From the Desk of Keith Formell

Perspective

Posture Is a Decision

Why an organization's risk appetite sets its security posture long before any control does.

By Keith Formell

Every security program is the downstream expression of a decision most organizations never realize they made. Long before a firewall rule is written or an endpoint agent is deployed, leadership has already answered the only question that finally matters: how much risk are we actually willing to carry? Everything after that — the architecture, the budget, the controls — is the implementation of an answer that was set in a boardroom, not a security operations center.

Technology doesn't create organizational discipline; it reveals whether discipline was already there.

I've spent more than twenty-five years building and securing enterprise technology — across public-sector law enforcement, national manufacturing, consulting, and my own ventures — and the lesson that has held up in every one of those environments is the same one:

An organization's risk appetite sets its security posture long before any control does.

It sounds abstract until the day it isn't.

As CIO of a North American multi-plant food manufacturer, I led the complete rebuild of the enterprise systems environment in forty-six days following a nationwide cyberattack. Production-critical operations had to come back under extreme time pressure, with the whole business watching. What I took from those forty-six days had nothing to do with any particular tool. It was that the speed and shape of a recovery are decided long before the incident — by the choices an organization has already made about what it is willing to lose, what it has funded, and what it has only documented.

That last distinction is the one that hurts: the gap between documented risk and funded remediation. Most organizations are good at the first half. Risk registers get built. Assessments get filed. Findings get logged in tidy red-amber-green. Then the remediation that would close them competes for budget against everything else — and loses, quietly, year after year, until the day the risk stops being theoretical. The register said it would happen. Nobody funded the fix. That is not a controls problem. It is a risk-appetite problem wearing a controls costume.

Which is why I think security belongs in the conversation about appetite, not only the conversation about architecture. A security leader who speaks only in controls is answering a question leadership hasn't consciously asked. The harder, more useful work is making the appetite explicit — naming, in plain terms, what the organization is choosing to accept, so the acceptance becomes a decision somebody signed rather than a default nobody owned. Once the appetite is honest, the posture follows almost mechanically — architecture becomes implementation.

I come at this as an operator as much as an executive. I've built and run my own ventures since the 1990s, from zero, which means I've sat on the side of the table where the cost of security is real money out of a budget I am personally accountable for. That changes how you weigh things. It makes you allergic to security theater — controls that exist to be pointed at rather than to reduce loss — and honest about trade-offs, because you are the one who pays for them either way. The best security leaders I know carry that instinct: they spend the organization's risk budget the way they would spend their own.

That same principle extends naturally into AI governance, where leaders face the same decision under greater uncertainty. An organization's appetite for AI risk — for unverified outputs, ungoverned data, decisions made by systems no one can fully audit — sets its AI posture long before any guardrail is configured. I treat AI the way I treat any production system: provenance, source-of-truth governance, version control, and guardrails against the failure modes that make it dangerous at scale. The security discipline isn't a constraint on AI; it's what turns AI from a liability into a capability an organization can stand behind. But none of that work matters until leadership has decided, out loud, how much it is willing to trust a machine. Same question. Higher stakes.

Twenty-five years in, the discipline I keep returning to is the simplest one: design it right, secure it, and sign your name to it. The signature is the part most people skip — and it's the whole point. Security isn't a posture you buy or a control you deploy; get the appetite honest, fund what you claim to care about, and the rest is engineering. Because in the end, controls don't accept risk. Architecture doesn't accept risk. People do.

— Keith Formell

← keithformell.com

© 2026 Keith Formell · New Lenox, Illinois