Posts

Showing posts from April, 2026

On Integrating Your Cybersecurity Team and Cybersecurity Function: A Three-Part Series

Pythia Cyber is uniquely focused on the behavioral and organizational conditions that determine whether cybersecurity investments produce cybersecurity outcomes. We focus on cybersecurity talent at the engineer, manager, and leader levels, and on the culture and talent strategy that surround them. Brendan refers to this as TAU: the systems, processes, and talent implementation strategies that create cybersecurity. You can't hire your way to better cybersecurity if your systems, processes, and talent implementation strategies are inadequate and misaligned. You can't organize your way to cybersecurity through systems and processes that are under-executed by less-talented personnel, managers who can't connect with their teams and stakeholders, or leaders who can't lead. You need talent and you need a talent strategy. And you need the people running cybersecurity to be "bilingual." Cybersecurity leaders are translators by necessity. They face downward into the t...

Litany Of The Hacked: April 2026 Round-Up

(p.s. programming note: We're doing the April 2026 Litany of the Hacked today to make room for a multi-part special series starting Monday. Come back next week for our three-part series!) Do April cyber-attack showers bring May cybersecurity flowers? Better hope so! The litany of the hacked is our listing of each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for April 2026. Our litany this month reflects...I think the word is hubris (or hýbris), to be classical: the über-hacker-program, Mythos, the One AI To Rule Them All, was -- hacked! "We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments," said Anthropic. One implication is that nothing is entirely safe when people start getting involved. Another, to be a little more cheerful, is that the AI arms race to AGI...

Internal Candidates

At Pythia Cyber we combine behavioral science with classic cybersecurity because bad behavior so often beats good technology. As part of our behavioral science toolkit we have three different talent assessments: one for Cybersecurity Engineers, one for Cybersecurity Managers and one for Cybersecurity Leaders. A common misconception is that these three assessments are beginner, intermediate and advanced assessments. This misconception is rooted in the widely embraced fantasy of promotion as a reward for performance. In this fantasy all careers have the same trajectory: get a job, work hard, move up the ladder until you cannot rise any further. This fantasy is based on the fallacy that the core talents underlying success are the same at each stage of one's career, or that most people happen to have all three sets of talents. Both of these are fallacies: it is a rare person indeed who can succeed at all levels of the organization. Such a person is a unicorn. Don't count on unicorn...

Don't Bother Me With Details, Part 2

The phrase "don't bother me with details" refers to a particularly annoying dynamic between the cybersecurity people and others. The short version is that saying "don't give me the details" is often not the clever avoidance of wasted time that one might think. The long version is in this post. This post is part of a series about how culture can hamper the delivery of cybersecurity, but it is also about which talents you need to succeed in this field. At Pythia Cyber we add behavioral science to classic cybersecurity engineering to take effectiveness to the next level. We lean heavily on our proprietary assessments, which allow us to add awareness of talent to the question of who you should hire, which employees should be in which roles, and how that talent should be developed. Today's example of how cybersecurity people can feel caught between a rock and a hard place is why we try to balance a talent for enforcing rules against a talent for finding reasonabl...

Achievement Over Effort

Yesterday Ted posted about how to consider talent as you develop your employees. Today we will look at Pythia Cyber's emphasis on talent as well as experience and credentials from a different perspective: what makes cybersecurity different from most of the rest of IT. More "why" than "how." I am not the only one who has noticed an alarming tendency in business (American business at least) to reward effort instead of achievement. When I started managing information technologists--either developers or operations personnel--I was stunned to start hearing "I spent X hours/days/weeks on this" as an excuse for new technology or new configurations not working properly. This was a problem for me because part of the reason I was drawn to information technology was the glorious black-and-white nature of it all: it either worked or it didn't. The new one was either better or it wasn't. Upgrades were either smaller and faster and more reliable or they we...

