Posts

Showing posts from January, 2026

What Exactly Is Talent? Part 2, Cybersecurity Manager Talent

Boss man. Boss lady. Your cybersecurity manager is the lynchpin that makes your cyber-operations work.  We previously discussed cybersecurity technician talent, and now it's time for cybersecurity manager talents. Cybersecurity technician talent is the foundation for cybersecurity manager talent. Unfortunately, and we see this all the time, high-performing technicians are more likely to be promoted to manager. Promoting high-performing technicians to management makes sense in many ways, some good and some bad. It's critical for the cybersecurity manager to know cybersecurity. Also, and we all understand this, we're not going to promote people who are poor performers at a lower level.  This is the argument about minimum competence again. Sure, technician performance is a sign that the person is minimally competent, and yes that counts.  But there are too many differences in the demands on managers versus technicians for competence at a lower level to predict performance at...

What Exactly Is Talent? Part 1, Cybersecurity Technician Talent

  The nuts and bolts. The inside-out. Top to bottom. A to Z. The whole enchilada. Your cybersecurity technician may not come in knowing all these but this is the cybersecurity technician's domain. Cybersecurity technician talent is not dependent on where (or whether) that person went to college, or their MOS in the military, or the factoid that they held this job at a different organization. Sure, those are signs that the person is minimally competent, and yes that counts. But even recruiting at the 'right' elite college won't guarantee you more than that. Because other things count, also. And you/your recruiters are remiss if they don't take these other things into consideration. What counts beyond minimum competence is talent. We previously discussed the definition of talent offered by Conchie & Dalton: "A measurable, innate characteristic that a person demonstrates consistently in order to achieve high performance. Talents are strictly defined. A person...

Zero-Day Vulnerabilities

Ah, how little joy it brings me to regularly search for "cybersecurity news today" and then to read the AI summary. Today, that means this: As of late January 2026, critical cybersecurity developments include CISA adding a severe VMware vCenter flaw (CVE-2024-37079) to its exploited list, a surge in Chinese-linked cyber espionage using AI, and massive ransomware threats targeting critical infrastructure. Key focus areas include AI-driven attacks, browser security, and urgent patching for zero-day vulnerabilities. This is a good example of the current threat environment: A new exploit in some widely-used software (VMware in this case); AI-powered state-sponsored spying (the Chinese Communist Party in this case); Ransomware continuing to flourish, because it is profitable; Web browsers being targeted, because we use them so much and for so much; Urgent patching for zero-day vulnerabilities. All of this has become depressingly normal for cybersecurity professionals; so much so th...

Did You See That?

You might expect to see polar bears on your street during a winter mega-storm. And you might expect to see polar bears if you popped your periscope up in the Antarctic. What if you see polar bears somewhere else? Have you ever seen that before? Pattern recognition is an important part of professional work. A lot of stock market work is done using charting, which is a fancy way of saying "I've seen this before." The dirty secret is that anyone can chart stocks (etc.) using financial websites, thus "I've seen this before" starts to sound a lot like "I've been in this job for a long time." The question is, how does the person turn their experience into action? It is well-known that experience is not a reliable indicator of performance. Instead it is a reliable indicator of minimum competence, and sometimes that counts. But when you need an effective professional for your hedge fund or cybersecurity role, minimum competence is not enough. You need a...

What Is Your Cybersecurity Paradigm?

Recently the topic of "Zero Trust" as a cybersecurity paradigm came up. This is a simple-seeming question which requires some context because a simple definition isn't really going to help you much. Here is the simple definition: Zero Trust is a cybersecurity paradigm whose motto is "Never trust, always verify." This motto is snappy and short and clear at the high level. But once you try to imagine how you would implement this paradigm there are many questions, starting with "what's the practical definition of 'cybersecurity paradigm'?" Your cybersecurity paradigm is your fundamental approach to cybersecurity. It underlies everything you do to maximize authorized access to your cyber resources while minimizing unauthorized access. It is usually so deeply ingrained and so pervasive that you aren't even aware of it. The most common cybersecurity paradigm we see is The Perimeter Paradigm: you build a virtual castle around your cyber resources and the...

