How to Lead With Confidence When Certainty Disappears

How to Lead With Confidence When Certainty Disappears

For much of my career, I lived in worlds where precision mattered. The hardest shift from a technology or security leader to CEO is trading certainty for judgment. In this executive leadership world a key ability is being able to lead with confidence when certainty disappears.

From Precision to Ambiguity

As a technologist, architect, CTO, and CISO, I was trained to look for edge cases, root causes, system behavior, technical truths, and to have defensible answers. When something failed, the goal was to understand why as soon as the disaster was dealt with. When risk surfaced, the goal was to measure it, contain it, and communicate it. When a system needed to scale, the goal was to design something resilient enough to survive negative impact.

That background is incredibly valuable as it sharpens how you think. It also teaches you to respect complexity while separating signal from noise. That operating system also gives you a deep appreciation for how fragile things can become when assumptions go untested.

The Real Shift: Certainty to Judgment

Becoming a CEO requires a different operating system.

The hardest shift is not going from technology to business. It is going from certainty to judgment.

In technical leadership, you often have the luxury of eventually getting to a correct answer. The system works or it does not. There is a reality to a functional state. A control is effective or it isn’t. An architecture scales or it breaks. Vulnerabilities are exploitable or they aren’t. Even when there is debate, there is usually a path toward some solution.

As CEO, the path is rarely that clean.

Leading When the Answer Is Not Obvious

Unfortunately, CEOs have to make decisions with incomplete information. That is simply part of the job’s reality. You balance financial realities, customer needs, market timing, employee morale, board expectations, competitive pressure, and operational constraints. There is a mental state where you are constantly choosing between options that all carry risk. Sometimes the decision is not between right and wrong. It is between imperfect and necessary.

That is a very different kind of pressure.

Risk Is Only One Part of the Equation

A CISO is often rewarded for identifying what could go wrong. A CEO is responsible for deciding what must go forward irrespective of risk.

That does not mean ignoring risk. It means understanding that risk is only one part of the enterprise equation. Growth has risk. Inaction has risk. Delay has risk. Over-analysis has risk. Moving too slowly can be just as damaging as moving too fast.

This was one of the most important mindset changes for me.

As a security leader, I spent years helping organizations avoid bad outcomes. I analyzed as many angles as I could and prepared in the most realistic way possible. As a CEO, I still care deeply about avoiding bad outcomes, but I also have to create the conditions for positive outcomes. After all, I have a company to run and grow. That means building momentum, making tradeoffs, allocating capital, setting priorities, developing leaders, and helping the company move with conviction even when the data is not perfect. Sometimes it means deciding between a gamble that could improve ARR or mitigating risk.

Technical Depth Can Become a Constraint

As expected, technical leaders often bring a powerful bias toward depth. We want to understand details and inspect machinery. Often, knowing why something is happening is essential before action takes place.

That instinct is useful. But it can also become a constraint.

As an example, imagine a scenario where sales leadership does not know intimate details about a potential customer. You ask questions such as who the economic buyer really is, what the internal deadlines are, or what their budget is. These are details that dictate how real a deal is and whether you put that data in front of the board. But realistically, those details are likely not made known to a sales person by the potential customer. My bias for depth just became both a constraint and source of frustration.

The CEO’s Job Is to Build Decision Capacity

Realistically, a CEO cannot personally inspect every system, approve every decision, or resolve every ambiguity. The job is not to become the ultimate escalation point for every hard problem. Staying focused, as a CEO you want to build an organization that can make better decisions without waiting for you.

That requires trust.

Trust in people, in operating rhythms, in the quality of the strategy, in the mechanisms that surface truth early. It also requires a leadership tier that understands the business, mission, constraints, and relevant standards.

As a CEO you must accept that no amount of technical brilliance eliminates uncertainty.

Judgment Is the CEO’s Most Important Tool

Given the reality of uncertainty, judgment becomes the CEO’s most important tool.

Judgment is not instinct alone. Nor is it guessing. Judgment is the ability to combine facts, experience, pattern recognition, timing, and foreseen consequences into a decision that moves the organization forward.

Good judgment asks:

  • What do we know?
  • What do we not know?
  • What assumptions are we making?
  • What happens if we are wrong?
  • What must be true for this decision to work?
  • What is the cost of a given decision?
  • What is the cost of not deciding now and waiting?
  • Who needs clarity now?

The Company Is Now the System

Some of those questions are familiar to technical leaders. They sound a lot like risk analysis, incident response, architecture review, and threat modeling. The difference is that, as CEO, they now apply to areas (e.g., Sales, Marketing, HR) technical leaders seldom manage. In fact, they now apply to the whole company.

Strategy becomes an architecture problem. Culture becomes a scaling problem. Communication becomes a signal integrity problem. Talent becomes a resilience problem. Cash becomes an operating constraint. Execution becomes the ultimate proof point.

The CEO role forces you to widen the aperture.

You can no longer look only at whether something is functional or technically sound. You have to ask whether it is commercially viable, operationally executable, strategically aligned, and fiscally responsible. You have to think about how decisions cascade across customers, employees, investors, partners, and the broader market.

