Posts

Showing posts from February, 2026

Bonus Public Service Announcement: This Time It's Real

With today's military events in the Middle East, cyberspace is going to be heating up for the foreseeable future. Here is a blog post from Cynthia Kaiser at LinkedIn and a link to Halcyon's blog. Ask us how you can keep your people motivated. (image credit: BogTar201213, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)

CISO: Do The People On Your Team Trust You As A Leader?

People should trust you, right? I mean, you're trustworthy, aren't you? Sometimes leading is like magic. Magic acts are about misdirection of attention. Get people focused on one thing, which is key to trust, then pull off a trick they weren't expecting -- magic! Military leaders know this well: it's "the suck," as in, the troops are all maneuvering in the mud and it sucks but the key to leading wet muddy troops is to direct their attention to being in it together -- and presto, the effect is like magic! You can't be a magician without being trustworthy. If people didn't believe you they wouldn't put their attention in your hands. If wet muddy troops didn't feel you were all in it together they would focus on themselves. What's your CISO magic trick? How do you capture the attention of your team so that they are willing to follow along because what you do seems like magic? My friend Steve Hunt thinks a lot about leadership. Over on his Subs...

Pruning and Cybersecurity

As I sit at my desk and type this, I can see an old server that I need to retire. It will be a pain because the golden promise of moving configurations from old machines to new machines is mostly a lie. I will have to recreate the services that have worked so well for so long. This will annoy the users, who are likely to see changes and feel inconvenience without seeing or feeling any benefit. The benefit is the reduction of risk and that is a benefit so abstract that few people can appreciate it. Which is why so many cybersecurity vulnerabilities quietly sprout and grow in even well-run IT environments: over time your up-to-date, secure installations can become risky and then a potential liability and finally an exploited vulnerability. I know all this, but I am dreading this project. If the replacement goes perfectly, no one will notice anything other than a drop in my ability to do the things that people are currently expecting me to do. If the replacement does not go perfectly the ...

CISO: You Can Believe It's Out There

All selection situations, and the hunt for a new CISO is no different, involve believing in a perfect candidate. The One. Our New Superstar. The Key To Our Success. Truly Exceptional. Your CISO from that previous campaign was out there. You believed. You found that truly exceptional person. Remember when the previous incumbent was that person? May have been, what, a few years ago, right? Whatever happened to that person? We've written about this person many times before, such as here. Let's clear this up right now: at the time yes this person was The One on Day 1. That was a good call on the part of the hiring team. Let's dig deeper: speaking entirely dispassionately, that person was relatively the best candidate, compared to other candidates, and was willing to accept your job offer. That's raining on your parade as a hiring team but it's accurate. How have things changed since then? Recently The Wall Street Journal (behind paywall) wrote that "Record ...

CISO: High-Leverage Leadership Hiring Means Either Selecting For Talent Or Else Wasting Millions Of Dollars

Here's a safe bet: even though you know what your annual spend on vendor support is, and how much you spend on coffee machine pods, you don't know what it costs to back-fill one bad CISO hire. Let's define terms. The term CISO "refers to the most senior security leader accountable for an organization's information security strategy, program execution, and risk management" (2026 Global CISO Leadership Report). According to the same report, the level down from CISO in typical organizations is Deputy CISO or "NextGen," "[L]eaders who translate CISO strategy into operational execution, combining strategic alignment with hands-on program leadership. They typically manage teams of 5 to 50+ security professionals within their areas of specialization." About a third of CISOs report to CTOs or a comparable title, which means that about two-thirds report to some other nontechnical executive or the Board (which is also nontechnical). Right off as p...

Talent > Skills > Certifications

Pythia Cyber realizes that many a cybersecurity battle is won or lost long before the attack. Cybersecurity is about forethought, not reaction. But much as we love a good set of NIST CSF policies and procedures, we recognize that your cybersecurity program is only as good as the people who implement it. Therefore we offer consulting to help you find, hire and retain the right people. The right people are the people who will do the best job in your specific environment, both now and in the future. How do we do that? We use proprietary instruments to measure applicants' talents because when it comes to building and maintaining teams, Talent-based hiring is better than Skills-based hiring and both are better than Certification-based hiring. Why is that the case? Because of The Problem we all know about but so rarely talk about. The Problem for technology in general is that the pace of change is so great that relying on what someone did a while ago (for which they received certification) is not a g...

