Shifting mindset to harness risk, not just avoid it
When people talk about innovation in cybersecurity, they often focus on tools, technologies or frameworks.
But in my view, one of the most powerful and overlooked shifts is a change in mindset.
Elyse Gunn, Chief Information Security Officer at Nasuni.
The strongest organizations I’ve worked with are the ones that learn how to measure and harness their risk, not just avoid it.
They don’t respond to new ideas with, “We can’t, because…” but instead with, “Let’s see how we can make this happen, safely and with the right controls in place.”
Security as a competitive edge
This rethink of culture doesn’t just reduce risk, it helps organizations build competitive advantage.
When a CISO and their team are clear and communicative on where the business is and is not comfortable taking risk - in short, the business’s risk appetite - the organization is in a much better place to respond to market change.
That confidence comes from strong risk frameworks, open dialogue, and a shared understanding that effective security is a business enabler, not just a gatekeeper.
Open perspective
What makes a real difference is when people in different departments or business units bring an idea to security colleagues and they’re met with an open perspective of, “Let’s see how we can find a way to do this safely.”
That kind of response builds trust and opens the door to collaboration. When teams know that their security function is there to help them succeed, and not just to say no, they’re much more likely to ask, "Can we do this?" in the first place. It creates a culture where innovation and protection go hand in hand.
A couple of examples show the benefits:
Take an organization keen to move to more agile operations: if the security department can make an early commitment to partner with specific lines of business seeking to use faster cloud applications, it can help business unit colleagues devise a strategy in conjunction with solutions architects and trusted cloud providers to derisk and streamline cloud migration - rather than quickly veto such innovation requests on the grounds of unacceptable risk.
When security is baked-in from the beginning, rather than bolted on at the end, everyone involved in the process is happier.
Similarly, an open-minded security function will help the C-level and other departments develop a data-centric development strategy to create the foundations for machine learning and AI tools - without defaulting to data compliance risk arguments to rule out such innovation pathways.
Some business challenges will need wider collaborations between CISOs and other corporate functions: for example, World Economic Forum research in 2025 found that 66% of respondents believe that AI will affect cybersecurity in the next 12 months, but only 37% have the processes in place for safe AI deployment. Surely there is no bigger case for open minds and deeper collaboration?
Saying no, driving up risk
The opposite approach, where departmental colleagues assume that security will simply block the idea and so don’t make the request in the first place, introduces far more risk.
That’s when you end up with teams starting their own shadow IT and shadow development projects, with inadequate controls and insecure workflows, and the CISO finding out about a risk only after it’s manifested into an incident.
By saying no too often as a security professional, you don’t eliminate risk – you just drive it underground and contribute to longstanding issues. Gartner research in 2022 found that four in ten employees were already using some form of shadow IT. With the boom in browser-based AI tools, I can only imagine what that number is today.
Clear parameters
Of course, not every innovation or leftfield request gets the go-ahead. But a principled yes, one that includes communicating clear parameters and safeguards, is far more powerful than a blanket no. It means security becomes part of the solution from the outset.
It helps ensure the organization remains robust and secure in its operations while empowering teams to experiment and grow.
Agile applications and business processes with inbuilt cybersecurity differentiate and boost organizations' responsiveness. This openness, innovation and competitive edge is what good security delivers in practice.
I challenge other cybersecurity professionals to model this mindset shift and encourage others to embrace it. Because in a fast-moving threat landscape, curiosity and collaboration are strategic strengths for an organization. And businesses that harness their risk, rather than run from it, will build a powerful competitive advantage.