Member Contribution • Weekly CISO Podcast Pick

This Week’s Pick by David B. Cross (CISO, Atlassian)

Series curated by the CISO Platform community. Spotlighting practical listens for security leaders and their teams.

The uncomfortable truth about cyber risk

CISOs are taught to assess, quantify and manage cyber risk. In practice, risk scores rarely drive decisions, reduce incidents or align stakeholders. Instead, they create false precision and internal conflict, and they slow down action.

Featured keynote — Adam Shostack (Threat Modeling Pioneer)
Delivered at Global AppSec • A critique of risk quantification and a call for pragmatic security decision-making.
Keynote excerpt • Why cyber risk fails CISOs
⏱ ~12 min read • Focus: risk fallacy • prioritization • governance • decision-making

Why this matters to CISOs

  • Risk scores do not drive decisions. Most security trade-offs are made on cost, delivery speed and usability.
  • False precision creates conflict. Heat maps and likelihood debates slow down execution.
  • Executives do not think in cyber risk. They think in outcomes, trade-offs and accountability.
  • Attackers do not iterate predictably. Probability models break down against adaptive adversaries.
  • Regulators are shifting. Prescriptive controls are replacing abstract risk narratives.

Copy-paste takeaways for your team

  • Cyber risk is often unmeasurable in practice.
  • Likelihood × impact rarely reflects reality.
  • Security decisions are engineering and business trade-offs.
  • Risk language increases friction with stakeholders.
  • Outcome-based thinking works better.

Standout ideas from the keynote

  • Stop asking for perfect numbers. They do not exist in cyber security.
  • Threat modeling beats risk modeling. Focus on what can go wrong and how.
  • Use engineering bars. Bug bars and exploitability thresholds outperform risk matrices.
  • Language shapes outcomes. Replace “risk” with hazards, failures and controls.

Try these in the next 7 days

  1. Board narrative review: Replace heat maps with concrete failure scenarios.
  2. Prioritization reset: Identify fixes blocked by “risk debate.”
  3. Bug bar audit: Define non-negotiable security thresholds.
  4. Exec alignment: Frame security decisions as trade-offs, not probabilities.
  5. Language shift: Stop using likelihood where evidence is weak.

About David B. Cross

David B. Cross is Chief Information Security Officer at Atlassian. Before Atlassian he held senior security leadership roles at Microsoft, Google and Oracle, and he began his career in US Navy aviation and electronic warfare. His work focuses on building engineering-centric security programs, scaling security operations and helping the next generation of practitioners build meaningful careers.


Want your pick featured next?

We are building a rotating slate of member recommendations from the USA, the Middle East and India. If you are a CISO or security leader, submit a link and three bullets on why it matters for other security teams.

Submit your recommendation (Members)

How we choose

  • Short, actionable outcomes for CISO teams
  • No product pitches
  • Useful beyond one region or vertical
  • Clear ideas that help security leaders explain risk, influence stakeholders and grow their teams


Share this with your leadership team


Community Manager, CISO Platform