Bounce Back From The Hack

Eventually your system will be compromised beyond your capacity to deal with it. What you do from a systems perspective is part of your growth curve. So is your emotional and behavioral path. As a cybersecurity professional, you can feel over-invested in your defense processes and systems. A systems compromise can feel disorienting and hard to accept. Maybe you could have done something more; maybe they were better; maybe it was something so obvious! We saw a recent piece in the New York Times (behind paywall) on how Olympic athletes deal with disappointment that seemed to capture this sort of scenario. It's abstracted here because the lessons Olympians learn are hard-won and eminently transferrable to other elite performers such as cyber-defenders. 1. Learn resilience. "Just as psychologists have athletes visualize their wins, they also ask them to imagine all the things that could go wrong, and how they'll respond." 2. The power of purpose. "The best athletes se...

Bushan, Again: How To Make 'No-Regrets' Cybersecurity Moves In An Angry AI Environment

He's BAAACK! Bushan Sethi posted his talk from a presentation I attended last week in Las Vegas -- this picture might be from there, who knows. We've mentioned him before. Other than pictures of cats, Bushan seems to fill the Internet void. The goal of his presentation was to focus us on 'no-regrets moves' in the Time of AI. These recommendations are good for cybersecurity professionals too. I'm posting an extended quote -- his recommendations here, which are a lot less creepy than "move fast and break things": Think like an economist: Understand the macro and the micro - whether it's the impact of AI on labor markets or challenging assumptions included in business case investments - whether they be about adoption, data architecture or investments in compute capacity. Think like a scientist: Use data and evidence to test hypotheses about what works in AI adoption and human-AI collaboration. Run hackathons - push the organization to generate ideas. Be co...

Yet Another We Said/He Said: What Skills Do Your CISOs Need Now?

Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need. These will sound familiar to our blog readers! We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself. We're going to frame this in terms of the labyrinth. We've discussed that previously. It's not meant to be a mystery, but instead, a journey. Prelude: Why must CISOs learn new skills? "Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not. When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental." Part 1: What are these skills? As per Eric (& us & Rich Mironov): Skill #1: Business Risk ...

What Do Cybersecurity Leaders Want From AI?

All of us get distracted by the bright shiny object. It seems luminous and irresistible, shining out in the darkness, beckoning. Admit it: AI is your current bright shiny object. We keep an eye out for cybersecurity & AI material. Sometimes we run across posts that are excellent and we feel the need to create more community by bringing them to your attention. Here's one such post from LinkedIn by Val Tsenev. It deserves your time. I've boiled down his post to this question: What do CISOs want from AI? 1. Measurable risk reduction. What risks does the AI platform mitigate and how? 2. Explainability & auditability. As Val says, "Black-box AI is a liability, not an asset." 3. Integration into their existing workflows. It cannot stand alone. 4. Governance and human oversight. There is always a person somewhere on, in, atop, or something the loop. Val concludes: "CISOs aren't rejecting AI. They're rejecting AI that's irrelevant, unvalidated,...

Getting Cybersecurity Just Right

At Pythia Cyber we try to give behavior its rightful place in cybersecurity. Often we mean that what your organization's users do is a huge part of the vulnerability picture. Sometimes we mean that the way people react to situations is also a source of vulnerability. This time we mean how your organization models its relationship to your cybersecurity professionals. This is important because how we define our boundaries at work has a huge impact on people's expectations of themselves and others. Expectations are a big factor in our effectiveness. So much for the abstract stuff. Let's get concrete. There is a spectrum of relationships that goes from too little through too much, with a stop in the middle for just right. By "too little" I mean giving your cybersecurity people too little input into your decisions. By "too much" I mean letting your cybersecurity people make your decisions for you. By "just right" I mean working with your cybersecurity peop...