Even Mozart Needed A Job

Not many of us -- probably none of us -- are as gifted as Mozart was as a composer and keyboardist. One of my favorite Mozart facts is that in a 13-month stretch spanning 1773 to 1774, beginning when he was 17, he composed nine full symphonies. He also produced string quartets, keyboard sonatas, divertimenti, and other works in the same period. The talent was obvious. The productivity was extraordinary. And yet even Mozart needed a job. The document pictured above is a state-sponsored retainer issued in 1787. It acknowledges Mozart’s talent, reputation, and prior success as justification for paying him an annual stipend to compose as needed. In other words, even extraordinary talent required both demonstrated output and a sponsor powerful enough to recognize its value. That is still how careers work. First, you have to get very good at your craft. Then you have to produce, collaborate, and create evidence that others can see. But even that is not always enough. You also need leaders...

Range Finders on the Golf Course

Someone recently asked me why anyone would want Pythia Cyber's talent-assessing services. This question was not academic or objective: this person is deeply entrenched in the current recruiting culture of credential or experience first, then personal assessment. I cannot believe that anyone would say "what role does talent have in hiring?" Note that this person did not say "I am unconvinced that you can assess particular talents" which we would have been happy to refute. This person also did not say "I think that I can judge talent as well or better than the assessment" which we would have been happy to put to the test. Instead, this person claimed that "no one" would want to use this service which is awkward because we can demonstrate that at least some people do want to use this service. This recent interaction has made me nostalgic because it is so similar to an interaction that I had lo! these many years ago. Once upon a time, I was a cad...

Don't Bother Me With Details, Part 1

"Details, details. Things to do. Things to get done. Don't bother me with details, just tell me when they're done" is a famous quote from the character Jimmy Price (played by Kenneth Cranham) in the 2004 crime film Layer Cake. "Don't bother me with details" sounds like a crisp, clear, leader-like thing to say. It implies that your underlings are boring you with unnecessary detail and that you are not going to fall for that. You have things to do--better things to do than listen to nerds go on about nerd stuff. As a professional nerd, I have been on the other end of this dynamic pretty often, which is why I keep getting asked by well-meaning non-nerds "why is my technologist colleague so annoyed with me?" This is the first of what will be an intermittent and, I hope, infrequent series in which I give examples of just how this crisp, clear, leader-like attitude is so frustrating and infuriating and how it can be utterly wrong-minded. Are there boring...

Three Perspectives On Your Second Leadership Job

Every CTO and CISO knows the first job: defend the organization. Fewer recognize they have a second job that matters even more over time: build a team whose adaptive capacity outpaces the adversary's rate of novelty. As AI enables attackers to scale speed, variation, and deception, that second job is quickly becoming the first. This is not primarily a tooling problem -- it is a leadership problem. Here are three perspectives on that second job. What great CISOs actually build: Phil Venables, former Goldman CISO and now Google Cloud's strategic security advisor, has spent years studying what he calls "CISO factories": organizations that produce a disproportionate number of successful security leaders. His finding is counterintuitive. It's not training programs, certifications, or formal development tracks; it's the daily behavior of the existing leaders: they pay attention to detail, they go deep occasionally, they validate things personally, they understand ho...

How AI Finds Cybersecurity Vulnerabilities

Sometimes a question gets asked so much that it gets a blog post, even if that question isn't at the center of what we do here at Pythia Cyber. Lately, one such question is "how does AI find cybersecurity vulnerabilities?" (We are also going to answer the underlying concern, which is usually "what can I do about this?") Generative AI has significant pattern-recognition capability. This means that AI can find not merely simple matches, such as matching "golden apple" with "This is the tale of the Golden Apple" but also subtler, deeper matches, such as "golden apple" with "Greek myths." Generative AI can only find patterns for which it has been trained. Once trained, that AI can only find patterns in data that has been fed into it. But after these two conditions have been met a decent AI is superhuman in its ability to find the patterns you taught it in the input that you give it. Let us say that you spun up a copy of your f...

Cybersecurity Partners

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's cultural attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post (this one) describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In the janitor model the cybersecurity function is subordinate t...

Cybersecurity Tyrants

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's cultural attitudes toward cybersecurity hamper or help your cybersecurity program. The first post describes the cybersecurity janitor model. The second post (this one) describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. In my long career I have seen the tail wag the dog: I have seen o...

Cybersecurity Janitors

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born. As part of our mission to highlight the role of behavior in cybersecurity I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's cultural attitudes toward cybersecurity hamper or help your cybersecurity program. The first post (this one) describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right. I have been a janitor. I have also been a cybersecurity contribut...

