I read shadows for a living.
This is a dangerous pursuit because the human brain sees patterns even when they don’t exist.
Stare at clouds long enough and you’ll see a face. Stare at insufficient data long enough and you'll hallucinate. This can result in paranoia, an occupational hazard as a CISO.
But all the same you have to do the work. You never have enough information, but you still have to make decisions.
All I see sometimes are the faint outlines of a shadow. What is casting the shadow? I don't know. It could be a nation-state attacker. It could also be a tree.
So let's take a deep breath and test scientific hypotheses at an advanced cadence to better grapple with an unknown reality.
We can strategically deploy controls to defend against known unknowns. This helps. It's not enough, though.
Holding lightly to multiple competing hypotheses becomes a vital mental task as a CISO. Don’t get caught up in your pet theory! New information could destroy that theory at a moment’s notice. Be prepared to change course without hesitation.
Also, shadows are dangerous. Anyone with street smarts stays away from dark alleys. Not because you know there is a mugger lurking there—you don’t, and most dark alleys are empty.
You avoid dark alleys because there could be a mugger there, and it’s a reasonable risk management approach to walk in the light. Criminals generally don’t like to get caught, even nation-state intelligence agencies that can act with impunity.
Notice the shadows around you. Shine light on them if you can. Stay away from them if you can’t.
And remember: sometimes a shadow is just a tree. Take a deep breath and get comfortable with not knowing. Control freaks will fail in a CISO role.