This week's C2 Corner features Jess Jimenez, the Interim Head of Security at Dropbox where she leads global teams across enterprise and product trust and security. With more than 25 years of experience spanning Fortune 100 companies, financial services, and defense, she brings a pragmatic, risk-focused approach to building resilient programs. A frequent industry speaker and mentor, Jess is passionate about advancing security leadership and developing inclusive, high-performing teams.
Boards and executives press us with the same questions: Are we secure enough? What value is Security delivering? Which business outcomes are we enabling? Answering those questions credibly requires more than static frameworks or backward-looking metrics. It requires a system that shows momentum and impact.
Over the years, we’ve turned to frameworks and metrics for answers: NIST CSF implementation tiers and ISO certifications, FAIR-based risk quantification, and operational measures like Mean Time To Detect (MTTD) and Mean Time To Recover (MTTR). Each serves a purpose in benchmarking, demonstrating diligence, and tuning operations. But they all share a limitation: they capture state, not motion. They don’t tell us where momentum is building or where friction is slowing us down.
The concept of the flywheel isn’t new. Jim Collins popularized it in business, and Phil Venables rightly highlighted its application in Security. Where I see an opportunity is in going further: using flywheels not just as metaphor, but as management system. Done well, they help us measure momentum, identify bottlenecks, and tell a more compelling story about Security’s value to the business.
Frameworks show where you are. Metrics show how you’ve performed. Flywheels show where momentum is building and where the next investment will compound.
Where Frameworks and Metrics Fall Short
Security programs are no strangers to measurement. Maturity assessments against frameworks such as NIST CSF 2.0 or the ISO 27000 series give us tiers of capability. They are useful for benchmarking, but they are snapshots in time, and generating a trend from them usually means heavy year-over-year assessment cycles. Operational metrics like MTTD and MTTR quantify efficiency, but by nature they are lagging indicators. Governance metrics such as certifications, audits, and compliance posture demonstrate diligence, but rarely prove that risk has been materially reduced.
These are all important tools. But they don’t capture the reality that security is a dynamic, interconnected system. Improving one capability often amplifies progress in another. That’s the essence of a flywheel.
Security Flywheel Mapping
A flywheel describes momentum, not just state: it shows how progress in one part of the system reinforces another, creating compounding impact. In Security, these loops are everywhere. For example, when we build “secure by default” guardrails into our engineering environments, we don’t just reduce vulnerabilities. We improve detection quality, speed response, and feed what we learn back into stronger controls, which in turn improve the guardrails. The loop reinforces itself. Similarly, investing in early-stage product security reviews, augmented by secure code libraries and automated security testing, isn’t just about fewer defects; it accelerates product and feature delivery, improves customer trust, and strengthens the business case for further security investment.
Every flywheel has four dimensions: leading indicators that show momentum building, lagging indicators that demonstrate impact, accelerants that spin the wheel faster, and drag points that introduce friction and slow us down. Viewed this way, a flywheel becomes more than a metaphor. It’s a management model: a way to see where progress is reinforcing itself, where it’s stalling, and how to frame Security’s impact in the terms executives understand, namely momentum, leverage, and value creation.
Example Flywheels in Practice
Here are a few illustrative flywheels, with indicators, accelerants, and drag points. Use these as starting points for mapping your own.
What stands out is that accelerants are often targeted, practical investments—a better prioritization tool, more automation, a streamlined process. Small changes, if applied in the right place, can compound quickly across the loop.
By structuring flywheels in this way, we trace how early inputs cascade into outcomes, where momentum can be accelerated, and where drag must be managed.
How CISOs Can Apply Flywheels
Putting flywheels into practice imposes discipline on leadership. Focus on the loops that are critical to your program rather than spreading attention thin. Within each loop, select a handful of leading and lagging indicators that matter and can be measured without overwhelming the team.
Interrogate the system: where is momentum naturally building, and where is it stalling? Accelerants, whether AI, automation, new tooling, or additional staff, should be directed to loops where the investment can be leveraged into outsized impact. Conversely, recognizing drag points helps avoid wasteful spend and exposes areas where process redesign may yield more than adding resources.
Most importantly, flywheels give us a language for storytelling. Boards don’t just want metrics; they want to understand how Security’s work compounds into resilience and trust. When we present flywheels, we shift the conversation from cost and compliance to momentum and strategic advantage.
Why This Matters
For boards and executives, flywheels provide a different lens for understanding Security. Traditional metrics and maturity scores capture compliance and efficiency, but they don’t explain whether the program is getting stronger with each cycle. Flywheels highlight momentum, where small investments generate compounding returns, where friction erodes value, and where resilience is built quarter after quarter.
When framed this way, Security shifts from being seen as a cost center to being recognized as a strategic system of reinforcing loops that create trust, enable growth, and sustain business advantage.
Closing Thought
For CISOs and practitioners, the takeaway is practical: flywheels are a management system, not just a metaphor. By mapping those loops, defining indicators, and surfacing drag, we create a living model of our programs. Use this model to guide trade-offs and to tell a sharper story about where to invest or where to cut.
So here’s my challenge: this quarter, pick one flywheel in your program and map it. Overlay which teams drive each stage. Then bring that story to your leadership team, not as another compliance update, but as evidence that Security doesn’t just defend the business. It builds compounding resilience and trust.
The question isn’t only ‘Are we compliant?’ or ‘Are we efficient?’ The real question is: are we building compounding momentum that makes the business stronger and more resilient with every cycle?