Governing and overseeing cyber security strategy is an extremely important precondition to sustainable business continuity. This applies to all IT reliant enterprises and especially critical infrastructure. However, the inevitability of human behavioral limitations, imperfections in security-boosting technology, and adversarial evolution guarantee that businesses will regularly face cyber threats. Managing this complex dynamic nature of the modern cybersecurity landscape requires a different toolset. In our anonymized critical infrastructure case study – a financial fortune 500 organization – we augmented a cyber risk management approach, with a System Dynamics approach, to simulate future performance for the current cyber security strategy. We compared our results with their current reporting structure. Unlike this reporting structure, our simulation results were able to provide early warnings about future strategy failure, estimate the ‘shelf time’ of this strategy, identify multiple failing security measures (lapses in control), and foresee potential breach impacts.