Here are 6 minute minutes of our best moments from CISO Series Video Chat: “Hacking Cyber Risk Quantification: An hour of critical thinking about how to measure your company’s exposure.”
Our guests for this discussion were:
- Jack Freund (@jackfreund3), vp of cyber risk methodology, BitSight
- Nick Espinosa (@NickAEsp), host of nationally syndicated show The Deep Dive with Nick Espinosa, and his daily podcast is called Nick’s Nerd News Daily.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor BitSight
Best Bad Idea

Congrats to Drew Brown, information system security developer, Federal Aviation Administration for winning this week’s Best Bad Idea.
Other honorable mentions go to:
“Assume everything is a risk and don’t allow anyone to do anything without direct verbal permission from the CEO.” – Larry Rosen, manager, security advisory, Avanade
“Let the competition tell you your risk.” – Drew Brown, information system security developer, Federal Aviation Administration
“The more security products you purchase is the best way to lower your risk.” – Dave Baideme, corporate director of information security & compliance, Canyon Ranch
“Play hot potato weekly with your C Suite…who ever lands with the potato owns ALL the risk for that week.” – Mario Simic, lead security strategist, AWS global security services, AWS
“Delete logs daily so you never record a breach or incident.” – Charles Payne, cyber security engineer
10 percent better
“Request each business group to list their most important IT system and its contribution to the company’s success.” – Roland Mueller, self-employed
“Look at your enterprise and assign risk ratings to teams/staff based on their access/use of corporate resources… i.e. your facilities staff are barely ever on a computer so the risk of them introducing a malicious event is lower than your administrative assistant that is filtering through all or your CEO’s email.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
“Any OpEx large enough to require CEO approval has security enablement built in.” – Dutch Schwartz, principal security specialist, AWS
Quotes from the chat room
“Insurance = based on past data = has ZERO relevance for Cyber Threats which are ZERODAY by design = FAIR = doesn’t work” – Eli Migdal, CEO, Boardish
“I totally agree, most are not risk experts but I think its our job to make it a clear communication exercise. Any C-level usually knows how to manage risk, ROI and such ( at least they need to know :-)).” – Eli Migdal, CEO, Boardish
“We can’t quantify the risk because we don’t do asset management.” – Paul Forst, senior manager, information security, The Bountiful Company
“Cyber insurance is failing due to lack of standard risk engineering that insurance applies to other policy lines.” – Brian Haugli, founder & CEO, RealCISO.io