The Futility of Combating High Speed Risk With Low Speed Strategy
Nick Kathmann, CISO at LogicGate, makes the case for a radical rethinking of risk management: ditch static assessments, weaponize data, and be equipped to manage inevitable third-party failures and cyberattacks.
Aug 04, 2025
Nick Kathmann, CISO, LogicGate
Tags: Cyber Operational and Non Financial Risk
The views and opinions expressed in this content are those of the thought leader as an individual and are not attributed to CeFPro or any other organization
  • Annual risk assessments are too slow for dynamic cyber threats
  • Kathmann views cyber risk as a data science problem requiring real-time analysis
  • Risk indicators like phishing scores and control metrics must be continuously monitored
  • Ransomware is not a risk, it’s an outcome of control failures
  • Third-party risks must be treated as inevitable with fast response mechanisms in place
  • Canaries and detailed access mapping improve breach detection and containment
  • SOC 2 and ISO reports often offer false assurance
  • Transparency and live audit data access are key for vendor trust
  • AI can support risk management only when data is centralized
  • True resilience reduces impact, not just likelihood

In a world where digital evolution and innovation happen almost at light speed, it’s perhaps ironic that most companies still seem to manage cyber risk like it's a quarterly chore.

The brutal truth is that risk doesn’t wait. It evolves by the hour – sometimes by the minute.

For Nick Kathmann, CISO at LogicGate, this outdated mindset leaves organizations dangerously exposed.

“Something bad happens, and everyone scrambles,” he told delegates at Risk Americas, CeFPro’s flagship U.S. event in New York. “But risk didn’t start with the incident – the signals were there all along. We just weren’t looking fast enough.”

Consider that for a moment. For Kathmann, what matters is not how deeply you search for those signals but how quickly you find them.

In Kathmann’s view, cyber risk is now a data science problem. Terabytes of telemetry, incident reports, and control metrics flood enterprises daily, yet remain siloed.

“At a previous company, I had $11.9 million in spend in one business unit just on SIEM tools,” he recalls. “But most of that data just sat there. If we can’t correlate control telemetry with incidents in real time, then we’re blind.”

He draws a compelling analogy to vehicle safety. “When all you have is a seatbelt, that’s your most important control. But real safety comes from layering it – airbags, ABS, crumple zones. Some tools reduce the likelihood. Others reduce the impact. That’s defense in depth.”

The key is knowing when your controls are slipping and acting before they fail.

Traditional risk registers, he argues, get this wrong. “Ransomware isn’t a risk. It’s an outcome. It’s the result of multiple control failures. You can’t reduce ransomware. You can reduce phishing success, and you can reduce lateral movement. That’s how you stop ransomware.”

Kathmann champions what he calls ‘real-time risk indicators’: quantifiable metrics tied to specific controls, such as phishing-test click rates or the share of the estate covered by a zero-trust deployment.

When these metrics drift toward thresholds, that’s the early warning. “If every time our phishing score hits 70, we get an incident, then 70 is our company’s risk line. Don’t wait to cross it.”
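The threshold logic Kathmann describes can be made concrete. The following Python is an added example written for this page, not code from LogicGate or from the talk: it derives a company-specific risk line for one control metric from constructed historical telemetry (simulated weekly phishing-test click rates and incident flags), lists the weeks where the metric crossed the line without an incident following, and classifies a live reading against the line with a warning margin. The metric values, the two-week look-back, the one-week look-ahead and the five-point margin are all assumptions chosen for illustration.

```python
"""
Derive a company-specific 'risk line' for one control metric from historical
telemetry, then classify a live reading against it.
Added example for this page; all telemetry below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    week: int
    phishing_click_pct: float  # share of staff who clicked the week's phishing test
    incident: bool             # confirmed phishing-led incident that week


# Constructed sample: 16 weeks of phishing-test click rates and incident flags.
SAMPLE = [
    Observation(1, 42.0, False), Observation(2, 48.0, False),
    Observation(3, 55.0, False), Observation(4, 71.0, False),
    Observation(5, 74.0, True),  Observation(6, 60.0, False),
    Observation(7, 52.0, False), Observation(8, 66.0, False),
    Observation(9, 69.0, False), Observation(10, 70.0, True),
    Observation(11, 58.0, False), Observation(12, 71.0, False),
    Observation(13, 63.0, False), Observation(14, 70.0, False),
    Observation(15, 75.0, True),  Observation(16, 64.0, False),
]


def derive_risk_line(obs, lookback=2):
    """Highest score that still preceded every incident.

    For each incident take the peak score in the `lookback` weeks ending at
    the incident; the smallest of those peaks is the line, because every
    incident so far was reached at or above it. None if there are no incidents.
    """
    peaks = [
        max(w.phishing_click_pct for w in obs[max(0, i - lookback + 1): i + 1])
        for i, o in enumerate(obs) if o.incident
    ]
    return min(peaks) if peaks else None


def false_alarm_weeks(obs, line, lookahead=1):
    """Weeks at or above the line with no incident within `lookahead` weeks.

    A non-empty result is the caveat: crossing the line raised the odds of
    an incident, it did not guarantee one, so the line is a trigger for
    action, not a prediction.
    """
    return [
        o.week for i, o in enumerate(obs)
        if o.phishing_click_pct >= line
        and not any(w.incident for w in obs[i: i + lookahead + 1])
    ]


def indicator_status(score, line, margin=5.0):
    """'breach' at or above the line, 'warning' within `margin` below it, else 'ok'."""
    if score >= line:
        return "breach"
    if score >= line - margin:
        return "warning"
    return "ok"


if __name__ == "__main__":
    line = derive_risk_line(SAMPLE)
    print("risk line:", line)                                # 70.0
    print("false alarms:", false_alarm_weeks(SAMPLE, line))  # [12]
    print("latest week:", indicator_status(SAMPLE[-1].phishing_click_pct, line))  # ok
```

On the constructed data the line comes out at 70, matching the figure in the quote, and week 12 shows the metric crossing it without a following incident. The practical point is the margin: the warning state exists so that the response (extra awareness training, tightened mail filtering) starts before the line is crossed, not after.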

This approach isn’t limited to internal systems. The number one concern lies with third parties. “What keeps a CISO up at night? Getting a call that customer data is for sale, and realizing it came from a vendor. Then, trying to figure out which one.”

His solution: treat third-party breaches as inevitable. Map their data access, control their connections, and deploy digital canaries – decoy records unique to each vendor that expose the leak’s source.
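Per-vendor canaries as described above, as an added Python example that is not part of the original article or of LogicGate's tooling. It derives a decoy customer record for each vendor from an HMAC over the vendor's identifier, adds that record to the data set shared with the vendor, and, given a leaked dump, reports which vendor's canary appears. The secret, the vendor names, the sample customer record and the leaked dump are all constructed for the example.

```python
"""
Per-vendor canary records: seed each third party's data feed with a decoy
that is unique to that vendor, then attribute a leaked dump to its source.
Added example for this page; secret, vendors and data are constructed.
"""
import hashlib
import hmac

# Assumption: in production this lives in a secrets manager and is rotated
# (rotation changes every canary, so keep old secrets to attribute older
# leaks). It is a fixed constant here only so the example runs offline.
CANARY_SECRET = b"example-canary-secret"


def canary_record(vendor_id: str, secret: bytes = CANARY_SECRET) -> dict:
    """Deterministically derive a decoy customer record unique to one vendor.

    Deriving it from HMAC(secret, vendor_id) means the record can be
    regenerated at attribution time without storing a lookup table, and a
    vendor cannot distinguish it from a real record by its shape.
    """
    tag = hmac.new(secret, vendor_id.encode(), hashlib.sha256).hexdigest()
    return {
        "customer_id": f"C{int(tag[:8], 16) % 10**7:07d}",
        # example.com is reserved for documentation, so the address can never
        # reach a real mailbox if the dump is abused.
        "email": f"{tag[8:14]}.{tag[14:20]}@example.com",
    }


def seed_vendor(vendor_id: str, dataset: list[dict]) -> list[dict]:
    """Return the copy of the data set to hand to this vendor, canary included."""
    return dataset + [canary_record(vendor_id)]


def identify_leak_source(leaked_records: list[dict], vendor_ids: list[str],
                         secret: bytes = CANARY_SECRET) -> list[str]:
    """Return the vendors whose canary appears in a leaked dump.

    Matches on the email alone so a dump trimmed to one column still
    attributes. An empty list means the leak did not pass through a
    monitored vendor, or the canary was filtered out upstream; more than one
    vendor means they share data or the dumps were merged, so treat the
    result as a lead to investigate, not proof.
    """
    index = {canary_record(v, secret)["email"]: v for v in vendor_ids}
    leaked_emails = {str(r.get("email", "")).strip().lower() for r in leaked_records}
    return sorted(vendor for email, vendor in index.items() if email in leaked_emails)


# Constructed data: three vendors and one fictional real customer record.
VENDORS = ["payroll-saas", "marketing-analytics", "print-fulfilment"]
REAL_CUSTOMERS = [{"customer_id": "C0000001", "email": "a.customer@example.com"}]

# Constructed leak: the feed marketing-analytics received, reordered and with
# an unrelated row mixed in, as a dump found for sale might look.
LEAKED_DUMP = [{"email": "unrelated@example.net"}] + list(reversed(
    seed_vendor("marketing-analytics", REAL_CUSTOMERS)))


if __name__ == "__main__":
    print(identify_leak_source(LEAKED_DUMP, VENDORS))  # ['marketing-analytics']
```

Two practical notes. The decoy has to be seeded into every channel the vendor receives data through (API feed, CSV export, support tickets), or a leak from the unseeded channel attributes to nobody. And the canary only tells you where the data went out; the access map Kathmann pairs it with is what tells you what else that vendor could reach once the connection is cut.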

He cited a sophisticated third-party attack on a major crypto exchange, where attackers infiltrated a commonly used software development tool through social engineering.

The actual compromise came via a developer accepting a fake job interview, unwittingly downloading malware.

“They didn’t attack the company. They didn’t even attack the vendor. They attacked a contributor to a tool the vendor used. That’s how deep this goes,” Kathmann told the conference.

Kathmann calls out the illusion of assurance in current audit frameworks. “SOC 2s, ISOs — too often they’re just pieces of paper. I’ve seen firms with thousands of employees claim they didn’t have a single critical vulnerability all year. That’s just not real.”

His answer is transparency. “When I run third-party risk, I offer APIs so clients can see our audit records in real time. No waiting. That’s what real accountability looks like.”

Looking ahead, Kathmann argues that artificial intelligence won’t fix broken GRC by itself.

“AI is great at finding patterns, but it needs good data. If your risk data lives in a dozen tools and teams, AI can’t help you. The first step is integration – get the context together.”

Ultimately, it’s about shifting from historical risk to predictive resilience, he argued. “If we do this right, then incidents become fender benders, not catastrophic pileups. We’ll still have risks – but we’ll have clarity, speed, and control.”

Nick Kathmann Bio

As CISO of LogicGate, Nicholas Kathmann brings a strong track record of delivering innovative security solutions for small to medium-sized businesses and Fortune 100 enterprises. Before LogicGate, Kathmann served as director of cybersecurity at Dell Technologies, overseeing the internal cybersecurity program as well as leading the MSSP practice under the trade name xStreamCare Services™ for Security and Compliance. He also played a critical role in architecting and improving Dell Technologies’ Trust Platform, a comprehensive security automation and visibility technology. Before joining Dell Technologies, Kathmann managed security and compliance at VirtuStream, which Dell acquired in 2020, and bolstered his enterprise experience at Dell EMC, RSA, and more. Nick attended the University of New Orleans for a Bachelor of Science degree in Computer Science with a concentration on Information Assurance.
