three key individual differences variables are intelligence, conscientiousness, and emotional stability. Consequently, data were simulated using a multivariate normal distribution (N = 20 million), where the three variables were standardized (mean of 0 and SD of 1). The correlations were specified as: intelligence with conscientio...

Here is some basic 'business 101' stuff: Organizational business units cost money and at the same time so something of value for the organization. Business units stay in operation when they create more value for the organization than it costs to run the business unit. Outputs beyond costs are profit, while expenses beyond output are losses. All business unit leaders should know their function's profit and loss, or P&L (sometimes it's written PnL). Any organization's cybersecurity function is a business unit. It has a P&L. Put differently, it must have a P&L.  What's your cybersecurity P&L?  Almost certainly the nontechnical executive leaders in your organization know what it costs to run your cybersecurity function. That's (financial) "loss." Do they know whether it has a profit?  We've mentioned before, even recently , the need for cybersecurity leaders to develop business concepts and adapt business jargon to describe what th...