Control is an Illusion: Rethinking cybersecurity and leadership strategies

One of the biggest fallacies in cybersecurity—and in leadership—is the belief that we can control outcomes. This illusion sets us up for frustration, wasted effort, and, ultimately, failure.

In cybersecurity, people often obsess over the things they cannot control: who will attack, when it will happen, or how sophisticated the threat will be. But here's the truth: you can’t control the attackers. You can’t dictate when or how they’ll strike. Attackers do not have to play by the same rules or operate under the resource constraints that defenders do. What you can control is how you respond. But even that framing isn’t complete. The real power lies in understanding the difference between control and influence.

There are few things in this world we can control—but much can be influenced.

As a CISO, you can't prevent all breaches, but you can influence how prepared your team is to respond. You can’t stop a phishing attempt from landing in an employee's inbox, but you can influence how likely they are to recognize and report it. You can’t guarantee that your security tools will catch every anomaly, but you can influence how quickly your organization detects, analyzes, and mitigates threats.  In short, through *influence*, not control, you can create outcomes that minimize the impact of any security incidents that occur.

The illusion of control often leads to unrealistic expectations from other business leaders. They want guarantees, assurances, and absolute security; they want risk removal, not risk reduction.  But cybersecurity doesn’t work like that. What a security program can provide is a well-managed risk profile, a resilient response plan, and a culture of security awareness that influences how the entire organization operates.

I once had a supervisor who requested that I add a team OKR (Objectives and Key Results) that we would have no incidents for the year. To say that I was stunned by this request would be understating my shock. Not only did this person believe that a security program could control this sort of outcome, but that this should be expected! In other words, if we had an incident, our team had failed. I refused this request, and instead entered an Objective that we would have no *material* incidents, i.e., incidents that had a material impact on the business. From my own team metrics, I knew that in the previous year 99.4% of incidents had zero impact on the business; the other 0.6% were non-material. We cannot control who attacks us, but we can absolutely control how we detect and respond to attacks.

Shifting from a mindset of control to one of influence is critical. It helps security leaders focus resources and energy on areas where they can make a real difference. Instead of chasing the impossible goal of complete control, we build systems, processes, and teams that are adaptable, responsive, and resilient.

Influence is proactive. By fostering cross-functional relationships, security can influence corporate strategy, product development, and even customer trust. When security is woven into the fabric of business operations, it becomes a differentiator, not just a safeguard.

Control is an illusion, but influence is a powerful tool. Recognizing this shifts how we approach risk, strategy, and leadership in cybersecurity.

Where are you focusing your influence in your organization? I'd love to hear how others are navigating this balance.