As digital infrastructure grows increasingly complex, cyber risk management has evolved into a discipline that extends far beyond firewalls and endpoint tools. It now requires strategic thinking, business fluency and clear communication across departments. With the attack surface expanding to include every employee, contractor and third-party vendor, the traditional notion of “IT handles security” no longer holds.
This shift is prompting security leaders to rethink how they explain risk and protection across the enterprise. Rather than lead with jargon or abstract future threats, the most effective approaches now emphasize practical, business-oriented frameworks. One approach gaining traction is the ART model — Avoid, Reduce, Transfer — a lens borrowed from finance that helps reframe security discussions in terms of cost, accountability and shared responsibility, according to Jackie McGuire (pictured, right), principal analyst, security analytics, operations and strategy at theCUBE Research.
“By taking things back to avoiding risk, reducing risk and transferring risk, we can help our security teams start to shape messaging for the non-security people in their organization to really understand why they need to do a phishing email test, why they’re being asked to use multi-factor authentication, why they can’t just spin up a database when they want to,” she said.
McGuire spoke with Savannah Peterson (left), principal analyst, consumer tech devices, developers and edge, at theCUBE Research, as a part of “The ART of Security Summit: Strategic Risk Management for CISOs” event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how cyber risk management is shifting from a purely technical focus to a strategic, business-aligned approach centered on the ART model to help organizations communicate and manage security risks more effectively across all levels. (* Disclosure below.)
Understanding cyber risk means accepting that threats are everywhere and that mitigating them isn’t solely a technical challenge — it’s a people and process problem too. Risk avoidance, the first leg of the ART model, includes limiting exposure by making informed decisions about what technologies to adopt and where access should be limited, according to McGuire.
“Avoiding is the first step. And in finance, avoiding is actually usually doing nothing,” she said. “Doing nothing in security may mean a few different things. It may mean we just don’t take this project on. To do that we have to assess the risk of every program.”
Avoidance alone isn’t enough. The next step, risk reduction, requires honest reflection on an organization’s internal capabilities and the role of external partners. Managed service providers, detection and response teams and continuous monitoring services have become vital, especially as attackers operate globally and often around the clock, McGuire explained.
“A lot of reducing risk has to do with understanding where your capabilities end,” she said. “I think if we change the way we think about partnering with managed service providers, managed security services providers, managed detection and response providers, that is one of the best ways to reduce risk.”
Even with avoidance and reduction strategies in place, residual risk remains. That’s where risk transfer enters the conversation. This can mean cyber insurance policies or contractual arrangements with service providers to ensure accountability in the event of an incident. However, as the cost and complexity of insurance rise, small and midsize businesses may struggle to qualify without support from partners.
“Cyber risk insurance is not cheap. It’s not easy to qualify for,” McGuire said. “If losses over the next couple of years continue to compound the way they have historically … it’s going to get more expensive.”
Ultimately, the ART model provides a pragmatic way to talk about security. It recognizes that some risk will always be present, but by avoiding what can be, reducing what should be and transferring what must be, organizations can better manage what’s left, and better explain those decisions in language business leaders understand.
“Security really is something that affects every single part of the organization. It doesn’t have to be your area of expertise or your job function,” Peterson explained. “All of us are constantly at risk of a lot of different types of threats that could be out there on the internet as well. In order to work that into our workflow, especially in an AI time period where we’re trying to do everything so fast … make sure that all the sensitive stuff that you work with isn’t getting compromised and the data of our customers isn’t as well.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of “The ART of Security Summit: Strategic Risk Management for CISOs” event:
(* Disclosure: TheCUBE is a paid media partner for “The ART of Security Summit: Strategic Risk Management for CISOs” event. The sponsors of theCUBE’s event coverage do not have editorial control over content on theCUBE or SiliconANGLE.)