Cybersecurity Isn't Managing Risk—It's Managing Threats... And That's the Problem
Host David Shipley speaks with Jeff Gardiner, a former university CISO and now at Morgan Stanley, about Gardiner's doctoral research arguing that cybersecurity has structurally misclassified "risk management" as threat management.
Gardiner explains that real risk is an expected loss calculation (impact × likelihood), while many cybersecurity frameworks and training emphasize vulnerabilities, exploitability, and system configuration without likelihood or business impact. He describes examples where teams labeled unlikely issues as "extremely high risk," discusses interviews where leaders universally expect cybersecurity staff to be risk managers, and cites findings that only about 11% of cybersecurity professionals actually perform risk calculations. Gardiner outlines a practical approach using qualitative likelihood and impact scales, prioritization, and clearer business framing, and notes ongoing discussions with NIST to improve the NICE framework.
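The distinction Gardiner draws, severity of a finding versus expected loss, can be made concrete with a small risk register. The following is an added illustration, not code from the episode or from Gardiner's research: the five-point likelihood and impact scales, the band thresholds and the four findings are all constructed here as assumptions. It ranks the same findings two ways, by scanner severity alone and by a qualitative impact × likelihood score, and flags items that look alarming on severity but carry little expected loss.

```python
# Added example (not from the podcast): ranking a constructed risk register by
# expected loss (impact x likelihood) instead of by reported severity alone.
from dataclasses import dataclass

# Qualitative scales mapped to ordinal scores. The 1..5 scales and the
# band thresholds below are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str    # what a scanner or CVSS band says; no likelihood, no business context
    likelihood: str  # qualitative judgement of how likely the loss event is
    impact: str      # qualitative judgement of business impact if it happens


def risk_score(f: Finding) -> int:
    """Expected-loss style score: likelihood times impact on the ordinal scales."""
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def risk_band(score: int) -> str:
    """Collapse the numeric score into the bands a risk register would show."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_by_severity(findings):
    """Threat-centric view: order by reported severity only (stable for ties)."""
    return [f.name for f in sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)]


def rank_by_risk(findings):
    """Risk-centric view: order by impact x likelihood (stable for ties)."""
    return [f.name for f in sorted(findings, key=risk_score, reverse=True)]


def mislabeled(findings):
    """Findings a severity-only process would call 'extremely high risk'
    although their expected loss lands in the low band."""
    return [f.name for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]
            and risk_band(risk_score(f)) == "low"]


# Constructed register: names, severities and judgements are illustrative only.
REGISTER = [
    Finding("Unauthenticated RCE in internet-facing VPN appliance", "critical", "likely", "severe"),
    Finding("TLS 1.0 still enabled on isolated internal lab server", "high", "rare", "minor"),
    Finding("Shared local admin password on finance file share", "medium", "likely", "major"),
    Finding("No rate limit on public password-reset endpoint", "medium", "possible", "moderate"),
]

if __name__ == "__main__":
    print("By severity:", rank_by_severity(REGISTER))
    print("By risk:    ", rank_by_risk(REGISTER))
    for f in REGISTER:
        s = risk_score(f)
        print(f"{s:>2} {risk_band(s):<6} {f.name}")
    print("Severity-high but low expected loss:", mislabeled(REGISTER))
```

The severity ordering puts the lab server's old TLS configuration second; the expected-loss ordering drops it to the bottom and promotes the shared admin password, which no scanner rates above medium but which is both likely to be abused and costly if it is. That reordering is the prioritization step the episode describes, and the `mislabeled` check is a cheap way to surface the "unlikely issue labelled extremely high risk" pattern in an existing register.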
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
00:00 Sponsor Message
00:19 Meet Jeff Gardiner
01:51 Career Journey Origins
03:23 TLS Risk Epiphany
05:06 What Is Compute Canada
06:38 Risk Versus Threat
08:35 Why Labels Matter
11:13 Likelihood And Impact
12:26 Teaching Risk Qualitatively
15:29 Why Prioritize Risk
20:36 Training Frameworks Flaw
25:13 Research Frustrations
25:51 Risk Management Wins
26:44 Why CISOs Burn Out
27:43 Speaking Executive Risk
29:22 Teach Risk Broadly
31:36 Biases and Better Judgments
35:17 Sexy Scary vs Real Risk
36:12 Convincing the Room
39:15 Start Simple Frameworks
41:36 Risk Quadrants and Delegation
45:30 Mentorship and NIST V3
47:57 Wrap Up and Sponsor