Why We Are Working on an AI-assisted Resume Screen

I have a problem with conventional resume screening; I have mentioned it before. Especially automated resume screening. In my experience too many of the people behind the screens are relying on two dimensions in setting up the bots: small chunks of text and keywords given to them by hiring managers. My problem is that I strain to see the link between how a resume is formatted (which chunks of text in which order) or worded (which words are in the chunks of text) or coded (which keywords are floating around) and hardcore technical talent. In fact, in my experience, the correlation is negative, by which I mean that I have seen top-notch technologists standing behind very ugly and badly worded resumes. I can see how one might hire a writer or a graphic designer based on how aesthetically pleasing a resume is. But I need convincing, with data, that this same methodology can spot the kind of talent needed to succeed in cybersecurity. I have a particular distrust of keyword-b...

Yes, You Need To Know And You Must Ask

We've recently posted about the role of HR in the cybersecurity hiring process. As Brendan puts it, HR's role is to mitigate risk from the hiring manager's unconscious (or not) bias and potentially inefficient hiring practices. Hooray! The other side of that bargain is that you must assess awkward issues in the hiring process. If you don't ask, you -- managers, HR, whoever -- are assuming that those issues are unimportant. You are making an ASS out of U and ME. There are two sets of asks: What productivity talent does this person have? and What propensity does this person have to engage in counterproductive work behavior or deviance? Let's tackle each in turn. Talent. We write extensively about cybersecurity talent. It specifically involves high performance in any of three main cybersecurity roles -- individual contributor, manager, leader/executive. We have developed with Conchie Associates a proprietary talent assessment for each of these roles. Many asses...

(Don't) Connect The Career Dots

"Ten years ago, did you expect to be in the job you hold today?" Well, did you? One of the greatest popular science books of the last 50 years is The Mismeasure of Man by Stephen Jay Gould. Professor Gould was also famous for questioning the popular science hypothesis that evolution was linear. Gould didn't question whether la evolución was real. Instead at issue was whether evolution was a linear progression...or something that sprouted more like a bush: What's the difference? Our friend Barry Conchie puts it this way: "For most people, careers are not the result of long-term planning. They are the result of capability, opportunity, and circumstance interacting over time." The problem with a linear assumption regarding evolution or careers is that progress is some function of earlier investments that results in a later outcome, and so on. The unfortunate fundamental nature of evolution (and careers) though is that they don't always work out; they may dead-end;...

Being Famous For Being Famous

As the technology practice lead of Pythia Cyber, I try to stay away from the behavioral side of things except as a follower, but today I am going to be a little out of my lane. Perhaps my behavioral science counterpart will have something to post in reply. But today I am going to make an exception: I am going to talk about some human behavior that I encounter on the technology side of things because this behavior illustrates a key concept of our philosophy. The behavior is the technology hiring equivalent of being famous for being famous. According to Professor Google, here is the origin of this catch phrase: Coined by historian Daniel J. Boorstin in his 1961 book, The Image: A Guide to Pseudo-events in America, defining a celebrity as "a person who is known for his well-knownness". The analogy to which I refer is being hired as a leader because you were hired as a leader. The key concept this illustrates is the faulty logic in relying on certifications or experience or both...

Use It Or Lose It

My workday was interrupted today by a planned visit from some electricians we have contracted with to upgrade our backup generator. "Mind if we test the circuit breaker panel labels?" they asked. I hesitated. In theory, our systems all have functioning, tested uninterruptible power supplies (UPSs), and so flipping circuit breakers off and on should not have any noticeable effect. I should have given the OK immediately. Instead, I hesitated. I was reluctant to tempt fate. I imagined the pain of failure, a self-inflicted wound. Our office manager asked me if I wanted to shut down the network first, but she was a bit thrown by my reluctance. In the end, I took a deep breath and explained that we are all set against power outage, so there should be no problem, so they should proceed. Not only do we have a separate UPS for each system, but each system is configured to shut itself down gracefully if the UPS's remaining charge drops below its threshold. So, best case, no effect and worst case, graceful sh...