
3 Dec 2024

Strategy

Risk Under Pressure: It’s Not About Being Right, It’s About Making Decisions


Pursuing complete information before making security decisions is paralysing organisations and leaving them vulnerable. While traditional approaches emphasise gathering comprehensive data, experienced security leaders recognise that effective risk management often requires acting with incomplete information within critical time constraints.

Security veterans Steve Zalewski and Dan Haagman propose that successful risk management demands comfort with uncertainty, supported by experience-driven pattern recognition and organisational muscle-building exercises.

Context

Previous Cyber Strategy Collective essays have explored how risk management has become overly focused on controls and metrics and how security leaders can strategically exploit risk rather than simply avoid it. This piece completes the picture by addressing a critical challenge: how to make effective decisions when perfect information isn't available and pressures are mounting.

The increasing pressure on security leaders is evident in recent data. CSO Online reports that more CISOs are dissatisfied with the role today than ever before. The top reasons for this include a lack of executive support and high levels of burnout among security leaders.

Adding to those factors, personal liability for security decisions has increased with recent SEC regulations. The requirement to disclose a material incident within four business days of determining that it is material compresses decision-making timeframes, even as incidents become more complex.

In this collaborative essay, Steve Zalewski, board advisor to security companies and VC firms and former CISO of Levi Strauss, and Dan Haagman, CEO of Chaleit, explore how security leaders can develop the confidence to make sound decisions under pressure, managing stakeholder demands and operational necessities while protecting critical business assets.

Drawing on metaphors from medicine, firefighting, and chess, they argue that effective risk management isn't about having perfect information but making timely decisions that balance immediate needs with long-term objectives.

Challenges

The following challenges test CISOs' ability to protect the business while dealing with uncertainty and mounting pressures.

The illusion of complete information

One of the fundamental challenges in cyber security leadership is the tendency to seek complete information before making decisions.

As Steve notes, "Collecting all the data to verify in your own mind that the decision you're making is right can actually result in more harm to the business than less." The pursuit of certainty can delay decision-making, particularly during critical incidents where time is a crucial factor.

The challenge is particularly acute for newer security leaders who may lack the experience to feel confident making decisions with incomplete information. This can lead to analysis paralysis, where the pursuit of more data becomes a substitute for action.

Overemphasis on prevention

Steve and Dan highlight a critical reality: no organisation can prevent every breach. Attackers constantly evolve, exploiting zero-day vulnerabilities, leveraging social engineering, and finding new ways to bypass defences.

The focus on prevention can lead organisations to over-invest in tools while underestimating the importance of resilience: detecting, containing, and recovering from the incidents that will inevitably get through.

The obsession with prevention often creates a false sense of security. Organisations may believe that by achieving compliance or implementing the latest technology, they are secure. Yet, as Dan puts it, "missed investment in the prevent area" often leads to security theatre — actions that look impressive but fail to address the most critical vulnerabilities or prepare for real-world scenarios.

Steve compares the CISO with a battlefield surgeon. In a crisis, spending too much time trying to "heal" every patient perfectly can lead to catastrophic delays in treating others. Similarly, a cyber security strategy that is overly focused on prevention risks leaving the organisation unprepared for the breaches that prevention tools cannot stop.

Dan adds that cyber security is no longer about protecting "buildings and people." Instead, it requires triaging risks and focusing on what matters most: keeping the business operational during an attack. Organisations that ignore resilience often scramble during incidents, struggling to respond effectively due to a lack of preparation and clarity.

Stakeholder management under pressure

Another prevalent challenge for CISOs is managing complex stakeholder dynamics, often amid conflicting interests, during security incidents. The regulator demands transparency and data, the CFO worries about cost, and the CEO focuses on brand and revenue impact.

Balancing these pressures while managing an active incident creates an almost impossible dynamic.

The challenge is further complicated by the need to manage conflicting priorities among different business units.

A CISO's job, in Steve's words, is to ensure that "no one line of business accepts more risk for another line of business." This requires engaging with stakeholders across all units, translating technical risks into business impacts, and aligning everyone toward shared objectives.

However, managing these dynamics is not straightforward. When the CISO prioritises protecting critical business functions, they may encounter resistance from leaders whose areas receive less focus.

CISOs can feel lost in balancing all stakeholder needs while keeping the company secure. And here’s where experience — or lack of it — plays a crucial role.

