Security-oriented reflections on Rosa's uncontrollability

Applying Hartmut Rosa's concepts of controllability and resonance to the security space

In information security, we tell ourselves control is everything. We build frameworks, write policies, automate scans, and obtain certifications, all in service of reducing uncertainty. The assumption is that if we can standardize enough, checklist enough, observe enough, we can make risk manageable. Containable. Controllable.

But security doesn't always work that way. Sometimes, the most meaningful insights emerge from curiosity, improvisation, even accidents. A vulnerability found by intuition, a misconfiguration noticed in a moment of idle exploration, a pattern that just felt wrong. These moments don’t arrive on schedule, and they can’t be forced. They resist instrumentation.

Sociologist Hartmut Rosa calls this "uncontrollability", and argues that it isn’t a flaw to be fixed, but a vital feature of how we relate meaningfully to the world.

Summarizing Rosa's key concepts

Hartmut Rosa's essay, The Uncontrollability of the World (originally Unverfügbarkeit, 2018), is a short but powerful philosophical reflection on modern society’s obsession with control.

Rosa starts by stating that modern humans relate to this world through a set of "points of aggression", and that modern societies that wish to exist and prosper need to establish a state of dynamic stabilization. That is, in order to stay stable, they need to change.

"A modern society is one that can stabilize itself only dynamically, in other words one that requires constant economic growth, technological acceleration, and cultural innovation in order to maintain its institutional status quo." - Hartmut Rosa, The Uncontrollability of the World

Rosa argues that modernity is driven by a deep desire to make the world controllable across four dimensions - to make the world visible, reachable / accessible, manageable, and useful. This impulse is behind scientific progress, bureaucratic systems, technological development, and even personal self-optimization.

The flipside and reality, however, is Unverfügbarkeit, or uncontrollability - the central concept in Rosa's essay. It refers to the idea that the most meaningful aspects of life, such as love, inspiration, nature, art, and even democratic participation, cannot be forced or controlled. They resist instrumentalization, they cannot be predicted, and they cannot be engineered.

Rosa uses snow as an example of uncontrollability:

"Falling snow is perhaps the purest manifestation of uncontrollability. We cannot manufacture it, force it, or even confidently predict it, at least not very far in advance. What is more, we cannot get hold of it or make it our own. Take some in your hand, it slips through your fingers. Bring it into the house, it melts away. Pack it away in the freezer, it stops being snow and becomes ice."

In contrast to viewing human interaction as a "point of aggression", Rosa proposes viewing it as a "point of resonance" - a major theme in Rosa's broader work. He suggests that a fulfilling life is one in which we have resonant relationships with people, things, and the world itself. Resonance involves openness, responsiveness, and transformation. But when we try to control everything, resonance is lost.

Rosa proposes five theses regarding controllability. Quoting them verbatim:

  • The inherent uncontrollability of resonance and the fundamental controllability of things do not constitute a contradiction per se.

  • Things we can completely control in all four dimensions lose their resonant quality. Resonance thus implies semicontrollability.

  • Resonance demands a form of uncontrollability that "speaks", that is more than just contingency.

  • An attitude aimed at taking hold of a segment of the world, mastering it, and making it controllable is incompatible with an orientation toward resonance. Such an attitude destroys any experience of resonance by paralyzing its intrinsic dynamism.

  • Resonance requires a world that can be reached, not one that can be limitlessly controlled. The confusion between reachability and controllability lies at the root of the muting of the world in modernity.

Paradoxically, Rosa says, the more we try to control the world, the more it slips away from us. Even when we are successful in achieving a desired level of control in a specific area, that will often trigger or uncover a new level of uncontrollability.

Rosa acknowledges the personal and institutional necessity for control, but argues that we need to accept and even cherish the uncontrollable aspects of life. Rather than seeking total mastery, we should cultivate an attitude of openness and responsiveness, welcoming the unexpected and uncontrollable as a source of genuine meaning and vitality.

The allure of control in security

Compliance frameworks, control objectives, policy documents, dashboards — security loves a detailed checklist! These are necessary, but often promise more than they deliver. They offer a sense of control, but not always actual security.

Control is seductive. Security teams are tasked with protecting sprawling systems, evolving architectures, and human behavior that resists prediction. In the face of that messiness, standards and frameworks offer comfort. A checklist can be completed. A dashboard can be tuned to show progress. A policy can be enforced.

And these tools aren’t bad... they’re necessary. Without shared language and repeatable practices, security efforts devolve into ad hoc chaos. Controls give structure, especially in large organizations where consistency matters.

But Rosa would argue that when control becomes the goal rather than a tool, something is lost. We begin to relate to systems not as living, dynamic environments, but as objects to be optimized and subdued. We reduce complexity to surface metrics. We trade engagement for manageability. And in doing so, we risk losing the very thing that makes security work effective: our ability to feel the system. To hear its feedback. To resonate with it.

Security as resonance

Real insight and understanding often come from messy, creative engagement with systems. Consider a staff engineer poking through logs and stumbling onto a strange pattern. A security researcher following a gut feeling into a complex chain of misconfigurations. An IR team improvising in the moment — not because the runbook told them to, but because the system demanded a different kind of attention.

