Topic

Risk Management

2 essays in this series

December 1, 2025·3 min readGRC Risk Management Phase III — Decision Primary

Beyond GRC: Turning Signals into Business Decisions

GRC was built to create structure around regulatory requirements and produce evidence of due diligence. What it was not built for is helping organizations make better decisions about risk in real time. The gap between the signal and the decision is where most security programs lose their value.

November 3, 2025·3 min readCyber Insurance Risk Management Phase II — Understanding Primary

Risk Transfer Without Understanding: The Insurance Problem in Cyber

The organizations having the most difficulty with cyber insurance are not the ones with the worst security programs. They are the ones with the largest gap between what their policy says they have implemented and what they have actually implemented.