I spent fifteen minutes telling the PayPal CEO everything that was wrong.
It was a meeting at PayPal to walk through security issues we had found in one of our products. The CEO was there, along with a group of executives. I had prepared thoroughly. I had even been coached on my approach. And the coaching I had absorbed, the age-old security culture I had inherited, told me the job was to make the CEO understand how bad things were. So that is what I did. Fifteen minutes, a comprehensive catalogue of problems, delivered with precision.
He interrupted me. He was visibly annoyed.
"I don't need you to tell me that things are bad," he said. "I know they are. What are you doing about it?"
Several things landed on me at once.
The first was the obvious one. I had performed rigor and mistaken it for usefulness. I had given him a diagnosis and stopped, as if naming the problems were the same as addressing them.
The second was worse, and it took the sting of the first moment to see it. I had aimed the bad news at the wrong people. The CEO and the executives in that room could not fix the vulnerabilities I was describing. The product owner could. The engineering team could. And they were not in the room. I had built no alliance with the people who could actually act. I had turned a problem that needed partners into a presentation that needed an audience.
We stopped the meeting. We agreed to reconvene when I could bring actual solutions and the right stakeholders to work them. And I walked out with the lesson that reorganized how I lead: state reality, inspire hope.
Here is why that lesson is really an argument for optimism, and why optimism is the better tactic, not the softer one.
The Romance With Pessimism
In security, we have a particular romance with pessimism. We mistake it for sophistication. The leader who can recite every vulnerability, who opens with "assume breach," who reminds everyone that it is not if but when, sounds like the adult in the room. The optimist sounds naive by comparison. Soft. Like someone who has not seen what we have seen.
I think that is exactly backwards.
Pessimism feels like rigor, but it is mostly the easy part. Anyone can list what is broken. It takes no courage and no judgment to catalogue risk. What is hard, and what is actually the job, is what you say next. The leader who only states reality has done the easy ninety percent and skipped the part that mattered.
Because a catalogue of broken things does not move anyone. It does not produce a decision, a budget, or a fix. It produces the particular numbness that sets in when people are told the situation is dire and handed no way through it. Fear is not a strategy. The room that leaves your briefing frightened does not leave it activated.
What Optimism Actually Is
This is what optimism actually is, and it is not what its critics think.
Optimism is not the absence of clear-eyed assessment. It is what you do after the assessment. You state the reality, fully and honestly, and then you pair it with a path. A real one. Here is what is broken, here is what we are doing about it, here is the sequence, here is the date it closes, and here are the people who own it with me. The reality earns your credibility. The path, and the alliance behind it, is what converts that credibility into movement.
State reality, inspire hope. State the reality, because anything less is dishonest and your people can smell a sugarcoated briefing from across the building. But inspire the hope, because hope is the only thing that produces action. Hope here is not a feeling. It is a tactic. It is the deliberate act of giving people a credible reason to believe the problem is workable, and therefore a reason to move on it.
The pessimist will tell you this is just realism with better marketing. It is not. The difference is in what it produces. Pessimism produces a frightened, frozen organization that treats security as a tax and the security team as the bearers of bad news. Optimism produces an organization that believes the problems are solvable and acts on them. Same facts. Opposite outcomes. The variable is not the reality. It is what the leader does with it.
The Job Has Shifted
There is a reason this matters more now than it used to. Our audience has changed. Security leaders spend more time in front of boards, executives, and customers than in front of a console. Those audiences do not need convincing that the threat is real. They are already convinced. What they need is the thing the fifteen-minute catalogue cannot give them, a credible belief that it can be handled and a plan they can support. The job has shifted from raising the alarm to leading the response. Pessimism is the language of raising the alarm. Optimism is the language of leading the response.
You Earn the Right to Be Optimistic
None of this is false confidence. The fastest way to destroy your credibility is to inspire hope you cannot back up. State reality is the first half for a reason. You earn the right to be optimistic by being honest first. The leader who skips the reality and goes straight to reassurance is not an optimist. He is a liar, and he is found out the first time something breaks.
But the leader who does both, who tells the hard truth and then leads people through it with the right partners beside him, is the one who gets the budget, keeps the team, and earns the trust of the room. Not because optimism feels better. Because it works better.
The CEO was not asking me to be cheerful. He was asking me to do my actual job. Not to tell him things were bad, he knew that, but to tell him what we were going to do about it, with the people who could actually do it, and to make him believe we could.
I had handed him the diagnosis and called it a day. He was waiting for the part that mattered.
State the reality. Then give them somewhere to go.