
11 generalist mental models applied to cyber: CISOs’ and founders’ guide

Ross Haleliuk challenges the cybersecurity industry's obsession with novelty by arguing that timeless mental models from economics and philosophy explain why security fails far better than the latest AI tool ever will. This isn't just a list of buzzwords; it is a rigorous reframing of how CISOs should allocate capital, suggesting that the "next big thing" often distracts from the boring fundamentals that actually stop breaches.

The Economics of Security Fatigue

Haleliuk begins by dismantling the industry's tendency to overvalue new solutions and undervalue basics. He invokes Sturgeon's Law to cut through the noise: "Ninety percent of everything is crap." When applied to cybersecurity, this means most alerts, threat intelligence feeds, and even conference talks offer diminishing returns. Haleliuk writes, "Most security products are garbage... but it's not only that security products are garbage; it's also most of everything." This blunt assessment forces a necessary confrontation with the reality that signal-to-noise ratios in modern Security Operations Centers (SOCs) are often abysmal due to volume, not just sophistication.


He then pivots to the Pareto Principle, noting that while there are thousands of vendors, "only a handful of controls drive the majority of security outcomes." The argument here is that organizations waste resources on edge cases while neglecting asset inventory and multi-factor authentication. As Haleliuk puts it, "Any company that invests in asset inventory, MFA, EDR... will get to like 90% coverage." This framing is particularly effective because it shifts the conversation from "how do we stop the advanced persistent threat?" to "why haven't we fixed the basics yet?" Critics might argue that sophisticated adversaries now bypass these standard controls with ease, but Haleliuk counters by emphasizing that most breaches still stem from unpatched vulnerabilities and poor access management.

Security is boring, and what stops breaches are things like least privilege, network segmentation, asset inventory, strong authentication and MFA.

The Law of Diminishing Returns extends this logic further. Haleliuk observes that founders often struggle to accept that "the first, most fundamental security investments produce enormous value, but as time goes by, additional controls produce progressively smaller gains." This is a crucial distinction for investors and executives who expect linear returns on security spend. Once the foundational layers are in place, adding more tools yields only fractional improvements, yet organizations often continue to buy them anyway.

The Trap of Metrics and Complexity

Moving into organizational dynamics, Haleliuk applies Goodhart's Law: "When a measure becomes a target, it ceases to be a good measure." He illustrates this with compliance frameworks, noting that companies often do the minimum to check boxes rather than genuinely improving their posture. "In 9 out of 10 cases, the 'measure becomes a target', and so instead of thinking about how to level up their security posture, companies are just doing the minimum to check the boxes." This insight explains why audit-ready organizations can still be easily breached; they optimized for the metric, not the outcome.

He also addresses the human element with the Principle of Least Effort and Hanlon's Razor. Haleliuk argues that security fails when it fights human nature: "If security controls are annoying, users will bypass them." He suggests that most incidents aren't malicious acts but errors born of confusion or complexity. "Never attribute to malice that which is adequately explained by stupidity," he writes, noting that many data loss alerts are simply employees trying to do their jobs inefficiently. This perspective encourages a shift from blame to design, advocating for systems where the secure path is also the easiest one.

Complexity creates risk, and in most cases, the simplest explanation and the simplest solution are the right ones.

The piece also touches on structural failures through Conway's Law, which states that organizations design systems mirroring their communication structures. Haleliuk points out that security suffers when ownership is fragmented across IT, cloud, and infrastructure teams. "Over time, org boundaries evolve into technical boundaries," he notes, leading to a lack of visibility where no single team owns the complete risk picture. This is a sobering reminder that technology cannot fix organizational silos; in fact, it often mirrors them back at us.

