
Cybersecurity Today: The Fundamental Mistake in Cybersecurity Risk Management
Mar 21, 2026
Jeff Gardner, former university CISO and doctoral researcher now at Morgan Stanley, argues cybersecurity has mistaken threat hunting for real risk management. He recounts a TLS epiphany, explains likelihood × impact, and shows simple five-point scales and prioritization. He also discusses training gaps, CISO burnout, and efforts to fold risk thinking into frameworks like NIST.
Held-Up Release Over TLS That Wasn't A Real Risk
- Jeff Gardner recounts a team blocking production over TLS 1.2 vs 1.3 despite the system being non-internet-exposed and exploitability being effectively nil.
- Walking through discoverability, exploitability, likelihood, and business impact showed the correct classification was moderate risk, not extremely high risk.
Cybersecurity Confuses Threats With Risk
- Gardner's core insight: cybersecurity training reframes risk as threat/vulnerability management rather than expected loss (impact × likelihood).
- This divergence began after incident-focused CERT work post-Morris Worm and reshaped professional priorities.
Leadership Expects Risk Managers But Gets Threat Managers
- Executives universally expect cybersecurity teams to be risk managers, yet most teams use threat-focused language without performing expected-loss calculations.
- That mismatch leads to misplaced priorities and investments that don't reduce organizational risk efficiently.
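To make the expected-loss view concrete for the TLS story above and the "threat managers, not risk managers" point, here is an added example (not from the episode or from Gardner) of a tiny risk register scored as likelihood × impact on five-point scales. The scales, the rating bands, the rule that likelihood is the lesser of discoverability and exploitability, and the sample findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Five-point scales (1 = very low ... 5 = very high) and the rating bands below
# are assumptions for this example; the episode only mentions "simple
# five-point scales" without defining them.
RATING_BANDS = [(1, 4, "low"), (5, 9, "moderate"), (10, 14, "high"),
                (15, 19, "very high"), (20, 25, "extremely high")]

@dataclass(frozen=True)
class Finding:
    name: str
    discoverability: int  # how easily an attacker finds the weakness
    exploitability: int   # how feasibly it can be exploited where it sits
    impact: int           # business impact if it were exploited

def check_scale(value: int, label: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")
    return value

def likelihood(f: Finding) -> int:
    """Likelihood is capped by the weakest link: a flaw that cannot be reached
    or exploited in its deployment context stays unlikely (assumed rule)."""
    return min(check_scale(f.discoverability, "discoverability"),
               check_scale(f.exploitability, "exploitability"))

def risk_score(f: Finding) -> int:
    """Expected-loss style score: likelihood x impact, range 1..25."""
    return likelihood(f) * check_scale(f.impact, "impact")

def rating(score: int) -> str:
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 1..25")

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order a backlog by expected loss rather than by vulnerability label."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample register. The same TLS 1.2 finding is scored twice: once
# as if it were internet-facing, once in its real internal-only context.
TLS_CONTEXT_FREE = Finding("TLS 1.2 allowed (scored as internet-facing)", 5, 5, 4)
TLS_IN_CONTEXT = Finding("TLS 1.2 allowed (internal-only system)", 3, 2, 4)
PHISHING = Finding("Finance mailbox without MFA", 5, 4, 4)
SAMPLE_FINDINGS = [TLS_IN_CONTEXT, PHISHING]
if __name__ == "__main__":
    for f in prioritize([TLS_CONTEXT_FREE] + SAMPLE_FINDINGS):
        print(f"{risk_score(f):2d} {rating(risk_score(f)):15s} {f.name}")
```

Scored in context the TLS finding lands in the moderate band and drops below the mailbox finding, while the context-free scoring of the very same weakness comes out "extremely high", which is the misclassification the episode describes.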
