Cybersecurity Today: "The Fundamental Mistake in Cybersecurity Risk Management"
Date: March 21, 2026
Host: David Shipley (filling in for Jim Love)
Guest: Jeff Gardner, veteran CISO, researcher, and consultant
Episode Overview
This episode dives deep into a foundational flaw in how the cybersecurity industry approaches risk management. Host David Shipley interviews Jeff Gardner, a long-time CISO and recent PhD graduate, whose dissertation challenges the industry's long-standing approach to risk. Gardner argues that what most cybersecurity professionals call ‘risk management’ is actually ‘threat management’, and the industry's ingrained misclassification leads to poor prioritization, wasted resources, and persistent security failures despite ever-increasing investment.
Key Discussion Points & Insights
1. Jeff Gardner’s Cybersecurity Journey & Motivation
[02:13]
- Jeff and David’s history: Collaboration in Canadian higher education cybersecurity, facing shared challenges as change agents in academic settings.
- Career path: From university CISO roles to COMPUTE Canada, consultancy, and finally Morgan Stanley.
- Origin of dissertation: Witnessed poor risk decision-making—analysts rating findings as high risk on purely technical grounds (e.g., outdated TLS versions) without considering actual likelihood and business impact.
“Cybersecurity professionals were making risk management decisions but not doing the risk calculus. And that…was really kind of an important epiphany for me.” (A, 04:36)
2. COMPUTE Canada Explained
[05:28]
- National collaboration on high-performance computing.
- Role: Building a cybersecurity program for interconnected supercomputing facilities—now the Digital Research Alliance of Canada.
3. Industry-Wide Misunderstanding of Risk
[06:52]
- Cybersecurity professionals, unlike auditors or actuaries, often don’t use true risk calculation (impact x likelihood).
- The shift began post-Morris Worm (1988), moving focus from risk calculation to technical threat management.
"What we think is risk is not risk, it's threat management." (A, 07:54)
4. Why Misclassification Matters for All Organizations
[09:04]
- Many leaders expect cybersecurity professionals to manage risk, but receive only threat language, not true risk evaluations.
“So the question really is, if the people who are talking like they're risk managers aren't, who is managing technical risk? That's the question.” (A, 09:51)
5. Impact of Risk Misunderstanding on Major Breaches
[10:09]
- Examples: Equifax (a patch management failure) and Target (the breach proceeded even though an alert had fired).
- Technical skills and resources alone don't prevent failures; the missing piece is proper risk evaluation.
- Likelihood gets ignored—analogy: meteor strike (high impact, extremely low likelihood) vs. car crash (high likelihood, moderate impact).
6. How to Practically Approach Likelihood in a Fast-Moving Field
[12:55]
- Qualitative assessments work: Ask if a risk is “inevitable, likely, unlikely, impossible” and assign impact to individuals, business units, or the whole company.
- These basic qualitative measures can fuel proper risk matrices—no need for advanced math.
“If you can get qualitative assessments…you can throw it to a risk matrix and get a quantity. And then if you get a quantity, you can make a decision…” (A, 13:58)
7. Why Prioritization is Essential
[15:43]
- Scarce resources mean not all risks can be addressed equally; we must apply effort where risk (likelihood x impact) is greatest.
8. Relentless Pace of Technology & Risk Management Skills
[17:59]
- Metaphor: Just as children develop basic mobility before learning not to chase balls into the road, our risk management skills must evolve as technology accelerates.
9. Systemic Industry Failure: Spending More for Worse Results
[18:55]
“If you went to a CEO and said, I'm gonna need you to spend 10 times as much…what am I gonna get in return? Five times worse results. You'd be tossed out the door.” (B, 19:10)
- Losses growing faster than security budgets—proof that tech-centric "risk" management isn’t delivering.
10. Training Gaps and Flawed Frameworks
[20:57]
- Cybersecurity certifying bodies (e.g. SANS, ISACA, ISC2) reinforce threat-oriented thinking.
- Industry frameworks (NIST, NICE) often lack even the core concept of ‘likelihood’.
- Only 11% of professionals actually perform risk calculations; no statistical difference compared to non-cybersecurity professionals.
- Leaders can spot the flaw but often lack risk proficiency themselves.
"We talk about risk management as one thing, not as specific actions...the failure of that model was really profound." (A, 24:57)
11. The Profession’s Divided Mindset & Consequences
[25:26]
- Some CISOs believe threat management is enough—contradicted by research showing effective risk management greatly increases the odds of success and reduces failures.
“If you want to be successful as a profession, you need risk management. If you want to fail, ignore it.” (A, 26:37)
12. Burnout, Job Dissatisfaction & the CISO Role
[27:21]
- The misalignment between risk language and skills helps explain high CISO burnout.
"We’re using risk management language but not using the skills." (A, 27:27)
- True risk-based thinking improves standing with executives and enables more rational prioritization and decision-making.
13. Should All IT Professionals Learn Risk Management?
[29:47]
- Gardner: Yes, just as accountants learn risk in their education, risk management basics should be universal for IT and non-IT staff.
14. Human Bias & Over/Underestimation of Risk
[31:14]
- Optimism bias: We think risk is always someone else's problem.
- Cybersecurity pros fall into "everything is high risk" (confirmation bias) without true calculations, leading to poor prioritization.
15. Applying Simple Risk Calculation Techniques
[39:29]
- Practical advice: Estimate likelihood (1-5), estimate impact (1-5), multiply for a basic risk score.
- Use frameworks like NIST RMF for guidance—no expensive certifications required.
16. Using Decision Matrices for Clarity
[42:00]
- Even a 2x2 matrix (high/low probability x high/low impact) dramatically clarifies which risks to avoid, reduce, accept, or delegate.
17. Is Risk Management Really Academic and Boring?
[43:37]
- No, once understood, it's a critical skill for earning executive trust and business effectiveness. Gardner admits he learned it “begrudgingly” but now sees it as transformative.
18. Final Recommendations & Takeaways
[44:30]
- Learn the real math: impact x likelihood.
- Use the business context as the frame of reference, not just systems.
- Credentials teach threat identification; true risk managers learn to “price” risk (expected loss).
"The process is very simple. It's impact times likelihood." (A, 44:35)
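The scoring, 2x2 treatment and "pricing" steps from sections 15, 16 and 18 carried through on a small constructed risk register (an added example, not code from the episode). The numeric values behind the qualitative likelihood labels, the quadrant-to-action mapping and the tie-break rule are assumptions; the register entries, including the meteor-vs-car-crash contrast and the overstated TLS finding, are constructed.

```python
from dataclasses import dataclass

# Qualitative likelihood labels from the episode, mapped onto the 1-5 scale it
# recommends. The numeric values are an assumption, not from the episode.
LIKELIHOOD_SCALE = {"impossible": 1, "unlikely": 2, "likely": 4, "inevitable": 5}

@dataclass
class Risk:
    name: str
    likelihood: str                  # one of the LIKELIHOOD_SCALE labels
    impact: int                      # 1-5, judged against the business, not the system
    annual_probability: float = 0.0  # for pricing: chance it happens this year
    loss_if_realized: float = 0.0    # for pricing: cost in dollars if it does

def score(risk: Risk) -> int:
    """Basic risk score: likelihood x impact on the 5x5 scale (1..25)."""
    return LIKELIHOOD_SCALE[risk.likelihood] * risk.impact

def treatment(risk: Risk, high: int = 3) -> str:
    """Collapse the 5x5 score onto a 2x2 matrix. Quadrant mapping is an
    assumption (conventional): high/high -> avoid, high likelihood only ->
    reduce, high impact only -> delegate (e.g. insure), neither -> accept."""
    high_likelihood = LIKELIHOOD_SCALE[risk.likelihood] >= high
    high_impact = risk.impact >= high
    if high_likelihood and high_impact:
        return "avoid"
    if high_likelihood:
        return "reduce"
    if high_impact:
        return "delegate"
    return "accept"

def expected_loss(risk: Risk) -> float:
    """Price the risk: expected annual loss = probability x loss in dollars."""
    return risk.annual_probability * risk.loss_if_realized

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by larger single-event impact (assumption)."""
    return sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)

# Constructed sample register: the episode's meteor-vs-car-crash contrast
# and its example of an overstated technical finding (an old TLS version).
REGISTER = [
    Risk("Legacy TLS version on an internal service", "unlikely", 2, 0.02, 50_000),
    Risk("Phishing-driven credential theft", "inevitable", 2, 0.80, 150_000),
    Risk("Meteor strike on the data centre", "unlikely", 5, 0.000001, 50_000_000),
    Risk("Unpatched internet-facing web server", "likely", 4, 0.30, 2_000_000),
]
for r in prioritize(REGISTER):
    print(f"{score(r):2d} {treatment(r):8s} ${expected_loss(r):>12,.0f}  {r.name}")
```

Note how the meteor outscores the TLS finding on the matrix but prices at a few dollars a year, while the phishing risk lands in "reduce" exactly like the car-crash analogy: high likelihood, moderate impact.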
Notable Quotes & Memorable Moments
- On the fundamental problem: "What we call risk management only we call risk management…our approach to defining risk, look at configuration state, look at vulnerabilities, look at exploitability, look at adversarial agents. So we redefined risk and...it's really not risk." (A, 07:21)
- On industry progress: "If companies are serious about creating value, they have to do it in a risk managed way, which means they have a limited number of resources. And when you don't prioritize risk, …you're not applying those resources in an intelligent way." (A, 16:04)
- On personal transformation: "When I realized that risk management was the secret to making technically sound decisions and the ability to prioritize, my attitude towards risk management completely switched." (A, 19:48)
- On human bias: "If people are asked to appraise a risk, just pull a risk determination out of the air, optimism bias rules the day. …You have to actually force them to do the two step engagement because then optimism bias can't rule the day." (A, 32:41)
- On how to start: "Start with the simple calculation…estimate the likelihood, use your judgment…Do a simple risk calculation, then explain to others why you think it is what it is..." (A, 39:29)
- On lessons for the next generation: “The inability to speak the language of ROI and to understand truly what the risk was an impediment. And the epiphany that I've had…was an epiphany for how CISOs—our profession—can make a difference in a company.” (A, 46:37)
Key Timestamps
| Timestamp | Topic |
|-----------|-------|
| 02:13 | Jeff’s path to doctoral research and the origins of his risk management focus |
| 06:52 | Industry-wide misunderstanding: risk management vs. threat management |
| 09:04 | Why the distinction matters to every organization, regardless of size |
| 10:09 | Case studies: Equifax, Target, and risk miscalculations |
| 12:55 | How to qualitatively estimate likelihood and impact for practical risk calculations |
| 15:43 | Why risk prioritization is necessary in business |
| 18:55 | Spending more but achieving worse outcomes: industry scale failure |
| 20:57 | How certification frameworks perpetuate the misclassification of risk |
| 25:26 | Pushback from within the profession (“threat management is enough”) |
| 27:21 | CISO burnout and lack of true risk skills |
| 29:47 | Should all IT learn risk? Yes. |
| 39:29 | How individual cybersecurity professionals can begin practical risk assessments |
| 42:00 | Matrix approach: 2x2 or 5x5 for decision-making |
| 44:30 | Final practical recommendations and the need to go beyond vocabulary |
| 46:37 | Mentoring, personal regrets, and advice for next-generation CISOs |
Tone & Language
- Candid, direct, sometimes wry or self-deprecating (Gardner: “I learned it begrudgingly”).
- Technical where needed, but always aiming for practical clarity.
- Encouraging a “revolution” in thinking, but pragmatic about incremental change.
Summary for New Listeners
If you've ever wondered why cyber breaches keep making headlines despite massive spending and armies of trained professionals, this episode delivers the uncomfortable answer: The industry has conflated ‘threat management’ with true ‘risk management,’ neglecting the math and business context that make security effective. Jeff Gardner exposes how this confusion persists, why it’s supported by current training and certification, and how individual professionals—and the industry at large—can fix it, starting with basic, practical steps.
Takeaway:
“Start with the simple calculation…estimate likelihood and impact. Use the math—not just the words—to guide your decisions. That’s real risk management.”