The tenure trap

According to a 2023 CISO Global Report, the average tenure of a CISO typically ranges between 18 and 26 months, far shorter than the 4.9-year average for the wider C-suite.

This "tenure trap" poses significant challenges for organisations and cyber security professionals. As Steve and Dan discuss, this rapid turnover limits the ability of CISOs to develop deep institutional knowledge, achieve meaningful change, and benefit from the compounding effects of experience within a single company.

Short CISO tenures, often driven by burnout, unrealistic expectations, blame shifting, and the high demand for experienced cyber security leaders, can have significant negative impacts on organisations:

  • Lack of continuity. Each new CISO brings their priorities and approach, often abandoning or overhauling existing initiatives. This can lead to wasted resources, confusion, and gaps in protection.
  • Missed opportunities for organisational maturity. Steve emphasises the importance of learning from past decisions to refine security strategies. When CISOs leave before their decisions have been fully tested, neither they nor the organisation gain the full benefit of that learning cycle.
  • Loss of trust and relationships. A revolving door of CISOs prevents the development of trust and understanding, making it harder to align security efforts with business objectives.
  • Increased risk exposure. The transitional periods between CISOs can leave organisations vulnerable, particularly if the departing CISO's knowledge is not adequately documented or passed on.

Addressing these challenges requires both structural changes within organisations and a shift in how the CISO role is perceived and supported. Let's turn to solutions.

Solutions

Steve and Dan's combined decades of experience point to several practical approaches that can help security leaders solve the challenges above and make effective decisions under pressure.

Balance information with action

Rather than viewing incomplete information as a liability, experienced security leaders learn to operate effectively within uncertainty. This approach requires:

  • Understanding when you have "enough" information to make a reasonable decision.
  • Accepting that decisions may need to be revisited as more information becomes available.
  • Focusing on protecting key business assets rather than attempting to secure everything equally.
  • Developing comfort with ambiguity while maintaining decision-making confidence.

The key is developing what Steve calls "the confidence of experience" — the ability to recognise patterns and make informed decisions even with incomplete information. This confidence comes from repeated exposure to similar situations and learning from both successes and failures — more on this below.

Prioritise protection based on business value

Historically, cyber security was viewed like traditional firefighting — rushing in to put out the fire and save as much of the building as possible. However, just as modern firefighters prioritise saving lives, today's CISOs must first protect critical business operations before addressing technical remediation.

According to Steve, a shift from pure security to risk management involves answering a fundamental question: "Is your primary goal to secure the company, even if it means disrupting efficient processes? Or is it to protect the business within the constraints of acceptable risk and revenue potential?"

For CISOs, this kind of thinking means:

  • Identifying and protecting critical business processes.
  • Understanding the acceptable level of security "friction" for different business units.
  • Making explicit decisions about which assets require the highest levels of protection.
  • Aligning security measures with business objectives.
  • Understanding and managing executive politics and relationships.

From his experience at Levi's, Steve describes how he defined his position: "My role was to translate security needs into business terms. I had to understand how security aligned with the goal of selling more jeans and then communicate the associated risks to the leadership team."

Steve's approach involved balancing the need for security with the business's risk tolerance — differing from traditional CISO roles, which often focus solely on technical security. By prioritising business risk, he aimed to demonstrate the value of security to the executive team.

Play chess, not checkers

Steve introduces a powerful metaphor to describe the decision-making required of a CISO: the difference between playing chess and playing checkers.

Checkers is a game of straightforward moves and predictable outcomes. With limited variables and rules, players can map out potential moves with a high degree of certainty. It resembles traditional risk management approaches where threats are treated as isolated incidents, and solutions are applied in a one-size-fits-all manner.

However, as Steve points out, this approach fails in complex, high-stakes environments. In cyber security, attackers don't play by a fixed set of rules, and no two breaches unfold in the same way. Attempting to manage such complexity with a "checkers mindset" can lead to oversimplified strategies that crumble under real-world pressure.

Chess, by contrast, requires players to anticipate multiple moves ahead, adapt to an opponent's strategy, and think critically about both immediate and long-term consequences.

Chess reflects the reality of being a CISO. Cyber security is too complex to predict every potential scenario or have perfect information. Instead, effective leaders rely on patterns and experience.

A skilled player doesn't need to calculate every possible outcome because years of practice help them recognise patterns and make informed guesses. Similarly, over time, CISOs build the muscle memory to assess situations quickly and act decisively, even with incomplete data.

