In the military, risk isn’t a cell on a spreadsheet. It’s not a theoretical probability score. It is a tangible, visceral reality.

As an Infantry Leader, I learned to make decisions in environments where the information was incomplete, the stakes were life-and-death, and the timeline was “now.”

Today, I help business leaders navigate a different kind of battlefield—cybersecurity. While the tools have changed from rifles to firewalls, and the terrain has shifted from the physical to the digital, the fundamental principles of survival remain exactly the same.

Most organizations fail at cybersecurity not because they lack the technology, but because they lack the mindset to manage risk effectively. Here are three lessons from my time in combat that apply directly to protecting your business.

1. Complexity is the Enemy of Security

In the field, if a plan is too complicated, it fails. If a piece of gear has too many moving parts, it breaks.

In cybersecurity, we often see the opposite. Organizations buy dozens of complex, expensive tools—EDR, SIEM, SOAR, DLP—hoping that “more” equals “safer.” Instead, they create a noisy, unmanageable mess. They have 50 locks on the front door, but the back window is wide open because nobody configured the alerts properly.

The Lesson: Simplicity saves lives. A simple, well-executed defense is infinitely better than a complex, theoretical one. Focus on the basics: know your assets, patch your systems, and train your people. Don’t buy a new AI-powered tool until you can prove you’ve mastered the fundamentals.

2. You Can’t Eliminate Risk, Only Manage It

A common mistake executives make is asking for “100% security.” They want a guarantee that they won’t be breached.

In combat, you never assume you are safe. You assume the enemy is out there, and you assume they are competent. You don’t try to eliminate the risk of being attacked; you manage your posture so that when an attack happens, you can survive it and continue the mission.

The Lesson: Shift from “Prevention” to “Resilience.” Stop trying to build an impenetrable wall. It doesn’t exist. Instead, invest in [Link to your ‘OT Cybersecurity’ service]resilience[/Link]. How quickly can you detect an intruder? How fast can you isolate a compromised system? How long would it take to restore your [Link to your ‘IT/OT’ article]critical OT operations[/Link] from backups?

The goal isn’t to never get hit. The goal is to never get knocked out.

3. Decentralized Command (Trust Your Team)

You cannot micro-manage a firefight from headquarters. By the time the order goes down the chain, the situation has changed. You have to trust your team leaders to make decisions based on the “Commander’s Intent.”

In business, I see leaders who bottle up every security decision. They require a CISO or VP signature for every firewall change or software approval. The result is paralysis. While you are scheduling a meeting to discuss a vulnerability, the attacker is already moving laterally through your network.

The Lesson: Empower your people. Set clear guardrails (policy) and a clear mission (strategy), then step back. Give your security analysts and engineers the authority to act when they see a threat. Speed is a weapon. If your governance structure slows you down, it is a vulnerability.

Leading Through the Chaos

Whether in the desert or the data center, chaos is the constant. The leader’s job isn’t to panic; it’s to provide clarity.

It brings order to the chaos by stripping away the noise, focusing on the critical risks, and executing a simple, adaptable strategy.