Stop Overthinking Your Security Decisions
Jul 2025
It's the middle of the night, your phone keeps vibrating with security alerts, and you're staring at incomplete data trying to figure out if this is a real breach or another false alarm.
Years ago, someone shared a version of Colin Powell's 40-70 rule with me for exactly this kind of situation. You aim to make a decision once you have somewhere between 40% and 70% of the information you need. Acting with less than 40% turns the decision into a guess, while waiting past 70% often means losing the window to act at all. The goal sits in that middle ground, where you move quickly enough while still having enough insight to make a good call.
For those of us in security, this is rather weird. We train to gather evidence, analyze logs, and build airtight cases, but while we hunt for the perfect smoking gun, attackers are already three steps ahead.
Think about your last major incident. You probably didn't wait for the complete attack timeline before containing the threat, because the damage would have been done by then. You made the call with partial information, and that was the right move. The same logic applies to a SOC analyst deciding if an alert needs escalation, a security manager choosing between vendor solutions, or a CISO presenting to the board after an incident. Perfect information rarely shows up in any of these situations.
I've watched too many security teams fall into analysis paralysis, spending weeks evaluating every possible feature of a tool instead of focusing on their core needs, or delaying basic controls while waiting for a perfect risk assessment. The threats don't wait for any of that.
I've been there myself, and the person who taught me this approach drilled it into us hard.
Start paying attention to your confidence level before you decide. If you're at least 40% sure, you're not shooting in the dark. If you're approaching 70%, it's time to act before the opportunity passes.
None of this means being reckless. It means being decisive with information that's incomplete but sufficient, especially since most security decisions aren't permanent and can be adjusted as new details come in. Our adversaries certainly don't wait for perfect intelligence before they strike, and they act on limited information constantly. There's a lesson in that, and your Red Team can probably confirm it.
Next time a security decision has you stuck, ask if you know enough to avoid a serious mistake without having waited so long that the moment already passed. If so, make the call and move forward, because in security, the biggest risk usually isn't an imperfect decision. It's no decision at all.