Try This 10-Minute Cybersecurity Management Talent Boost

'Tis the season to deal with respiratory illnesses, to adjust to that new 'better eating' regimen you took on as a New Year's resolution -- and to increase your cybersecurity leadership talent. As anyone who starts an exercise or weight-training routine knows, you don't seek to start at your maximum capacity; that's what you build toward over time. In fact you will injure and embarrass yourself, not in that order, if you start out trying to max out your workout. Let's take that incremental mindset to improvement of your cybersecurity leadership talent. Our HR guru, JP Elliott, started the new year with a post on increasing your impact as an HR leader. (I get that he writes about HR and this is about cybersecurity, so scale as you see fit, but...) Here is JP: After more than 20 years in HR, I've noticed a pattern among the leaders who consistently rise and make the biggest impact. It's not their technical expertise. It's not their business acumen. It...

Resolve That Continuous Cybersecurity Improvement Is Your Only Option

It's late January. Here in the northern hemisphere it's cold even if days are getting longer. Time to check in: How's that New Year's resolution going? You resolved to be a better person, or something vague like that. Maybe you had a specific resolution involving working out more or eating better. How's that going? Let's compare that to your New Year's cybersecurity improvement resolution. You had one, right? The one that said "This year I will improve my cybersecurity expertise and performance"? We put a New Year's cybersecurity resolution out there for you in as few words as possible: help others reach their goals by helping engage them in our cybersecurity process. Well? Let's do some benchmarking. The government of Taiwan recently released a report on foreign cyberattacks on its infrastructure including energy, water, communications, etc. The top-line number is that these attacks have risen by 6% from 2024 to 2025, meaning that the average num...

Keeping Your Edge Should Not Keep You On Edge

Your behavioral cybersecurity skillset is a risk vector. You were hired based in large part on your competencies, which means exactly that on Day 1 you were the person with the greatest degree of competence in whatever was determined to be the job's skillset: financial analysis, AI risk mitigation, systems analysis. Over time, things started to happen both in terms of life events -- births, deaths, illnesses -- and business events -- emergent technology, business disruptions, your own development. These changes leave traces. Even if you can't see them, you've changed. Consider the three pictures in this post of the sculpture "Knife Edge" by Henry Moore. The top picture is the model from 1961, the middle picture is the model from 1976, and the bottom picture is from 2004. What do you see? Two significant differences are apparent. First, the initial framework for the sculpture, and likely for your career, had a set of expectations, skillsets, and environments. The...

How -- And Why -- You Should Polish Your Apple To Reflect Your Cybersecurity Leadership Talent

Apples may be both the most revered and feared fruit in human history. There was that nasty business in the Garden of Eden, of course ("Him by fraud I have seduced/From his Creator, and the more to increase/Your wonder, with an apple"; John Milton, Paradise Lost, Book VIII, lines 485-488). Apples are among the most beloved fruits in Eastern Europe. The fairy tale princess Snow White was poisoned by the Evil Queen in a fit of envy through biting into an apple. One of the most valuable companies in the world, Apple, was early on sued by Apple Records over its logo. You'd think we'd all be wary of apples. Oh no. In fact we engage in apple-polishing, as the phrase turns, to gain the favor of those above us in our hierarchies. And it keeps on working. All of us as employees at some point need to resolve this issue: stay in the technical/individual contributor field we started in, or go into management. The next steps, moving into mid-level leadership and then executive...

