
Confidence Is Not a Security Control

State CISOs are losing confidence, and that might be exactly right. Here's why calibrated uncertainty beats false confidence in cybersecurity leadership.

cybersecurity, leadership, risk management
Jason Walker

State CISO, Florida

Here is a number that should concern you: 22%. That is the percentage of state CISOs who describe themselves as "extremely" or "very" confident in their ability to secure government data, down from 48% just a few years ago. Every headline about this survey treats that drop like a five-alarm fire. Leadership is crumbling. Morale is collapsing. The sky is falling.

I read it differently.

When I was learning to fly helicopters, one of the first things my instructor drilled into me was this: the hover is the most dangerous moment. Not the autorotation. Not the crosswind approach. The hover. Because in a stable hover, everything feels controlled. The aircraft is where you want it. The controls feel right. And that feeling of stability is precisely when spatial disorientation sneaks in and kills you. Your body is lying to you, and you are too comfortable to notice.

Overconfidence in a stable hover has ended careers. It has ended lives.

So when I read that nearly half of state CISOs were "extremely confident" in 2022, my first thought was not "those were better days." My first thought was: what exactly did they think they knew?

Confidence is a feeling. It is not a control. It is not a framework. It is not a number you can take to a budget committee and defend. Confidence tells you nothing about whether your detection coverage is adequate, whether your incident response plan has been tested against a realistic scenario, or whether the third-party software your agencies have been running for three years has a vulnerability that was disclosed six months ago and still has not been patched. Confidence is what fills the space where measurement should be.

The real problem the survey is pointing at is not the drop in confident CISOs. The real problem is that we built the original 48% number on sand.

I run cybersecurity for dozens of state agencies and hundreds of thousands of devices. My job is not to feel good about that. My job is to know, with the most precision I can muster, where the actual risk lives. That means I need to be able to answer questions that do not have comfortable answers. What is the probability of a material breach in the next 12 months? What is the expected loss if it happens? Which controls, if funded today, would move that number the most? These are not philosophical questions. They are arithmetic problems with real inputs, and right now most of state government is not doing that arithmetic.

Instead, we have been doing something that feels like risk management but is not. We conduct assessments. We generate findings. We track remediation percentages. We report compliance with frameworks. None of that is wrong, but none of it tells a governor or a budget director what they actually need to know, which is: what bad thing is likely to happen, how bad would it be in dollars and days of disruption, and what would it cost to make that less likely?

Until we can answer those questions with numbers instead of feelings, "confidence" is the only currency we have. And it is counterfeit.

What I want to see from state CISOs is not more confidence. I want to see more precision. Replace "we feel good about our posture" with "here is our probability-weighted loss exposure by threat category." Replace "we are working on it" with "here is the delta between where we are and where we need to be, expressed in dollars and risk reduction." Replace the annual PowerPoint to the legislature with a living model that any decision-maker can interrogate.
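One way to do the arithmetic the paragraph above asks for, as an added example that is not the author's model: a probability-weighted loss exposure by threat category, and a ranking of candidate controls by expected-loss reduction per dollar. Every threat probability, loss figure, control cost and reduction fraction below is a constructed placeholder, not any agency's real numbers.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance of a material event in the next 12 months
    loss_if_it_happens: float  # dollars, including days of disruption

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction of each threat's expected loss removed if funded, keyed by threat name
    exposure_reduction: dict = field(default_factory=dict)

def exposure_by_category(threats):
    """Probability-weighted loss exposure per threat category, in dollars."""
    return {t.name: t.annual_probability * t.loss_if_it_happens for t in threats}

def total_exposure(threats):
    """The single number a budget committee can argue about."""
    return sum(exposure_by_category(threats).values())

def exposure_removed(threats, control):
    """Dollars of expected loss the control takes off the table per year."""
    by_cat = exposure_by_category(threats)
    return sum(by_cat[n] * frac for n, frac in control.exposure_reduction.items() if n in by_cat)

def rank_controls(threats, controls):
    """Rank candidate controls by expected-loss reduction per dollar of cost."""
    rows = [(c.name, exposure_removed(threats, c), exposure_removed(threats, c) / c.annual_cost)
            for c in controls]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inputs: illustrative figures only.
THREATS = [
    Threat("ransomware", 0.30, 4_000_000),
    Threat("unpatched third-party software", 0.20, 2_500_000),
    Threat("AI-assisted phishing", 0.50, 600_000),
]
CONTROLS = [
    Control("phishing-resistant MFA", 400_000, {"ransomware": 0.40, "AI-assisted phishing": 0.60}),
    Control("third-party patch SLA", 250_000, {"unpatched third-party software": 0.50, "ransomware": 0.10}),
    Control("tested IR plan and offline backups", 150_000, {"ransomware": 0.30}),
]

if __name__ == "__main__":
    print(f"total exposure: ${total_exposure(THREATS):,.0f}/yr")
    for name, removed, per_dollar in rank_controls(THREATS, CONTROLS):
        print(f"{name}: removes ${removed:,.0f}/yr, {per_dollar:.2f} per dollar spent")
```

The ranking changes as soon as the inputs change, which is the point: the model is something a decision-maker can interrogate, and the gap between the current total and a target figure is the delta expressed in dollars.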

That kind of honesty is uncomfortable. It means admitting that you have gaps. It means quantifying things you would rather leave vague. It means telling a room full of people who control your budget that you cannot defend everything and you need them to help you choose what matters most.

But that discomfort is the job. The helicopter pilot who trusts instruments over instinct is not a pessimist. That pilot is a professional.

The survey lands on something real when it points to AI. Not because AI is new, but because it has fundamentally changed the cost structure of an attack. Phishing campaigns that used to require skilled social engineers now run at scale with language models doing the drafting. Vulnerability discovery that used to require hours of manual enumeration now happens in minutes. The asymmetry between offense and defense, which was already brutal, has gotten worse. Vendors are embedding AI features into products without giving state security teams adequate notice, let alone control. That is a real governance problem and it is not going away.

But the answer to that is not to feel better or feel worse. The answer is to measure it. Map the exposure. Model the loss. Build the governance framework before the vendor does it for you.

I am not pretending this is easy. I know what it is to sit in a room where the ask is for more resources and the answer is a flat budget or a cut. I know what it is to watch a threat environment accelerate while your team count stays the same. I am not dismissing the constraint. I am saying that the constraint does not get solved by projecting confidence you do not have. It gets solved by giving decision-makers the precise picture they need to make a defensible choice.

If 22% of state CISOs feel genuinely uncertain right now, I think that is correct. The environment deserves uncertainty. The question I would ask every one of them is: have you replaced the confidence with measurement? Because uncertainty without a framework is just anxiety. Uncertainty with a quantified risk model is something you can work with.

Right now the hover does not feel stable for anyone in this profession, and that is probably healthy. What matters is whether you are flying on instruments or flying on instinct.

Fly on instruments.