Pessimists don’t build companies. Throwing yourself soul-first into building a startup that is likely, according to all statistics, to fail, requires confidence, guts, grit, but above all else optimism.
That’s great. Founders must assume high levels of risk in order to succeed. No risk, no reward. “Damn the torpedoes, full speed ahead!” is a good business strategy when you have nothing and you’re hunting exponential upside risk.
It is a somewhat less good strategy when your goal is to avoid exponential downside risk.
But people still make the same mistakes over and over again. That’s because human beings consistently underestimate risk. Nothing to do with cyber, per se. Studies have shown we fret about lightning strikes, or terrorist attacks, or rare forms of cancer, when we should care more about looking both ways when we cross the street, wearing our seatbelts, not smoking, eating healthy, and so forth.
This human tendency to underestimate risk has concrete ramifications for me as a CISO managing cybersecurity risk: “Invisible things I don’t understand are going to hurt us? And you want me to spend how many millions of dollars to reduce that downside risk?”
Communicating this risk, and the Security ROI of spending money to do something about that risk, might just be the most important part of a CISO’s job. This is where business priorities, financial impact, and technical mitigations intersect.
Injecting pessimism into a leadership conversation, in other words.
That is a difficult diplomatic dance, especially with optimists who don’t like hearing about risk. They are so focused on creating a reality that conforms to their vision that they can be reluctant to engage with reality as it is, which has a tendency to bite you hard if you ignore it for too long.
Risk versus opportunity—that is the leadership challenge for any business, and judging cybersecurity risk is especially hard for non-technical optimist leaders who don’t understand where that risk comes from. It's hard enough to see reality unfiltered, much less perceive risk that you don’t understand—even in the presence of all available facts.
I’ll be honest. I’m a security guy, and I have my blind spots too. My weakness is that I tend to see things through a negative filter—whatever the opposite of rose-colored glasses is, that’s me. In order to be effective, I have to work to compensate for that tendency so I can zoom out and see the big picture that includes opportunity.
My job as CISO isn’t just to manage security risk, it’s to do so in order to enable optimists to create value for the business.
The trouble, of course, is that optimists have the opposite problem. They can sometimes be so attached to their rose-colored glasses—so focused on dreaming their vision into reality—that they become blind to the risk in reality, and wind up walking face first into a volcano.
In war, pet theories are a way to get destroyed. Rose-colored glasses get people killed and businesses rekt. When dealing with nation-state violence—sovereign violence that operates outside the law or ethics—there are no rules, only an adversary prepared to do anything to achieve their geopolitical goals.
In the cyber domain, we live and work on a live-fire battlefield where nation-states and organized criminals shoot first and ask questions later. This is not a court case; we are not lawyers. There are no rules—for attackers, anyway. As defenders we must always obey the law, but attackers can strike whenever they like, however they like, and with no warning.
This is a risk most businesses need to grapple with, and some verticals more than others. If you work in cryptocurrency, or you secure water treatment plants or hydroelectric dams, the business risk you face is that a sovereign military invades your networks, steals everything of value, and lays waste to everything in its path.
But most people don’t understand this, and based on many years of trying to explain it to them, I have concluded that they aren’t going to understand. Because humans are bad at understanding risk, and because the majority of humans don’t understand computers and the internet well enough to understand how cybersecurity risk works, I have come to a reluctant conclusion: the least bad solution to systemic security issues is regulatory compliance.
I say this as a long-time critic of bad cybersecurity regulations. They’re bad. Like, dumpster fire awful. But if there’s one thing every non-technical business leader understands deep in their bones, it’s legal risk.
Don’t get sued. Don’t get fined. Either spend money to be compliant, or be prepared to engage with regulators who have, at the very least, a domestic monopoly on physical violence.
Maybe the best way to solve for systemic cybersecurity risk really is creating a legal proxy for that risk.