The biggest challenge you face as a CISO isn’t technical, it’s having the right mental attitude in the face of anxiety that would make the Buddha struggle.
Offensive security engineers have it good, I feel. The job is binary: Can you pop the client? Job done. Write up a report and go pop the next client. Your job performance is pretty easy to measure: can you hack? Can you write a report? And if you can’t pop the client the odds are it’s because you suck at hacking, not because the client has great security.
Defensive security is a much different beast. And beast it is. Consider: Are we secure?
What does that mean? How secure is secure? How do you measure security? What are the odds? How much money should we spend to get to the aforementioned “secure state”?
And yet it is impossible to ever achieve 100% security. You could spend all the energy in the known universe and never reach 100%. It's an exponential curve, and you want to be in the sweet spot of balancing cost and security benefit (Security ROI).
KNOWN KNOWN risks? OK, I guess we can do something about those. What about the KNOWN UNKNOWN risks? Errrh, OK, I guess we’ll do what we can about those, and try not to lose sleep at night. What about the UNKNOWN UNKNOWN risks, the Black Swans we face in a Black Swan-rich environment?
So a modern defensive security leader faces external security risk of an unquantified and catastrophic nature, and internal security risk from stakeholders who want to move fast and break things and spend as little money on security as possible. And then—often but not always—hold you as CISO in the wings as the scapegoat-in-waiting to throw to the wolves when something bad happens.
How do you deal with that?
That is the central problem for the CISO to solve. To hold in your mind all those elements at once, to do what you can, to accept what you can’t, to defend your employer against external risks to the best of your ability, to manage sideways and upwards the internal stakeholders who don’t get it, and be at peace with that.
The older I get, the more I think that anxiety is the central human experience we each have to deal with in our own way. If human beings are “time stuff”, then anxiety over the future is the fundamental religious and philosophical question a human being has to grapple with.
Defensive security takes that experience and puts it on steroids.
One way to solve the problem is to collapse the infinite problem into a finite problem set, either using security compliance or cyber risk quantification. Neither does the job though. Dogma may be the opiate of the masses but it sure is terrible at securing organizations against aggressive and sovereign adversaries.
Another common result is to get stressed out about it. Well, is being CISO worth getting an ulcer or a heart attack? That's a big hell no, Jolly Roger. And making yourself sick sure doesn’t do anything at all to make your employer more secure.
So finding and walking the path of calm, of security leadership that is effective, engages with reality, and manages anxiety is, at bottom, the most important problem a CISO has to solve.
Manage the budget to maximize Security ROI? Check.
Manage your anxiety and stress levels—and those of your team and executive leadership? Also check.
Keep Calm and Carry On.