Most security leaders quietly live with a paradox they rarely name out loud. Until you truly look inside the box of your environment, your organization is both secure and compromised. The dashboards might be green and the audit reports reassuring, but the uncomfortable reality is that you do not know your actual state until you observe it directly and often.

Meeting the cat — a paradox with teeth

Many readers will have heard of Schrödinger’s cat in passing, but the details blur over time, so it is worth revisiting what the analogy means before applying it to security. It is a thought experiment in quantum physics that illustrates how strange the rules of the microscopic world seem when applied to everyday objects, such as a cat in a box.

In the classic setup, a cat is placed in a sealed box with three components: a tiny radioactive source, a detector that can sense whether an atom decays, and a vial of poison that is released if the detector triggers. As long as the box stays closed, quantum mechanics describes the radioactive atom as being in a superposition of decayed and not decayed at the same time.

From the outside, the cat appears to be both alive and dead until someone opens the box and checks. The instant an observer looks, the uncertainty collapses into a single outcome: alive or dead, but not both. Schrödinger proposed this not because he believed in half-dead cats, but to criticize simplistic interpretations of quantum theory and force people to confront how odd it is to treat unobserved systems as if they occupy multiple states at once.

That structure, a system that exists in multiple possible states until observed, then collapses into a single real state, is exactly what makes Schrödinger’s cat such a powerful way to talk about modern cybersecurity.

The two companies every leader runs

When I first moved into security consulting, I realized many leaders were effectively running two different companies at once: one that looked safe in audits, dashboards and policy documents, and another that attackers were probing and learning to exploit beneath the surface. In board papers, the organization appeared controlled, compliant and orderly; in logs and incident reviews, it looked messy, improvised and full of blind spots.

Over time, I began to describe these two states as the “paper company” and the “real company.” The paper company is defined by controls. It is the version of the organization that appears in frameworks, policies, architecture diagrams and maturity assessments, with named owners, mapped processes and reassuring traffic-light reports.

The real company is defined by behavior. It is the version that appears in telemetry, threat intelligence, red team findings and post-incident reviews. It is shaped by how people actually work, by shortcuts embedded in processes, by legacy systems nobody wants to touch and by integrations that were never fully documented.

The paradox is that leadership conversations usually assume only the paper company exists. When a board asks, “Are we secure?”, the answer typically references policies, certifications and tool coverage, all attributes of the paper company, while attackers interact only with the real one. Until leaders can see the real company clearly and regularly, they are effectively managing a cat-in-a-box: they must act as if they are both secure and compromised, without knowing which state is currently true.

Security as an observation problem, not just a control problem

Most security strategies still treat protection primarily as a control problem: deploy more controls, map more requirements and close more findings. Controls matter, and as an adviser I would be irresponsible to downplay them. Yet major incidents keep reminding us that controls can be in place on paper while attackers move laterally through gaps in visibility, misconfigurations and exceptions that nobody has examined closely for months.

Thinking in Schrödinger’s terms reframes security as also, and increasingly, an observation problem. In physics, measurement collapses a quantum system from many possible states into one observed reality. In security, detection plays the same role. Until there is a concrete signal, such as an alert, a log correlation, an anomaly investigation or a third-party notification, you cannot categorically state whether an attacker is present. You can discuss probabilities and expectations, but not current facts.

Seen through that lens, three truths emerge:

1. The absence of evidence (alerts) is not evidence of absence (safety)

It may simply mean your tools cannot see where the attacker is or that signals are not being correlated and interpreted effectively. A quiet SIEM can indicate resilience or complete blindness; without deeper observation, you do not know which.

2. Dwell time is a measure of unobserved reality

Every day an attacker remains undetected is a day when leadership operates under a false assumption about the system state. The longer the detection gap, the longer your organization lives in a “secure and compromised” superposition.

3. External discovery is a symptom of observation failure

When regulators, customers or partners are the first to tell you something is wrong, it is a strong signal that the box has been opened only from the outside.

Once you see security as an observation problem, the question “Are we secure?” starts to feel like the wrong question. A better set of questions sounds more like:

  • How quickly would we know if a high-value identity or system were compromised?
  • Which parts of our environment are effectively unobserved, from a telemetry or logging perspective?

Advising leaders through the paradox

As a consultant, the goal isn’t to embarrass organizations for their uncertainty but to normalize it and systematically reduce it. Complex environments have blind spots; the risk comes from ignoring them.

The work involves three shifts in thinking and action:

  1. Change the questions in the boardroom. Instead of asking “Are we secure?”, ask “Where do we have strong evidence and where are we guessing?” This honesty aligns decisions with reality and clarifies investment needs.
  2. Measure certainty, not just controls. Include metrics such as telemetry coverage, detection speed and red team findings to assess how well the organization uncovers threats. Cognitive biases among practitioners exacerbate these gaps.
  3. Reward the surfacing of ambiguity rather than punishing uncertainty. Encourage teams to admit gaps and improve observation, which builds trust over time.
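One way to put the second shift into numbers, as an added example that is not from the article: a small Python script over constructed asset and incident records that reports telemetry coverage per asset, lists the assets with no telemetry at all, and computes median dwell time and the share of incidents first surfaced by an outside party. The asset names, tiers, required log sources and incident dates are all constructed here, not real data.

```python
from datetime import datetime
from statistics import median

# Constructed sample inventory (not from the article): each asset's tier and the
# log sources actually feeding the SIEM for it.
ASSETS = {
    "dc01":       {"tier": "high",   "sources": {"auth", "edr", "dns"}},
    "vpn-gw":     {"tier": "high",   "sources": {"auth"}},
    "hr-db":      {"tier": "high",   "sources": set()},
    "web-01":     {"tier": "medium", "sources": {"edr", "http"}},
    "legacy-erp": {"tier": "medium", "sources": set()},
}

# Assumed minimum telemetry per tier: what we need to answer "was this host
# compromised?" after the fact. Tune for your own estate.
REQUIRED = {"high": {"auth", "edr", "dns"}, "medium": {"edr"}}

# Constructed incident records: when malicious activity actually began (from the
# post-incident review) versus when the organisation first knew, and who told it.
INCIDENTS = [
    {"start": "2024-03-01", "detected": "2024-03-03", "by": "internal"},
    {"start": "2024-04-10", "detected": "2024-05-22", "by": "external"},
    {"start": "2024-06-05", "detected": "2024-06-05", "by": "internal"},
]

def coverage_report(assets=ASSETS, required=REQUIRED):
    """Fraction of required telemetry present per asset, plus the assets with no
    telemetry at all: the genuinely unobserved part of the estate."""
    coverage = {}
    for name, asset in assets.items():
        need = required[asset["tier"]]
        coverage[name] = len(asset["sources"] & need) / len(need)
    unobserved = sorted(n for n, a in assets.items() if not a["sources"])
    return coverage, unobserved

def dwell_stats(incidents=INCIDENTS):
    """Median dwell time in days and the share of incidents first surfaced by an
    outside party (the article's 'box opened only from the outside' signal)."""
    days = [(datetime.fromisoformat(i["detected"]) - datetime.fromisoformat(i["start"])).days
            for i in incidents]
    external = sum(i["by"] == "external" for i in incidents) / len(incidents)
    return median(days), external

if __name__ == "__main__":
    cov, blind = coverage_report()
    print("coverage:", cov, "\nunobserved:", blind)
    print("median dwell days, external share:", dwell_stats())
```

Assets scoring zero are the part of the real company nobody is watching; a rising external share or median dwell time is the gap between paper and reality measured in days.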

Bringing the paradox down to earth

Collapsing the paradox in a real enterprise is not about finding a single magic control that proves you are safe; it is about building habits of observation that continually narrow the gap between the paper company and the real one. In practical terms, a few patterns make an outsized difference in moving an enterprise from superposition to observation. From a consultant’s perspective, these stand out:

  • Treat threat hunting as routine, not heroic. Many organizations treat hunts as occasional special projects, often driven by a specific concern or regulatory pressure. A more effective model is to operationalize them as a standing function, a way to continuously test assumptions about where attackers could hide and to validate that existing detections still work as expected.
  • Design telemetry with questions in mind. Instead of starting with “what logs can we capture easily?”, start with “what questions would we want to answer after an incident and what would we want to observe in real time?”. Work backward from those questions to determine the required telemetry and analytics. That keeps the focus on understanding behavior, not just filling storage.
  • Integrate external observation into your picture of reality. Bug bounties, penetration tests, independent assessments and sector information-sharing are all ways to let others open the box from different angles. The key is to fold those observations back into your own narrative, rather than treating them as disconnected exercises.

Over time, these practices narrow the gap between the paper company and the real company. Leaders still need policies, controls and reports, but those artefacts begin to reflect observed behavior much more closely than aspirations.

Leading in a world of half-open boxes

The most honest statement a security leader can make is not “we are secure” but “here is what we know, here is what we do not know yet and here is how quickly we are closing that gap.” That is essentially a commitment to continuous observation. It also reframes security from a static state to a dynamic practice, which aligns with how modern digital businesses operate.

Schrödinger’s cat reminds us that unobserved systems can exist in multiple states simultaneously. In cybersecurity, this means a quiet environment can be both resilient and deeply compromised until proven otherwise. The job of security leaders and their advisers is not to pretend the paradox does not exist, but to build the technical, organizational and cultural capabilities that enable the organization to open the box early and often and to be ready to act on whatever is found when it is.

This article is published as part of the Foundry Expert Contributor Network.