Arielle Waldman, Features Writer, Dark Reading
January 23, 2026

Many risk management styles thrive on fear — the fear of documenting risks and making them discoverable within the organization. Security professionals worry they'll be blamed for those risks, even if they never amount to a real problem — and if they do lead to incidents or breaches, that worry turns into panic.

But risk gets a bad rap. A cultural shift is emerging across industries in which identifying a risk, and the work it takes to mitigate it, is embraced and rewarded. Instilling that mindset can help employees feel more comfortable speaking up to leadership, boost transparency, and improve mental health, experts say.

Good Leaders Reward Risk Identification

Early in his career, Drata CISO Matt Hillary berated himself for missing risks. He operated on the premise of near-zero tolerance for risk but quickly realized it was the wrong mentality to bring to his position as a risk manager. For one, the shame, guilt, and depression he felt trickled down to other members of the organization. Second, he lost influence as a leader because he was effectively shaming others without realizing it. He replaced that behavior by applauding risk identification.

"It's a heavy weight to realize you have this dissidence that lives in your life every day as a CISO, realizing you can do everything and still have the possibility that something's going to happen — that you missed a risk or didn't do enough," he says. "It just sucks, and it's so mentally draining."

'Risk Exists Somewhere'

How organizations navigate risk matters because risk management drives road maps, whether they realize it or not, Hillary explains. Technology, which in Hillary's framing encompasses the security, privacy, legal, and finance functions, ends up being the cohort driving the idea of risk management, but it should be a companywide conversation.
"The reality is, risk exists somewhere," Hillary tells Dark Reading.

Curating an effective program in which risk is associated with progress takes legwork, but it can lead to a healthier security culture. One factor is implementing a living risk management program that runs on continuous threat identification and assessment, Hillary says. That approach makes it easier to check in with the owners of those risks when alerts sound and mitigation controls are deployed. People knowing how to reach the security team can be a big differentiator when an incident occurs — because incidents are bound to happen.

"The best technologists are security-minded," Hillary says. "I'm always glad they feel safe to share this. Even though the risks they found might be scary, it's like: 'Hey, now we know.' And then the journey starts."

Being transparent about that journey is important because it is how companies learn from incidents and can help others facing similar situations. The values of the current cohort of CISOs — transparency, openness, and sharing — can feel super scary when it comes time to notify the legal team and inform leadership.

"The first six to 12 months sucks, but you look back, and what did you learn?" Hillary adds.

Having a risk registry is another important component of a healthy risk management program. Hillary describes it as a "way to show your homework." If a breach or major incident occurs and lawyers are involved, they can make CISOs feel totally incompetent, Hillary warns. Documenting risks demonstrates the good-faith efforts he and his peers made: that they did their best to secure the organization with what they had.

"Mentally, at least having it out there [shows] there's an intentionality behind it," he says. "We aren't just the fall guy anymore, unless we were grossly negligent."

Nurture Risk Acceptance From the Start

As cyber-risks and threats magnify, CISOs are getting more face time.
Customers want to be introduced to the CISO to feel comfortable, says Stephen Boyer, Bitsight co-founder and chief innovation officer. In turn, the CISO and security team must also feel safe voicing their concerns in order to help those customers and the company.

Bitsight's security culture revolves around one important company value: humility. That means there is always something to learn, and no one has all the answers, Boyer explains. Bitsight also maintains risk registries and built-in milestones for checking risk, which takes some pressure off employees. Because those processes and checks are built in, it is no longer a question of whether someone feels comfortable raising an issue.

Bitsight embeds that mindset starting with new-employee onboarding, but whether people feel comfortable enough to report risks depends on an organization's culture and is not fixed universally, Boyer says.

"I do think it's a competitive advantage," he says. "It helps build a culture where people feel like they can raise issues which should lead to better outcomes. You can address issues faster."

The industry is moving toward resilience, which means some level of acceptable failure is inevitable, he adds. Organizations have evolved from total risk avoidance to building resilience. Boyer says conversations with other executives revealed a major evolution: Cyberattacks aren't the only imminent threat; outages prove highly disruptive as well. Companies used to feel protected simply by locking down their infrastructure, but attack surfaces and vectors have vastly expanded. Now they must assume they will lose one cloud provider, for example.

"Risk avoidance is not tenable anymore," Boyer says.

Sign of Maturity

Risk transparency must not only be communicated but rigorously enforced by the company's top-level management, says Selim Aissi, CEO and CSO of Arbor Global Advisors.
The board also needs to play a critical role in enforcing that transparency as part of its governance duties: setting risk appetite, overseeing management's risk framework, ensuring alignment with strategy, and holding the company's executives accountable, he adds.

"As CISO and board member, I personally consider people feeling comfortable reporting risk as one of the most proactive risk identification methods," says Aissi, adding that it is also a sign of a mature information security culture at a company.

Monitoring and risk assessment methods are also crucial. Feeling comfortable speaking up is one thing, but companies must also ensure they have proper reporting channels. Reporting risks haphazardly can be detrimental and lead to even larger risks that threaten the company's reputation, Aissi warns. Celebrating risk reporting means that those risks are taken seriously, measured against the company's risk appetite, and managed properly, he says.

What Does the Future Hold?

While it has proved challenging, the industry continues to shift toward more objective ways of measuring cyber-risk. Going to the board with monetary and likelihood metrics is becoming increasingly crucial to securing the resources required to tackle a growing list of cybersecurity issues.

Many CISOs would like to reach a point where they can talk with the board and chief financial officers in financial terms, Hillary says, but getting there takes an actuarial mindset rather than the traditional cyber-risk assessment many companies currently use. The question, he says, is how to use quantitative measures to make risk more objective.

"Many of us CISOs are like, 'Man, this is too hard. I want to get back to this five-by-five matrix of impact and likelihood,'" he says.
"We show up to our board meetings with a heat map and are like, 'This pixel in this critical realm moved 15 pixels to the left last quarter,' and they're like, 'What does that even mean?'"

In some cases, the CISO role is potentially a no-win scenario, Hillary adds.

"But the message is not that we are doomed for failure," he says. "It's training minds to know how to be ready because we are going to have incidents."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.
The article discusses the evolving signs of an effective security culture, emphasizing the importance of encouraging employees to openly report potential security risks to CISOs and security teams. This shift highlights a proactive approach to identifying and mitigating threats.