Jean-Baptiste Bres

Chief Information Security Officer

💡 Cyber Risk is a Trade-Off Problem



Key Points: Cyber Risk is a Trade-Off Problem
  • Cyber risk is not just technical issues; it is fundamentally about trade-offs between competing outcomes, and what to prioritise for customers.
  • Incident decisions should be driven by the nature of the threat (e.g., data exposure vs service disruption), with predefined thresholds and response plans agreed across the business before incidents occur.
  • Effective cyber leadership focuses on communicating business impact and options, not technical details, enabling executives to make informed decisions under uncertainty.
  • Strong cyber risk management requires early collaboration with the business and clear alignment on risk appetite, recognising that improving security often involves sacrificing flexibility, speed, or convenience.

20260717-001

We all know it is wrong, yet, most conversations about cyber risk still treat it as a technical problem with a technical fix: patch faster, monitor better, add another control. I think that's the wrong lens, or at least, an incomplete lens. As a CISO, every real decision I make now, whether it's during an incident or in a boardroom, comes down to what we're willing to give up to get something else. That's not a side effect of the job. It's the job.

As an example, a question I get asked often is some version of: during an incident, how do you balance dealing with a potential cyber breach with keeping the business running? I think the framing is wrong from the start. It's not a balance between what security wants and what the business wants. The starting point should be: what's the best outcome for our customers?

Sometimes that means keeping a service running when under attack. Sometimes it means taking it offline quickly to protect people. The right answer depends entirely on the threat. A confidentiality issue involving sensitive customer information can justify a completely different response than an availability issue or a transaction integrity issue, even when all are hitting exactly the same system. The system doesn't tell you what to do. The nature of the threat does.

Which is such decision can't be made in the moment. We need clear agreement in advance, between security, technology, risk and the business, on what outcomes we're protecting and what thresholds trigger which response. For our critical operations, that means defining ahead of time what level of risk justifies continuing to operate, operating in a degraded mode, or shutting a system down: could customer data be exposed, what type, could false transactions occur, how confident are we in the integrity of the service, how long can we safely sit in that state before the waiting itself becomes the bigger risk. Having those lines agreed before an incident happens saves enormous amounts of time when you're under pressure and don't have any to spare.

None of this is limited to incident response anymore, either. With new AI frontier models, AI accelerates both the discovery and the exploitation of vulnerabilities. We're now having the same conversations proactively, about patching, not just about breaches. If patching windows shrink from days to hours, we won't have the luxury of extensive testing, which in turn increase our risk of disruption of the systems we are trying to protect. The CrowdStrike incident 2 years ago is a perfect illustration of this.

So now, the question becomes how much operational risk we're prepared to accept to reduce cyber risk quickly. Those aren't hypothetical discussions. We're having them now, because waiting until the event occurs is often too late.

The objective isn't to protect the system. The objective is to protect the customer. Sometimes that means keeping the service running. Sometimes it means turning it off. Either way, someone has to have decided, in advance, which one it is.

Decisions Are Only as Good as the Room Making Them

People often underestimate that any decision is only as good as the understanding of the people making it. For us, cyber experts, we need to remember that when we are having these discussion within our organisations, executives and other participants aren't looking for a lesson in cyber security. They're looking for enough information to make a good decision. So try not to start with the technical issue. Start with the consequence.

I wouldn't say "we have a critical vulnerability with a CVSS of 9 out of 10, we need to fix it." I'd say: if this is exploited, it could result in unauthorised access to customer information, disruption to a critical service, or an impact on the integrity of transactions. The conversation immediately becomes more useful, because we're talking about customer outcomes and business impact rather than technical severity.

Just as important, security teams shouldn't bring problems to the table. We should bring options. Patch immediately, and reduce cyber risk while accepting operational risk and potential business impact. Delay to complete more testing, and reduce change risk while accepting a longer window of exposure. Implement compensating controls while a permanent fix is prepared. My job isn't to pick the option for the room. It's to lay out the trade-offs, the residual risk in each, and the assumptions we're making to get there.

And we have to be honest about uncertainty. We rarely have perfect information in cyber security. We may not know whether an actor has already exploited a vulnerability, whether other systems are affected, or how fast the threat is moving. Good risk communication isn't about pretending to have certainty we don't have. It's about explaining the uncertainty clearly enough that leaders can still make an informed call. Success, for me, isn't measured by how well I describe the threat. It's measured by whether the organisation can make a timely decision that protects customers and manages risk appropriately.

Executives don't need a better description of the threat. They need a better understanding of the choices in front of them.

The Same Logic Scales All the Way Up

Once you see risk this way at the level of a single incident, you start seeing it everywhere else too, including in how the security function itself operates.

It comes to moving conversation inside the organisation from "can we do this" to "how can we do this safely." Historically, security got brought in late. A business initiative or technology change would be largely designed, and only then would security be asked to review it and find the risks. By that point the conversation is naturally about control gaps, because the decisions have already been made. Working with a risk lens rather than technology lens helps change that dynamic. We engage earlier and help the business see the opportunity and the risk as part of the same conversation, instead of assessing decisions after the fact.

I can recall an interesting Board discussion I had in a previous role about reducing the risk of data leakage. The question from the board was essentially: how do we get that risk down to low? I worked toward shifting the conversation away from the rating itself and towards what a genuinely low risk appetite would actually mean in practice, because every level of risk comes with a corresponding level of control. If you want an extremely low probability of data leakage, we can move in that direction. But it means accepting real restrictions on how the business operates: preventing staff from sending emails externally, tightly restricting data sharing, locking down how information moves. Once you frame it that way, the conversation stops being about whether a control exists and becomes a discussion about customer outcomes, operational impact, and how much freedom the organisation is prepared to trade for risk reduction.

Cyber Risk Is a Trade-Off Problem

If I can pass on to you a single piece of advice today, it would be: stop talking about cyber risk in isolation. Increasingly, the decisions we call cyber decisions aren't cyber decisions at all. They're trade-off decisions.

For years, most organisations assumed (or, more likely, hoped) they could improve security, customer experience, delivery speed and operational resilience all at the same time. While it is not impossible, it is extremely complex. And we the acceleration of delivery and the change of our cyber threat environment,, we're seeing more situations where those objectives are genuinely in tension. How much operational risk are you willing to accept to deploy a critical patch faster? How much flexibility are you willing to give up to reduce the likelihood of data leakage? How much dependency on a handful of large technology providers are you willing to accept in exchange for innovation and scale? None of those are security questions. They're business questions.

AI is going to accelerate this. The speed at which vulnerabilities are discovered, exploited and weaponised will keep increasing, and organisations will have less time to debate and more need to act. The winners won't be the organisations with the best technology or the most controls. They'll be the ones who've already had the difficult conversations about risk appetite, trade-offs and priorities.

Because when pressure arrives, clarity is what matters.
Clarity on what you're protecting.
Clarity on what you're willing to sacrifice.
And clarity on who gets to make the decision.


Disclaimer: This article is not legal or regulatory advice. You should seek independent advice on your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of AMP or its staff. Artificial Intelligence Technology was used to proof-read this article.

Linkedin Icon

Follow Jean-Baptiste Bres on Linkedin