“Stop Trying To Quantify Risk”: Risk Management Wisdom (& Star Wars Analogies) From CISO Andy Ellis
Run the Numbers
Rethinking Risk Assessment in Cybersecurity
This chapter explores the limitations of quantifying cybersecurity risks in monetary terms, critiquing its effectiveness in aligning expectations between security experts and financial leaders. It introduces the FAIR system for improved risk evaluation and discusses incident severity levels to enhance organizational risk management.
Cybersecurity risks have become more complex and unpredictable than ever, yet many companies struggle to quantify these threats in terms that truly matter. How can CFOs and CISOs effectively communicate about risk, make smart security investments, and navigate the emerging challenges posed by AI? In this episode, CJ interviews Andy Ellis, a renowned cybersecurity leader, former CISO of Akamai, investor, director, advisor, leadership coach, and author of the book 1% Leadership. Andy unpacks why most companies measure risk the wrong way and breaks down his "Pyramid of Pain” framework for categorizing it. He discusses the dynamics between CFOs and CISOs in purchasing security tools, demystifies security budgeting and vendor negotiations, dives into the evolving role of AI in security operations, and explains why the CISO and CIO roles are on a collision course. Andy also reveals insider stories from the frontlines of major breaches, shares a compelling risk analogy inspired by vampires and zombies, and clears up once and for all why the demise of the Death Star was not a failure of risk management.
—
LINKS:
Andy Ellis on LinkedIn: https://www.linkedin.com/in/csoandy
Andy Ellis on X: (@CSOAndy) https://x.com/csoandy
Website:
https://www.csoandy.com
1% Leadership: https://www.amazon.com/1-Leadership-Master-Improvements-Leaders/dp/0306830817
How to CISO:
https://www.howtociso.com
Duha One:
CJ on X (@cjgustafson222): https://x.com/cjgustafson222
Mostly metrics:
—
TIMESTAMPS:
(00:00) Preview and Intro
(02:49) Sponsor – Rillet | Pulley | Brex
(07:23) Defining Risk: Technical & Human-Friendly Perspectives
(09:20) Actuarial Risk Versus Human-Driven Risk
(15:33) Why the Demise of the Death Star Wasn’t a Failure of Risk Management
(16:58) Sponsor – Aleph | RightRev | Navan
(21:22) How the Death Star Metaphor Relates to Real-World Security Breaches
(23:20) Why Risk Should Not Be Quantified in Dollar Terms
(25:15) The Pyramid of Pain: Risk Severity and Surprise Levels
(30:21) How CFOs and CISOs Should Partner on Security Purchases
(34:03) Are Security Budgets Over or Under-Spent?
(36:22) Balancing Budget for Security Tools and People
(39:48) Tips for FP&As on Brokering the Security Budget With Your CISO
(44:10) Factoring AI Uncertainty in a Three-Year Security Roadmap
(46:38) AI Washing in Security Products and Realistic Impact
(48:55) The Limitations of Security Operations
(50:53) The Future of CIO and CISO Roles and Organizational Reporting
(54:55) Why IT Shouldn’t Report to the CFO
(57:18) Israeli Unit 8200 and Cybersecurity Innovation
(59:50) Startups Versus Public Companies: Differing Risk Models
(1:02:52) Wrap
—
SPONSORS:
Rillet is the AI-native ERP modern finance teams are switching to because it’s faster, simpler, and 100% built for how teams operate today. See how fast your team can move. Book a demo at https://www.rillet.com/metrics.
Pulley is the cap table management platform built for CFOs and finance leaders who need reliable, audit-ready data and intuitive workflows, without the hidden fees or unreliable support. Switch in as little as 5 days and get 25% off your first year: https://pulley.com/mostlymetrics.
Brex offers the world's smartest corporate card on a full-stack global platform that is everything CFOs need to manage their finances on an elite level. Plus, they offer modern banking and treasury as well as intuitive expenses and accounting automation, bill pay, and travel. Find out more at https://www.brex.com/metrics
Aleph automates 90% of manual, error-prone busywork, so you can focus on the strategic work you were hired to do. Minimize busywork and maximize impact with the power of a web app, the flexibility of spreadsheets, and the magic of AI. Get a personalised demo at https://www.getaleph.com/run
RightRev automates the revenue recognition process from end to end, gives you real-time insights, and ensures ASC 606 / IFRS 15 compliance—all while closing books faster. For RevRec that auditors actually trust, visit
https://www.rightrev.com
and schedule a demo.
Navan is the all-in-one travel and expense solution that can give you access to exclusive, proprietary Nasdaq-validated data that reveals what's happening with corporate travel investments. See the Navan Business Travel Index at https://navan.com/bti.
#Cybersecurity #RiskManagement #CISO #SecurityOperations #SecurityFinance
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.mostlymetrics.com
The AI-powered Podcast Player
