Hi, I'm Bill Frank, and RiskPundit is my company. I've been doing cybersecurity for over 25 years.
With the rise of Generative and especially Agentic AI, rationalizing control investments has become even more important, as attack surfaces are growing much faster than cybersecurity budgets.
Before I shifted to "risk management" in 2019, I focused on EDR. Before that, next-gen firewalls. And my first ten years in cybersecurity were all about SIEM.
The term "risk management" has gotten a bad rap over the years as merely a compliance checkbox. But done right, i.e., by treating cyber risk as business risk, it can drive an organization's cybersecurity program.
I think of cyber risk management as "Moneyball" for cybersecurity. So risk is the probability of material cyber-related loss events. By material, I mean the loss events of concern to business leaders.
So I'm focused on helping security leaders and their teams with budget-allocation decisions to prioritize and justify "control" investments. By controls I mean the combination of people, processes, and technologies.
My focus on risk management naturally extended to compliance. So I've worked through the "compliance requirements/security needs" tension that security teams regularly deal with.
Below, I highlight three heuristics that have helped me over the years. Maybe you'll find them useful, too.
If you're looking for a more resume-like background, click the button below to visit my LinkedIn page.

In cybersecurity, as in life, there are no perfect solutions, only trade-offs. That's probably the number one lesson I've learned during my 25+ years in cybersecurity. Security leaders are always constrained by limited budgets and resources. Therefore, control investments must always be prioritized. The only real question is how best to do that. This has been my focus since 2019.

Here is another heuristic that's helped me over the years. "In theory, there is no difference between theory and practice. But in practice, there is." Contrary to popular belief, this is not a quote from Yogi Berra.
This surfaces in so many ways. Policies vs. practices. Control capabilities vs. implementation. Tool demo vs. deployment.

While compliance and risk are often lumped together under GRC, they are distinct. Compliance management helps CISOs defend against auditors, while risk management helps them defend against attackers.
While both are important, compliance should be a byproduct of risk management. Too often, I have found it the other way around.