You want certainty. In life. In business. Guess what—you can't have it. Much less in cybersecurity, an adversary-rich environment full of known unknowns and unknown unknowns (so-called "Black Swans").
Making decisions while groping your way through fog is what you get to do all day long as a CISO. Yay for me, I guess? Shrug emoji here.
But this extreme level of uncertainty unnerves those with less experience or who are less technical, especially executives who are trying to get a handle on the problem so they can manage the business risk.
This widespread discomfort with uncertainty is why, across our industry, security certifications and security compliance are so soothing. Security compliance is anxiety relief for tunnel-vision executives unable, or unwilling, to expose themselves to the fog of the unknown.
If you artificially narrow the scope of the problem, you can then triumphantly proclaim that you have solved it.
Note that I'm not calling out any specific individual or employer—much less my current employer!—but noting the broad trends that are clearly visible in the cybersecurity biz today.
Your ISO 27001 certification is about as useful at stopping real attackers as the Maginot Line. Generals always fight the last war. But your company's adversaries are always innovating something new.
Forward-thinking cybersecurity strategy means grappling with uncertainty as your daily toil. But few companies can stand this level of uncertainty and ambiguity; they want to collapse the problem into a narrow problem space so they can wrap their heads around it—but doing this is about as useful as sticking your head in the sand and hoping the problem goes away.
Pragmatic cybersecurity leadership is as difficult as leading troops into a war zone (minus the dying part, at least until civilian cybersecurity leaders get targeted for assassination, but I digress). Chaos rules everything around me. Chaos will rule everything around you. You can manage probabilities but you can never guarantee outcomes. Your strategy must even include the ability to take losses—and even lose battles—in order to win the war.
And here is where the war metaphor fails: There is no end to the defensive war as a civilian cybersecurity leader. A CISO is a general with one hand tied behind their back: Forbidden by law from ever attacking, and able only to defend against an adversary that is mostly invisible.
It's like boxing blindfolded with Mike Tyson. You can dodge and weave all you like but at some point you are going to take a punch. It's going to hurt.
Your business can no more achieve certainty in managing cybersecurity risk than you can achieve certainty in market risk. You don't expect your General Counsel to promise you no lawsuits; you don't expect your CFO to promise you no macroeconomic events, like a recession; so why would you expect your CISO to promise you that you'll never get hacked?
The human tendency to want to simplify the complex and "solve" for one variable in a complex equation—and then triumphantly announce a mathematical breakthrough—is only natural, and must be resisted.
Black Swans—unknown unknowns—come from all sorts of unexpected places. And the sad thing about cybersecurity is that most risks are not Black Swans at all, at least not to cybersecurity professionals. But a known risk to me can be a true Black Swan to a non-technical CEO or Board member if they do not understand the risk and are surprised when a Black Swan risk materializes.
Cybersecurity risk can destroy your business if your only goal is ensuring security compliance.
Managing real cybersecurity risk means groping forward in a fog surrounded by adversaries who want to hurt you. Get comfortable with the anxiety. There is no way to collapse that anxiety into certainty without deliberately blinding yourself.
Take a deep breath. They're out there. Somewhere. Hunting you and your employer.
Keep calm, and carry on.