Posts

Showing posts from May, 2026

Engineer The Shape Of Your Career

Sayings that seem to be true: In life, the only things you can count on are death and taxes. The only constant is change. In the valley of the blind, the one-eyed man is king [modify re: gender & ruler terms as appropriate]. Here's a new one: You get to engineer the shape of your career. We write a lot about shaping your career. The emphasis is on you, as a cybersecurity professional, creating a career path for yourself, appreciating that frequently there is more of a bush than a path. Our approach grows from applied behavioral science because that community has a focus on career identification, management, and development. The fact that your career path is a nonlinear journey rather than a process with clearly defined stages and edges can be disconcerting. Yet it is so. Phil Venables is out with a new post at his blog on managing your career. Phil is an engineer, not an organizational scientist or practitioner. We will thus say that he is writing about engineeri...

Litany Of The Hacked: May 2026 Wrap-Up

Spring is over, back to the grind. The litany of the hacked is our listing for each known/reported hack in the previous month. The point of the litany is not shame but awareness-raising that, well, these sorts of things happen. And so, the litany of the hacked for May 2026: San Diego Community College…Canvas (technically, Instructure; Canvas is the product)…WhatsApp accounts of some US military personnel…Medtronic…Cushman & Wakefield…Trellix…MediaWorks…supply chains for NVIDIA…Foxconn…West Pharmaceutical…GitHub…7-Eleven…Charter Communications…Lithuanian government offices…Hartford HealthCare…various Microsoft products (via routers)… Attacks via vendors continue to be problematic -- for you & your company. The law and insurance worlds are starting to notice. Here's how Cynthia Kaiser puts it: "Ask your security and tech teams this week: 'If our top three vendors were hit with ransomware tomorrow, what data of ours would be at risk? Do our contracts r...

"The Future Ain't What It Used To Be"

Predicting the future is hard. As the great philosopher and baseball player, Yogi Berra, once put it: "It's tough to make predictions, especially about the future." A new hire is a prediction of the future. Over at Employment Group, a recent post of theirs put it this way in terms of predicting who would be successful as a new hire: "At its core, hiring is a signal detection challenge. You're trying to answer one question: Who is most likely to succeed in this role, in this environment? But most hiring processes rely on weak proxies: Resumes as indicators of performance; Interviews as indicators of fit; Experience as a substitute for capability. Without stronger signal, speed becomes dangerous—and slowness becomes inefficient. Neither solves the problem." It seems that it should be easier to find your new best hire. The answer to this problem is that this is a problem on your end. Bottom line, you're the one who's making it difficult. But you also b...

Passkeys

At Pythia Cyber, we dream of a world without passwords. True, adding two-factor authentication makes passwords less bad. But imagine a life without them at all. Ah, bliss. But what could replace them? Passkeys have a great shot at that. What is a passkey? The short answer is this: a passkey is a token generated on one end and verified on the other with Public/Private Key (PPK) encryption. Since most people are not comfortable with PPK encryption, we will start with a simple description of that and then get into how this kind of encryption can be used to replace the user ID / password model of authentication. The cool part of PPK is the fact that there are two keys: the public one that you publish to the wide world and the private one that you keep secret. The public key is used to encrypt a payload (whatever you want to share privately) and the private key is used to decrypt the payload. While encrypted the payload is secure and only you can read it. Anyone can encrypt, only you can de...

Authenticator Apps

Like many security professionals, we at Pythia Cyber are not overly impressed with passwords. If they are good passwords then they are hard to remember and hard to type. If you take security seriously, they are a pain to manage: a unique one for every account, changing them at random intervals. Worse, the target systems keep exposing them to criminals. So what to use instead? Two-factor authentication is a big step up: you still have a password, but you are not relying solely on that password. That is what the "two" means: a password plus something else. (Passkeys are also an option, but they get their own post.) All second factors produce a temporary authentication code which is required in addition to your password. But not all second factors are created equal. In order of effectiveness, the common options are: an authenticator app; a code sent via text message; a code sent via email. Before we talk about the best we will dispose of the rest. In last place is a temporary code...

Memorial Day 2026

Today, let's take a moment to appreciate the sacrifices of those who died defending democracy in service to our country. (image credit: https://www.abmc.gov/cemeteries-memorials/about-korean-war-monument-at-busan/)

It Is Always Time for Zero Day Vulnerabilities

Oh, sigh. It has only been 5 months since my last post on Zero Day Vulnerabilities and now I am provoked by news of multiple such vulnerabilities in various Microsoft products. My post was about what that term used to mean, came to mean and means now. It was also about why reacting to these issues has become a potential vulnerability in itself. The short version of the definition is that "Zero Day Vulnerability" now means "you should do what you can about this vulnerability as quickly as you can." The short version of the dangers of panic is that panic is dangerous: just because you need to react to a vulnerability ASAP does not mean that you can cut corners or rush. Remember that not only are human beings prone to error when they rush but that evil human beings may try to exploit that tendency by offering corrupted patches which are, themselves, malware. The best way to be able to react ASAP without rushing is to plan ahead. Of course you cannot predict when any g...

The Recyclable Leader

Continuing on the theme of leadership -- would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren't the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work amongst many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not leaders? So many bad or wrong (or alarming) answers might come to mind for you, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest performing employee; I wanted the leadership job more than they did; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...

