Decision Gates, Not Decision Rooms: What Preflight Planning Taught Me About Executive Presence
CISOs who wait until they're in the room to figure out what they want have already lost. Here's how preflight discipline changes that.
Jason Walker
State CISO, Florida
Picture this: you are on final approach, weather is deteriorating faster than the forecast predicted, and your minimums are coming up fast. This is not the moment to start a philosophical discussion with yourself about whether you should have filed an alternate. That decision needed to be made on the ground, in the planning phase, before you ever pushed the throttle forward. If you are figuring it out at decision height, you are already behind the airplane.
I have watched security leaders walk into executive briefings the same way some pilots fly: improvising at the worst possible moment, hoping clarity arrives before the situation does. It almost never works.
Here is what most people get wrong about executive presence in security leadership. They treat it as a communication skill. They read the articles, they practice the confident tone, they learn to lead with business impact instead of technical jargon. All of that is fine as far as it goes. But it mistakes the performance for the discipline underneath it. The calm in the room is not something you generate in the room. It is a product of decisions you already made before you walked through the door.
The preflight analogy runs deeper than most security leaders realize, and I want to unpack it seriously because I think it reframes the whole problem.
In aviation, a preflight risk assessment is not about achieving certainty before departure. Certainty is not available for purchase. What you are actually doing is establishing decision gates in advance: if visibility drops below X, I divert; if I lose this system, I declare; if fuel hits this number, I land now regardless of what is happening. You are not deciding in the moment. You are recognizing a condition you already analyzed and executing a pre-authorized response. The pressure of the moment does not get a vote.
Managing security operations across 35 agencies, I have learned that the CISO who walks into an executive meeting without pre-established decision gates is not bringing executive presence into the room. That CISO is bringing improvisation dressed up as confidence. Those are not the same thing, and sharp executives can feel the difference even when they cannot name it.
FAIR risk quantification has sharpened this for me at the doctoral research level. One of the things the FAIR model forces you to do is decompose risk into components with ranges, not point estimates. You are not saying "this is a high risk." You are saying "here is the probable frequency of loss events, here is the probable magnitude, here are the factors that move those ranges." That decomposition is uncomfortable work. It requires you to commit to a framework before you have all the information you wish you had. But that discomfort is exactly the preflight discipline that generates real executive presence later.
When I walk into a briefing with the Governor's office or a cabinet secretary, I am not walking in to figure out what they should decide. I have already worked that out. I have already identified the decision gates: what risk levels are acceptable given the agency's mission and capacity, what conditions would require escalation, what options exist at different resource levels, and what my recommendation is given the current state of those variables. The narrative is not something I construct in real time under pressure. It is something I confirm against conditions I already mapped.
This is the piece the executive presence literature consistently misses. It focuses on how you show up, not on the structural work that makes showing up with clarity even possible. Telling CISOs to "control the narrative" without teaching them to construct the narrative before the meeting is like telling a pilot to stay calm during an emergency without teaching them to chair table the emergency procedures before the flight. The calm is downstream of the preparation. You cannot manufacture it in the moment on willpower alone.
Here is the harder truth: many security leaders avoid the pre-work because it requires them to commit. Building decision gates in advance means being accountable to a framework. It means your recommendation has a traceable logic that can be examined and challenged. It is easier to stay flexible, to "read the room," to adapt your position to whatever the executives seem to want. That is not executive presence. That is followership wearing a leadership costume.
The organizations I see with the most effective security governance have one structural thing in common. Their security leadership arrives at decisions with a decision package that was built away from the pressure, stress-tested against the data, and aligned to business impact before anyone sat down at the table. The meeting is not where they figure out the answer. The meeting is where they communicate a decision that is already structurally sound and defend it calmly because they already war-gamed the objections.
Here is what that looks like in practice across a multi-agency environment. Before any significant briefing, I run what I call a decision architecture review. I identify the specific decision the executives need to make. I quantify the risk in FAIR terms so I have ranges, not rhetoric. I map the options against agency mission priorities, not just security best practices. I identify the conditions under which each option becomes the right call. And I determine my recommendation before I enter the room. By the time I sit down, I am not solving a problem. I am communicating a solution and adjusting based on information I did not have.
The adjustment piece matters. Pre-establishing decision gates does not mean rigidity. It means you have a framework sturdy enough to absorb new information without collapsing into confusion. A pilot with solid pre-flight planning and solid decision gates can handle unexpected conditions because the structure is already there. The unexpected does not create chaos. It triggers a gate you already built.
If you are a security leader who wants genuine executive presence, here is the direct advice: stop treating the executive meeting as the work. The meeting is the output. The work happens before. Build your decision architecture away from the pressure. Use a quantitative risk framework to force precision. Establish your recommendation and your reasoning before anyone is watching. Know your decision gates in advance.
When you walk into that room having already made the hard calls, the calm is not something you perform. It is simply what remains when the preparation is done.
The briefing is not where you find your footing. That is where you land the airplane you already flew.