Blind men and the elephant: The story of cybersecurity

Ross Haleliuk cuts through the noise of the cybersecurity industry with a simple, devastating truth: there is no single definition of security because there is no single way to build a security program. He argues that the field's chronic disagreements stem not from incompetence, but from the diverse, non-standardized backgrounds of the people leading it. For busy leaders trying to navigate a fragmented landscape, this reframing turns confusion into a strategic asset.

The Architecture of Perspective

Haleliuk begins by dismantling the myth of a shared professional foundation. Unlike accounting or biology, where formal education creates a common baseline, security professionals arrive from "all walks of life," learning on the job. He writes, "There isn't much of a shared baseline. People come in from all walks of life, learn on the job, and only later pick up more standardized knowledge through certifications or experience." This observation is crucial because it explains why a CISO from a software background might view a vulnerability as a code flaw to be patched, while one from a compliance background sees it as a regulatory liability to be documented.

The author's analysis of how specific backgrounds shape mental models is particularly sharp. He notes that leaders with software engineering roots "tend to see security as something you can build and improve through better systems," often treating it as a competitive advantage. In contrast, those with IT infrastructure backgrounds focus on the gritty reality of "keeping the business running" across thousands of employees, prioritizing visibility and reliability over architectural elegance. This distinction matters deeply for organizations trying to implement new tools; a solution that delights an engineering team might fail to address the operational constraints of a massive, legacy-heavy enterprise.

"Each person in security comes with a completely different mental model. So who's right? They are all right, and they are all wrong at the same time."

This insight echoes the historical challenges of "Security through obscurity," a concept Haleliuk's publication has explored in depth. Just as relying on secrecy failed because it assumed attackers would never see the inner workings of a system, relying on a single security perspective fails because it assumes one view can capture the entire threat landscape. Haleliuk suggests that the industry's diversity is a feature, not a bug, but only if leaders can synthesize these disparate views.

The Elephant in the Room

The second dimension of Haleliuk's argument shifts from the people to the environment. He argues that "there's no single right way to secure a company, because there's no single definition of what needs to be secured." A B2B software platform faces fundamentally different risks than a hospital or a manufacturing plant. The author warns that the industry often forgets this reality, leading to generic advice that fails in specific contexts.

He illustrates this by contrasting the needs of different sectors. A former law enforcement professional might excel at "investigation and accountability," building strong incident response teams, while a leader with a military background focuses on "defense strategy, planning, and execution," ensuring disciplined preparation for worst-case scenarios. Neither approach is universally superior; their value depends entirely on the organization's specific constraints and threat model. Haleliuk points out that panels featuring only SaaS CISOs offer limited value compared to diverse groups representing regulated industries, operational technology, and other sectors.

Critics might argue that this relativism makes it harder to establish industry-wide standards or baseline security postures. If every organization is an "elephant" of a different shape, how do regulators or auditors enforce consistency? However, Haleliuk's point is not that standards don't exist, but that their application must be nuanced. As he puts it, "It's all these nuances that make specific controls very effective or utterly useless."

"Real security comes from understanding the system, the business, the risks, and the tradeoffs as a whole, and figuring out what is appropriate for this specific environment at this specific stage."

This perspective challenges the "one-size-fits-all" mindset that often plagues procurement and policy. It suggests that the most effective security leaders are those who can translate their specific background into a broader understanding of the organization's unique risks, rather than forcing their organization to fit a pre-existing mold.

Bottom Line

Haleliuk's strongest contribution is the reframing of security disagreements as a natural result of diverse expertise rather than a failure of leadership. His argument holds up well against the reality of modern, complex enterprise environments where a single technical fix rarely solves a systemic risk. The biggest vulnerability in this approach is the difficulty of execution: synthesizing these conflicting perspectives requires a level of cross-functional fluency that many organizations struggle to achieve. Leaders should watch for how their own teams' backgrounds are shaping their risk appetite and ensure they are not inadvertently building security programs that only solve for one part of the elephant.

Deep Dives

Explore these related deep dives:

  • Security through obscurity

    This cryptographic fallacy illustrates the 'blind man' error of assuming that hiding a system's design is sufficient for protection, a perspective often held by those who prioritize secrecy over rigorous testing.

  • Information silo

    The article's core argument about security professionals failing to see the whole picture due to their specific backgrounds is a direct manifestation of this organizational phenomenon where departments refuse to share information or cooperate.

  • Common Criteria

    This international standardization effort represents the industry's struggle to create a shared baseline of knowledge and evaluation, directly addressing the author's point that security lacks the formal educational foundation found in fields like accounting.

Sources

Blind men and the elephant: The story of cybersecurity

by Ross Haleliuk · Venture in Security

Blind men and the elephant.

There’s an old story about a group of blind people who come across an elephant for the first time. Since they can’t see it, each of them tries to understand what it is by touching a different part. One person grabs the trunk and says the elephant is like a snake, another feels a leg and says it’s like a tree, a third touches the ear and thinks it’s like a big fan, and someone else holds the tail and says it’s like a rope. Each of them is sure they are right, because what they feel is real to them, and they definitely are, even if they don’t fully realize that each of them only has one part of the story. I’ve seen different versions of this story; in some, people start arguing and fighting over who is right, and in others, they work together to complement each other’s learning and perspectives.

I am sure you already understand where I am going with this, and if you do, you are probably almost right. I say “almost” because there are two ways in which this story manifests itself in security.

Image Source: Sketchplanations

Our individual backgrounds define how we see security.

There are many things about cybersecurity I find fascinating, but one of the biggest is that, as an industry, we can’t agree on what security is, how to do it well, or even what matters most. I’ve realized that this isn’t random, and everything comes down to where people come from. How someone sees security is largely defined by the roles they’ve held, the kinds of companies they’ve worked in, and what they’ve been responsible for.

A big reason for this, I think, is that very few people actually go to school to study security in a formal way. That’s very different from other ...