We Said/He Said: CISO Talent And Cybersecurity Leader Talent Are Not The Same

Recently we started following Dr Eric Cole on LinkedIn and on his Substack channel. His recent pieces are very good. One of his posts notes that metrics/numbers are good, but they don't answer the fundamental question Boards care about: are we secure? So why do we report things such as patch compliance rates, vulnerability counts, mean time to remediate, and tool coverage? Because they are metrics under our control and they're comfortable and easy to explain. Same in any field -- keep it simple, stupid. It's a metric, it's not magic. What Eric says next is, well, magic: "When boards ask oversimplified questions, they get oversimplified answers. Dashboards are built to reassure rather than challenge. Over time, this trains leadership to equate motion with protection." Let's not laugh too quickly at those dumb ol' Boards asking oversimplified questions though because where do they get the idea that metrics are security? That's right. They got t...

The Organization Of The Future Is Nearly Here -- What Does It Look Like?

Recently I attended a talk by Bhushan Sethi. You almost can't miss him (here, here, here, here, etc.) and last week it was my turn. Here is a thought question he tossed out. What will the future organization look like? Our normative model is the Pyramid of Khafre in Giza, pictured above. Classic -- lots of worker bees at the bottom, fewer in the middle, very few/one at the top. What about this next one? Here, most of us get to a point in the hierarchy and then...that's it. But some people -- the AI automation people? -- keep going and going. Or this: This is a "normal"-looking hierarchy but employees start in the middle, not at the bottom. You may not care per se but think of it this way. If AI takes mid-career cybersecurity jobs away, how will you adjust once that happens? Or, if entry-level jobs go away, how will entry-level -- formerly mid-level -- cyber-defenders learn their craft? What about those pesky risk vectors, a.k.a. nontechnical employees? It's a...

Moving From Manager To Executive: The Right Talents For The Right Challenge

I recently attended a fantastic workshop conducted in part by our friend, and my former grad school roommate, Bob Lewis. The focus of the workshop was building a talent-based process. One of the aspects he discussed is how not all talents 'work' the same at all levels. You need to gauge them relative to work role needs. This is especially important when moving from manager to executive leader. Many of us believe that if a little of something is a good thing, why then more must be better. In a talent context, this belief can run afoul of data. BEFORE we go further let's state for the record that more talent is, well, better. The question here is: are talents at lower levels good for performance at higher levels? Sort of like -- yeah I already did that so I must be good at it. Answer: in fact not only is that belief incorrect it can create counter-productive behavior. Bob's research using '360s' among managers showed that manager level matters. (More context!...

PESTLE

Among the oldest tools known to mankind are the mortar and pestle. To cheat a bit: the mortar is a heavy bowl (see above) while the pestle is a rod-shaped tool. They are used in tandem to crush elements -- seeds, berries, etc. -- to create pastes, aromas, etc. Managers rely upon a different tool to understand the contexts of their businesses: PESTLE. The acronym refers to a set of analyses of salient forces affecting your business: political, economic, social, technological, legal, environmental forces. Businesses do not function the same outside of their home country. Local cultures even outside of the main HQ office -- we've all experienced this -- affect what gets done and by whom, and certainly when it gets done. Cybersecurity should be highly attuned to PESTLE for exactly those reasons. Any time a satellite office ("HQ2") opens, systems need to be synced. Think of that when non-home-country suppliers or contractors, or subcontractors, are involved. What's done in...

Talent Contexts Matter

If it floats like a duck, and looks like a duck...is it a duck? What if it wears overalls, um, er, not like a duck? One size does not fit all from a talent perspective. People perform within context. Talent matters, within context. The context of the organization matters a lot. Some organizations require a high work tempo, while others may require managing vendors in a medium- or low-tempo environment. Sometimes a cybersecurity engineer is a great fit when there is a highly heterogeneous team v. being the lone engineer. The fit of role to context, and talent to role, requires careful integration. Some organizations are not focused on building a cadre based on cybersecurity talent; they are focused on managing vendors, or have leadership teams that do not integrate risk management into cyber-defense. Other organizations pay careful attention to building through talent. Sometimes even those organizations focus on the wrong level of analysis -- minimum qualifications, usually -- and do no...

