Cyber Security Today

Cybersecurity Isn't Managing Risk—It's Managing Threats... And That's the Problem Host David Shipley speaks with Jeff Gardner, a former university CISO and now at Morgan Stanley, about Gardner's doctoral research arguing that cybersecurity has structurally misclassified "risk management" as threat management.  Gardner explains that real risk is an expected loss calculation (impact × likelihood), while many cybersecurity frameworks and training emphasize vulnerabilities, exploitability, and system configuration without likelihood or business impact. He describes examples where teams labeled unlikely issues as "extremely high risk," discusses interviews where leaders universally expect cybersecurity staff to be risk managers, and cites findings that only about 11% of cybersecurity professionals actually perform risk calculations. Gardner outlines a practical approach using qualitative likelihood and impact scales, prioritization, and clearer business framing, and notes ongoing discussions with NIST to improve t