The Unknown Unknowns: Why Best CISOs Prepare for Surprise | Vyfority
Strategic Risk Briefing

The Best CISOs Prepare for the Unknown.

Why “Unknown Unknowns” are the most dangerous category of risk, and how to build a business case for Offensive Security.

Dean Kastelic

Principal Consultant

I often use the concept of ‘known knowns,’ ‘known unknowns,’ and ‘unknown unknowns,’ popularised by Donald Rumsfeld, to explain cybersecurity threats.

While not originally his, this concept is widely used in military, risk, and project management, and it translates naturally to cybersecurity. It is especially useful when making the business case for an advanced SOC and a proactive offensive security program.

“If we fail to prepare for unknown unknowns, we are simply waiting for a crisis.”

The Cyber Threat Matrix

| Quadrant | Category | Examples | Defences |
| We Know / We Know | Known Knowns | Phishing, Ransomware | MFA, EDR |
| We Know / We Don’t Know | Known Unknowns | Zero Days, AI Attacks | Advanced SOC |
| Irrelevant | Unknown Knowns | Institutional Knowledge | |
| ⚠️ We Don’t Know / Don’t Know | Unknown Unknowns | Unforeseen Scenarios | Red Teaming |

Figure 1: Mapping cyber risk categories to required capabilities.

1. Known Knowns (The Baseline)

These are risks we understand: phishing, ransomware, social engineering. Because they are familiar, we have deployed established defences (email filters, MFA). Most cyber programs focus their efforts here.

2. Known Unknowns (The Advanced SOC Case)

We know these threats exist (e.g., zero-day vulnerabilities, AI attacks), but we cannot predict when they will occur.

To combat these, we need to go beyond basic log monitoring. We need an Advanced SOC where threat intelligence and vulnerability management are integrated into detection and response.

3. Unknown Unknowns (The Red Team Case)

These are the most dangerous: threats we cannot foresee because they lie outside our current understanding (as WannaCry did before 2017).

Addressing these requires a strategic offensive program: incident response drills and, most critically, continuous red-team exercises.

A Warning on Red Teaming

Red-team exercises are only feasible if your security posture is reasonably good. Otherwise, you are just confirming a “known known” (that you are easy to hack). In that situation, conduct an “Assume Compromise” exercise instead.

The Board Conversation

It is crucial to record your awareness of ‘unknown unknowns’ in the risk register. Even if the board declines to fund an offensive program, you have acknowledged the risk.

By highlighting these blind spots to the board before an event occurs, you shift the narrative from “blame” to “shared risk acceptance.”

We sometimes get flak for referring to military concepts. I don’t get why. Cybersecurity benefits from borrowing concepts from more mature fields such as national defence. Framing risk this way is essential for getting buy-in for high-functioning SOCs and offensive programs.
