Posts

Showing posts from March, 2026

The Sins of the Past

In Dickens's A Christmas Carol we are given one of the greatest metaphors of all time. When Scrooge is visited by the ghost of his old business partner, Jacob Marley, he finds that ghost trailing all the things that Marley's greed goaded him into possessing: money boxes, transaction ledgers, padlocks and even heavy deeds. When Scrooge asks Marley where the chain came from, Marley's answer is chilling: "I wear the chain I forged in life. I made it link by link, and yard by yard; I girded it on of my own free will." Believe it or not, this sprang to mind last week when I learned that current FBI director Kash Patel had some of his personal emails leaked by enemies of the state. Iranians? Russians masquerading as Iranians? Iranians with Russian help? Who knows. The point is not specifically who did it. The point is not the rather banal and inane content. The point is not that the content was from a while ago. The point is that we all wear the digital chains we forge in life. We m...

Accuracy And Precision In Cybersecurity

I am a fan of sketchplanations.com in general, and this sketch in particular caught my eye for two reasons. First, I love me some hair-splitting (ask me about the difference between "virulent pathogens" and "infectious pathogens"). Second, it gives me a great way to talk about a big deal in cybersecurity. Before diving into that big deal I want to apply the point of the sketch to cybersecurity. The field of cybersecurity is a branch of Risk Management. The people running the organization have to set priorities and budgets. The people running the organization have to sign off on the policies which decide which risks are worth mitigating. The people running cybersecurity have to write procedures which implement those policies and then police activity to ensure that the procedures are active and effective. By analogy, the policies are accuracy: are you trying to protect what you need protected? The procedures are precision: are you effectively protecting whatever it ...

It Takes A Lot Of Cyber-Something To Make Nothing Cyber-Bad Happen

Everyone wants to be successful. Defining what "success" is may vary from person to person, and deciding whether someone is successful may not be up to any of us, but we can find contentment and professional pride in everyday work over a career. It's very difficult to define success in a career such as cybersecurity apart from the big-picture issue of "nothing happened." Ultimately, if "nothing happens" you are successful, because nothing bad happened. But for cybersecurity, "nothing bad happened" is not the same as "nothing happened." In fact, "nothing bad happened" because something good happened in cybersecurity. Lots of "something" may be happening as a matter of fact, and success means that none of it resulted in a win for your adversaries. Lack of IT or cyber-systems failure is a sign that your cyber-defense processes performed well. Let's focus on that. Cybersecurity is the process by which you create maximu...

You Cannot Solve Your Cybersecurity Leadership Problem Simply By Interviewing Differently

We read a recent post by Tracy Lawrence that gave us hope for a better cybersecurity leadership hiring process...until the end. But the journey through her post is worth your time as long as you take a detour. As Tracy notes: For decades, a long track record has been the gold standard for executive hiring. In today’s disruptive business environment, over-indexing on experience may actually be working against you. As an executive recruiter and CEO coach, I’ve seen the same well-intentioned mistake play out more times than I can count. Boards and senior teams filling critical leadership roles focus on the candidate with the deepest industry background, the longest tenure, the most impressive titles. They’ve ‘seen it all before.’ On paper, they look like exactly the right hire. Then, six months in, the organization is struggling. The new leader keeps reaching for solutions that worked in their last job, even though the current business environment has moved past them. Go Tracy Go! ...

Unforeseen & Unforeseeable

The United States of America has taken military action against the Islamic Republic of Iran. Unforeseen or unforeseeable? In the cybersecurity context, it doesn't really matter: either you were prepared for this, or you were prepared for something like this, or you have the talent and bandwidth to pivot, or you are a cautionary tale waiting to happen. By "something like this" I mean the risk of cyber attacks from foreign operatives as opposed to criminals or vandals. Vandals are mostly thrill-seeking. Criminals want to get money. Operators want to either lurk in or disable your systems. Vandals are often as unsophisticated in their thinking as they are sophisticated in their hacking. It has been a long time since they were the top threat. Just keep your defenses up to date and your monitoring current and you should be able to keep them out. Criminals are getting ever more sophisticated in their scams and their use of stolen information. But they don't want to get caught an...

Your Previous Experience Does Not Prepare You For The Cyber-War You Are In Right Now

When you as a cyber-professional think of planning for war, you probably have in mind some order-of-battle map such as the one above. It shows the front lines, terrain, forces in opposition, troop movements, etc. Your thought process is wrong. And when you as a cyber-professional think of war, you probably think of engaging with the enemy and taking and holding territory, or bombing, or drones and missiles. Well, that thought process is wrong too. But you're in a war anyway. How is it going for you? War is serious business, and cyber-warfare is not like other wars, especially when you're almost always on defense at all times. All of us have models, scripts, or even memories based on experience and education for endeavors such as wars. These models and scripts come from family lore, movies, books, military service, and so on. They are all valid as far as that goes. Problem is, you're in a cyber-war and you don't have a model or script, probably not even personal experien...