The AI Paradox and Timeless Truths

Perhaps the most provocative application of these models comes when Haleliuk discusses artificial intelligence through the lens of Jevons Paradox. The paradox suggests that as efficiency increases, consumption rises rather than falls. "If AI helps security analysts process twice as many alerts, companies won't suddenly decide to process only half as many," Haleliuk writes. Instead, they will collect more logs and enable more detections, creating a larger surface area to protect. This serves as a critical counter-narrative to the hype that AI will solve the talent shortage by simply automating away the work; instead, it may just expand the scope of the problem.

He closes by invoking the Lindy Effect, which posits that the longer an idea has survived, the longer it is likely to continue. In an industry obsessed with "next-gen" solutions, Haleliuk argues that we should trust concepts that have stood the test of time. "The fact that these ideas have survived for so long doesn't mean that they are outdated, it just means that they work." This ties back to his earlier references to Chesterton's Fence and Occam's Razor: before tearing down old rules or building complex new stacks, we must understand why the simple, enduring solutions exist in the first place.

Bottom Line

Haleliuk's strongest contribution is the disciplined application of non-technical frameworks to a field drowning in technical jargon, forcing leaders to see security as an economic and organizational problem rather than just a technological one. The piece's main vulnerability lies in its potential dismissal of truly novel threats that do require breaking old rules, but his core thesis remains sound: fundamentals are the only reliable anchor in a shifting landscape. For busy executives, the takeaway is clear—stop chasing the next trend and start fixing the boring stuff.

Deep Dives

Explore these related deep dives:

  • Goodhart's law

    The article warns that AI-driven alert triage without feedback loops becomes 'toil,' a direct manifestation of this principle where a metric (closed alerts) ceases to be a good measure once it becomes the target.

  • G. K. Chesterton

    This concept explains why security teams often fail when removing legacy controls or tools without understanding their original, hidden purpose, mirroring the article's call for deep investigation over quick fixes.

  • Conway's law

    The piece discusses how security architecture is shaped by organizational communication structures, making this sociological principle essential for understanding why detection logic often fails to scale across different teams.

Sources

11 generalist mental models applied to cyber: CISOs’ and founders’ guide

by Ross Haleliuk · Venture in Security

Cyber is absolutely unique, but the laws of physics very much apply to it. The way all this plays out in real life is kind of fascinating. On one hand, security is unique in that, first and foremost, it is a horizontal, not a vertical, meaning security touches all industries, tech stacks, market segments, categories of customers, and you name it. Cyber is unique because there is a motivated adversary who is always learning, adapting, and trying to overcome whatever obstacles we put in front of them to achieve their goals.

On the other hand, the very same laws and principles that apply to other industries and areas of life more broadly do apply to security. It’s easy to forget, but that is just a fact. In this piece, I am talking about 11 frameworks (mental models, principles, or whatever you want to call them) that 100% apply to cyber.

This issue is brought to you by... Panther.

Chatbots close alerts. Agents with native access to detections close the loop.

Most AI SOC tools speed up alert triage but stop after closing the alert. This webinar digs into what happens to that judgment: does it feed back into your detection logic, or does it just evaporate? Jack Naglieri (Panther CEO), Spencer McGalliard (AVP of Cyber Defense & Engineering at HealthEquity), and Francis Odum (Software Analyst Cyber Research founder) come at this from three angles: the platform building the closed loop, the security team living inside it, and the analyst tracking where the industry is headed. Together, they make the case that triage without feedback is still toil, and walk through what it actually looks like when investigation outcomes feed back into detection logic, shrink alert volume, and pull teams out of perpetual firefighting.

Generalist mental models applied to cyber: CISOs’ and founders’ guide

Sturgeon’s Law

Sturgeon’s law states, “Ninety percent of everything is crap”. This law, created by the American science fiction author and critic Theodore Sturgeon, very much applies to cybersecurity.

Think about it this way: most alerts, findings, threat intel, vulnerabilities, and even security products provide limited value. I often see that people get frustrated and take it to social media to say that security products are garbage, but it’s not only that security products are garbage; it’s also most of everything. Most conference talks are just repeating the same basic “knowledge” that everyone has read 1,000 times. ...