Rosa uses the term resonance to describe a mode of relationship in which we are open, responsive, and transformed by what we encounter. It’s not passive observation, and it’s not domination. It’s a dialogue. A call and response. These moments of resonance are characterized by presence, curiosity, and a willingness to be surprised. They often lead to insight, but they can’t be mandated, measured, or scheduled. You can’t add “get inspired” to your quarterly OKRs.

These moments are generally not available on demand. They can’t be scheduled or controlled, but they’re crucial.

The cost of over-control

Rosa notes a paradox at the heart of modern life: the more control we gain, the more we expose ourselves to new forms of uncontrollability. We standardize infrastructure, only to encounter new threat surfaces. We automate deployments, and now face supply chain attacks. We centralize visibility, and invite single points of failure. The world is a moving target, as it reorganizes itself in response to our attempts to manage it.

In security, this shows up constantly. We patch the vulnerability, but open a different hole through tooling. We tighten identity controls, and attackers pivot to social engineering. Each success at control gives rise to new forms of surprise. Rosa would say uncontrollability isn't a bug of the system. It's an inherent feature of living systems in motion.

When security becomes solely about control - checklists, audits, and enforcing uniform behavior - we lose access to the deeper layers of understanding. Teams become focused on looking secure rather than being secure. We optimize for what can be measured: coverage percentages, policy adherence, ticket closure rates. But risk doesn’t only exist in the things we measure.

In this mode, alienation sets in. Engineers experience security as an imposed external force, not a shared concern. Security teams themselves can begin to drift into enforcement mode, managing policies and pushing standards, but disconnected from the systems and people they’re meant to protect. Rosa would call this a loss of resonance: the system no longer responds. It either obeys or ignores.

Worse, we start to believe our own metrics. Dashboards full of green give a false sense of safety, even as vulnerabilities hide in the corners no scanner touches. The urge for control, taken too far, numbs our instincts. It leaves no room for friction, and friction is often where the truth lives.

When OKRs replace insight

Tech companies often adopt OKRs to bring clarity and focus - to translate big goals into measurable, actionable outcomes. It’s a form of control, meant to align efforts and reduce ambiguity. But over time, teams start optimizing for the OKRs, not for the actual goals they were meant to support. The metrics become the mission.

Worse, by reducing success to what’s measurable, OKRs can crowd out the creative, exploratory work that doesn’t fit neatly into a quarterly checkbox. The more tightly you define the outcomes, the more the system resists or reroutes. Rosa might say that the attempt to control work through OKRs produces a new form of uncontrollability - cynical compliance, superficial alignment, or gaming the system. Once again, the world pushes back.

Embracing uncontrollability

So what would it mean to take uncontrollability seriously in security work - not as a flaw, but as a condition of meaningful engagement?

It might mean creating space for unscripted exploration, time for security engineers to dig into systems without a predetermined goal. It might mean treating postmortems not just as procedural reviews, but as opportunities for storytelling and reattunement. It might mean hiring not just for knowledge, but for curiosity, humility, and the ability to sit with ambiguity.

These practices can’t replace controls, of course. But they can balance them. They can reintroduce the idea that not everything that matters can be systematized, and that, in security, the most important truths are often the hardest to pin down.

Toward resonant security

Security at its best isn’t just domination or control — it’s relationship. It’s a responsiveness to change, an openness to being surprised, and a deep respect for the complexity of the systems we inhabit. Rosa’s philosophy offers a reminder that meaning emerges not when we master the world, but when we meet it in dialogue.

The challenge, then, is not to abandon control but to hold it lightly. To control less, but connect more. To leave space for the unexpected, the unmeasurable, the uncontrollable. Because that’s where the real work begins.

Holding both control and resonance

None of this is an argument against standards, frameworks, or controls. They are essential. In a complex, fast-moving organization, you need shared expectations, baseline protections, and a way to demonstrate that the fundamentals are in place. Controls are what keep the floor from falling out, but floors aren't the same as ceilings.

If we treat controls as the entirety of security, we risk building a program that is defensible but dead, or compliant but disconnected from the actual threats and systems it's meant to address. We meet business goals on paper, but miss the deeper goal: understanding and even relating to our systems, our teams, and the evolving nature of risk itself.

The challenge, then, is to hold both. To meet baseline expectations and leave room for curiosity and creativity. To satisfy the auditors and encourage the applied intuition of the engineer who notices something odd and follows it. To maintain just enough control to stay grounded, and just enough freedom to stay alive.

Security, like life, is richer when we allow for uncontrollability. It is in the uncontrolled where insight lives, and how the world speaks back. It's how we stay curious, how we stay creative, and how we stay human.


Rosa's concepts have become a helpful lens for me when looking at other contexts within this modern world, such as political movements, technological advancements, organizational dynamics, and parenting tweens... among other things.

Thanks to Tripp Fuller for an initial introduction to Rosa in a theological / faith context (1, 2). Thanks to Christian Frichot and Keith Hoodlet for early feedback on this attempt at application of these concepts in a security context.

© Jamie Finnigan; opinions my own and not my employers.