Tabletop exercises and simulations serve as the "practice games" that allow organisations to refine their response strategies. These exercises help executive teams understand the dynamics of playing chess rather than checkers, enabling them to contribute more effectively during actual incidents.

Ultimately, as Steve and Dan agree, the goal isn't perfection but sound decision-making. A good chess player doesn't win every game, but they learn from every move, continuously improving their strategy.

Build organisational muscle

Steve extends the chess metaphor with a vivid example of a breached email account — a scenario that encapsulates the complexity, trade-offs, and decision-making pressures CISOs face.

Imagine an incident that begins with a phishing attack that compromises an executive's credentials, giving attackers access to sensitive information. Over three days, the security team works to chase the attackers out, but the situation spirals out of control. The CISO is faced with a critical choice: initiate a company-wide password reset that will disrupt operations for 72 hours or risk letting the attack continue.

The decision isn't just about cyber security but business impact, communication, and prioritisation — and the CISO can't make it alone.

To make the scenario more interesting, imagine the CEO is on vacation, and the deputy CEO must give the green light to the CISO to shut down communications.

"How does the organisation react?" Steve asks, again highlighting that practising is the only way to prepare for when something similar does occur.

This type of scenario makes the executive team acutely aware of the speed and severity of potential cyber attacks. Building organisational muscle is not for perfection but for strengthening decision-making capability.

Embrace compound learning

While cyber security incidents often demand immediate decisions, the ability to learn from those decisions over time is just as critical.

Dan emphasises the importance of a CISO staying in their role long enough to see the outcomes of their choices. Decisions, revisited and refined, lead to compounded learning, building both organisational maturity and personal expertise.

To encourage compounded learning and escape the tenure trap, companies need to:

  • Create incentives for CISOs to remain in their roles long enough to build trust and refine strategies.
  • Treat mistakes as opportunities for growth, both for the CISO and the organisation, and provide resources for continual improvement.
  • Encourage cross-functional dialogue to ensure security priorities align with broader business objectives.
  • Invest in "two-deep leadership". Steve points out the importance of building a pipeline of deputy CISOs and other security leaders who can step in when necessary to ensure continuity and prevent the organisation from relying on a single individual.

As Dan reflects, a CISO who lives with their decisions and learns from them is far more likely to create lasting value for the organisation.

Key takeaways

  1. Accept uncertainty. Rather than pursuing complete information, gather enough data to make reasonable decisions within time constraints.
  2. Prioritise critical assets. Focus on saving the people first, then the building. Use resources to protect key revenue-generating and brand-critical operations, then focus on remediation.
  3. Understand the business context. Security decisions must be made within the context of business objectives and acceptable levels of friction. This requires strong relationships with business leaders and an understanding of business operations.
  4. Value experience. Like chess masters, security leaders must build pattern recognition and learn from both successes and near-misses. This includes creating opportunities for controlled learning through exercises and simulations.

CISOs have a tough job, but one that gives them a chance to make a significant impact on the company. They need to balance the needs of different parts of the business, learn from past experiences, and encourage everyone to make decisions that take risk into account.

At the end of the day, as Steve notes, "It's less about being right and more about making confident decisions with acceptable outcomes."

Making effective security decisions under uncertainty is a critical skill developed through experience and practice.

To hear more insights from Steve Zalewski, you can tune into his regular discussions about security leadership on the Defense in Depth podcast, part of the CISO Series, co-hosted with David Spark and Geoff Belknap.

And if you need support building the muscle memory needed to navigate uncertainty confidently, let's talk. Chaleit's partnership model is built for long-term compounding results, not hit-and-run wins.

About the authors

Steve Zalewski

Steve Zalewski is a Board advisor to security companies and VC firms, providing guidance on market fit and direction.

In addition, his practice provides retained CISO and security advisory services to clients to address program design, assessment, due diligence, and board reporting.

He is the former CISO at Levi Strauss & Co and has held senior security positions at Pacific Gas & Electric and Kaiser Permanente. His credentials include CISSP, CISM and CRISC security certifications.

Steve co-hosts the CISOSeries Defense-in-Depth Podcasts and is a frequent speaker and panel moderator for webinars and industry events.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Steve Zalewski. Dan Haagman's views also reflect the official stance of Chaleit, while Steve Zalewski's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series:

Cyber Strategy Collective

Topics:

  • Strategy
