Here are 6 1/2 minutes of last Friday’s CISO Series Video Chat, “Hacking Risk Management: An hour of critical thinking on how we’re allocating resources against our risk posture”. This was a really popular discussion with tons of questions and packed with great advice.

Watch the full video

Joining me in this discussion were:

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our event sponsor, Reciprocity

ZenGRC by Reciprocity is an award-winning, cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at

Best Bad Idea

There were a whopping 50 bad ideas for last week’s chat. Congrats to Rick Woodward, cyber security analyst at Gibbs & Cox, Inc., for winning best bad idea. Here are a few more honorable bad ideas:

“Keep a log of all your risks and potential impacts on a public Google Docs sheet so others can provide input.” – Terry Olaes, technical director, Skybox Security

“Limit access to your risk registry to your security team.” – Anji Greene, director of security and privacy, Bazaarvoice

“All risks get put in a hat then pulled out for priority.” – Shawn Bowen, CISO, Restaurant Brands International

“Determine business criticality based on which department yells loudest during an outage.” – Steve Swift, security manager, Rehmann

Best comments from the chat room

“I think that the BCDR (business continuity disaster recovery) approach is perfect for cyber. It’s assuming the worst case probability and focusing all on mitigation and severity.” – Eli Migdal, CEO, Boardish

“Cyber risk is near and dear to our hearts, but a CFO may say ‘I’m more concerned with the threat of litigation’ and as a quantifiable dispassionate view, it’s not wrong.” – Dutch Schwartz, strategic lead, AWS Global Security Services Team, AWS

“There isn’t a dollar amount in the world that can buy a customer’s faith in your ethics back.” – Brittany Cunningham, advanced software security engineer, Relativity

“Lawyers will tell you what you cannot do, they will rarely tell you what to do. That’s the legal intersection in almost all cases.” – Chase Pettet, staff security architect, Mirantis