Andy Ellis
Podcast Appearances
We can't control the decision.
I mean, ultimately, we have a risk if we approach it with that mindset of the old thou shalt and office of no and everything.
But you can control the environment like what you were saying, Andy.
Yeah, I think why I have a visceral reaction to that is some of the faux pas that some CISOs out there make is if they bring something and an executive has a higher risk tolerance and they don't follow that exactly, there's this like, yeah, they get offended and get upset.
Right.
But the reality is we're a partner and we're going to work together to find what that right decision is.
That's okay.
I mean, risk is a business decision at the end of the day.
Some companies are going to have a high risk tolerance, some aren't.
Your job as a CISO and as a business leader ultimately is to figure that out and to meet those goals within that risk tolerance.
Yeah.
And I think, I think you've got to have the framework where you can fail quickly, right?
Like the companies that are taking a risk are not doing transformational level risk that is going to cost the company billions of dollars.
It's A/B testing, different marketing concepts.
It's trying this new technology, et cetera.
So it's not big bang risk.
It's, it's small risk.
That's tolerable.
Think the last thing, David, that you asked was about executives that want certainty. I have encountered so many board meetings and executives that say, like, "Can you tell me we won't get hacked?" And as we know, that's super dangerous to promise things, so we got to be really careful there and
be transparent that there's no sure things, but immediately pivot that conversation to how we're managing that risk to give them that comfort, right, to really enable that business goal that they're trying to do and achieve that right balance.