The Fundamental Mistake in Cybersecurity Risk Management

Cybersecurity Isn't Managing Risk—It's Managing Threats... And That's the Problem

Host David Shipley speaks with Jeff Gardiner, a former university CISO and now at Morgan Stanley, about Gardiner's doctoral research arguing that cybersecurity has structurally misclassified "risk management" as threat management.

Gardiner explains that real risk is an expected loss calculation (impact × likelihood), while many cybersecurity frameworks and training emphasize vulnerabilities, exploitability, and system configuration without likelihood or business impact. He describes examples where teams labeled unlikely issues as "extremely high risk," discusses interviews where leaders universally expect cybersecurity staff to be risk managers, and cites findings that only about 11% of cybersecurity professionals actually perform risk calculations. Gardiner outlines a practical approach using qualitative likelihood and impact scales, prioritization, and clearer business framing, and notes ongoing discussions with NIST to improve the NICE framework.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst

00:00 Sponsor Message
00:19 Meet Jeff Gardiner
01:51 Career Journey Origins
03:23 TLS Risk Epiphany
05:06 What Is Compute Canada
06:38 Risk Versus Threat
08:35 Why Labels Matter
11:13 Likelihood And Impact
12:26 Teaching Risk Qualitatively
15:29 Why Prioritize Risk
20:36 Training Frameworks Flaw
25:13 Research Frustrations
25:51 Risk Management Wins
26:44 Why CISOs Burn Out
27:43 Speaking Executive Risk
29:22 Teach Risk Broadly
31:36 Biases and Better Judgments
35:17 Sexy Scary vs Real Risk
36:12 Convincing the Room
39:15 Start Simple Frameworks
41:36 Risk Quadrants and Delegation
45:30 Mentorship and NIST V3
47:57 Wrap Up and Sponsor