You're leading a security engineering initiative where the problem is real, but the path forward is unclear. Different stakeholders want different outcomes: some want the fastest risk reduction, others want minimal disruption to delivery, and the available data is incomplete.
How would you handle ambiguity when there is no obvious right answer?