Andy Ellis
Podcast Appearances
I absolutely love what you said there, Andy, about basically making him have an out, if you will, the great versus awful idea.
David, to your question, I think we've got to serve as a risk advisor, but it's a trusted risk advisor.
And how you're going to establish trust is bring them realistic options, right?
Not the invest $10 billion or I'm going to the street type of thing, or I told you so.
So building that trust is a big part of it.
And you got to bring it to them with the proper business context, not the classic fear, uncertainty, and doubt.
Something they're going to understand, something with mitigations, and really something that you're going to bring an advisement, say, hey, here's what I suggest, but here's the other alternatives that we've considered as part of that.
The only thing that gives me pause in that is the word control.
We can't control the decision.
I mean, ultimately, we have a risk if we approach it with that mindset of the old thou shalt and office of no and everything.
But you can control the environment like what you were saying, Andy.
Yeah, I think why I have a visceral reaction to that is some of the faux pas that some CISOs out there make is if they bring something and an executive has a higher risk tolerance and they don't follow that exactly, there's this like, yeah, they get offended and get upset.
Right.
But the reality is we're a partner and we're going to work together to find what that right decision is.
That's okay.
I mean, risk is a business decision at the end of the day.
Some companies are going to have a high risk tolerance, some aren't.
Your job as a CISO and as a business leader ultimately is to figure that out and to meet those goals within that risk tolerance.
Yeah.
And I think, I think you've got to have the framework where you can fail quickly, right?