HSToday Editorial Board Member Ann Dunkin is calling on organizations to move beyond what is described as “compliance theater” and adopt living risk registers to drive meaningful cybersecurity outcomes.
In a recent interview with Security Digest, Dunkin – a four-time enterprise CIO and Distinguished Professor at Georgia Tech – drew on her experience leading IT operations at the U.S. Department of Energy and the Environmental Protection Agency to explain how regulatory checklists can crowd out real risk reduction.
“I see the risk register as tactical. It reflects what’s happening day-to-day, whereas the security plan is strategic. It sets the big picture and drives the five-year operating plan,” Dunkin said.
She pointed to structural challenges in government, where mandates often come without funding. “In government, the reason CIOs and CISOs get so many compliance items is because the people who deeply understand the risks are not the same people who control the funding,” she said. “It comes as yet another unfunded mandate, where Congress will direct an agency to perform an action and then provide no money for it.”
Rather than treating compliance and security as competing priorities, Dunkin recommends embedding compliance into a quarterly, continuously updated risk register that calculates risk by likelihood and consequence.
“You can build the consequences of non-compliance into your risk register in a way that brings the most important compliance items to the top,” she said. “If you determine the consequence of not complying means the business gets shut down, that item will move to the top of your risk list.”
She also stressed the importance of strong governance and CIO-CISO collaboration, noting, “The best thing a CIO and CISO can do is work as a team… That teamwork is how security is not bolted on after the fact, but it’s built in.”
As AI-driven threats grow, Dunkin warned that static checklists leave organizations exposed. “Defenders know that attackers are going to be using AI against them, so they must use AI themselves as part of their defense,” she said.
Her message: treat risk management as a living process – not a paperwork exercise.
(AI was used in part to facilitate this article.)