Pythia Cyber Elevator Pitch 2026-06-11

Like everyone else, we get asked "what's your elevator pitch?" We always have one, but we find it a useful exercise to revisit and revise ours to better fit this ever-changing world of cybersecurity. Here is our latest elevator pitch.

Cybersecurity is a risk management function. Management is mostly about people. Many Cybersecurity Programs (CSPs) are rigorous and based on a valid, tested foundation such as the NIST CSF. Few CSPs have been implemented with an eye to how the people involved will behave. We help you make your CSP more effective by making it more rooted in human behavior.

Running a CSP is like putting on a play: a good script is a necessary but not sufficient condition for a good performance. A single good performance is nice, but that does not make a successful run. Having good policies and good procedures based on those policies is a fine start, but if your cast and crew don't deliver then you don't have good cybersecurity.

Those of us who have seen a variety of organizations try to protect their digital assets have seen a tendency to focus on the procedures and the CS team. The rest of the company gets pretty useless mandatory annual training.

What does Pythia Cyber do differently? We bring the science and the evidence. We keep the rigor and the formal framework but we add awareness of talent and behavior. Talent is what a person can do. Behavior is what a person actually does. Experience is what a person has done.

Skill is facility with a particular task; talent makes acquiring skills easier but experience makes a particular skill better. For example, I cannot dunk a basketball: I don't have the raw physical talent for it. I will never be able to dunk a basketball. I can juggle three objects because I spent an embarrassing amount of time and energy to acquire and hone that skill. However, I have no particular talent for juggling: I can only do the one kind of juggling of the one kind of ball-like object and only three at a time. If I were hired for my ability to juggle three bean bags I would be great at that, but if the requirements changed and I needed to juggle four bean bags or even three bowling pins, I would be a dismal failure. So use skill as a proxy for talent at your peril.

Thanks to our research psychologist roots and our grounding in psychometrics, we actually assess talent, we assess tendencies toward unwanted behavior and we measure attitudes. Based on those measurements we give you insight into how your people view their environment. Based on those insights we help you change those attitudes and the behaviors that go with them.

We apply this awareness of talent and behavior to the two very different aspects of cybersecurity: the internal aspect of building and running the group that builds and runs the CSP, and the external aspect of interfacing with the rest of the company. This allows us to do what no one else can do: help you make your great CSP more effective by improving whatever is lacking.

Don't have a formal CSP? We can help you create one in a NIST CSF-compliant way. Need to staff your CS group? We can help you do that in a talent-aware way. Is your corporate culture not engaged with cybersecurity? We can help you change people's behavior. Need to know what behavior needs to change? We can help you with our NIST CSF-based process review to aid in targeting behavior that needs to change.

In the end your CSP is either effective or it is not. It is either cost-effective or it is not. You need to be aware of the formal requirements, you need to understand and embrace being evidence-based and you need the right people in the right jobs doing the right things. Behavior and talent are a huge part of why you will succeed or fail. We can tie rigor and formality to talent and behavior. Ask us how.