A Foundation of Trust Is Built on Proof

As the Bible-inspired old saw goes, it is a foolish man who builds his house on a foundation of sand. Assume that he has a choice, of course. Google's AI, ever helpful and knowing that I am interested in cybersecurity topics, sent me a link recently with this rather ominous opening paragraph: In early 2026, cybersecurity leaders are grappling with a critical disconnect between the frequency of third-party security incidents and their internal capacity to manage them. According to a comprehensive 2026 survey of 200 US-based CISOs, while 60% of organizations reported an increase in third-party breaches, a staggering 85% admitted they lack full visibility into their software supply chain risks. [source] This is a fancy way of saying that we all take on the cybersecurity vulnerabilities of our business partners and suppliers, at least to some degree. The "lack full visibility into their software supply chain risks" is a bit dramatic: of course we do. It is not realistic to expe...

Verizon Outage Jan-14-2026 Is A Reminder

On Wednesday, January 14, 2026 a major US mobile phone service experienced outages. This is as good a reason as any to remind everyone that the Respond and Recover parts of your NIST CSF-compliant policies and procedures work just as well in the aftermath of outages caused by human error and disaster as they do against cyber attack. So use them. Of course you have plans to respond to loss of a service such as mobile phone service; why wouldn't you? Even if your plan is to shrug because you either don't depend on mobile phone service or because you have a readily available alternative. In my office we shrugged, mostly because we default to making Wi-Fi-based mobile calls and that never stopped working. In fact, we did not even know that there was a problem until someone who was out of the office sent me a text to complain. Were we just lucky, or were we well-prepared? The latter, of course: we embraced Wi-Fi-based calling a while ago in part because of the redundancy. As it happens, te...

The Never-Ending Story

As a cybersecurity practitioner, I have very specific responsibilities as part of protecting particular systems. But as a domain expert for Pythia Cyber, I cast a wider cybersecurity net. As part of my Pythia Cyber duties I try to keep an eye on cybersecurity trends and advancements (and setbacks). There are sites dedicated to the nitty-gritty, but their content is not very accessible to the layperson. So every now and then I search the Web for "cybersecurity news" and then I try to characterize what I find as the top stories. This week what caught my eye was a story that made me wince, then made me grudgingly acknowledge some evil ingenuity and finally made me write this piece about the relentlessness of the cybersecurity onslaught. The story was about a new spear-phishing attack by a well-known state-sponsored hacker. Since this story was on a site written by and for cybersecurity programmers, the larger story was about the evolution of this hacker's tool kit and therefore ...

Talent Rules

"I'll know it when I see it." How often have you said that about your area of expertise or your One True Love? When we conduct strategic workforce analysis or we examine business processes, how often do the discussions around employees center on qualifications, skill sets, strategic business decisions, or 'hire-to-retire' cycles? That's right, nearly all the time. But when we think of people who do the work -- make the latte, create the stage effects, sell the penthouse apartment, close the deal, win the race, sew up that hole in your child's heart, land the fighter jet on an aircraft carrier, or come on be honest -- you -- we talk about talent. Talent rules. Competency models are good for outlining minimum acceptable behavior. Ironically they were originally developed at the US Office of Personnel Management in the 1990s to describe sets of knowledge, skills, and abilities that reflected outstanding performance, but along the way they too have been degrad...

Recruiting at 'Elite' Colleges Won't Improve Your Cybersecurity, But This Will

There they go again. According to The Wall Street Journal last week, recruiters are going back to recruiting at 'elite' colleges. And of course not just 'elite' colleges but, you know, the right 'elite' colleges. Here is how bad this has become (original behind paywall): "The hiring trend for new graduates resembles recruiting practices before the pandemic and the tight labor market of 2018 and 2019...Most [firms] now only recruit at up to 30 American colleges out of about 4,000, starting with top-ranked schools and then looking at local universities...If you fall outside of those two categories? 'God help you,' [the recruiter] added." "God help you"? Wow. Why not recruit this way for cybersecurity? Because entry-level cybersecurity technicians all must have the same qualifications, so candidates from the right 'elite' colleges have the same qualifications as those from the not-right-elite colleges and so on. (Note: we...

