Maman Ibrahim, CISSP, CCSP, explains how he has used the concept of uncertainty to help cybersecurity leaders develop their skills and understanding to increase cyber resilience.

Maman Ibrahim, CISSP, CCSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

I once sat with a manager who confessed: "I know precisely what needs fixing, but I can't get my team or the business to move." His technical knowledge was impeccable, but he lacked the resilience to navigate organizational friction. He wasn't unique in facing this challenge. Working with dozens of security teams, I’ve seen how cybersecurity leaders frequently face impossible demands:

"Secure everything, but don't slow the business."

"Be compliant, but with fewer resources."

"Prevent breaches, but justify every penny spent."

Such demands put cybersecurity leaders under pressure, resulting in reactive decisions that undermine their strategies.

The Power of Doubt: My Approach

I coached a security team through a disruption alert that exposed critical gaps in their incident response. Instead of rushing to implement more tools, I asked them: "What if our assumptions about our readiness are wrong?"

This simple question and the responses to it ultimately transformed their approach. We discovered that their recovery plans hadn't been tested against current threats and business stakeholders had unrealistic expectations about recovery timelines.

Viewpoints tend to change immediately when I introduce an element of doubt as a strategic asset rather than a weakness – an approach I've since refined to expand thinking in three categories:

Festina Lente – Hurry Slowly

The Roman maxim Festina Lente is the idea that true speed comes from disciplined patience.

An organization I worked with faced regulatory pressure after a data breach in its industry. The instinctive response was to rush to apply compliance fixes. I slowed them down with the question: "What if speed hurts our security posture?"

Addressing this question revealed that they were fixing symptoms while missing systemic issues. By deliberately pausing, we identified authentication weaknesses across their vendor ecosystem that would have remained unaddressed despite their compliance rush.

Challenging Boundary Assumptions

Working with a manufacturing group that was convinced their security issues were purely technical, I asked: "What if the problem extends beyond our systems?"

We expanded their scope to examine supply chain partners, revealing a third-party software component that was introducing critical vulnerabilities. Their narrow focus would have exposed them despite millions spent on internal controls.

Testing Impact Assumptions

Another team prioritized threats based on technical severity alone. I introduced doubt about their impact assessment by asking: "What if we're protecting the wrong things?"

We mapped security controls against actual business processes and identified that the team had failed to adequately protect its crown jewel customer data while overinvesting in less critical systems.

Applying a Doubt-Based Approach

These experiences have shaped my doubt-based framework. Here's how it works in practice:

Micro-Pauses and Cross-Functional Doubt Sessions

I coached a SecOps Manager to institute micro-pauses before responding to security alerts. This simple practice reduced false positives by 40% and improved team morale. When a legitimate ransomware attempt emerged, this pause allowed them to distinguish it from regular alerts and respond appropriately. "Is this truly urgent, or does it just feel urgent?" became their mantra.

Influenced by the concept of quality circles, "small groups of employees [who] regularly meet to identify, analyze, and solve work-related problems", which originated in Japan in the 1960s, bi-weekly "open circles" enabled security leaders to share their most significant uncertainties with operations, compliance and business unit peers.

These sessions helped to uncover misaligned expectations about cybersecurity's role during digital transformation.

Business-Anchored Security Decisions

Working with the finance ops team, I replaced their technical-first cybersecurity approach with two business-anchored questions:

"How does this security control protect our customer promise?"

"Which option best preserves our reputation if compromised?"

This reframing helped them prioritize identity protection over less visible infrastructure controls, a decision that paid off when competitors suffered reputation damage from customer-facing breaches.

Debrief Sessions

I refocused post-incident reviews at one manufacturing site from blame sessions to learning opportunities. Instead of asking "Who missed this?", we asked "What did this teach us?"

This shift revealed that the organization's security tools were technically sound but poorly integrated with operational workflows. When a supply chain attack hit its industry, the organization adapted faster than its peers because it had built a learning culture.

Results: Measurably Increased Resilience

My approach has delivered tangible outcomes:

  • A 60% reduction in security leader burnout at one organization
  • Faster recovery from incidents (30% improvement in mean time to restore)
  • Better business-security alignment, with security increasingly viewed as an enabler
  • More effective resource allocation, focusing on actual business risks rather than technical checklists

The most effective security leaders are those who navigate uncertainty well. They use doubt strategically, questioning assumptions without becoming paralyzed, which guards against complacency. That's important: resilience isn't innate - it's a state built through daily practices tailored to the chaotic reality of security operations.

By building resilient security leadership, organizations can adapt rather than break when uncertainty strikes. That's been the real lesson: the security strategies that work are not aiming for perfect protection, but for ideal adaptability.

Maman Ibrahim, CISSP, CCSP, has over 20 years of experience in the pharmaceutical industry, manufacturing and business services. He has held leadership and advisory roles with responsibility for cybersecurity and digital risks, as well as audits. His cybersecurity work encompasses contributions to standards and the WEF Cyber Resilience Compass.
