The Chief Insecurity Officer
What if the CISO's job isn't to maximize security but to calibrate the right amount of insecurity? Reframing the role this way turns security leaders from obstacles into enablers of business velocity.
“The job of a CISO is to let just the right amount of insecurity in,” said my friend Gal, a security pragmatist. He was channeling Ian Amit’s perspective that security leaders exist to advance the business while managing risks.
Historically, we’ve framed the CISO role as securing the organization. But the business requires some level of insecurity to function. For work to happen, information must flow. Apps must be used. Links must be clicked. Sales needs to share proposals over channels you don’t fully control.
If we frame our role around security, stakeholders hesitate to get us involved out of fear that we’ll get in the way. Frame it around acceptable insecurity, and we’re calibrating how fast the business can move. We become essential to that velocity.
To let in just the right amount of insecurity, find the balance between careless exposure and controls that strangle velocity. Here’s how.
Understand the Business Pace
Start by learning how fast the company wants to move toward its objectives. This requires curiosity, asking the right questions, and participating in discussions about business goals. I think of that as achieving business alignment.
A diagnostic: Can you name your company’s product launches coming this quarter and identify which security decisions could delay them? If not, you need to dig deeper.
Define Acceptable Insecurity
Next, establish how much insecurity the organization can absorb without stumbling. Frameworks such as ISO 27005 and ISO 31000 offer a starting point for defining risk appetite and tolerance, but they often produce policies that are disconnected from reality. We need to develop practical, repeatable workflows for distinguishing acceptable from overly insecure situations.
A diagnostic: Can you articulate why a specific security risk is acceptable in terms that your CFO would understand? Can you do the same for a risk you consider unacceptable? If not, you’re operating on instinct rather than calibrated criteria.
Measure the Gap
Then, measure the gap between the current state of insecurity and the acceptable state. This requires knowing how your controls actually perform, not just that they exist. Look not only for areas that are insufficiently secure, but also for controls that are too restrictive. The latter is just as important.
A diagnostic: A marketing team wants to use an AI writing tool. Your security review takes six weeks. By week two, half the team has signed up with personal emails. Can you detect this? Can you determine whether this workaround is acceptable and explain the logic to your peers? Can you tell when acceptable boundaries are being bypassed?
Apply This to AI
To see this approach in action, apply it to AI, where pressure is high and risk boundaries are still forming.
Walk through the framework:
- Understand the pace. How urgently does leadership want AI capabilities? What’s the cost of delay?
- Define acceptable insecurity. Which data can AI tools access? What oversight is required? For instance, a team wants to feed customer support tickets into an LLM to draft responses. The tickets include names and account numbers. Is that acceptable if these details are redacted? What if they aren’t?
- Measure the gap. What’s the current state? Are existing policies blocking experimentation that doesn’t introduce meaningful risks, or is sensitive data flowing to unapproved tools?
The Reframe Matters
How you frame your role shapes every conversation, even if it’s just in your mind. Security leaders who maximize security become obstacles. Those who calibrate insecurity become enablers.
Frame your role around insecurities rather than security, and you might earn the title of Chief Insecurity Officer. The acronym still works.