Here We Go Again…

Years ago, I convinced myself that the C-level was the destination. That was actually the entire reason I started down the university path at Athabasca University. The idea was simple: climb the ladder, become a CTO or CIO, put on a suit, attend meetings about meetings, and eventually say things like "let's circle back on that."

Then reality happened.

The deeper I got into the university education, the more I realized I like the tech too much; I like hacking too much. I genuinely love cybersecurity. The idea of spending all day inside PowerPoint and budget meetings slowly started sounding like psychological warfare.

So I abandoned the executive dream to keep close to cybersecurity and hacking.

At the time, I was younger and significantly more confident than knowledgeable. You know, the classic progression. Learn a little, become dangerously overconfident, learn more, realize you knew absolutely nothing.

Well… about a decade later, here we are again. The plan is a bit different this time though.

Back then, CISOs existed, but they were kind of mythical creatures. You heard rumors about them but rarely saw one in the wild. Now they're quite common, and the majority are focused solely on cybersecurity. That led me to the dangerous thought, "Oh no… this might actually be my calling."

The executive fox — the CISO dream

I've spent over 20 years designing, implementing, monitoring, and maintaining cybersecurity programs across different environments. Those roles also involved managing small security teams, which taught me that leadership is difficult and security people are wonderfully weird.

Over the years, I've also had the opportunity to learn from some absolutely incredible leaders in technology and cybersecurity. You know who you are. Some of you probably also know exactly which bad habits I inherited from you. So realistically I don't think the end goal is impossible anymore.

Like any technical project, the answer is obvious: make a plan, build a roadmap, and probably create several spreadsheets that nobody else will understand.

Summarized Plan

Goal: Lead a cybersecurity program as a CISO.

Requirements

  • Additional education and training
  • Improve the whole "people skills" thing
  • Build out my professional network
  • Continue maintaining strong technical cybersecurity knowledge
  • Somehow avoid turning into a PowerPoint-only lifeform

Roadblocks

  • Me, specifically my personality
  • Limited number of CISO positions
  • Lack of senior leadership experience
  • The possibility that I'll get distracted by some other technical unicorn halfway through the journey

Timeline: Approximately 5–8 years, or 12 minutes; really, who knows?

The Frustration So Far

And so, down the yellow brick road I went. First stop: ISACA and the CISM certification (Certified Information Security Manager).

Honestly, it seemed like the logical first step. It adds management-focused security knowledge, helps round out the leadership side of things, and certainly doesn't hurt when applying for senior cybersecurity positions. Besides, if somebody is going to certify me in security management, it might as well be the people who have been doing it forever.

So far so good. Then I hit the risk management material and immediately drove headfirst into a wall. Quantifying cybersecurity risk in monetary value sounds simple enough at first: Single Loss Expectancy (SLE), Annual Loss Expectancy (ALE), and so on.

Easy, right?

Except my brain instantly rejected it. The problem isn't the formulas themselves. The problem is that the inputs often feel like educated guesswork wrapped in spreadsheets wearing a fake mustache pretending to be science.

  • Asset value? Estimated.
  • Exposure factor? Estimated.
  • Annual rate of occurrence? Estimated.

Congratulations — we have mathematically precise nonsense.

This is where my mind starts throwing exceptions. I'm very much a person who prefers precision. If two competent people calculate the same thing in the same environment, I expect reasonably similar outputs. Apparently, cybersecurity risk management sometimes prefers interpretive dances and slam poetry instead.
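To make the complaint concrete, here is the point-estimate SLE/ALE arithmetic from the CISM material beside a range-based Monte Carlo in the style Hubbard and Seiersen advocate. This is an added example, not code from the original post; the dollar figures, exposure factor and 90% confidence range are constructed, and treating occurrence as a once-per-year Bernoulli event with a lognormal loss is a modelling assumption.

```python
import math
import random
import statistics

# Point-estimate approach from the CISM material: every input is one guessed number.
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    return asset_value * exposure_factor

def annual_loss_expectancy(asset_value, exposure_factor, annual_rate_of_occurrence):
    """ALE = SLE x ARO, the expected loss per year collapsed into a single figure."""
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate_of_occurrence

# Range approach: the estimator gives a 90% confidence interval for the loss, not a point.
def lognormal_from_90ci(lower, upper, rng):
    """Sample a loss from a lognormal whose 5th/95th percentiles are lower/upper."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * 1.645)  # 1.645 = z-score for 95%
    return rng.lognormvariate(mu, sigma)

def simulate_annual_losses(loss_90ci, annual_probability, trials=10_000, seed=7):
    """Monte Carlo: each trial is one year; the event may occur (assumed Bernoulli) with a sampled loss."""
    rng = random.Random(seed)  # fixed seed so two people get the same answer from the same inputs
    losses = []
    for _ in range(trials):
        loss = 0.0
        if rng.random() < annual_probability:
            loss = lognormal_from_90ci(*loss_90ci, rng)
        losses.append(loss)
    return sorted(losses)

def summarize(sorted_losses):
    """Mean plus median and 95th-percentile years, so the output is a distribution, not one number."""
    n = len(sorted_losses)
    pct = lambda q: sorted_losses[min(int(q * n), n - 1)]
    return {"mean": statistics.fmean(sorted_losses), "p50": pct(0.50), "p95": pct(0.95)}

def exceedance_probability(sorted_losses, threshold):
    """Fraction of simulated years whose loss exceeds threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in sorted_losses if x > threshold) / len(sorted_losses)

# Constructed inputs, not real figures: a $2M asset, 25% exposure, one incident per ten years.
POINT_ALE = annual_loss_expectancy(2_000_000, 0.25, 0.1)  # 50,000 per year

# The same scenario as ranges: a $100k to $1.5M loss (90% CI) with a 10% chance in any given year.
LOSSES = simulate_annual_losses((100_000, 1_500_000), 0.10)

if __name__ == "__main__":
    stats = summarize(LOSSES)
    print(f"Point-estimate ALE:          ${POINT_ALE:,.0f}")
    print(f"Simulated mean annual loss:  ${stats['mean']:,.0f}")
    print(f"Median year:                 ${stats['p50']:,.0f}  (most years nothing happens)")
    print(f"Bad year (95th percentile):  ${stats['p95']:,.0f}")
    print(f"P(loss > $1M in a year):     {exceedance_probability(LOSSES, 1_000_000):.1%}")
```

The two mean values land in the same neighbourhood, but only the simulation tells you that a typical year costs nothing and a bad one costs several hundred thousand, which is the information a budget decision actually needs.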

Around this time, I remembered a conversation I had a few months ago with someone extremely knowledgeable in this space (again, you probably know who you are). We ended up discussing this exact problem. How do you assign meaningful value to cybersecurity risk? It was one of those conversations where your brain lights up because you are drinking from a fountain of knowledge like you just got out of the desert. Unfortunately, we ran out of time before fully getting into the deeper concepts. Which naturally made things worse for me, because now I have questions. Lots of questions.

So deeper down the rabbit hole I went:

  • FAIR
  • Infonomics
  • Estimation ranges
  • Confidence scoring
  • Bayesian Statistical Analysis
  • Enough probabilistic modeling to make me question my life choices

Deep in the rabbit hole of risk quantification

At some point I realized an uncomfortable truth. I could probably spend the next several years studying nothing but cybersecurity risk quantification. Unfortunately, I still need to do things like eat and pay bills. So what's the solution? Simple: buy another book. Education is weird like that. You start reading one book and somehow end up with ten more books stacked beside your desk while convincing yourself this is completely normal behavior.

Instead of going ultra-deep into a single framework, I decided to look for something broader and more reusable across different domains. That eventually led me toward Bayesian statistics. Apparently, I looked at cybersecurity risk quantification and thought, "You know what this needs? More math."

The book that is on the way is How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen. I have no idea yet whether this book will fully click with me, partially click with me, or cause me to build an entire application to do all the work for me at 2 AM while questioning reality.

There may eventually be a review, or a breakdown, or a full descent into madness. We'll see how things go.

What I do know is that I have a goal, and I've officially started working towards it.