The Art of Breaking Things Safely: Why Great Leaders Ignore the Rules
In cybersecurity, we defend the perimeter. In leadership, we have to expand it. Here is the case for strategic rebellion.
Originally published on my Blogger site on July 17, 2025. Preserved here on Substack.
In my line of work, we are paid to be paranoid.
We build firewalls. We enforce compliance frameworks. We write policies that say “No.” In cybersecurity, a broken rule usually means a breach, a fine, or a very bad headline.
But here is the paradox that kills careers: The mindset that makes you a great defender makes you a terrible leader.
If you are only managing compliance, you aren’t leading; you’re policing. Today’s C-Suite requires leaders who can orchestrate transformation, not just guard the perimeter. The most effective executives I’ve met share a terrifyingly simple trait: they know exactly which rules to break.
This isn’t about reckless rebellion. It’s about strategic disruption. It’s the difference between a vulnerability (an accidental break) and an exploit (an intentional one).
The Science of “Productive Deviance”
Pablo Picasso famously said, “Learn the rules like a pro, so you can break them like an artist.”
In corporate speak, we call this innovation. In reality, it looks like disobedience.
Consider the story of the Post-it Note. It wasn’t a planned R&D win. In 1968, Dr. Spencer Silver tried to build a super-adhesive for aircraft. He failed. He made a weak, useless glue that couldn’t hold anything permanently.
For years, it was a “failure.”
It only became a billion-dollar product because another employee, Art Fry, broke protocol. He ignored the “useless” label and bootlegged company resources to solve a personal problem (his hymnal bookmark kept falling out).
If 3M had enforced strict adherence to “successful projects only,” the Post-it would be a trash can footnote. Instead, they had the “15% Rule”: sanctioned time for employees to go rogue.
The Lesson: If your organization punishes every deviation from the plan, you aren’t building security. You’re building sterility.
Why Netflix Won (And Why You Might Lose)
We all know the Netflix vs. Blockbuster story. But we forget the violence of the pivot.
In 2007, Reed Hastings didn’t just start streaming; he actively cannibalized his own profitable DVD business. He broke the cardinal rule of business: Don’t kill the cash cow.
Traditional logic said, “Protect the revenue.” Netflix broke that rule because they understood a deeper truth: The biggest risk isn’t experimentation; it’s clinging to what worked yesterday.
In cybersecurity, we see this constantly.
We cling to perimeter defenses in a Zero Trust world.
We cling to password rotation policies even after NIST says they are bad.
We cling to compliance checklists while AI re-writes the threat landscape.
The Case for “Purposeful Play”
“Play” is a dirty word in the boardroom. It sounds like ping-pong tables and wasted budget.
But let’s reframe it for the technical crowd: Play is just simulation.
When a Red Team attacks a network, they are “playing” the role of the adversary. When engineers run Chaos Engineering (shutting down servers randomly to test resilience), they are “playing” with disaster.
Research from the Museum of Play shows that teams with playful leaders generate 45% more original ideas.
I’ve seen security teams break through complex problems not by staring at logs, but by gamifying threat hunting. When you lower the stakes of failure through simulation (play), you raise the ceiling of innovation.
The Google Model: Structured Chaos
Google’s “20% time” policy gave us Gmail and AdSense. It wasn’t luck. It was structured chaos.
The key insight for leaders is that play isn’t the opposite of productivity. It’s a catalyst.
If your team is 100% utilized on “business as usual” tasks, you have zero capacity for the breakthrough that saves the company next year. You are optimizing for efficiency, but you are fragile to change.
Your “Safe Rebellion” Action Plan
You don’t need to burn down the employee handbook to apply this. You just need to create pockets of safe rebellion.
1. The “Why Do We Do This?” Audit
Identify one rule, report, or meeting in your org that everyone follows but no one can explain.
Is it required by regulation? Keep it.
Is it “just how we’ve always done it”? Break it. See what happens.
2. The Failure Party
Amazon’s Jeff Bezos said, “Failure and invention are inseparable twins.” Host a session where you, the leader, share a recent experiment that flopped. Normalize the data gathered from the failure. If the CISO can admit a mistake, the junior analyst won’t be terrified to report a near-miss.
3. The 15% Experiment
You might not have 3M’s budget, but you can give your team time. Allow your engineers 2-3 hours a week to work on anything that improves the security posture, off the roadmap. No approvals needed. You will be shocked at the automation tools and threat intel scripts that emerge when you stop micromanaging.
The Leadership Edge
The future belongs to leaders who can navigate ambiguity.
In cybersecurity, our job is to protect the organization. But sometimes, the best way to protect the future is to break the rules of the present.
The most dangerous thing you can do as a leader is play it safe when the world is on fire.
Your next move: Find a rule to break this week. Do it intentionally. Do it strategically. And see what grows in the crack you create.
References
How a Playful Mindset Can Boost Creativity (HBR)
Why it matters: Hard data on why “serious” business needs a lighter touch to drive innovation.
The Power of Productive Failure (Forbes)
Why it matters: A look at how Amazon and other giants monetize their mistakes.
9 Ways Senior Leaders Sabotage Innovation (CCL)
Why it matters: A mirror for executives to see if they are the bottleneck they are trying to remove.