How We Can Help After You've Been Hacked

You get hacked. What can Pythia Cyber do for you? Once you have addressed the immediate problem and then done what you can to repair the damage, it is time to figure out what happened. That is when we can help. (If you follow the NIST CSF, we come in right after the Recover phase.) In the Respond phase you address the immediate problem. In the Recover phase you do what you can to repair the damage. Then you fight off the temptation to rest and you go back to the Identify phase, because you need to figure out what went wrong so you can make sure that it doesn't happen again. As part of that investigation you have a very important question to answer: was the root of your problem systemic or not? This should involve a top-to-bottom review of your cybersecurity program. It is tempting to keep this in-house (who wants to air their dirty laundry?), but we recommend an objective, external, expert observer. "Expert" is obvious. "External" because...

Eric Cole Is A Tough Grader

Eric Cole recently posted his review on Substack of the new US Cybersecurity strategy. His review is meant to be brief and touches on four parts of the strategy that move us toward better practices and processes. He also enumerates three ways in which the strategy comes up short. We're amplifying here because of the implications of both the strategy and the review for behavioral cybersecurity. 1. The strategy "correctly frames cybersecurity as an element of national power rather than simply an IT hygiene issue. Cyber now intersects directly with economic growth, military capability, supply chain resilience, artificial intelligence, and national infrastructure." 2. It "recognizes that modern cyber adversaries are no longer focused solely on data theft. Increasingly, they are targeting operational continuity and daily life, including healthcare systems, energy infrastructure, telecommunications, and financial networks." 3. "The strategy acknowledges an impo...

Guest Post: How Chronic Pressure Quietly Undermines Technical Judgment and What You Can Do About That

We like to highlight perspectives by experts who can add value to your work as a cybersecurity professional. This post, by Dr. Louiza Livschitz, concerns issues and remedies for CTO judgment under pressure. How Chronic Pressure Quietly Undermines Technical Judgment and What You Can Do About That Technical leaders are trained for clear thinking under duress, having built their careers solving complex problems in environments defined by high risk, urgency, and material consequences. For this reason, it can be deeply unsettling when judgment begins to feel less sharp. Under chronic pressure, many CTOs and technical executives observe subtle yet impactful shifts. Decisions feel heavier, options narrow more quickly, and familiar solutions become disproportionately more appealing than exploring new possibilities. The mind instinctively moves toward certainty sooner than it used to. This phenomenon is not a failure of intelligence or experience; it is a predictable, systemic eff...

Either Deal With Burnout or Waste Money and Time Continually Recruiting: Solutions At All Levels

Albert Einstein never actually said that the definition of insanity is trying the same thing over and over and expecting something different (source). But it's a really smart thing to understand, because if your attempts at dealing with burnout feel like, well, insanity, then read on. Brendan kicked us off with burnout, so let's pick up from there. What is 'burnout' (or burn-out)? According to a 2019 World Health Organization report (here), burnout is: "[A] syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: feelings of energy depletion or exhaustion; increased mental distance from one’s job, or feelings of negativism or cynicism related to one's job; and reduced professional efficacy. Burn-out refers specifically to phenomena in the occupational context and should not be applied to describe experiences in other areas of life." The part that matters from an ...

Cybersecurity Burnout

Recently I have seen mentions in different outlets of the problem of burnout in an alarming number of cybersecurity programs. The Wall Street Journal had such a piece in which a number of CISOs complained that the programs they oversee are understaffed and that what staff they have are burning out under the weight of the ever-growing deluge of cyber attacks of various kinds. The problem described in the piece resonated with me. The tone and thrust of the CISOs' complaints did not. Before I talk about the problems to which I think I have useful input, I want to outline the problem to which I think I do not have useful input: the burnout problem. I keep seeing the following dynamic in cybersecurity groups: there is a surge of cyber attacks and, mission-driven employees that we are, the cybersecurity folks respond by working more hours to deal with these particular crises. But the surge turns into the new normal, so while we wait for the cavalry to arrive, we fall into working late on weekni...

BS: Has Bhushan Sethi Called Out The Leaders In Your Organization -- Or You?

Ah, Bhushan is back out on the speaking circuit. (Does the man have a day job?) His latest Substack post focuses on BS, which, just to set it straight now, he admits are his initials. Not that Bhushan Sethi doesn't focus on Bhushan Sethi. His target in the post is organizational BS. And that does not refer to buffalo sunning. The nub of Bhushan's post is about remarks on the future of work by Jamie Dimon, CEO of JPMorgan Chase Bank, made at the Davos meeting this year (video here). His topics ranged from the impact of AI on organizations to no-nonsense leadership. Apparently these remarks affected Bhushan more than he initially thought they might, as they resounded in his February presentation that I attended as well as in this post in March. Here are Dimon's themes as Bhushan has processed them: *Operationalizing "the cost of honesty" (Bhushan's term) as what you're going to pay as a leader to get honesty in the AI age. Bhushan summarized the Di...

