Skip to main content

When Leadership Says “Keep Us Safe”: Finding Cyber Risk Tolerance in the 10-K

 One of the most common questions cybersecurity professionals ask executive leadership is:

“What is the organization’s risk tolerance when it comes to cyber risk?”

And one of the most common answers they get back is:

“Keep us safe.”

“Don’t let a breach happen.”

While well-intended, these answers don’t actually define risk tolerance. No organization can be perfectly safe, and “no breaches ever” isn’t a strategy—it’s a hope. When leadership can’t (or won’t) clearly articulate cyber risk tolerance, you need to look elsewhere for clues.

One of the most useful—and often overlooked—places to find them is the company’s 10-K report.


Why Risk Tolerance Matters


Risk tolerance drives real decisions:

  • How much downtime is acceptable?
  • How much data exposure is tolerable?
  • How much money should be spent on security controls?
  • Which risks are accepted versus mitigated?

Without understanding leadership’s tolerance, security teams either over-invest (creating friction and wasted spend) or under-protect (creating unacceptable exposure).


The 10-K: Executive Risk Thinking, in Writing


A public company’s 10-K is an annual filing that details financial performance, business operations, and—most importantly for security leaders—risk factors. These disclosures are reviewed by legal teams and executive leadership, which means they reflect what leadership is willing to formally acknowledge as material risk.

When you read the 10-K, focus on:

  • Risk Factors section
  • Management’s Discussion and Analysis (MD&A)
  • Any section referencing cybersecurity, data breaches, operational disruption, or regulatory exposure

Pay attention to:

  • How strongly cyber risk is worded
  • Whether breaches or data loss are explicitly mentioned
Labels:

Popular posts from this blog

Winning the Room: How to Gain and Keep Executive Support

Blog Series: Your First 90 Days as a CISO Post 4 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders Here's a truth that many talented security professionals discover too late: you can be technically brilliant, deeply experienced, and genuinely committed to protecting the organization — and still fail as a CISO if you don't have executive support. Security programs require funding. They require organizational authority. They require the ability to make decisions that sometimes create friction for other business units. They require the backing to hold lines when the pressure to cut corners for speed or convenience is intense. None of that happens without the support of the people at the top of the organization. And yet, earning and keeping executive support is exactly the area where security leaders most often struggle. The technical skills that make someone a great security professional don't automatically translate into the c...
Read more

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar but amplified challenge: innovation is happening faster than governance, and unmanaged generative AI introduces material risk across confidentiality, integrity, availability, compliance, and trust. For aspiring information security professionals, AI governance represents a growing and valuable discipline where strategic thinking matters just as much as technical depth. The good news? We don’t need to invent governance from scratch. NIST’s AI Risk Management Framework (AI RMF) provides a practical, flexible structure that security leaders can use today to govern generative AI responsibly and defensibly. Why Generative AI Governance Matt...
Read more