Of Policies & Plans

We here at Pythia Cyber are big believers in rigor so we strongly recommend following a rigorous framework when building your cybersecurity program (CSP). We use the NIST CSF by default but we recognize that there are a few other frameworks which will also do the trick. We seek to season cybersecurity with behavioral science because human behavior is a huge but rarely addressed part of running a CSP. Those who run the CSP are humans. Those who follow the CSP are humans. Those who work to subvert or circumvent the CSP are humans. There is much that is NOT cyber in cybersecurity. There are few places along the path to a great CSP where being human is more evident than in the writing of policies and procedures. The point of these documents is to inform, not impress. The goal is to guide human behavior in times of stress, so clarity and accuracy are of utmost importance. Length or literary flourishes are worse than irrelevant: they are an impediment to being useful in times of stress and u...

Leading Means Doing

Phil Venables' new post, Do you really know what's going on?, caught our attention from the start (quoting at length): Most leaders do not know the actual truth of what is happening. This is not because people are overtly hiding things or that leaders are ineffective, although sometimes it is both of those, but rather this is because of the "thermocline of truth" that I covered in this post. Organizations are full of cultural, structural, process, and other barriers that stop reality making its way to leadership. When you started out in your career you probably felt constant frustration that the "higher ups" had no clue about reality on the ground. Even today, you probably feel frustrated that peers in other organizations are clueless to the reality you know, or even in many cases that you know their teams know but are failing to push up to their leader. When you become progressively more senior it's easy to forget this experience and get in a position where you believe you...

Two Cheers For Internal Candidates -- And How To Create The Best

Brendan has been writing about internal candidates, and we thought we'd enter the fray. There are upsides and downsides to building your talent pool v. external hiring & hoping it works, as Brendan noted. This post is about the internal pool. Integral to the buy/build decision are answers to the following questions: You've created a talent development process (I mean, you've done that...correct...?) You've invested in not only the identification but the acceleration of your people's performance (ditto...?) You're focusing on a talent-based performance management culture, not one that rewards surviving We've written about how this could happen. In brief you must: Intentionally create a newcomer socialization process Measure and monitor performance to get people to the point where they are considered for promotion "[You need to] manage the person's development intentionally so that they leverage their talents to perform. That happens through thr...

Bringing External Assets Under Your CSP

At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP) but increasingly we are asked about how to manage cybersecurity threats to assets external to the organization. In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else. In other words, part of your supply chain. Just about all organizations these days have some exposure to the cloud. Generally only manufacturing concerns have digital supply chains. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control: how do you apply your CSP to them? The Cloud One of the reas...

The (Cybersecurity Threat) Beat Goes On

At Pythia Cyber we warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity and skills and knowledge get out of date. Talent is evergreen. We keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heart of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on. Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any ot...

Employ Skills But Hire Talents

At Pythia Cyber the conversation about who to hire and how to manage often detours into distinguishing skills and talents. This comes up often enough that it is time for a blog post. Let us start, as so many middle school assignments do, with the dictionary definitions. Today we are using Merriam-Webster as our source. skill noun ˈskil ...

We Predict The CISO Talent Dilemma If You Don't Become Better At Managing Talent Development

You're out of time. Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review. The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery. The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time, because, yes, here we go, AI is not proactive -- it's active. That leaves Ross telling us about the third CISO type, those who are predictive: "The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked." We completely agree that being predictive is right -- definitely better than being proactive, for example, and don...

The "Build or Buy" Dilemma When Hiring

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program manned by mediocre people is not what you want and a great team following mediocre procedures is not what you want. You need both sides of the equation: the right people in the right jobs doing the right things. Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost, the goal is the most effective security you can afford and you can provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats. Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experienc...

The Yin of Talent & The Yang of Experience

At Pythia Cyber our focus on blending behavioral science with classic cybersecurity means that we have to address something other cybersecurity consultants do not: wishful thinking. Magical thinking, if you prefer. The tendency of people to believe whatever they have to believe in order to accommodate an inconvenient truth. At the top of the list of inconvenient truths is that experience in a previous position is a mediocre predictor of success in a new position. We all have firsthand experience of the new hire for "the exact same job" who cannot cut it. Near the top of the list is that credentials are a mediocre measure of capability. We all have walked into the cubicle of a mediocre colleague only to find their walls covered with certificates of courses passed and plaques of participation in impressive projects. Believe me, we understand why people cling to these ideas despite the personal contradictory experience. Not only is the dream so appealing (more below) but this te...

Outro: A Closing Note On The Talent And Function Series

The cybersecurity technical conversation is mature. There are frameworks, certifications, vendors, and a generation of professionals who have built careers around the technical layer. The talent conversation is improving, thanks in part to voices like Eric Cole's that have pushed the industry to look honestly at how it recruits, develops, and retains the people who do security work. The conversation about how technology, talent, and organization combine to produce actual security outcomes is still developing. It happens when a CISO realizes that a technically excellent program is still being compromised through behaviors the SOC doesn't see. It happens when a board recognizes that the cybersecurity function is reporting metrics rather than shaping decisions. It happens when an executive team asks why the cybersecurity investments of the past five years haven't translated into the resilience they expected. The bilingual axis runs through all of these conversations. Cyberse...

Decisions, Decisions, Decisions, And Decisions

The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise. This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant. This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these ar...