Credibility Changes at the CEO Level

That broader blast radius for each decision made is where the CEO transition can feel uncomfortable for deeply technical leaders.

We are used to being credible because of what we know. As CEO, credibility increasingly comes from how we decide, how we communicate, and how we create clarity for others, even when conditions are hazy.

The organization does not need the CEO to have every answer.

It needs the CEO to establish clear direction.

It needs the CEO to make the hard calls.

It needs the CEO to define what matters most.

It needs the CEO to be calm when the data is incomplete and when the pressure is on.

It needs the CEO to turn ambiguity into action.

Conviction Without False Certainty

To be clear, none of this means pretending to be certain. In fact, false certainty is dangerous. People can feel when a leader is manufacturing confidence. The better posture is honest conviction: here is what we know, here is what we believe, here is what we are going to do, and here is how we will adapt as reality teaches us more.

That is a different kind of leadership maturity.

The transition from CISO or CTO to CEO is not a rejection of technical depth. It is an expansion of it. The same disciplines still matter: systems thinking, adversarial understanding, resilience, risk management, architecture, and operational rigor.

The difference is that they must be applied at a broader level.

The company is now the system.

The market is now the threat model.

The competition is now an adversary.

The strategy is now the architecture.

The people are now the execution layer.

And the CEO is responsible for whether all of it works together under pressure.

Your Expertise Got You Here. Judgment Determines What Happens Next.

For technical leaders aspiring to broader executive roles, this is the real lesson: your expertise got you to the table, but judgment determines your impact once you are there.

Depth still matters. Precision still matters. Technical fluency still matters.

But the role changes.

You are no longer only protecting the business.

You are leading it.

You are growing it.

And leadership, at the CEO level, is the discipline of making consequential decisions before certainty arrives.

From 4X CISO to CEO: What Leadership Looks Like Now

Andres Andreu reflecting on leadership lessons from moving from CISO to CEO

For years, I led from the seat of a Chief Information Security Officer (CISO). From 4X CISO to CEO.

As a CISO I learned “healthy paranoia”. I learned to see around corners. I learned to prepare for failure without becoming ruled by it. I learned that resilience is not a slogan, trust is not soft, and pressure reveals what an organization really is.

Then I became a CEO.

The title changed, but that was not the real transition. The real transition was this: the scoreboard changed.

Success means something very different now.

As a CISO, much of the job revolves around reducing downside. You protect value. You harden systems. You reduce exposure. You prepare for impact. Success often shows up as the absence of disaster.

As a CEO, that is no where near enough.

A CEO still has to manage downside. But the real job is broader and frankly, harder. You have to create upside even the upside is not obvious. You have to allocate capital, focus people, accelerate execution, build trust, and make the company stronger under pressure. You are no longer measured only by what you prevent. You are measured by what you build, what you compound, and whether the organization can win.

That shift has changed how I think about leadership.

It has not made me less disciplined. It has made me more complete.

Here are the lessons that came into focus for me in the move from CISO to CEO.

Protecting value and creating value are not the same job

Security leaders are trained to think in terms of exposure, controls, failure paths, and resilience. That training is valuable. In fact, in a volatile world, it is a serious leadership advantage. But …

The CEO role forces a wider lens.

You cannot lead a company by focusing only on what might break. You have to decide what deserves energy, capital, and conviction. You have to place bets. You have to define where the company will lead, where it will differentiate, and where it will refuse distraction. You also have to make the hard choices between protecting something or paving a path to new revenue.

That is a major shift.

A CISO protects value.

A CEO creates, compounds, and defends value.

The distinction matters because it changes the posture of leadership. It moves you from preservation alone to purposeful construction.

Risk is only part of the story

For a long time, one of the most important questions in my world was: What could go wrong?

That question still matters. It always will.

But CEOs have to ask a broader set of questions:

What are we building?
What are we solving?
What are we choosing not to do?
Where are we underinvesting?
What will matter six quarters from now, not just six weeks from now?

This is where many leaders get trapped. They confuse awareness of risk with clarity of direction.

These are not the same.

A company can become highly fluent in threat, friction, and constraints and still fail to move. It can become excellent at discussing complexity and poor at converting that complexity into action.

The CEO’s job is not to eliminate uncertainty. The CEO’s job is to move the organization through uncertainty with judgment.

That is a different discipline.

Capital allocation spells truth

One of the clearest lessons of becoming CEO is that strategy sounds impressive in slides but reveals itself in budgets.

Capital allocation exposes the truth.

You can say innovation matters. But if you do not invest in data quality, operating discipline, and workflow redesign, then innovation does not really matter.

You can say trust matters. But if you underfund execution, transparency, and customer experience, then trust does not really matter either.

You can say growth matters. But if priorities are bloated, ownership is vague, and friction is tolerated, then growth is a cheap talking point.

This is one of the hardest truths in leadership: strategy is not what you announce. Strategy is what you consistently fund, reinforce, and protect.

The CEO sees that more directly than anyone else.

Money is not just a resource. It is a declaration of belief.

Clarity scales better than intensity

Earlier in my career, I thought strong leadership often meant pushing harder, doing more, leading in very visible form.

