Originally published as "Jazz and Cybersecurity: Improvisation, Harmony, and Innovation" in May 2024. Revisited and expanded in June 2026.
Editor’s note: This article revisits and expands upon "Jazz and Cybersecurity: Improvisation, Harmony, and Innovation," originally published on LinkedIn in May 2024. It is not a rewrite. It is a reconsideration — the same starting idea, examined again after additional years of work in security leadership, governance, risk, board service, and AI advisory. Some of the original conclusions still hold. Others look different now.
I have a habit of listening to jazz when I work through a problem that doesn’t resolve cleanly. Lately it has been Dave Brubeck, and on certain evenings, Miles Davis’s Sketches of Spain — a record that sounds composed and improvised at the same time, which is part of why it stays interesting after the hundredth listen. The record feels simultaneously structured and exploratory, which may be why it remains such a useful metaphor for cybersecurity.
A couple of years ago I wrote a short piece connecting jazz to cybersecurity. The argument then was about improvisation, technical mastery, and innovation — the idea that great security practitioners, like great musicians, improvise their way through novel problems with skill earned over time. I still believe a version of that. But coming back to the idea now, I find I was emphasizing the wrong part. I was fascinated by the solo. I underweighted everything that makes the solo possible.
This is what experience tends to do to a familiar idea. It doesn’t replace it. It moves the center of gravity.
The Brubeck lesson: structure creates freedom
The easiest place to see this is Take Five. It is the piece everyone knows, and it is remembered as a feat of freedom — the unusual time signature, the loose feel, the famous solos. What is easy to miss is how disciplined it is. The 5/4 meter never wavers. The piano vamp underneath holds steady the entire time. Paul Desmond can wander on the saxophone precisely because nothing underneath him is wandering. The freedom is real, but it is borrowed against a structure that does not move.
That is the part I want to sit with, because it inverts the usual intuition. We tend to think of structure and freedom as opposites — that more of one means less of the other. In disciplined creativity they are the opposite of opposites. The structure is what makes the freedom usable. Remove the steady meter and the solo isn’t liberated; it collapses into noise.
The same inversion holds in organizations. The teams that adapt best under pressure are almost never the ones with the fewest rules. They are the ones whose fundamentals are so well established that no one has to think about them in the moment. The structure has been internalized, so attention is free to go where the novelty is. Freedom in a security program is not the absence of structure. It is the dividend that structure pays.
Governance is the chord progression
If structure creates freedom, then governance is where that structure lives. And the most useful way I’ve found to describe governance to a board is that it is the chord progression.
A jazz musician improvising over a standard is not inventing from nothing. There is a progression underneath — a sequence of chords everyone in the ensemble knows — and it defines the space the soloist plays in. It tells you which notes will resonate and which will clash. It does not dictate the melody. It makes a coherent melody possible. Two musicians who have never met can play together convincingly because they share the changes.
Governance does the same work for an organization. Risk tolerance, policy, decision rights, escalation paths, the standards a decision is measured against — these are the changes. They don’t tell anyone exactly what to do when something unexpected happens. They define the harmonic space inside which a good response will resonate and a bad one will clash. They let people who weren’t in the room together still act in a way that holds together.
The objection I hear most often is that governance constrains. That it slows people down, that it is the enemy of innovation. I understood that objection better earlier in my career than I do now. In practice, the organizations with the weakest governance are not the most innovative. They are the most anxious. Every decision is relitigated because there is no shared progression to play over. Governance, done well, is not the brake. It is the thing that lets the rest of the organization move without having to stop and negotiate the key signature every time.
Incident response as improvisation
Nowhere is this clearer than in incident response. Every organization I’ve worked with has a plan. Very few have a plan that survives first contact with an actual incident — and the ones that handle incidents well have made peace with that fact rather than fighting it.
A response plan is not a script that predicts the incident. It can’t be; the next incident will not have read the document. The plan exists to support decision-making under pressure — to establish who has authority, what the thresholds are, who gets called, what the first moves look like — so that when reality diverges from the plan, and it will, people are improvising from a known position rather than from panic.
This is exactly what separates an experienced jazz musician from a talented beginner. Both can play the notes. The difference shows up when something goes sideways — a tempo drifts, someone enters early, a string breaks. The beginner stops. The experienced player absorbs the disruption and keeps the music going, because they have internalized the structure deeply enough to adapt inside it. Experienced responders are the same. They are not following the plan more faithfully than everyone else. They have internalized it well enough to leave it when they need to.
The rhythm section of cybersecurity
Solos get remembered. Rhythm sections win the gig. The bass and drums hold the time and the harmony, and when they are doing their job, no one in the audience is thinking about them at all. That invisibility is the work. It is also why rhythm sections are chronically undervalued by people who confuse visible effort with importance.
Security has a rhythm section, and it is undervalued for the same reason. Identity and access management. Asset inventory. Configuration and infrastructure hygiene. Governance routines. The unglamorous operational discipline of knowing what you have, who can touch it, and whether the basics are actually being maintained. None of it makes a conference keynote. All of it determines whether anything else in the program functions.
When a security program fails, the post-incident review rarely uncovers a missing exotic capability. It uncovers a quiet failure in the rhythm section — an identity that should have been deprovisioned, an asset no one knew was exposed, a control that was documented but not operating. The fundamentals were keeping time until they weren’t, and because no one was listening to them, no one noticed they had stopped.
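The three quiet failures named above (an identity that should have been deprovisioned, an asset nobody knew was exposed, a control documented but not operating) are all reconciliation problems: two records that should agree and don't. The script below is an added illustration, not code from the original article, showing what "listening to the rhythm section" looks like in practice. All of the data in it is constructed (the HR roster, directory accounts, inventory, scan results and control evidence dates are made up), and the `svc-` service-account convention and the 120-day evidence window are assumptions chosen for the example.

```python
"""Rhythm-section audit: reconcile identity, asset and control records.

Added example with constructed data. Each check compares two sources that
should agree and returns the discrepancies as (item, reason) pairs.
"""
from datetime import date

# --- Constructed sample data (not from any real environment) ---------------

# Who HR says currently works here.
HR_ACTIVE_EMPLOYEES = {"alice", "bob", "dana"}

# What the identity directory says. "carol" left in March but was never
# deprovisioned; "svc-backup" is a service account whose owner is carol.
DIRECTORY_ACCOUNTS = {
    "alice": {"enabled": True, "last_login": date(2026, 6, 1)},
    "bob": {"enabled": True, "last_login": date(2026, 5, 28)},
    "carol": {"enabled": True, "last_login": date(2026, 2, 14)},
    "dana": {"enabled": True, "last_login": date(2026, 6, 2)},
    "svc-backup": {"enabled": True, "last_login": date(2025, 11, 3)},
    "eve": {"enabled": False, "last_login": date(2024, 1, 9)},  # already disabled
}
# Assumed convention: every service account must name a human owner.
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "carol"}

# What the asset inventory knows about, versus what an external scan sees.
ASSET_INVENTORY = {"web-01", "db-01"}
INTERNET_EXPOSED_HOSTS = {"web-01", "web-02"}  # web-02 is not in inventory

# Controls as documented, with the date of the last evidence they operated.
CONTROLS = {
    "MFA enforced for admins": {"last_evidence": date(2026, 5, 30)},
    "Quarterly access review": {"last_evidence": date(2025, 9, 15)},
    "Backup restore test": {"last_evidence": None},
}


def orphaned_accounts(hr_active, directory, service_owners):
    """Enabled accounts with no living justification: a person no longer on
    the HR roster, or a service account whose named owner has left."""
    findings = []
    for name, rec in sorted(directory.items()):
        if not rec["enabled"]:
            continue  # already deprovisioned; nothing to flag
        if name in service_owners:
            owner = service_owners[name]
            if owner not in hr_active:
                findings.append((name, f"owner {owner} has no active HR record"))
        elif name not in hr_active:
            findings.append((name, "no active HR record"))
    return findings


def unknown_exposed_assets(inventory, exposed):
    """Hosts reachable from the internet that the inventory never recorded."""
    return sorted(exposed - inventory)


def stale_controls(controls, today, max_age_days):
    """Controls that are documented but have no recent evidence of operating."""
    findings = []
    for name, rec in sorted(controls.items()):
        last = rec["last_evidence"]
        if last is None:
            findings.append((name, "no evidence ever recorded"))
        elif (today - last).days > max_age_days:
            findings.append((name, f"last evidence {(today - last).days} days old"))
    return findings


def run_audit(today=date(2026, 6, 15), max_age_days=120):
    """Run all three reconciliations and return the findings by category."""
    return {
        "identities": orphaned_accounts(HR_ACTIVE_EMPLOYEES, DIRECTORY_ACCOUNTS,
                                        SERVICE_ACCOUNT_OWNERS),
        "assets": unknown_exposed_assets(ASSET_INVENTORY, INTERNET_EXPOSED_HOSTS),
        "controls": stale_controls(CONTROLS, today, max_age_days),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

None of the checks is clever; the value is in running them on a schedule and treating a non-empty result as a stopped clock rather than a backlog item. Each check can be pointed at real sources (an HR export, a directory dump, scan output, a GRC system's evidence log) without changing its logic.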
Leadership and restraint
The best bandleaders I’ve listened to share a trait that took me a long time to appreciate: they create space for other people to play. Miles Davis is the canonical example — a player remembered as much for the notes he left out as the ones he played, and for assembling musicians and then giving them room. The leadership was not in dominating the performance. It was in setting the conditions and then getting out of the way.
I think this is the part of cybersecurity leadership that gets least attention, because it looks like doing less. Earlier in my career I would have measured a strong security leader by how many decisions they personally made. I would measure it differently now. The role is not to make every call. It is to build the conditions under which good calls get made by the people closest to them — clear authority, clear thresholds, enough trust that escalation is a tool rather than a reflex.
The same is true at the board level. A board does not govern by reaching down into operational decisions. It governs by ensuring the structure exists for those decisions to be made well, and by asking the second question that tells you whether it is. Leadership as restraint is harder than leadership as control, because restraint requires having built something you can actually trust. But it is the only version that scales.
AI as a new instrument
This is the part of the original essay I could not have written in 2024, at least not honestly. AI has moved from the margin of these conversations to the center of them, and the framing I keep coming back to is musical: AI is a new instrument added to the ensemble, not a replacement for the musicians.
A new instrument changes what the ensemble can do. It also has to learn the progression. Drop a powerful new voice into a band with no sense of the changes, no awareness of when to play and when to lay out, and it does not elevate the music — it overwhelms it. The instrument is only as good as its integration into the structure around it.
That is the governance work AI actually demands. Not a separate AI program bolted to the side of the organization, but the same questions the rest of governance already answers, asked of a faster and louder participant: who is accountable for what this produces, what standard is it measured against, where are the thresholds, and who has the authority to stop it. AI does not need to be feared into a cage. It needs to be brought into the ensemble — given a part, held to the progression, and kept aligned with where the organization is actually trying to go. The transformative technologies that get adopted well are the ones that respect the structure they join. The ones that get adopted badly are the ones allowed to solo over everyone else from the first bar.
Closing reflection
By the time the record finishes, the thing that stays with me is not any single solo. It is that the whole performance held together while leaving room for the unexpected. The musicians did not eliminate uncertainty — a performance with no uncertainty is not jazz, and it isn’t very interesting either. They built enough shared structure that uncertainty became something to play with rather than something to fear.
That is the closest thing I have to a thesis about cybersecurity after these years of doing the work. The goal was never to eliminate uncertainty. It can’t be done, and the programs that try end up brittle, optimized for a world that doesn’t arrive. The goal is to build enough structure — enough governance, enough discipline in the fundamentals, enough clarity about who decides — that when uncertainty does arrive, and it always does, the organization can still perform.
Great jazz ensembles are not the ones that never get surprised. They are the ones that sound composed when they are. Great security programs are the same. They succeed not because they saw everything coming, but because they knew how to play when something didn’t.
