The cybersecurity profession today has a dogma problem. This should not come as a great surprise. As I highlighted in a blog post last week, the KNOWN UNKNOWN and UNKNOWN UNKNOWN risks we must manage in cybersecurity cause anxiety and stress, and we reach for any mental model that will collapse the infinite problem space into a finite little box that our poor mammalian brains can grasp.
This is a human flex. In the face of the unknown and the terrifying, humans have always turned to religion—that is, dogma. A religious belief that if you build a life-sized model of an airplane out of wood, the magical metal ones will bring you yummy Spam.
Cargo cult security, in other words.
If only we could turn unmeasurable security risk into codified law. Then all we’d have to do is obey the law (or calculate the likelihood of enforcement and break the law, but that’s another blog post). And so a quarter century of security compliance as a proxy for real security ensued.
It’s beginning to dawn on people that the law is the wrong instrument for managing security risk. (Pretty bloody obvious, you might say, but the people who make the law are not typically cybersecurity experts.) So now we’ve veered into grasping at the Cyber Risk Quantification (CRQ) straw, desperately begging statistics to do the job of a military general.
I’ve spent all this time criticizing the wrong way to do things, so what is the right way?
The hardest job a CISO has is to sit in the unknown and get comfortable there. To face the ambiguity with a smile, to lead from a place of calm, and to make decisions in the face of uncertainty.
Playing defensive security in the face of KNOWN UNKNOWN risks and UNKNOWN UNKNOWN risks requires flexibility of mind, and not dogmatic rigidity of mind. Faith is useless. Being open to new information and changing your mind is vital when playing defense against active adversaries who wish to cause you catastrophic harm.
That is a hard job, it is a highly personal journey, it is not quantifiable, not subject to blind following of a rule book or faith in a particular dogma or creed, and it is not scalable or copy/pastable.
Naturally this drives people insane. Running a business is all about the money. Bean counters want to quantify their incomings, their outgoings, and their risk. And here I am waving my arms talking about the unknown likelihood that a foreign military is going to invade our networks and destroy us like a bunch of marauding Vikings.
Yet that is the reality of managing enterprise security risk, and anything less does not recognize reality, does not live in reality.
That means you need to keep constant watch on yourself and your team members for hints of dogma. How can you spot it?
“But this [security measure] is the right thing to do.”
Well, no. There is no “right thing”. Security is not some sort of moral crusade. We’re here to manage risk in service of the business, within its risk appetite.
“But things shouldn’t be this way.”
Why not? “Should”? Says who? What does that even mean?
Pay attention to how you talk and think and see if you can spot yourself using words like this. If you are, you may like to reconsider the way you think about enterprise security risk management.
Abraham Lincoln famously said “My policy is to have no policy.” This is an elegant way of saying dogmatic leadership results in bad outcomes, and pragmatic leaders do what they have to do to solve the big problems in front of them.
You cannot take the easy way out. There are no shortcuts. There is no copy/paste list for success in defensive cybersecurity. It just doesn’t work that way.
You actually have to live in the moment, and think for yourself, and make hard decisions even when you only have a hint as to the true nature of reality.
Engage with reality as it is, not as you wish it to be.