Practical Applications of Talent, Part 3

At Pythia Cyber we are about behavioral cybersecurity, and when it comes to predicting behavior, talent trumps credentials. By which we mean that your certifications tell us what you have done, but your talent profile tells us what you are capable of in the future. Specifically, Ted has a series of posts about the talent profile of different cybersecurity roles: talent needed to be a front line cyber defender, talent needed to manage cyber defenders, and talent needed to lead a cybersecurity program. As a counterpoint to Ted's behavioral science perspective I present a series of my own, giving examples of practical applications of talent assessment to cybersecurity. This post is about how a talent assessment can help you with a high risk, high reward hire: your head of cybersecurity. As we have talked about in previous posts (here and here) there is not much merit to the traditional career path in cybersecurity: hired as a front line cybersecurity defender, pro...

Practical Applications of Talent, Part 2

At Pythia Cyber we are about behavioral cybersecurity, and when it comes to predicting behavior, talent trumps credentials. By which we mean that your certifications tell us what you have done, but your talent profile tells us what you are capable of in the future. Specifically, Ted has a series of posts about the talent profile of different cybersecurity roles: talent needed to be a front line cyber defender, talent needed to manage cyber defenders, and talent needed to lead a cybersecurity program. As a counterpoint to Ted's behavioral science perspective I present a series of my own, giving examples of practical applications of talent assessment to cybersecurity. This post is about how a talent assessment can help you solve a common problem with finding and retaining cybersecurity managers: balancing managing ability and technical credibility. When the time comes to fill a vacant cybersecurity manager position you have two common options: promote from within...

Practical Applications of Talent, Part 1

At Pythia Cyber we are about behavioral cybersecurity, and when it comes to predicting behavior, talent trumps credentials. By which we mean that your certifications tell us what you have done, but your talent profile tells us what you are capable of in the future. Specifically, Ted has a series of posts about the talent profile of different cybersecurity roles: talent needed to be a front line cyber defender, talent needed to manage cyber defenders, and talent needed to lead a cybersecurity program. As a counterpoint to Ted's behavioral science perspective I present a series of my own, giving examples of practical applications of talent assessment to cybersecurity. This post is about how a talent assessment can help you solve a common problem with retaining and compensating front line cybersecurity personnel: avoiding using promotion as a reward for performance. Consider the case of the lower level cybersecurity worker, the technician, who is terrific at their job. You want...

What Exactly Is Talent? Part 3, Cybersecurity Executive Talent

The Big Cheese. The Top Banana. The Head Honcho. Number 1. We previously discussed cybersecurity technician talent and cybersecurity manager talent, and now it's time for cybersecurity executive talent. The executive in charge of cybersecurity must have technical credibility. It may be more at the level of minimum competence at this point in the person's career as long as the executive can understand what the technical team is doing and communicate it effectively to peer leaders. We propose that talented cybersecurity executives will keep up at more than a minimum competence level simply because they like the subject matter. In contrast to cybersecurity managers, the cybersecurity executive has an enterprise-wide perspective that allows for understanding, advocating, and communicating the role of cybersecurity within the organization's risk management process. The executive is responsible for the 'profit and loss' (P&L) of the cybersecurity function, which requi...

Litany Of The Hacked: January 2026 Wrap-Up

The groundhog has emerged to find...6 MORE WEEKS OF HACKS AND CYBERATTACKS! Wait, only 6??!! The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for January 2026, which now includes some big-time targets, entire cities, and nation-state actors. Amazing that the groundhog even tries to guesstimate! Caracas, VZ...Islamic Republic of Iran Broadcasting (IRIB)...Kensington and Chelsea Council, UK...Instagram...Google Play...Palo Alto Networks...Sedgwick Government Solutions...KPMG Netherlands...Crunchbase...Nike...Poland's power grid...Fortinet...McDonald’s India...Luxshare Precision...Ingram Micro...Spokane County, WA...Gmail (AGAIN!)...The College Board's online SAT... The list goes on. Here's an...exciting...bonus: according to James Azar over at the Cyber Hub podcast, malicious Chrome and Edge browser ...