Stop Overthinking Your Security Decisions

Jul 2025

Imagine this: It's 2 AM, your phone is vibrating with security alerts, and you're staring at incomplete data trying to figure out if you're dealing with a real breach or just another false alarm. Sound familiar?

Years ago, someone shared an approach similar to Colin Powell's 40-70 rule with me, specifically to help with this kind of situation. Here's how it works: you should aim to make a decision when you have somewhere between 40% and 70% of the information you need. If you act with less than 40%, you're pretty much just guessing, which isn't ideal; but if you wait until you have more than 70%, you've probably taken so long that the opportunity has already passed.

It's all about finding that sweet spot between acting quickly and having enough insight to make a good call.

For those of us in the security world, this hits different. We're trained to gather evidence, analyze logs, and build airtight cases. But while we're hunting for that perfect smoking gun, attackers are already three steps ahead.

Think about your last major incident. Did you wait until you had the complete attack timeline before containing the threat? Probably not, because by then the damage would've been done. You made the call with partial information, and that's exactly what you should have done.

The same applies whether you're a SOC analyst deciding if an alert warrants escalation, a security manager choosing between vendor solutions, or a CISO presenting to the board about a recent incident. Perfect information is a luxury we rarely have.

I've seen too many security teams get stuck in analysis paralysis. They'll spend weeks evaluating every possible security tool feature instead of focusing on their core needs. Or they'll delay implementing basic security controls while waiting for the "perfect" risk assessment. Meanwhile, the threats aren't waiting.

I've been there myself. The person who taught me about making decisions with limited information really drilled it into us.

Start thinking about your confidence level before making decisions. Roughly how much of the information you'd ideally want do you actually have? If it's at least 40%, you're probably not shooting in the dark. If you're approaching 70%, it's time to pull the trigger before the opportunity passes.

This doesn't mean being reckless. It means being decisive with incomplete but sufficient information. Most security decisions aren't permanent anyway; isolating a host or rotating a credential can be undone as you learn more. The few that can't be undone, such as wiping a compromised system before you've preserved the evidence on it, are the ones that deserve the extra time.

The best part? Our adversaries aren't waiting for perfect intelligence before they strike. They act on limited information all the time. Maybe it's time we learned something from them. (And maybe go talk to your Red Team...)

Next time you're stuck on a security decision, ask yourself: Do I know enough to avoid a terrible mistake, but not so much that I've let the moment slip away? If yes, make the call and move forward. Because in security, the biggest risk isn't making an imperfect decision, it's making no decision at all.