Risk as Opportunity

From Avoidance to Strategic Exploitation


TL;DR

Opportunity and risk are two sides of the same coin, yet familiar practices can hold back organisations that are trying to move forward. To drive meaningful progress, security leaders must operate in an uncomfortable space where they are pushed beyond safe, predictable decisions and encouraged to engage with calculated risks.

Experts Shana Uhlmann and Dan Haagman propose a proactive approach to risk exploitation where CISOs learn to balance risks with opportunities using well-defined tolerances and strategic investment. The shift from simply avoiding risk to engaging with it in calculated ways helps businesses remain competitive, resilient, and innovative.


Context

The role of cyber security leaders has traditionally been defensive, focusing on minimising risks and building strong protective barriers. However, a purely defensive stance can hinder growth and actually increase vulnerability. It's also stressful.

Cybersecurity Ventures estimates that cyber crime will cost the world $10.5 trillion annually by 2025, up from $3 trillion in 2015, which points to the need for more adaptive, strategic approaches to risk.

The evolving Chief Information Security Officer (CISO) stance now demands active empowerment of business progression while protecting the most critical functions. As companies adopt digital transformation, cloud computing, AI and other emerging technologies, CISOs must understand how they enable innovation and growth to secure the business's future and simultaneously secure its current operations.

Through their collaborative insights, Shana Uhlmann, IT Director at Tattarang and Chief Information Security Officer for Tattarang and the Minderoo Foundation, and Dan Haagman, CEO of Chaleit, outline how modern CISOs can drive business value not by eliminating all risks but by managing them strategically.

This piece explores the challenges CISOs face today and presents a roadmap for transitioning from risk avoiders to risk exploiters, focusing on empowering leaders to make decisions that align cyber security with business growth.


Challenges

The transformation from risk avoidance to risk exploitation isn't an easy one. Organisations face deeply embedded cultural, structural, and psychological barriers that must be addressed before effectively changing their approach to cyber security. Risk exploitation occurs most naturally in periods of planned growth but can actually deliver the greatest dividends in the lean years of stability or cost cutting.


The technical trap

Many CISOs come from technical backgrounds where success is measured by the ability to prevent security incidents. Both Dan and Shana observe that this type of background is not necessarily the best one, as it creates a mindset focused on control and prevention rather than strategic risk management. It can also leave CISOs "in the weeds" of the many threats a business faces instead of lifting their gaze to the few threats that could capsize the ship.

As Shana notes, "When we grow our CISOs from technical backgrounds, what we are teaching them is how to be risk-safe. We 'empower' them with a checklist of best practices." This can lead to security leaders finding "their place of safety in holding knowledge that no one else understands" rather than engaging with vulnerability, asking contextual questions and actively delivering the business strategy. 

The technical trap manifests in several ways:

  • Overemphasis on technical controls at the expense of business enablement.
  • Difficulty communicating security concepts to non-technical stakeholders.
  • Tendency to seek perfect security solutions rather than acceptable risk levels.
  • Focus on tactical responses rather than strategic planning — essentially a bottom-up approach of technical controls instead of a top-down "what does the business absolutely need to achieve?" approach.

Dan explains that this pattern can itself increase organisational risk by producing rigid, inflexible security frameworks. It also feeds a wider set of misconceptions about risk.


Misconceptions about engaging with risk

Many leaders equate risk engagement with recklessness. However, as Shana explains, engaging with risk does not mean being negligent but involves understanding and operating within clear risk tolerances. 

Misinterpreting risk engagement as inherently dangerous leads to a cautious approach that can stifle innovation and prevent organisations from seizing valuable opportunities. It is also fiscally wasteful, which, in turn, is negligence of its own kind. 

It's especially difficult to overcome these misconceptions when security leaders carry a heavy weight on their shoulders. 


The burden of risk ownership

CISOs are often wrongly perceived as the sole owners of cyber security risk, a critical challenge in current leadership that has serious consequences. 

Burnout is prevalent among CISOs due to the immense pressure to maintain high security standards while often shouldering full responsibility for risk outcomes.

91% of CISOs say they suffer from moderate or high stress, according to a Nominet study. A 2023 Gartner Peer Community survey identified "unrealistic expectations" and "the risk of security incidents negatively impacting reputation and career" as two of the top causes of burnout among cyber security leaders.

 

Shana points out that without a clear delineation of risk ownership, support from business leaders and a more nuanced understanding of their own responsibilities, CISOs are likely to continue facing unsustainable stress levels.

This misalignment of responsibility often results in:

  • CISOs feeling personally responsible for all security incidents
  • Hesitation to accept any level of risk
  • Difficulty delegating security decisions to business owners
  • Increased stress and burnout among security leaders

Instead, the CISO should focus on identifying risks in the business-critical (top three) functions, making recommendations, and helping business leaders make informed decisions about living within their own business risk model.


The balance of investment

Organisations struggle with balancing security investments against business opportunities, which creates a tension between security and business growth that must be carefully managed. 

Consider a clothing manufacturer: every dollar invested in security controls is a dollar not spent on new materials, designs, or marketing initiatives. The opportunity cost must be carefully weighed against the potential risks and benefits of each investment decision. And the investment must point a path to business growth in manufacturing and selling more clothes! 

As Dan emphasises, CISOs must ensure that security investments align with broader business goals, optimising resources while safeguarding the organisation.

Let's look at some strategies to overcome these challenges. 


Solutions

Drawing from their extensive experience, Shana and Dan present a framework of practical solutions organisations can implement to shift from risk avoidance to risk exploitation. These approaches range from mindset changes to specific methodologies for decision-making and risk assessment.


Build a culture of risk exploitation

Rather than avoiding risk entirely, Shana advocates for risk exploitation, where organisations engage with risk within predefined tolerances.

Just as parents must learn to let their children face challenges and even fail safely, security leaders must create an environment where teams can explore, make mistakes, and learn without catastrophic consequences. Provide guardrails and gradually move them as the organisation grows.

This cultural shift from avoidance to exploitation can yield significant benefits. PwC's Global Risk Survey reveals that organisations adopting strategic risk management are five times more likely to achieve superior business outcomes and twice as likely to anticipate accelerated revenue growth. 

Strong risk management not only shields against threats but also empowers organisations to pursue growth. Becoming a "risk exploiter" rather than a "risk avoider" entails the following: 

  • Operating comfortably with some high-risk items on the risk register
  • Understanding that perfect security is neither possible nor desirable
  • Accepting that isolated compromises can validate security investments
  • Focusing on recovery capabilities for unavoidable risks

For example, when implementing a new business capability, consider launching with an MVP (Minimum Viable Product) rather than waiting for perfect security controls, Shana advises. This allows the organisation to realise benefits faster while managing risks through careful monitoring and incremental improvements. There is a window of early adoption where the risk is inherently lower, and you have time to understand how your new capability will actually be used. Then, you can supplement risk governance with this new knowledge, saving time and money while building growth.


Understand risk dynamics

Shana introduces a sophisticated approach to risk assessment that goes beyond simple likelihood calculations. She explains three critical components that security leaders must consider: likelihood, consequence, and the often-overlooked window of opportunity. 

"Multiply your likelihood by your window of opportunity," she explains. This multiplication is crucial for understanding that true risk levels are not static. For example, "When you publish a new website, your risk is low in the first minute because nobody knows it's there. A year later, if you've been doing heaps of branding and marketing, a lot more people should know it's there. So your risk is increasing." Try visualising how the likelihood changes over time.

The window of opportunity, the timeframe during which a risk could actually be exploited, deserves its own attention. Consider: how does the risk change if you set your MFA session lifetime to 10 hours versus 18? And on the flip side, how does each setting affect workforce productivity? To answer this, you need to be intimate with how your organisation works and what it strives to achieve.
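One way to make the three components concrete, added here as an illustration and not a model from the authors: likelihood is treated as a per-hour rate, grown with a discoverability curve for the new-website case, and an MFA session lifetime is split into hours that buy productivity and hours that are pure window of opportunity (the token is valid but nobody is at the keyboard). It also shows, beyond the text, that "likelihood times window" is the small-number approximation of the exact probability of at least one success in the window. The curve shape, half-life, theft rate and dollar figures are assumptions.

```python
"""Dynamic risk: likelihood x window of opportunity x consequence.

Added example, not the authors' model. The curve shapes, rates and
dollar figures below are assumptions chosen to make the reasoning visible.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    likelihood: float    # probability the threat acts in any given hour (assumed per-hour rate)
    window_hours: float  # window of opportunity: hours during which it can succeed
    consequence: float   # cost if it succeeds, in arbitrary units (dollars here)

    def linear_estimate(self) -> float:
        """The back-of-envelope rule from the text: likelihood x window x consequence."""
        return self.likelihood * self.window_hours * self.consequence

    def expected_loss(self) -> float:
        """Exact version: probability of at least one success in the window, times cost.
        For small likelihood x window the two agree; for long windows the linear
        rule overstates risk because it can exceed probability 1."""
        p_any = 1.0 - (1.0 - self.likelihood) ** self.window_hours
        return p_any * self.consequence


def discoverability(days_since_launch: float, half_life_days: float = 90.0) -> float:
    """Share of the attacker population that has found a new site by day t.
    Assumed saturating curve: 0 at launch, 0.5 at half_life_days, tending to 1.
    Heavy marketing shortens the half-life; a quiet launch lengthens it."""
    return 1.0 - math.exp(-math.log(2.0) * days_since_launch / half_life_days)


def website_daily_risk(days_since_launch: float, peak_rate_per_hour: float,
                       consequence: float, half_life_days: float = 90.0) -> float:
    """Expected loss from one day of exposure. Likelihood is not static: it grows
    with discoverability, so the same site carries more risk at day 365 than at
    minute one."""
    rate_now = peak_rate_per_hour * discoverability(days_since_launch, half_life_days)
    return Risk(rate_now, 24.0, consequence).expected_loss()


def session_exposure(lifetime_hours: float, shift_hours: float) -> tuple:
    """Split an MFA session lifetime into hours that buy productivity (someone is
    working on the session), hours that are pure window of opportunity (the token
    is valid after the user has gone home), and re-auth prompts per shift."""
    productive = min(lifetime_hours, shift_hours)
    idle = max(0.0, lifetime_hours - shift_hours)
    prompts_per_shift = math.ceil(shift_hours / lifetime_hours)
    return productive, idle, prompts_per_shift


def compare_session_lifetimes(lifetimes, shift_hours=9.0, theft_rate_per_hour=1e-4,
                              consequence=50_000.0) -> dict:
    """For each candidate lifetime report the risk side (expected loss from a stolen
    token that stays valid while nobody is working) and the productivity side
    (prompts per shift). theft_rate_per_hour and consequence are placeholders."""
    out = {}
    for lt in lifetimes:
        productive, idle, prompts = session_exposure(lt, shift_hours)
        idle_loss = Risk(theft_rate_per_hour, idle, consequence).expected_loss()
        out[lt] = {"productive_hours": productive, "idle_hours": idle,
                   "prompts_per_shift": prompts, "idle_expected_loss": round(idle_loss, 2)}
    return out


if __name__ == "__main__":
    for day in (0, 30, 90, 365):
        print(f"day {day:>3}: daily expected loss ${website_daily_risk(day, 0.01, 100_000):,.0f}")
    for lt, row in compare_session_lifetimes((4, 10, 18)).items():
        print(f"{lt:>2}h session: {row}")
```

With a nine-hour shift, a 10-hour lifetime leaves one idle hour of valid token and costs one prompt per shift; an 18-hour lifetime costs the same single prompt but leaves nine idle hours, so the extra eight hours buy no productivity and are pure window of opportunity. That is the kind of comparison the question in the text is asking for, and the numbers only mean something once the theft rate and consequence reflect your own organisation.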

This dynamic view of risk challenges traditional models that treat risk as a fixed metric, which leads us to another perspective that needs changing. 


Learn from compromise

Incidents are often viewed as failures, but Shana and Dan agree on a different perspective: an isolated compromise can validate your security strategy.

"Even with the best detection techniques, there are always unknown unknowns," Shana explains.

  • Some attacks will penetrate defences - and we should let them!
  • Not all threats can be prevented.
  • Some risks might not be detectable immediately.
  • Complete prevention is often cost-prohibitive and takes money away from core business.

Rather than striving for perfect prevention, learn from each incident. An isolated compromise can demonstrate that your security investments are appropriately balanced across:

  • Prevention mechanisms
  • Detection capabilities
  • Response procedures
  • Recovery planning

The key is knowing your business tolerances across financial, brand and reputation and operational costs; making conscious decisions about risk acceptance; and evaluating whether the current detection and response capabilities provide adequate protection within those acceptable risk parameters.

If your retail business doesn't act to prevent or report every item of shop theft, then nor should the cyber program act to prevent or report every incident. 


Use the three-bucket approach

To ease communication between cyber security teams and business leaders, Shana has developed a "three-bucket" risk model:

Bucket 1: Risks that are under control and have appropriate preventive measures.

- Common threats with established, simple controls
- Incidents that can be effectively prevented or detected
- Risks with clear mitigation strategies, including full restore from backup

Bucket 2: Risks that have some measures but may benefit from further investment.

- Emerging or growing threats requiring new controls, which may arise from the external environment or from internal organisational growth
- Areas where additional investment could reduce risk
- Scenarios requiring business decisions on acceptable risk levels

Bucket 3: Risks that cannot be effectively controlled with the available resources.

- Supply chain compromises
- Social media-related risks
- Unmanaged personal devices

The three-bucket approach lets CISOs focus on the most relevant risks within their control and communicate more efficiently with stakeholders. But how can you better tackle budget discussions?


Evaluate investments strategically

When first starting out, Shana suggests implementing a simple, structured approach to evaluating security investments using four key metrics: 

  • Cost: Direct and indirect financial impact (tip: consolidation reduces cost)
  • Time: Implementation and ongoing maintenance requirements
  • Complexity: Technical and organisational challenges
  • Business value: Potential benefits and opportunities

 

Rate each factor on a 1-3-5 scale to get a clear framework for prioritising security initiatives and aligning with business objectives.

However, as Shana emphasises, the true value of this exercise lies not just in the scoring itself but in the questions that arise from the results. 

  • For low-scoring high-priority items, ask: Why have I said they're high priority if they're not scoring well? Does this mean there is something simpler that can offer value sooner?
  • For high-scoring excluded items, ask: Why wasn't I going to do that first?
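The scoring exercise and the two challenge questions, implemented as a small decision-support script. This is an added example, not a tool from the authors. One assumption the page does not state: every factor is oriented so that 5 is the favourable end (cheap, quick, simple, high value), which is what makes a single total comparable across initiatives; "low-scoring" and "high-scoring" are taken relative to the median total of the portfolio being compared. The portfolio itself is constructed for illustration.

```python
"""1-3-5 scoring of security initiatives, with the challenge questions that
should follow from the scores.

Added example, not the authors' own tool. Assumption not stated on the page:
every factor is rated so that 5 is the favourable end (cheap, quick, simple,
high value), so a single total is meaningful.
"""
from dataclasses import dataclass
from statistics import median

SCALE = (1, 3, 5)
FACTORS = ("cost", "time", "complexity", "value")
MAX_SCORE = 5 * len(FACTORS)


@dataclass(frozen=True)
class Initiative:
    name: str
    cost: int         # 5 = cheap (direct and indirect), 1 = expensive
    time: int         # 5 = quick to implement and maintain, 1 = slow
    complexity: int   # 5 = technically and organisationally simple, 1 = hard
    value: int        # 5 = high business value or opportunity, 1 = low
    declared_priority: str  # what the sponsor said before scoring: "high", "low" or "excluded"

    def __post_init__(self) -> None:
        for factor in FACTORS:
            if getattr(self, factor) not in SCALE:
                raise ValueError(f"{self.name}: {factor} must be one of {SCALE}")
        if self.declared_priority not in ("high", "low", "excluded"):
            raise ValueError(f"{self.name}: unknown declared_priority")

    def score(self) -> int:
        return sum(getattr(self, f) for f in FACTORS)


def rank(initiatives) -> list:
    """Highest total first; ties broken by business value so a cheap-but-pointless
    item does not outrank a valuable one."""
    ordered = sorted(initiatives, key=lambda i: (i.score(), i.value), reverse=True)
    return [(i.name, i.score()) for i in ordered]


def challenge_questions(initiatives) -> list:
    """Generate the two questions from the text mechanically: a declared-high item
    that scores below the portfolio median, and an excluded item that scores at or
    above it. The median cutoff is an assumed threshold, not a prescribed one."""
    cutoff = median(i.score() for i in initiatives)
    questions = []
    for i in initiatives:
        s = i.score()
        if i.declared_priority == "high" and s < cutoff:
            questions.append(
                f"{i.name} is marked high priority but scores {s}/{MAX_SCORE}: "
                "why is it high priority, and is there something simpler that offers value sooner?")
        elif i.declared_priority == "excluded" and s >= cutoff:
            questions.append(
                f"{i.name} was excluded but scores {s}/{MAX_SCORE}: why wasn't this done first?")
    return questions


# Constructed portfolio; names and ratings are illustrative, not from the article.
PORTFOLIO = [
    Initiative("EDR rollout to all endpoints", cost=3, time=3, complexity=3, value=5,
               declared_priority="high"),
    Initiative("Custom SIEM correlation engine", cost=1, time=1, complexity=1, value=3,
               declared_priority="high"),
    Initiative("Enforce MFA on the VPN gateway", cost=5, time=5, complexity=3, value=5,
               declared_priority="excluded"),
    Initiative("Replace firewall vendor", cost=1, time=3, complexity=3, value=1,
               declared_priority="low"),
]

if __name__ == "__main__":
    for name, s in rank(PORTFOLIO):
        print(f"{s:>2}/{MAX_SCORE}  {name}")
    for q in challenge_questions(PORTFOLIO):
        print("?", q)
```

Run against the constructed portfolio it surfaces exactly the two conversations the text describes: the custom SIEM engine was declared high priority but scores 6/20, and the VPN MFA enforcement was left off the list despite scoring 18/20. When two sponsors bring competing initiatives, score both in the same portfolio so the comparison is against a shared cutoff rather than each sponsor's own framing.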

 

The scoring system also helps resolve competing priorities. When two stakeholders present different initiatives but there's only budget for one, Shana suggests bringing them together to perform the scoring exercise. Instead of competing, they start supporting each other. They realise the value of each other's ideas and how they can complement one another, fostering collaboration rather than conflict.

However, even with the best frameworks and processes in place, errors are inevitable. 


Leverage the power of wrong decisions

With some sources citing that leaders make an average of 2000 decisions every hour, successful security leaders must learn to live with the fact that they will not always make the right decisions. 

In fact, Shana emphasises that leaders in fast-paced, innovative environments can expect to make "wrong" decisions about 70% of the time. The concept, parallel to baseball players who make the Hall of Fame despite failing 70% of the time at bat, illustrates an important distinction between "wrong" and "bad" decisions:

  • Wrong decisions are calculated risks taken with proper planning and monitoring, allowing for course correction. These are crucial to developing your workforce and building a high-productivity environment.
  • Bad decisions are choices made without sufficient planning or understanding, leading to situations that are difficult to escape or repurpose.

 

The key is to create an environment where "wrong" decisions are seen as learning opportunities rather than failures. 

Shana notes that "being able to manoeuvre through wrong decisions instead of being stuck in bad decisions is what leads to success. And if an organisation isn't making more wrong decisions than right decisions, they probably aren't taking enough calculated risk to capitalise on opportunity". 

McKinsey's research shows that organisations with strong decision-making frameworks excel not only by making high-quality decisions quickly but also by aligning those decisions with strategic goals. 


Educate CISOs to become business-aligned leaders

To efficiently overcome challenges, CISOs must be trained in decision-making, strategic thinking, and communication.

CISOs who can articulate risks in terms of business objectives foster more effective partnerships with executives. According to EY's 2023 Global Cybersecurity Leadership Insights Study, the most successful CISOs excel in communication, speaking the language of both the C-suite and the workforce.

Leadership development should start early in security professionals' careers, giving them opportunities to understand why the organisation exists, make decisions with a limited blast radius, learn from both successes and failures, develop business acumen alongside technical skills, and practice communicating with non-technical stakeholders.


Take control of horizon scanning

In risk management, "direction matters more than pace," Shana emphasises. This doesn't mean moving slowly but rather ensuring movement aligns with strategic goals.

While vendors constantly push new solutions and technologies, true strategic leadership requires a more thoughtful approach to future planning.

"You are responsible for your own horizon scanning rather than vendors providing you your ideas exclusively," Shana believes. 

When evaluating new capabilities and technologies, she advocates for a hierarchical approach:

  • Reuse existing technologies and capabilities
  • Borrow or adapt solutions from other departments
  • Buy new solutions when necessary
  • Build custom solutions only when there's significant benefit realisation

 

This framework helps security leaders better assess which technologies and approaches truly align with their organisation's needs and direction rather than being swept along by trends. 

The last step should always be to agree which product features you are not using — just because they exist doesn't mean they are value for money, time or effort in your organisation.


Key takeaways

  1. Success in cyber security leadership requires shifting from risk avoidance to risk exploitation within defined tolerances.
  2. CISOs must know the top 3 business goals and should focus on translating security risks into business impacts against these top 3 rather than technical details.
  3. Making "wrong" decisions quickly and learning from them is usually better than making perfect decisions too late.
  4. The goal isn't to eliminate all risks but to consciously accept and manage them while enabling business growth. Don't stop all shoplifting!
  5. Direction matters more than pace in security strategy — leaders must have a clear vision while remaining flexible in their approach.

 

Cyber security leadership isn't about building impenetrable walls — it's about enabling the business to take calculated risks while maintaining appropriate visibility and response controls. 

As Shana puts it, "If you're not terrified, you're not trying." This new paradigm requires security leaders to embrace discomfort, think strategically, and focus on business outcomes rather than technical perfection, knowing the outcomes are worth it. 

If you're ready to transform your approach to cyber security leadership and risk management, Chaleit can help. Every organisation's journey is unique, and we can help you develop and implement a tailored approach that aligns with your business objectives while maintaining appropriate security controls. Let's talk.


You might also enjoy reading: The Art of Risk Management, a collaborative essay by Benjamin Stephan, CISO, and Dan Haagman, CEO of Chaleit


About the authors

Shana Uhlmann

Shana Uhlmann (she/her) is the IT Director at Tattarang and Chief Information Security Officer for Tattarang and the Minderoo Foundation. Prior to this, she was Assistant Director-General of Cyber Defence Capability at the Australian Cyber Security Centre, where she was responsible for the delivery of a variety of cyber defence capabilities.

Shana brings nearly 20 years of Government experience in cyber operations and capability development, including time spent in the UK as a technology liaison. In these roles, Shana was noted for successfully delivering outcomes against a breadth of key Government investment programs spanning network engineering, cloud infrastructure, and cyber defence capabilities. 

Shana is passionate about the future of identity and asking the right questions to articulate threats, live close to risk boundaries and drive investment dollars further. She combines this passion with her past experiences to craft pragmatic technology approaches to modern business challenges.


Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.


Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Shana Uhlmann. Dan Haagman's views also reflect the official stance of Chaleit, while Shana Uhlmann's views are her own and do not necessarily represent the official position of her organisation. Both authors share their perspectives to foster learning and promote open dialogue.

James Arvanitakis

Director, Forrest Research Foundation. Cultural Researcher, Respectful Disagreement, Nano-Cultures, the educational power of discomfort

1mo

Hey Dan and Shana, this is awesome. The opportunities that emerge from risks are rarely taken and really are a marker of success!

Jane Frankland

Cybersecurity Influencer | Advisor | Author | Speaker | LinkedIn Top Voice | Award-Winning Security Leader | Awards Judge | UN Women UK Delegate to the UN CSW | Recognised by Wiki & UNESCO

1mo

Such a thorough review of cybersecurity and risk management / exploitation which everyone should read. Great job Dan Haagman & Shana Uhlmann! 👏👏👏

Andrew Morgan

Chief Information Security Officer | Information Security | Physical Security | Personnel Security | Experienced Security Risk Professional

1mo

Amazing piece of work Shana and Dan. Love it!!

Shana Uhlmann

CIO/CTO/CISO | Strategic Leader in Complex IT Environments | Driving Digital Transformation

1mo

This was so enjoyable to explore and analyse with you Dan Haagman. Understanding our personal risk setting, how that translates to our conduct in the office and in our roles, and what we should be aiming for is so critical to success!
