Leadership • Security • Execution

James’ Rules for Cybersecurity (2025)

Operating principles for CISOs and security leaders, built for modern enterprises where influence, clarity, and integrity move risk down and reliability up.

Last Updated: September 3, 2025

Rules

#1

No single throat to choke.

Design governance so no one person can dictate security outcomes: use peer review, change control, and separation of duties.

#2

Influence is the control plane.

Security wins through persuasion and partnership; build coalitions with product, engineering, legal, and operations.

#3

Beware false simplicity.

If it looks easy, you’re missing complexity. Seek expertise before committing to security positions or designs.

#4

Sleep on irreversible choices.

For non-urgent decisions, require a cool-off period; for incidents, rely on pre-approved playbooks and act decisively.

#5

Decide on data, or state the guess.

Use telemetry, evidence, and risk models; when certainty is impossible, label assumptions and time-box a follow-up.

#6

Hire for judgment and integrity.

“People picking” is the CISO’s leverage. Prioritize ethics, curiosity, and delivery over résumés and tooling familiarity.

#7

Tell the truth, especially up the chain.

Precision beats spin. Inaccurate status is technical debt that compounds.

#8

Integrity is your ultimate control.

Openness and honesty build trust with customers, regulators, and the board, which is critical when things go wrong.

#9

Invite dissent; pay for it if needed.

Red teams, external reviews, and peer advice are force multipliers. Make listening a muscle, not a motto.

#10

Access given is risk accepted.

Least privilege by default; treat every grant as a durable liability and review it continuously.

#11

Delegate ownership, not tasks.

Once you assign responsibility, get out of the way. Coach in the open; don’t override in the shadows.

#12

If it’s not written, it’s not real.

Document policies, standards, SLAs, and risk acceptances. Memory fades; paper (and tickets) persist.

#13

Deadlines don’t mitigate risk.

Escalate when time pressure collides with safety. “We were late” is not a control.

#14

Make security visible, without theater.

Communicate roadmaps, metrics, and trade-offs. Optics support outcomes, but never replace them.

#15

Resilience funds the mission.

Cash flow depends on availability. Protect the revenue path first: identity, payments, uptime, and fraud controls.

#16

Evolve or be outpaced.

Threats adapt; so must we. Continuously raise the bar on detection, identity, and third-party risk.

#17

Blame fixes nothing; learning fixes everything.

Encourage reporting, run blameless reviews, and change systems so the same mistake can’t recur.

#18

Plan to capacity.

Plan capacity from the resources you actually have and the organization's priorities. Sequence and scope work realistically so commitments are met reliably.

#19

Value finishers.

The rare trait is getting things done. Define “done” to include testing, documentation, and operational readiness.

#20

Your calendar is a strategy doc.

If it’s packed, you’re not delegating. Reserve time for risk, people, and architecture.

#21

Meeting sprawl is risk sprawl.

Favor concise decision memos and async updates. Aim to reduce meeting time materially each quarter.

#22

Recognition is free fuel.

Celebrate engineers, analysts, and business partners who move risk down and reliability up.

#23

Credit flows downhill; accountability flows up.

Leaders highlight the team, own the misses, and protect their people.

#24

Take smart risks, visibly.

Security is risk management, not risk avoidance. Align choices to explicit risk appetite and business goals.

#25

Nurture your top 20%, and build depth.

Identify key contributors, prevent burnout, and create redundancy so no single person is a single point of failure.

#26

Psychological safety drives reporting.

People do their best work, and surface issues early, when it’s safe to speak up.

#27

Every vendor is temporary.

Design for exit: data egress, key ownership, off-boarding, and continuity plans from day one.

#28

Preparedness beats heroics.

Tabletops, runbooks, golden signals, and tested backups win more than late-night brilliance.

#29

Hold the hiring bar.

An empty seat is safer than the wrong hire, especially in roles that touch keys, identity, or payments.

#30

Don’t punish bad news.

Reward early escalation. If messengers get shot, telemetry goes dark and risk goes up.

#31

Synthesis: lead with clarity and courage.

Governance over heroics, influence over authority, and truth over optics. These are the levers that bend risk in your favor.

About This Page

This page is presented in the style of the primary site to keep a cohesive reader experience. For the canonical profile and biography, visit jameskimble.com.
