Cyber Cyber Cyber Cyber

The CISO as a Defense-only Military Leader

Why Measuring Cybersecurity Risk is Impossible

J.M. Porup
Dec 21, 2022

“You cannot manage what you cannot measure.” Blah blah blah whatever.

Tell me: How do you measure the likelihood of marauding bands of gangsters holding your business hostage and demanding a ransom?

How do you measure the risk of a foreign army waging de facto war on your company?

From which direction will the enemy attack? When? With what force? For how long? How much damage will you take? What about the known unknowns (“grey swans”) and the unknown unknowns (“black swans”)?

These are strategic questions that cannot be measured.

That's why it's called the “art of war,” and not the “bean-counting of war.”

There is a reason all insurance policies have a war exclusion: The risk of war is not insurable. It is not measurable using any meaningful actuarial standard.

So as a CISO, your job is the military defense of your employer. But your CEO and board are demanding concrete KPIs for your team. How do you communicate this to your CEO and the board?

Well, here's a good start: Legal and financial risk management generally assumes a competent legal system to fall back on. It also assumes fundamental things like, I dunno, nation-state borders.

If that last bit sounds crazy to you, consider that the Treaty of Westphalia is obsolete. That foundational cornerstone of modern international law that defines physical borders as sovereign limits? Yeah, that's a dinosaur.

When a foreign country's soldiers cross into your territory, boots on the ground, that's an act of war... but what if they hack your country instead?

Where are the borders? If North Korea attacks and destroys my employer, an American company, is that an act of war? I think folks in Washington would chuckle if I seriously suggested such a thing.

The U.S. military and border police are not going to defend my employer from attacks by foreign armies or international criminal gangs.

We are on our own, folks. The cavalry isn't coming. We live next door to every military, intelligence agency, and gangster in the world.

Cybersecurity grapples with raw power problems presented by adversaries who operate outside of the law and without consequence.

The only difference between a CISO and a military general—and it is a big and important difference—is that a CISO is 100% defense-only, and may never, under any circumstances, engage in offensive security operations against their adversaries.

If you think ethical, legal defense matched against extra-legal raw power offense is not a fair fight, then you would be right. But that is the world we live in today.

In a land war, a general might choose to attack a foreign battery of artillery as a means of defending his front lines. In cybersecurity, a CISO has no choice but to suck it up and take whatever punch gets thrown.

So what can you measure in cybersecurity? You can measure the effectiveness of security at the tactical level. Are things buttoned down and in good order? Are you getting the basics right? This can and should be measured.

But at the strategic level, trying to measure cybersecurity risk in the face of human adversaries will only narrow your field of vision, and you'll wind up like the French and their fabled Maginot Line.

Y'all did high school world history, I hope? Cuz the Germans just went around.

© 2025 J.M. Porup