TL;DR
Most organisations implement cyber risk frameworks without genuinely contextualising them to their business, leading to misaligned security investments and a false sense of security. Applied risk management — the practical implementation of security controls in specific business contexts — requires a different approach.
To create effective applied risk management practices, CISOs must resist industry pressure for quick implementation, build diverse stakeholder collectives, adapt frameworks to business priorities, incorporate time dimensions into risk models, question indicators that seem too perfect, and distribute risk understanding across the organisation.
This collaborative essay by Dan Haagman (CEO of Chaleit) and Sunil Rane (CISO at Australian Radio Network) draws on their extensive experience in cyber security leadership to show how this applied perspective delivers tangible business value rather than merely ticking compliance boxes.
Context: The problem with current risk management
Cyber risk management presents a fundamental paradox: organisations need structure to manage risk, yet no framework exists that can be perfectly applied across all contexts. This creates a challenge for security leaders: how to establish a meaningful approach that reflects their specific business reality.
As Sunil observes, "Good or bad, there is no universal framework for how we manage risk. The good part is that it allows you to adapt risk and a risk model to a specific industry. But the bad part is that there is no anchor."
The pressure on security leaders to demonstrate immediate results compounds this problem: new CISOs are expected to produce quick wins, which often leads to implementations that fail to address the organisation's actual risk profile.
This rush to implementation often leads to what Dan describes as bias in programme design: "Do we rush into implementing programs, falling into groupthink and following standard norms, without taking time to pause and reflect? If so, all our subsequent investments are built on that hasty decision."
Research supports these observations. Studies show that the average CISO tenure is just 18 to 26 months, creating pressure for quick wins rather than thoughtful risk management. Additionally, Forrester research indicates that there is often a misalignment between cyber security priorities and business outcomes, which can hinder the effectiveness of security investments.
Challenges in cyber risk management
Dan and Sunil reveal four interconnected challenges that undermine effective risk management in organisations.
These challenges aren't merely technical issues but reflect deeper problems in how organisations conceptualise, implement, and maintain their risk management practices.
Understanding these challenges provides the foundation for more effective approaches.
The rush to implementation
The pressure to demonstrate immediate value drives many security leaders to implement risk frameworks hastily. "We put so much time pressure on the process of identifying risks that it sabotages our ability to properly calculate and understand them," Sunil explains.
This pressure comes from multiple sources: boards expecting quick returns on security investments, executive teams wanting immediate answers about the organisation's security posture, and industry expectations for new CISOs to deliver within 90 days.
Contrary to the industry trend of rapid implementation, a successful security leader should spend months observing before making adjustments. Dan believes that taking significant time to understand an organisation is a necessary practice that's rarely seen.
The negative consequences of rushing into risk frameworks without proper contextualisation are significant.
Organisations often adopt frameworks that don't match their business needs, invest in controls that don't address their actual risks, and create false confidence in their security posture.
As Sunil concludes, "Rushed risk assessments, driven by intense time pressure, force decisions based on speed rather than accuracy. Consequently, everything else is built upon potentially flawed foundations."
Frameworks driving business vs. business driving frameworks
Standard frameworks such as NIST's frameworks and ISO/IEC 27001 provide valuable structure, but they say little about the dimensions that matter most to business value: customers, time, and the rate at which a control's effectiveness changes.
"Where in NIST does it ever talk about customers, transitory periods of time, or rates and trends of a control? Nowhere," Dan reflects.
This framework-first approach leads many organisations to shape their security programmes around the framework rather than their business needs. "Many organisations address risk primarily through IT controls, driven by their ease of implementation, rather than a comprehensive cyber security strategy," he observes. This creates a disconnect between security efforts and business value.
Risk management tools further reinforce this disconnection. "GRC tools are designed to captivate users with features, diverting attention from critical risk analysis," Dan observes, highlighting how technology can sometimes distract from rather than support effective risk management.
Sunil warns against rigid adherence to frameworks: "Don't stick to a framework and say, that's it. This is how we measure risk." He also cautions against fragmentation: "If you've got separate frameworks for cyber, enterprise, and IT, they won't connect. It's almost like you have no framework at all."
Risk as a static snapshot vs. continuous journey
Many organisations treat risk management as a point-in-time exercise — annual assessments, quarterly reports, compliance audits — rather than a continuous process that adapts to changing business conditions. This static stance fails to capture how risks change over time and how the business's relationship to those risks evolves.
Sunil observes that organisations often lack mechanisms to incorporate time dimensions into their risk frameworks. This missing dimension means many organisations react to every small change in their risk profile or, conversely, fail to respond to gradual shifts that eventually become significant problems.
The cyclical nature of organisational attention to risk compounds this challenge.
Dan describes a common pattern where organisations respond to breaches with increased focus and investment, only to gradually return to complacency:
"Following a significant breach, there's a predictable pattern: initial alarm, then a gradual erosion of knowledge. The hard-won lessons, the root causes understood through experience, are forgotten as key personnel depart."
The tacit knowledge problem
Perhaps the most overlooked challenge in risk management is what Dan calls "tacit knowledge risk": "Tacit knowledge. It goes out the door, and the organisation doesn't see it." This happens when the understanding of risk resides in people's heads rather than in documented frameworks or processes.
The danger becomes clear when key individuals leave the organisation, taking their risk knowledge with them. This dependence on specific people creates vulnerability rather than true resilience.
The problem extends beyond individual departures to include organisational changes, mergers and acquisitions, and other transitions that disrupt the continuity of risk understanding.
As Sunil notes, "We suddenly lose all context, essentially restarting without any understanding of how we arrived at the current situation."
Solutions for more applied risk management
While these challenges may seem daunting, both Dan and Sunil offer practical solutions to address them based on years of experience in security leadership.
Their recommendations don't require abandoning frameworks entirely or massive investments in new tools. Instead, they focus on fundamentally rethinking how organisations implement risk management, emphasising business alignment, collective understanding, and practical application.
Adopt the observation effect
Instead of rushing to implement risk frameworks, effective security leaders take time to observe and understand the organisation first.
Sunil advocates for what he calls "the observation effect": "Don't challenge that status quo just yet, but raise the flag to say that we need to reevaluate and provide reasons for it."
This doesn't mean doing nothing. Rather, it involves watching how things function, identifying what works and what doesn't, and building understanding before making changes.
For organisations that need to demonstrate progress while still taking time for observation, Sunil suggests picking one part of the business, using it as a showcase or an experiment, changing the dynamic in that part of the business, and creating a feedback loop. This creates early wins while building the foundation for more comprehensive changes.
Communicating this observation-based model to stakeholders requires careful framing.
"Challenge the organisation's assumptions with reasoned arguments and propose alternative approaches. Share your initial perspectives, focusing on 'how we should approach it,' rather than dictating a definitive solution," Sunil recommends.
Have a business-first attitude
Effective risk management starts with understanding what matters to the business and its customers, then adapts frameworks to support those priorities.
Rather than starting with frameworks or tools, begin with business objectives and work backwards. "Let's wireframe what we have. Take the time to build out a wireframe and get collective agreement," says Sunil. Only after establishing a business-aligned foundation should organisations consider how frameworks and tools can support their approach.
This doesn't necessarily mean abandoning established frameworks but using them as guides rather than rigid structures. "A framework is only a guide, right? So don't be afraid to add to it," he advises. Flexibility allows organisations to benefit from industry best practices while adapting them to their specific context.
The business-first stance also addresses the problem of disconnected frameworks across the organisation. Instead of separate frameworks for cyber, enterprise risk, and IT, you create a unified understanding of risk that connects to business value.
Incorporate time into risk
Incorporating time dimensions into risk management transforms it from a static assessment to a dynamic process that reflects business reality.
This approach establishes parameters for how long a risk can exceed acceptable thresholds before requiring intervention. "Establish and agree upon clear time boundaries, similar to defining Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) in disaster recovery," Sunil explains.
Dan connects this to his aviation experience:
"Aviation offers a useful metaphor: while exceeding certain limits won't immediately cause failure, there's a 'transient window' – a defined range with upper and lower parameters – where temporary deviations are permissible."
Adding the time vector to risk management has several benefits:
Prevents overreaction and avoids unnecessary responses to temporary risk fluctuations.
Focuses resources by directing attention to sustained risk issues, not transient ones.
Provides a more nuanced view of risk trends over time.
Establishes observation parameters — defines the frequency of observation, change implementation, tolerance levels, and time limits for risk deviation.
Facilitates adaptation and enables appropriate responses to business changes (mergers, product launches, etc.) that impact risk profiles.
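To make the time boundary concrete, here is a small added illustration (our example, not the authors' tooling or any code from the article). It assumes a risk indicator sampled daily, an agreed band, and an agreed maximum deviation time, all of which are constructed assumptions. A reading outside the band opens a deviation; the deviation is only escalated if it outlives the agreed window, which is the "transient window" idea above expressed as a check a risk team could run over its own indicators. It also reports the trend of the indicator, the rate-of-change dimension the text notes frameworks leave out.

```python
"""Time-bounded deviation check for a risk indicator.

Added illustration only: the indicator, band, window and sample values are
constructed assumptions, not figures or code from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Tolerance:
    """Agreed band for an indicator and how long it may sit outside it.
    max_deviation plays the role of the RTO/RPO-style time boundary."""
    lower: float
    upper: float
    max_deviation: timedelta


@dataclass(frozen=True)
class Observation:
    at: datetime
    value: float


@dataclass(frozen=True)
class Deviation:
    start: datetime
    end: Optional[datetime]   # None while the indicator is still out of band
    duration: timedelta
    kind: str                 # "transient", "pending" or "sustained"


def _classify(duration: timedelta, closed: bool, tol: Tolerance) -> str:
    if duration > tol.max_deviation:
        return "sustained"                            # outlived the window: act
    return "transient" if closed else "pending"       # still inside the window


def find_deviations(observations: List[Observation], tol: Tolerance) -> List[Deviation]:
    """Group consecutive out-of-band readings into deviations and classify each.

    A deviation closes on the first in-band reading after it. One that has not
    closed by the last reading is reported as open (end=None) and judged on
    the time elapsed so far.
    """
    obs = sorted(observations, key=lambda o: o.at)
    deviations: List[Deviation] = []
    start: Optional[datetime] = None
    for o in obs:
        out_of_band = not (tol.lower <= o.value <= tol.upper)
        if out_of_band and start is None:
            start = o.at                          # deviation begins
        elif not out_of_band and start is not None:
            duration = o.at - start               # back in band: deviation ends
            deviations.append(Deviation(start, o.at, duration,
                                        _classify(duration, True, tol)))
            start = None
    if start is not None and obs:                 # still out of band at the end
        duration = obs[-1].at - start
        deviations.append(Deviation(start, None, duration,
                                    _classify(duration, False, tol)))
    return deviations


def escalate(deviations: List[Deviation]) -> List[Deviation]:
    """Only deviations that have outlived the agreed window are escalated."""
    return [d for d in deviations if d.kind == "sustained"]


def slope_per_day(observations: List[Observation]) -> float:
    """Least-squares slope of the indicator in units per day (the trend).
    Negative means the control is eroding even if it is still in band."""
    obs = sorted(observations, key=lambda o: o.at)
    if len(obs) < 2:
        return 0.0
    xs = [(o.at - obs[0].at).total_seconds() / 86400 for o in obs]
    ys = [o.value for o in obs]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - xm) ** 2 for x in xs)
    if sxx == 0:
        return 0.0
    return sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sxx


# Constructed sample: daily patch-compliance percentage over two weeks (assumed data).
_BASE = datetime(2024, 1, 1)
SAMPLE = [Observation(_BASE + timedelta(days=i), v) for i, v in enumerate(
    [95, 94, 93, 88, 89, 92, 91, 85, 84, 83, 82, 82, 81, 80])]
# Assumed agreement: stay at or above 90 %, and never below it for more than 5 days.
TOLERANCE = Tolerance(lower=90.0, upper=100.0, max_deviation=timedelta(days=5))


if __name__ == "__main__":
    devs = find_deviations(SAMPLE, TOLERANCE)
    for d in devs:
        end = d.end.date() if d.end else "open"
        print(f"{d.kind:9} from {d.start.date()} to {end} ({d.duration.days} days)")
    print(f"escalate: {len(escalate(devs))} deviation(s)")
    print(f"trend: {slope_per_day(SAMPLE):+.2f} points/day")
```

Run as a script, the sample produces a two-day transient dip that is not escalated, followed by an open six-day deviation that is, plus a negative trend. The values of the band and the window are the part that has to be agreed with the business, as the text says; the code only enforces what was agreed.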
Embed risk understanding
To address the tacit knowledge problem and create resilience, organisations need to distribute risk understanding across multiple stakeholders rather than centralising it in specific individuals or teams.
By ensuring that multiple people understand the organisation's approach to risk, its risk profile, and the rationale behind risk decisions, organisations reduce their vulnerability to staff turnover and organisational changes.
Building this collective is iterative. Sunil refers to it as the 'nomination effect': for example, legal contributes a risk, and together the group expands the circle by asking, 'Who else can bring value?' This creates an ever-growing network of stakeholders who contribute to and understand the organisation's risk posture.
The collective idea also addresses the problem of siloed risk frameworks across the organisation. Diverse perspectives brought together create a unified understanding of risk that connects cyber, enterprise risk, compliance, and other functions.
"The key is to make sure lots of people get it, so the whole system doesn't collapse if someone leaves or the company changes," Sunil explains.
Key takeaways
Based on the authors' experience, here are actionable insights that organisations and security leaders can implement regardless of size, industry, or current maturity level:
Take your time. Resist industry pressure to implement risk frameworks quickly. The observation effect — watching and learning before making changes — leads to more contextualised, effective risk management.
Start with the business. Begin with a clear understanding of what matters to customers and the business, then adapt frameworks to serve these priorities.
Incorporate time dimensions. Build time tolerance into risk models, allowing for flexibility and observation periods. This prevents overreaction to transient issues and focuses resources on sustained trends.
Question everything. Maintain a healthy scepticism: question even seemingly ideal situations, and trust your intuition because if something doesn't feel right, there's likely a reason.
Distribute risk understanding. Create redundancy in risk knowledge to avoid single points of failure. This builds genuine organisational resilience rather than dependence on specific individuals.
Applied risk management requires investment — not just in tools and frameworks but in time, attention, and human understanding.
This investment delivers returns through more effective risk management, better alignment between security efforts and business value, and greater organisational resilience. Security moves from being a cost centre to being a business enabler that helps the organisation take appropriate risks.
At Chaleit, we apply this business-aligned approach to risk management in all our client engagements. Our team of cyber security experts works alongside your organisation to build a risk management practice that reflects your specific business context rather than imposing generic frameworks.
Would you like to explore how these principles could transform your organisation's security posture? Let's talk.
About the authors
Sunil Rane
Sunil Rane is an experienced technology leader specialising in the design and management of information security. His experience spans diverse technology landscapes and covers a wide range of information security disciplines.
Leveraging a multifaceted background in consulting, managed services, and in-house roles across diverse industries — Banking, Financial Services, Education, Oil & Gas, Telecommunication, Media and Government — he understands complex organisational dynamics and the consultative environment.
Sunil thrives on the challenge of building a strong security culture in organisations and mentoring emerging technology start-ups. He seeks to balance high technical capability with a strategic approach that fosters business growth and promotes innovation while maintaining cyber excellence.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Sunil Rane. Dan Haagman's views also reflect the official stance of Chaleit, while Sunil Rane's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.