Cybersecurity leaders have spent years investing in new tools, expanding control frameworks, and refining governance programs. Yet many organizations still struggle with the same fundamental problem: security initiatives that look mature on paper fail to create alignment, confidence, or better decisions across the business.
That challenge was at the center of a recent CYBR.Minded podcast discussion between host Dr. Dustin Sachs and Tammy Moskites, founder and CEO of CyAlliance. Their conversation focused on a topic that rarely receives as much attention as technology or compliance: trust.
Check out the full episode:

While security programs often measure success through dashboards, audit results, training completion rates, and control coverage, Moskites argued that the real test of a security program is whether people throughout the organization trust one another enough to make effective decisions together.
The discussion began with a question many organizations continue to wrestle with: Why do security programs appear mature while important gaps remain?
According to Sachs, organizations frequently respond to those gaps by adding more controls, more reporting, and more accountability structures. Yet the disconnect often persists because cyber risk is being viewed through different lenses across the business. Security teams, executives, boards, and operational leaders may all be looking at the same problem while interpreting it very differently.
For Moskites, that disconnect is often less about technology and more about trust.
Different Perspectives, Different Priorities
One of the key themes throughout the conversation was the reality that every stakeholder approaches cybersecurity from a different perspective.
“The board of directors, they're all worried about shareholder value,” Moskites explained. “The CEO and CFO are worried about bottom-line numbers. The CISO is worried about security.”
None of those priorities are wrong. In fact, they are exactly what those leaders should be focused on. Problems emerge when those perspectives become disconnected from one another.
Security leaders often assume that everyone shares the same understanding of risk. Business leaders may assume security teams fully understand operational realities. Boards may believe they are receiving a complete picture while management assumes leadership understands the nuance behind security decisions.
More about trust in cybersecurity:


When those assumptions drift apart, trust begins to erode.
Moskites emphasized that successful organizations build systems of trust that allow those different priorities to coexist. Instead of forcing everyone to think alike, effective leaders create environments where stakeholders understand one another well enough to make informed decisions together.
That alignment becomes particularly important during periods of uncertainty, when risk decisions become less about technical controls and more about judgment.
Security Is a Human System
The conversation repeatedly returned to the idea that cybersecurity performance is shaped by people as much as technology.
Sachs noted that organizations often focus on measurable activities such as ticket volume, training completion, audit results, or policy adoption. Those metrics are useful, but they do not necessarily reveal whether decision-making is improving.
An organization can become busier without becoming better.
What leaders truly need to understand is whether employees trust the information they receive, whether teams understand the context surrounding security decisions, and whether people feel empowered to act when circumstances require action.
Trust affects how individuals interpret risk signals. It influences whether concerns are raised early or ignored. It determines whether difficult conversations happen before problems escalate.
Most importantly, trust shapes how organizations respond under pressure.
As Sachs observed during the discussion, security often breaks down long before a technical control actually fails. Problems emerge when people no longer share assumptions about urgency, ownership, responsibility, or acceptable tradeoffs. At that point, dashboards may still appear healthy even while resilience is quietly deteriorating.
Building Confidence Before a Crisis
The practical implications become most visible during incident response.
Organizations facing active security incidents rarely have the luxury of lengthy decision-making processes. Teams must move quickly, often with incomplete information and under significant pressure.
Sachs described a familiar scenario in which analysts identify a problem but lack the authority or confidence to act immediately.
“The last thing you want when an alert comes in or when there's an incident is the analyst saying, ‘I'm sorry, I got to go talk to my manager,’ who's going to have to talk to his manager,” Sachs said.
That type of hesitation can introduce costly delays at precisely the wrong moment.
Moskites emphasized the importance of building trust before a crisis occurs. Tabletop exercises, training programs, governance structures, and clearly defined responsibilities all help create confidence in decision-making. They establish expectations and relationships that allow organizations to move faster when pressure mounts.
The conversation concluded with a reminder that cybersecurity leadership requires balancing urgency with thoughtful judgment.
Borrowing from Daniel Kahneman's concept of “thinking fast and slow,” Sachs noted that some situations require immediate action while others demand careful deliberation. Effective organizations understand the difference because they have already built the trust, communication pathways, and decision frameworks necessary to support both approaches.
The message from Moskites was clear: cybersecurity is not simply a technology problem. It is a leadership challenge rooted in communication, trust, and shared understanding. Organizations that focus exclusively on controls and compliance may improve their metrics, but organizations that build trust improve their ability to make good decisions when it matters most.


