
If there is one thing the cybersecurity industry loves, it’s a maturity model. We love charts that tell us we are currently a Level 1 (toddler with a screwdriver) and that, with just eleventy million dollars and a prayer, we could eventually become a Level 5 (omniscient cyber-deity).
But a new book from an award-winning CISO has proposed a radical, terrifying new concept that goes against every instinct in our paranoid little hearts: stop trying so hard.
According to the book, the key to leadership isn't fixing everything - it's ruthlessly defining the areas where you are allowed to be barely competent.
Be bang average
For years, we have been told that good enough gets you hacked. But apparently, trying to be an A-Grade student in every security domain is actually what kills you.
The book argues that seeking perfection in everything is a security and strategy failure. If you try to get an A in cloud security, network control, secure coding, endpoint protection, and explaining to the CEO why he can't use his birth year as a password, you end up with C grades across the board.
The solution? Compliance.
That’s right. You are now strategically authorised to look at a massive pile of security debt and say, "Eh, looks compliant enough." The goal is to be ruthless about where you can afford to be mediocre so you can save your energy for the two or three things that actually matter.
Finally, a framework that validates my decision to ignore the printer vulnerability alerts for six consecutive months. I'm not lazy; I'm prioritising excellence elsewhere.
The eyes on, hands off approach
Perhaps the most beautiful part of this philosophy is how it handles the crushing weight of decision-making. The playbook suggests a technique called situational awareness, which is a military term used by corporates to mean "making it someone else's problem".
The logic is sound. The CISO cannot prioritise for everyone because the speed of change is too fast. Instead of micromanaging, leadership should adopt an "eyes on, hands off" approach.
Here is the translation for the non-executive folks:
Eyes on: I am watching you.
Hands off: I am not going to help you change anything.
The book claims this is because developers and contract owners have better, fresher information than the CISO. This is objectively true, mostly because the CISO has been in budget meetings for the last 400 hours.
By broadcasting intent, you empower asset owners to figure out the backlog themselves. Essentially, you tell them, "We need to be good at vulnerabilities," and then you back away slowly while they fight over whose job it is to patch the three-year-old Jenkins server.
Efficiency is for Boomers
The book takes one final shot at the old guard by declaring that efficiency is an artefact of the industrial age.
If you are obsessing over clearing your Jira tickets faster, you are doing it wrong. The goal is effectiveness, which apparently involves being adaptable enough to drop the list entirely when the situation changes.
So, the next time your Project Manager asks why the ticket queue is growing, just tell them you have moved past the industrial concept of doing things and are now focusing on the information-age concept of vibing with the ecosystem.
The Bottom Line
Prioritisation is an economic exercise. If a security control slows down the business without reducing risk, it is a bad priority.
So, go forth and be mediocre. Pick two things to be amazing at - maybe finding vulnerabilities and screaming into voids - and let everything else slide into the warm, comfortable embrace of pass/fail.
After all, you can't dilute your resources if you simply refuse to use them.
