Talent Acquisition & Upskilling

This is the first of four related articles. The others are here: one two three four.

The Holy Grail

Pythia Cyber was formed to seek a very particular Holy Grail: improving cybersecurity by combining behavioral science with information technology. It was clear to us that human behavior plays a huge role in cybersecurity failures and therefore deserves a large percentage of the time, energy and focus that the technology gets.

Alas, aside from scolding users about clicking on links in emails (which is sadly an important function these days) we see precious little attention being paid to human behavior in the typical corporate cybersecurity program. We know this because we have looked: we have trained an AI to analyze public statements about cybersecurity to see what management claims to focus on.

We can see why it is tempting to assume that by "human behavior" we mean "those naive users who don't understand the threat environment." I too prefer to assume that I'm free of the flaws I see so clearly in others; but evidence is mounting that I am not objective about myself and my friends and colleagues. Evidence is also mounting that you are not objective either.

The fact is that cybersecurity professionals do not always behave in ways that effectively prioritize our actual goal: maximizing authorized access to digital assets (computer systems and data) while minimizing unauthorized access. For example, a common prejudice we see is a near-total focus on outages caused by bad actors, to the exclusion of natural disasters, human error or systems failure.

We also see a reliance on certification and experience because there is often no good way to determine talent, which is why we had to create a good way to determine talent.

We all know that we all have blind spots and bad days. Witness the fact that there are standard cybersecurity methodologies, such as the NIST CSF. We know that we should not re-invent the wheel when excellent wheels already exist. What Pythia Cyber wants to do is go on the next step and use behavioral science to put in place scaffolding to protect us from our blind spots and our bad days, our inevitable mistakes and mis-judgements.

Changing individual habits is hard. Changing organizational culture is exponentially harder. One effective way to change culture is through hiring. The problem is that hiring can be effective in either degrading or upgrading your culture, which is why hiring is so fraught. The problem isn't just hiring though: new people need to be integrated into your team and then kept engaged. Internally, we call these three phases Find, Manage and Retain but we bow to convention and call them externally "Talent Acquisition & Upskilling" (TAU for short). In other words, we recognize that sometimes evolution is a better option than revolution and that what you need from us is not a way to revolutionize your cybersecurity program but rather help in building a TAU program that lets you evolve your cybersecurity program at a safe pace with lower risk of vulnerability during the transition.

Whether you want us to help with a revolution or an evolution, you will find a drive toward accuracy and fairness at the heart of our offerings. We are all human and so we make mistakes, take short-cuts required by limited time and fall prey to unconscious bias. This means that we often introduce inaccuracy and unfairness into our personnel decisions. Pythia Cyber can help you minimize these failings. How does a firm run by people avoid human failing? We do it by using trainable software that we train to be objective, even if we cannot be totally objective ourselves. (More of that "seeing clearly flaws in others".)

Specifically, we use an AI to match résumés with job descriptions as a first-pass screen, and we use the talent assessment to help us see people clearly. We often refer to the first as simply "the screen" and the second as simply "the assessment." Whenever you see references to screens or screening in our writing, we refer to this AI tool. Whenever you see references to assessments or assessing in our writing, we refer to one of the three Pythia Cyber Cybersecurity Talent Stack assessments. There are three varieties of assessment, depending on the role for which you are acquiring or retaining talent:

We break down a TAU program into Find, Manage and Retain. It is probably clear how we can help with the first step, Find (hiring), since the screen can help you focus on talent, not presentation, and the assessment provides more data to support your hiring decisions. What may not be so clear is how we can help with the Manage step: after all, you are an experienced manager and have done this before, right? This is mostly true: you are an experienced manager, but you might be running more on instinct than on science, and you might not be used to managing talented people as opposed to capable people.

What's the difference between talented and capable? In many contexts, there is no observable difference. Take the example of two people, both of whom are well-educated, well-credentialed and experienced technologists. Which do you hire? A coin toss or a "cultural fit" test are about your only options without a talent assessment. But sometimes one of the people is a talented technologist and the other is someone who has mastered a particular technology. Both are more-or-less equally valuable, unless you need the new hire to adapt and evolve, leave behind the warm, safe confines of familiar technology and forge ahead into a brave new world. And if you are hiring cybersecurity personnel, you are definitely looking for a lover of exploring the brave new world, because our world changes in a matter of months.

A historian gave a lovely illustration of how much life in the 21st century differs from what came before: consider the Imperial Roman Army. It lasted about 890 years. If you magically transported a competent legionnaire from the early centuries into the late period, that legionnaire would have been, with minimal retraining, a competent legionnaire once again. The experiment works in reverse: a competent legionnaire of the late period would have been useful in the early period. But this is not true now, and especially not true in cybersecurity: change is the only constant. Transporting a technologist to the present from even 40 years ago would not give you a competent technologist; it would give you the mother of all training headaches. You could probably upskill such a person, but the effort would be massive and the time traveler would have to want to change--and to have the raw talent to adapt. But we wouldn't have to go back decades in cybersecurity: a year or two would probably be enough. To keep the forces of evil at bay you need to hire talent, not just experience.

What about Retain, the way you keep people? You are probably pretty good at that, or as good as you think is reasonable. That is probably true. But we don't mean "person has not quit" when we say "retain talent." We mean "person is still as engaged and effective as they were before AND has not moved on." Talented people want a challenge, they want recognition and they want to make a difference. Keeping them moving forward is not as easy as giving them good performance reviews and predictable pay increases.

You go to war with the army you have. You play the cards you were dealt. We are not saying that talent assessments should be used to lay waste to your current staff. We are saying that you are a better recruiter and better manager and better mentor when you shift to a talent-based culture. We can help. Ask us how.