I no longer believe that.

Strong leadership now means clarifying faster.

Companies do not scale on intensity alone. They scale on clarity. They scale when people know what matters, who you are selling to, who owns what, how decisions get made, what good looks like, and what deserves to be ignored.

Intensity without clarity creates motion, not momentum.

This becomes even more important at the CEO level because ambiguity compounds as it moves through the organization. A vague executive statement becomes a confused team priority. A confused priority becomes wasted time. Wasted time becomes operating drag. Operating drag becomes missed expectations.

That is why clarity is not just a communication skill. It is an operating advantage.

The larger the company, the more expensive vague leadership becomes. But, it also takes longer to unearth that type of situation. In smaller companies vague leadership exposes itself way quicker as there are fewer buffers.

Trust is not soft. Trust is throughput.

Too many leaders still talk about trust as if it belongs in the category of culture alone.

It does not.

Trust affects speed. Trust affects execution. Trust affects retention. Trust affects customer confidence. Trust affects whether people escalate intelligently or defensively. Trust affects whether hard truths surface early or get buried until they become an expensive burden.

In low-trust environments, everything takes longer. People protect themselves. Decisions loop slowly. Teams revisit the same conversations. Energy leaks everywhere. Indecision reigns.

In high-trust environments, accountability gets stronger, not weaker. Standards become easier to uphold because intent is clearer and friction is lower.

This is one of the biggest mindset expansions I have had as a CEO.

Trust is not theater.

Trust is infrastructure.

And in many organizations, it is the hidden variable behind execution quality.

Resilience matters more than compliance

Compliance matters. It builds baseline discipline. It creates structure. It can improve consistency.

But compliance is not the same as resilience.

A compliant company can still be fragile.

A resilient company absorbs pressure without losing direction. It adapts when conditions change. It makes decisions based on imperfect and/or incomplete information. It keeps operating even when the environment turns hostile.

That distinction matters now more than ever.

The modern business environment does not reward organizations simply for looking prepared. It rewards organizations that can keep moving when things break.

This is where my years in security still shape me deeply. I know what fragility looks like. I know how fast confidence erodes when stress exposes weak assumptions. I know the difference between a control that looks good and a capability that holds.

As CEO, that lesson only became more important.

Build for the test, not just the audit.

The CEO’s steadiness becomes part of the operating model

This may be the most personal lesson of all.

The CEO carries more than accountability. The CEO carries signal.

The ecosystem around you (employees, the board, investors, peer CEOs, partners, customers) watch how you process. How you process pressure. How you process the sea of bad news with the sprinkle of good here and there. They watch how you handle incomplete information, mixed results, difficult tradeoffs, and external noise. They watch your tone when momentum slows. They watch your posture when the answer is not obvious.

This does not mean a CEO needs to project false certainty.

It does mean the CEO has to project steadiness.

And do so irrespective of what is at hand. That steadiness matters because organizations borrow emotional direction from leadership. When the environment is noisy and/or unsteady, the CEO helps determine whether the company becomes reactive, distracted, disciplined, or resolved.

That is not abstract leadership philosophy. It’s not a textbook principle taught in business school. That is operational reality.

Steadiness preserves focus. Focus preserves execution. Execution preserves trust.

In the end, leadership is not about being right. It is about steering the organization towards an outcome, making sure employees stay oriented while the organization works through challenges and hurdles.

Security-Centric Steadiness

Security teams alone cannot secure a company from threats. The company’s organizational culture, risk tolerance, and investments are defined collectively by leadership, in many organization this means a roll up to the CEO. It is ultimately the CEOs responsibility to:

  1. Set the tone (organizational culture): if the CEO treats security as a priority, it permeates the entire organization. If neglected, it breeds a relaxed, vulnerable afterthought culture.
  2. Define risk tolerance: the CEO must decide what level of risk is acceptable and where to invest in defense, rather than assuming the CISO can stop 100% of attacks alone. This is a challenge as a lot of CEOs, for the sake of self-preservation, shy away from explicitly taking a stance on risk. Even if a CEO isn’t signing an acceptance/rejection of risk they can define tolerance levels.
  3. Create cross functional alignment: silos break down due to force from the top, IT, Legal, HR, and Operations work together to protect the company when that is a mandate coming from the CEO.

What I carried with me from the CISO seat

I did not leave my CISO instincts behind when I became CEO.

I feel I brought the best of them with me.

I still believe in disciplined thinking.
I still believe in resilience under pressure.
I still believe in asking hard questions early.
I still believe that trust takes years to build and minutes to lose.
I still believe leaders should prepare for failure without becoming defined by fear.

But the CEO role forced me to widen the aperture.

The mission is no longer only to defend the enterprise.

The mission is to build an enterprise that can win.

That means creating trust, not just protecting it. It means creating momentum, not just preventing disruption. It means turning discipline into direction, and direction into execution.

That is the real shift.

Final thought

Going from a 4X CISO to CEO did not make me think less about security. It made me think more completely about leadership. I still believe the best leaders see the angles and see around corners. Now, I also believe they have to be able to build through those angles and corners.