
🧭 When Risk Isn’t a Number: Communicating Ambiguity Without Fear

Risk is rarely just a number. This article explores how CISOs can communicate uncertainty with clarity, confidence and strategic maturity — without hiding behind false precision or creating unnecessary fear.

Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security


By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


If you are a Chief Information Security Officer (CISO) or a Chief Information Officer (CIO) in an enterprise that has just achieved ISO/IEC 27001:2022 certification, the champagne may have barely dried on your risk register. But now the real work begins.

You’re no longer only a manager of risk—you’re a communicator of uncertainty. And that’s a different skill altogether.


🔍 The Illusion of Precision in Risk Ratings

Risk matrices, heat maps, scoring models—these are the comforts of control in a world that rarely allows it. When risks are reduced to numerical outputs—“12 = medium”, “20 = high”—it creates the illusion of decisiveness and objectivity.

But reality does not submit to matrices.

In the real world:

  • You don’t always know the true likelihood of a zero-day exploit.
  • The impact of a data breach may not depend on data volume but on political context.
  • The “threat actor capability” can change overnight based on geopolitical developments.
  • Human behavior within your workforce cannot be reduced to a binary insider/not-insider classification.

ISO/IEC 27001:2022 subtly acknowledges this reality by shifting emphasis from static controls to dynamic, risk-based decision-making. But few leaders are trained in how to speak confidently about ambiguity—especially when the board expects answers, not questions.

So, how do you lead when risk isn’t a number?


🧠 From Risk Scores to Risk Sense-Making

We need to shift from quantitative reductionism to qualitative clarity.

That doesn’t mean abandoning rigor—it means understanding what cannot be known and articulating uncertainty constructively.

This is what distinguishes a strategic CISO from a tactical one.

Risk sense-making involves:

  • Acknowledging uncertainty without appearing indecisive.
  • Mapping multiple futures without prescribing one.
  • Identifying “signposts” and “triggers” rather than false certainties.
  • Using informed judgment, not hiding behind models.

This is not easy. But it is essential.


📣 Why Communicating Ambiguity Is a Leadership Skill

Your ability to communicate uncertainty without fear is now a core leadership competency.

Security leaders are increasingly at the intersection of geopolitics, regulation, technology, and human factors. When your organization asks, “Are we safe?”, they are not asking for a number. They’re asking for confidence, narrative, and strategic framing.

The board needs clarity—but not false clarity. They need courageous transparency.

Here are three archetypes of poor risk communication:

1. The Overconfident Quantifier:

  • “This risk is a 16. We reduced it to 8.”
  • Sounds decisive. But it invites no conversation about blind spots, assumptions, or scenarios.

2. The Fearmonger:

  • “If we don’t act, disaster is inevitable.”
  • May achieve short-term attention, but erodes trust and damages credibility.

3. The Ambiguity-Averse Technocrat:

  • “We have full control through our SIEM, EDR, DLP, and AI-powered threat modeling.”
  • Communicates comfort, not insight.

None of these helps leadership think strategically.

Instead, effective CISOs adopt the mindset of the Strategic Interpreter.


🧭 Strategic Interpreters Frame Uncertainty, They Don’t Eliminate It

Strategic ISMS leadership in 2025 means standing in the tension between certainty and chaos—and narrating that space confidently.

How to Do This in Practice:

1. Speak in Scenarios, Not Scores

  • Instead of: “There’s a 40% chance of data exfiltration via phishing in the next 12 months.”
  • Say: “Given increased spear-phishing activity and partial MFA rollout, we see two plausible scenarios: one where attacker access is limited to front-end systems, and one where they pivot via legacy VPN tunnels. The second has lower likelihood but high impact.”

2. Use Conditional Language with Intent

  • Avoid vague hedging. Instead of: “There’s some uncertainty about this threat.”
  • Try: “This risk depends heavily on whether upcoming legislative changes require data localization. We’re tracking those closely, and this scenario would activate a different mitigation path.”

3. Make Your Assumptions Explicit

  • “This assessment assumes that our third-party supplier discloses breaches within 48 hours, which is contractually agreed but historically inconsistent.”
  • This builds trust—and sets the stage for governance interventions.

4. Visualize Unknowns Without Fear

  • Use “uncertainty bands”, range estimates, or red/yellow/green confidence markers—not to oversimplify, but to anchor expectations.
  • “We assess this with medium confidence. The threat vector is well understood, but internal readiness is unclear.”

Confidence levels are not weakness. They are honesty.


🌐 ISO/IEC 27001:2022 and the Maturity of Risk Thinking

The 2022 version of ISO/IEC 27001 doesn’t just add Annex A controls—it embeds a maturity shift in how organizations treat risk.

Key takeaways:

  • Risk is no longer just about asset threats. It’s about context, dependencies, and intentionality.
  • Control objectives now reflect not just technical outcomes, but strategic posture (e.g., A.5.23: Information Security for Use of Cloud Services).
  • The standard implicitly supports risk decisions made in uncertain, dynamic environments.

If you’re only assigning numerical risk scores to satisfy auditors, you’re missing the strategic opportunity.


🎯 The Role of the CISO as a Strategic Integrator

CISOs today must move beyond compliance and governance. You must become a translator of complexity into meaning.

Your unique responsibilities include:

  • Synthesizing threat intelligence, regulatory change, and internal posture into executive narratives.
  • Surfacing “unknown unknowns” in a way that does not paralyze, but prepares.
  • Building trust by framing doubt as manageable, not frightening.

In other words: ambiguity is no longer the enemy. It is your domain.


🛠 Practical Blueprint: Tools for Confident Ambiguity

Here’s how you can embed this strategic mindset in your ISMS communications and leadership style:

1. Risk Dialogues Instead of Risk Reports

Frame your quarterly reports as dialogues with business leaders. Include open-ended questions, such as:

  • “What changes in your environment would invalidate our assumptions?”
  • “Which of our risk indicators are you most uncertain about?”

This opens up ambiguity as a space for collaboration.

2. Uncertainty Mapping in Executive Briefings

When briefing the board, include a slide titled: “What We Don’t Know Yet”

Structure it around:

  • Assumptions
  • Data Gaps
  • External Variables (e.g., geopolitical, legal)
  • Emerging Signals

This builds a maturity model of governance thinking.

3. Calibrated Language in Board Communications

Use structured expressions such as:

  • “We assess this threat with medium confidence, contingent upon…”
  • “We foresee three plausible evolutions, each with different impacts on…”
  • “Our mitigation strategy prioritizes adaptive response over absolute prevention.”

This is how you own ambiguity without sounding vague.

4. Escalation Frameworks for Unfolding Scenarios

Define “tripwires” in your ISMS risk processes—conditions that, if met, trigger new assessments or escalation.

E.g., “If threat actor group X targets NGO sectors in more than 3 regions, we activate our cross-border contingency measures.”

This is ambiguity structured for action.
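The two mechanisms above, range estimates with confidence markers (from "Visualize Unknowns Without Fear") and tripwires that escalate when a stated condition is met (from section 4), can be made concrete in a risk register. The following Python is an added example written for this page, not code from the article or its author; the 1-to-5 ordinal scales, the band-width thresholds for the confidence marker, the event records and the actor name "GROUP-X" are all constructed placeholders. It shows that two risks sharing the same point score can carry very different uncertainty, and how a tripwire only fires once the declared threshold is actually crossed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not part of the original article. Scales, thresholds and
# the threat-intel records below are constructed for illustration only.

Band = Tuple[int, int]  # (low, high) estimate on a constructed 1..5 ordinal scale


@dataclass
class RiskEstimate:
    """Register entry that keeps the estimate range instead of collapsing it to one number."""
    name: str
    likelihood: Band
    impact: Band
    assumptions: List[str]

    def score_band(self) -> Band:
        # Likelihood x impact, carried through as an interval rather than a point.
        return (self.likelihood[0] * self.impact[0],
                self.likelihood[1] * self.impact[1])

    def point_score(self) -> float:
        # The single number a heat map would show; it hides how wide the band is.
        lo, hi = self.score_band()
        return (lo + hi) / 2

    def confidence(self) -> str:
        # Confidence marker derived from band width (thresholds are constructed).
        lo, hi = self.score_band()
        width = hi - lo
        if width <= 4:
            return "high"
        if width <= 10:
            return "medium"
        return "low"

    def briefing_line(self) -> str:
        # Calibrated wording for a board slide: range, confidence, explicit assumptions.
        lo, hi = self.score_band()
        return (f"{self.name}: score {lo}-{hi} ({self.confidence()} confidence); "
                f"assumes: {'; '.join(self.assumptions)}")


Event = Dict[str, str]  # constructed threat-intel record with keys actor, sector, region


@dataclass
class Tripwire:
    """A pre-agreed condition that, once met, activates a named escalation path."""
    description: str
    condition: Callable[[List[Event]], bool]
    action: str


def actor_targets_sector_in_regions(actor: str, sector: str,
                                    min_regions: int) -> Callable[[List[Event]], bool]:
    """Build a condition: the actor has hit the sector in MORE than min_regions distinct regions."""
    def check(events: List[Event]) -> bool:
        regions = {e["region"] for e in events
                   if e["actor"] == actor and e["sector"] == sector}
        return len(regions) > min_regions
    return check


def evaluate_tripwires(tripwires: List[Tripwire], events: List[Event]) -> List[str]:
    """Return the escalation actions for every tripwire whose condition is met."""
    return [tw.action for tw in tripwires if tw.condition(events)]


# Constructed register entries: same midpoint, very different uncertainty.
SAMPLE_RISKS = [
    RiskEstimate("Phishing -> front-end access only", (3, 3), (4, 4),
                 ["MFA rollout completes on schedule"]),
    RiskEstimate("Phishing -> pivot via legacy VPN", (2, 4), (3, 5),
                 ["third-party supplier discloses breaches within 48 hours"]),
]

# Constructed intel feed; "GROUP-X"/"GROUP-Y" are placeholder actor names.
SAMPLE_EVENTS: List[Event] = [
    {"actor": "GROUP-X", "sector": "NGO", "region": "EU"},
    {"actor": "GROUP-X", "sector": "NGO", "region": "LATAM"},
    {"actor": "GROUP-X", "sector": "NGO", "region": "APAC"},
    {"actor": "GROUP-X", "sector": "FIN", "region": "MEA"},   # other sector, does not count
    {"actor": "GROUP-Y", "sector": "NGO", "region": "MEA"},   # other actor, does not count
    {"actor": "GROUP-X", "sector": "NGO", "region": "EU"},    # duplicate region, counted once
]

TRIPWIRES = [
    Tripwire("GROUP-X targets NGO sector in more than 3 regions",
             actor_targets_sector_in_regions("GROUP-X", "NGO", 3),
             "activate cross-border contingency measures"),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(risk.briefing_line())
    print("fired now:", evaluate_tripwires(TRIPWIRES, SAMPLE_EVENTS))
    later = SAMPLE_EVENTS + [{"actor": "GROUP-X", "sector": "NGO", "region": "MEA"}]
    print("fired after a fourth region is reported:", evaluate_tripwires(TRIPWIRES, later))
```

Both register entries sit at a point score of roughly 12 to 13, which a heat map would colour identically; the band and confidence marker are what tell the board that the second one rests on a much shakier estimate. The tripwire does not fire on three regions, only on the fourth, which is the kind of pre-agreed threshold that turns an ambiguous trend into a defined escalation.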

🧠 Final Thought: Confidence Is Not Certainty

To lead in security today is to navigate the gray zone—between overconfidence and indecision, between technical granularity and executive clarity.

If you can express ambiguity not as a weakness but as a capacity for reflection and action, you will elevate your role beyond compliance.

You will become what ISO/IEC 27001:2022 truly requires:

A strategic interpreter of risk in a volatile world.

And you’ll be the voice your organization trusts—not because you pretend to know everything, but because you know how to lead when not everything can be known.


📣 Let’s start a conversation:

How are you integrating ambiguity into your risk communications? What strategies help your board deal with uncertainty constructively?

Drop your thoughts or connect with me to exchange leadership practices at the intersection of risk, uncertainty, and strategy.


Publication Note & Disclaimer
This article was originally published on LinkedIn on June 13, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.