March Mastery

Our executive coach guru, Scott Eblin, is at it again. In his latest post, "From March Madness to March Mastery: A Leader’s Guide to Managing Energy When the Pressure is On," Scott discusses how the concept of "March Madness" -- the single-elimination basketball tournaments that lead to crowning the best collegiate teams in the US -- can be seen by leaders as a means to create better teams. Scott calls it "March Mastery." He starts by discussing how March is the month where it finally, actually feels like we're done with winter -- for example, the winter of '25-'26 was the third-snowiest on record in the Boston area -- and now the year can blossom. He continues (quoting at length): Here’s what I’ve learned in 25 years of coaching executives: the leaders who navigate March successfully aren’t the ones who grind the hardest. They’re the ones who manage their energy – personal, team, and organizational – intentionally so that they can lead for both...

Yes, You May Hire People Who Don't Do Well On The Pre-Employment Assessment -- But Is That Wise?

Our focus at Pythia Cyber is behavioral cybersecurity. That means we bring the best in behavioral science and organizational behavior practice to the realm of cybersecurity. We recently wrote about what it means to make the shift to a talent-based culture. Starting out as a talent-based culture has several components, but one of the most obvious pathways is through assessing new employees for talent. As part of our mission, we have developed three assessments of cybersecurity talent -- front-line, manager, leader -- for the purpose of assessing talents related to effective cybersecurity performance. Talent assessment is entirely a 'normal course of business' in the behavioral science and organizational behavior realms. An organization that tests for talent has to become used to saying 'no' to candidates that it used to hire. There's nothing wrong with those people. But they lack the new talent that is required to be successful. A normal human response on the part o...

Win By Making The Transition To A Talent-Based Culture

Our focus at Pythia Cyber is behavioral cybersecurity. We bring the best in behavioral science and organizational behavior practice to the realm of cybersecurity. As part of the mission, we have developed three assessments of cybersecurity talent -- front-line, manager, leader -- for the purpose of assessing talents related to effective cybersecurity performance. Talent assessment is entirely a 'normal course of business' in the behavioral science and organizational behavior realms. Using a pre-hire assessment process means that you will find that some people have talent, maybe a lot of it, to be effective in these roles. There will also be people who score low on these assessments. Cybersecurity is a technologist domain. Talent assessment is a behavioral science domain. These are different domains, and that creates a need for dialog and bridges between the two domains in order to capitalize on the synergy to be gained through their overlap. First let's ask why we wish to cre...

Talent Acquisition & Upskilling: Upskilling

This is the fourth of four related articles. The others are here: one | two | three | four. Pythia Cyber was formed to seek a very particular Holy Grail: improving cybersecurity by combining behavioral science with information technology. It was clear to us that human behavior plays a huge role in cybersecurity failures and therefore deserves a large percentage of the time, energy and focus that the technology gets. Changing individual habits is hard. Changing organizational culture is exponentially harder. One effective way to change culture is through hiring. The problem is that hiring can be effective in either degrading or upgrading your culture, which is why hiring is so fraught. The problem isn't just hiring, though: new people need to be integrated into your team and then kept engaged. Internally, we call these three phases Find, Manage and Retain, but we bow to convention and call them externally "Talent Acquisition & Upskilling" (TAU for short). ...

Talent Acquisition & Upskilling: Manage

This is the third of four related articles. The others are here: one | two | three | four. Pythia Cyber was formed to seek a very particular Holy Grail: improving cybersecurity by combining behavioral science with information technology. It was clear to us that human behavior plays a huge role in cybersecurity failures and therefore deserves a large percentage of the time, energy and focus that the technology gets. Changing individual habits is hard. Changing organizational culture is exponentially harder. One effective way to change culture is through hiring. The problem is that hiring can be effective in either degrading or upgrading your culture, which is why hiring is so fraught. The problem isn't just hiring, though: new people need to be integrated into your team and then kept engaged. Internally, we call these three phases Find, Manage and Retain, but we bow to convention and call them externally "Talent Acquisition & Upskilling" (TAU for sh...

Talent Acquisition & Upskilling: Acquisition

This is the second of four related articles. The others are here: one | two | three | four. Pythia Cyber was formed to seek a very particular Holy Grail: improving cybersecurity by combining behavioral science with information technology. It was clear to us that human behavior plays a huge role in cybersecurity failures and therefore deserves a large percentage of the time, energy and focus that the technology gets. Changing individual habits is hard. Changing organizational culture is exponentially harder. One effective way to change culture is through hiring. The problem is that hiring can be effective in either degrading or upgrading your culture, which is why hiring is so fraught. The problem isn't just hiring, though: new people need to be integrated into your team and then kept engaged. Internally, we call these three phases Find, Manage and Retain, but we bow to convention and call them externally "Talent Acquisition & Upskilling" (TAU for short). In o...