The Value Of What You Do

Several pieces in last week's The Wall Street Journal touched on the business of cybersecurity. A significant theme was that cybersecurity personnel (undefined) need to "show their worth" in the new year to maintain their jobs, their programs, etc. We talk a lot here about exactly this: you must be able to translate your cybersecurity work to the language of business. That is why cybersecurity is a line of business much like manufacturing, sales, etc.: all lines of business have a profit and loss calculus. If you don't know what that is for your cybersecurity team then your job is at risk, and so maybe is your entire function.  Think of it this way. The organization needs cybersecurity. It's a function that could be outsourced at a known rate and leadership knows what it's buying, you not included. That means you need to answer two questions.  First, the language of business is what your net profit and functional contributions are to the business. So, what a...

The Right Raga

Definitions from Oxford Languages: ra·ga /ˈräɡə/, noun (plural: ragas; also rag, plural rags): (in Indian music) a pattern of notes having characteristic intervals, rhythms, and embellishments, used as a basis for improvisation; a piece using a particular raga.

There's An "I" In "Win" But You're Not Michael Jordan So You Need To Be A Team Player

One story about the basketball great Michael Jordan went like this. After a tight game where Jordan led the team to a come-from-behind victory, a reporter said to Jordan that "There's no 'I' in TEAM." To which Jordan responded, "No, but there's an 'I' in WIN." All work happens in a social environment: submarines, basketball, farming, executive leadership, and especially cybersecurity. You must be able to be an effective team contributor as a cybersecurity technician; and if you're a leader at any level, you must be able to build and maintain a team. Research says you're bad at both. Our friend Gordy Curphy over at LinkedIn has provided a year-beginning summary of the state of teamwork. It's grim. Gordy is the world's premier expert on the behavioral science of team dynamics. While there are some excellent behavioral researchers in the team arena, Curphy is a psychologist who has assessed thousands of teams to derive his f...

What's Your New Year's Cybersecurity Resolution?

A significant new year's fitness resolution for many people is, "I'm going to lift weights!" This poses a problem for gyms because a lot of new paying customers flood the weight floor looking to, you know, get buff by lifting weights. Which annoys the living heck out of previous paying customer gym rats who have been lifting all along. Because while the weightlifting community is good, it has a hierarchy. And nobody likes noobs who don't know what they're doing, take up time using the equipment while figuring it out, do it wrong, need help, etc. Sounds a lot like cybersecurity. The three key words for cybersecurity in 2026 (we've written about them here and here) are secure, thwart, and defend. Think about these as you consider how you will deal with the noobs. While it is not your new year's resolution to be cybersecure -- it's your job and your passion -- you can turn your new three-word mindset to dealing with people who are new to your sys...

The Three Most Important Words In Cybersecurity And AI, 2026

Three words have changed cybersecurity for 2026: Secure, Thwart, Defend. These are the new terms proposed by the NIST CSF for AI (first reported by Brendan). While still in a 45-day public comment period (i.e. in draft form through about 31 January 2026), this framework or something close to it reflects the cybersecurity community's collective belief about what it takes to be successful. In summary (quoting at length): The Cyber AI Profile centers on three focus areas: Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure; Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations; Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats. "The three focus areas reflect the fact that AI is entering organizations' awareness in different ways," Cuthill said. "B...

Be A Leader, Not A Boss

Here at Pythia Cyber we focus on what makes a good leader of technologists because that is a necessary (but not sufficient!) requirement for being a good cybersecurity chief. We have talked about being technically credible and about being open to change without blindly chasing every new thing. Today we are on a different topic: the difference between being a leader and being a boss. Recently I had an unpleasant reminder of the difference between bossing and leading. A colleague veered wildly out of the Leadership Lane and into Boss Alley. Why? Because they could. How? They got upset and then let their emotions take the wheel. Their position in the C Suite meant that they could get away with this bad behavior and that was apparently good enough for them. When they calmed down, they calmly informed us that this was how they handle stress. So I guess we all have to just accept this behavior because they're the boss. What is the difference between bosses and leaders? You follow leade...