On this page
When it comes to cyber risk assessment, it isn’t all technical. Executives can use the skills and knowledge that inherently come along with effective organizational management and leadership.
Heather Hinton, cybersecurity specialist and instructor at Harvard Professional & Executive Development, explains some key considerations for business leaders.
Meet Our Expert

Heather Hinton
CISO at Sitecore
Defining Your Risk Appetite
The reality is that there is no such thing as 100 percent safe.
“That’s the reason you have to focus on defensible,” says Hinton. “Risk is part of what we all inherently balance every day as part of life, whether it’s crossing the street or going on the internet.”
Continuing the pedestrian analogy, Hinton explains that a person may ask themselves, “Is it acceptable for me to cross the street in the middle, or do I go to the stoplight and use the crosswalk?” She adds, “Defensible risk is that the town puts in crosswalks and puts up signs that say ‘Yield to Pedestrians.’”
| Acceptable Risk | Defensible Risk |
| Crossing the street in the middle | Crossing the street at the crosswalk/light |
While both scenarios come with a risk, how we balance it is making a decision about whether the risk is acceptable using the information available to us. This, says Hinton, is the foundation for determining organizational readiness and cyber resilience.
The 3 Pillars of Organizational Readiness
Cyber risk assessment touches many aspects of an organization, from top to bottom — and it’s not all happening in a server room. Here are three areas to prioritize.
1. People & Culture
An organization’s people are perhaps the most important factor in organizational readiness.
“You have to have an environment where people feel safe reporting mistakes or acknowledging that something might have gone wrong — and knowing that they’re not going to be held responsible for being the bearer of bad news,” explains Hinton.
Transparency of information is important in every aspect of a business, whether related to security posture or project management.
“When bad news happens in the security world, it’s often really bad news,” she continues. “Not ‘this project is going to miss its deadline by a week’ but bad like ‘all of our customer data was breached and our competitors now have access to it.’ That’s something that can be viewed as an existential threat to a business.”
People and culture also play a key role in the next two pillars: when in a pressure cooker situation, an organization needs its people to help “tell the story of what happened, of why it happened, and how we fix it.”
2. Process & Governance
In cybersecurity, process and governance are key to good decision-making to not only assess risk, but also in how you respond to a threat or attack.
There needs to be a solid framework in place to listen to all of the inputs and take in as many points of view and as much advice as possible to make a risk decision. Hinton adds that giving people a sense of ownership is key.
For example, in manufacturing, the “if you see something, say something” mentality has become second nature. On an automobile assembly line floor, any individual could push a button to do an emergency stop if they saw a quality issue. That same employee empowerment could be applied to cyber risk.
3. Technology Resilience
Strengthening your cyber resilience is key to how you can respond to an attack. Organizations must have the right systems and processes in place to maintain operations as well as recover from any type of breach. This includes how you communicate to customers and stay compliant with any industry regulations.
Risk is part of what we all inherently balance every day as part of life, whether it’s crossing the street or going on the internet.
Heather Hinton
Evaluating Cyber Resilience in Regulated Industries
While every business in every industry must be concerned with their security posture, ones in highly regulated fields have more at stake. Finance, healthcare, and manufacturing are among the industries that have strict compliance rules — and for good reason. Sensitive customer data, safety considerations, and other vital factors can be appealing to bad actors.
But what about SMB? How can smaller firms achieve high organizational readiness without Fortune 500 budgets? Hinton acknowledges that’s a challenge, but explains that there are solid resources available to support businesses with fewer internal resources, such as the NIST’s Cybersecurity Framework and the FTC’s Cybersecurity for Small Businesses website.
“You need to embrace your smallness and learn from the work of others to help you get better,” she says.
Maturity vs. Compliance: Why “Passing an Audit” Isn’t Enough
While Hinton says it sounds like a marketing catchphrase, there’s truth to the statement “being compliant is the floor, not the ceiling.”
“There are a lot of things that you do that materially impact your security that are not in those compliance frameworks. So, just because you are compliant, there’s zero guarantee that you actually are secure. It just says, ‘I am compliant with the things I have chosen to test.’”
Checklist: Preparing for the Next Risk Review
As you prepare for your next risk audit, there are a few key steps and questions leaders should be asking:
- Identify assets and priorities: Have we ranked our data by business value? Have we established what’s more important after an incident: restoring service or preserving evidence?
- Test assumptions: When was the last time we ran a non-technical tabletop exercise?
- Review third-parties: How good is the vendor’s incident response and do we have clear lines of communication established?
- Budget alignment: Is our security spend addressing our highest-impact risks, which may include training for employees and customers to reduce “the human factor”?
- Communication: Are you prepared to share board reports in “business impact” language rather than “technical” language for optimal understanding?
Hinton adds a caveat to the budget alignment: “There’s always a new technology, always a new threat actor, always a limited budget,” she explains. “So even if I got and spent everything I asked for, I wouldn’t be able to secure it to the point of zero risk.”
Next Steps: Boosting Your Expertise and Confidence in Cyber Risk Assessment
Leaders don’t need to be coders to be a champion of cybersecurity. Hinton says risk assessment is rooted in something you learn in organizational and change management courses: “Make the best decision that you can with the information and resources at hand.” But as technology changes more rapidly than ever, gaining the skills, knowledge, and framework to better assess and communicate cyber risk is beneficial for leaders in organizations of all kinds.
Prepare for the reality — and risks — of business today with Harvard Professional & Executive Development’s Cybersecurity for Business Leaders: Risk and Resilience program. You’ll build the fluency necessary to evaluate and communicate risk, collaborate with IT teams, and build a culture of security across your organization.