#1723312: How Much Risk Would a CISO Risk if a CISO Could Risk Risk?

Description: CISOs first appeared in the C-Suite over thirty years ago. But their responsibilities and functions within an organization still vary wildly. If an organization wants their CISO to be more effective, take a moment to understand their purpose and how they function.

This week’s episode is hosted by David Spark, producer of CISO Series, and Brett Conlon, CISO, American Century Investments. Joining them is Ryan Barras, CISO, Mount Sinai Medical Center.

Listen to the full episode here.

Nobody understands what we do

The CISO role remains misunderstood three decades after its creation. CISOs sit in the C-suite by title but often lack real organizational power. Responsibilities vary wildly between organizations. The biggest part of the job is relationship building, not technical execution. CISOs need to understand their organizations better than anyone else—the culture, the business model, the risks, the vendors. Few disciplines are as broad. The C-suite must understand that cyber's job is to protect them from a critical business risk they may not understand; it's the CISO's job to understand that risk and explain it. As a CISO, understand the basics of how the business operates. Where do you get customers, and what drives revenue? Conversations about the volume of vulnerabilities are meaningless to business operations. Talk about what happens when point-of-sale systems go down for two days and the mobile app stops working. That's business impact.

Someone else should fix this

The distinction between industry problems and business problems is critical. If you hear "there needs to be," you're dealing with an industry problem—something holding everyone back with no financial incentive for any one organization to fix. Introducing regulation won't necessarily solve the problem. Healthcare is heavily regulated and still suffers massive breach rates. The real issue is that vendors don't listen to industry needs. They build products and hunt for buyers rather than understanding what different industries require. What manufacturing needs differs from healthcare, which differs from finance. Vendors chase the most profitable industries rather than tailoring solutions by sector. The most beneficial change would be reversing the conference model—vendors listening to industry problems instead of pitching solutions. Forums like ISSA provide spaces for open dialogue on industry-wide challenges. But many problems labeled as industry-wide are really just excuses for not addressing basic security fundamentals.

Make the audience care

We've all suffered through bad panel sessions. The worst offense is when moderators, who are hosts, don't introduce their guests. Instead, they ask panelists to introduce themselves. No professional talk show host does this because it signals you barely know your guests. Who would believe they're your guests? Moderators who answer their own questions destroy conversational flow. Good panels happen when participants reveal personal information you couldn't find by Googling it. Read the room. Panelists speaking at the wrong technical level lose the room. The best panels get the audience involved throughout the discussion rather than saving questions for the end. It's true audience-to-panel engagement, and that creates a successful discussion that will hopefully drive attendees to rush the stage.

Speaking CEO

The ideal CEO-CISO relationship centers on risk advisory, not technical updates. When CEOs ask "tell me what I don't know," they want to understand the security landscape for their industry, get a solid soundbite about business impact, and know what you're doing about it. This isn't your moment to air grievances. Keep it focused on industry context, company-specific risks, and your response. Making the CEO look good means making your team look good. Take a holistic approach that addresses issues within larger organizational processes, not just technology silos. When asked, "Are we secure?" educate your audience that they won't be receiving a "yes" or "no" answer. Security, just like business, is a journey. Simply describe the development and hopeful improvement of the security program.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
More info: https://ciso-series.beehiiv.com/p/how-much-risk-would-a-ciso-risk-if-a-ciso-could-risk-risk?_bhlid=e7d31b67721abbeed27fba3c5d1d98366975b920

Date added Feb. 6, 2026, 11:56 p.m.
Source beehiiv
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level