Enterprise security programs lag behind an industrialized cybercrime economy, relying on compliance and post-incident response that create false confidence while real risk accumulates.
Richard Harrison, CISO and Head of Cyber and Architecture at Foodstuffs South Island, challenges security theater and reframes security as reducing the likelihood of material business impact.
He promotes a proactive risk operations model that prioritizes business risk, daily signal reduction, and clear board-level conversations about cost, trust, and operational impact.
Enterprise security teams are facing a mismatch of incentives and timing. Cybercrime now operates like an industry, moving quickly and exploiting narrow windows of opportunity. Meanwhile, many security programs remain optimized for post-incident response, searching for evidence of compromise rather than eliminating the conditions that make compromise likely in the first place.
With more than twenty years in cybersecurity and digital transformation, Richard Harrison has seen how easily security drifts into process over purpose. In his role as CISO and Head of Cyber and Architecture at Foodstuffs South Island, he warns that "security theater" can be more dangerous than inaction, giving leadership a misplaced sense of control while real risks persist.
According to Harrison, an over-reliance on compliance frameworks is one of the clearest signs a SOC is stuck in the past. "We have to get away from the idea that things like compliance, like religiously adopting frameworks, will make us more secure. It appeases boards and executives who just want to answer the question, 'Are we secure?' But that's just an illusion," he says.
Hunter or hunted?: Even threat hunting can be a trap. "Threat hunting sounds proactive, but in reality, it's not," Harrison continues. "What you're often looking for is evidence of a breach or an attack, as opposed to asking, 'Where are the risks in my environment an attacker could exploit, and how do I shut those down?'" To counter this illusion, Harrison calls for rebuilding the Security Operations Center into a "Security Risk Operations" model. The mission is to proactively hunt for business risks, not just technical ones.
Pain management: The goal, Harrison says, is to shrink the "long tail of risk"—the dangerous window of time between when a vulnerability appears and when it is fixed—because that's precisely the period attackers are built to exploit. "We have to come back to the core purpose of security: reducing the probability of a material impact to the organization. That means understanding what 'material' actually is, which requires asking boards and executives a simple question: when does this become painful?"
But a proactive posture requires resources, and that means getting the C-suite on board. Harrison says the key is "risk storytelling," a strategy focused on ditching technical jargon to translate threats into tangible business impacts. To do this, he says, you must "connect their heads to their hearts" by framing risk around things they truly care about, like customer trust in buying everyday items like milk and bread. Framing the conversation in this way turns a budget request into a shared, strategic business decision.
Cash over CVEs: "You've got to talk their language. Their language is cash, revenue, trust, reputation. They don't care about the CVE number. You have to say, 'We've got a problem. If that risk materializes, we're not going to be able to get goods to the stores.' You present the cost for every hour of unavailability as X and the fix as Y, and then ask: 'Are you happy to take the risk, or do you want to solve the problem?'" he explains. "My role is to present that picture, tell the story, have a conversation, and allow the board to arrive at an informed choice."
At the heart of Harrison's strategy is a simple conviction: security's foundational weaknesses are human, not technological. His pragmatic approach, for instance, focuses on how sophisticated groups like Scattered Spider exploit the service desk through social engineering, rather than getting caught up in the hype around AI-enabled attacks. The strategic intent is to make an organization a more difficult target, thereby disrupting the criminal's business model and encouraging them to find an easier victim.
The root of the risk: "Ultimately, I think security is a human issue. We decide what systems we're going to buy, how we're going to configure them, and whether we're going to accept risk. That's why you've got to spend a lot of time with people: educating, building awareness, and allowing them to exercise better judgment."
A dose of skepticism: "Frankly, a lot of what is being called Generative AI is really just repackaged stuff that's already there," Harrison notes. "While it's something to keep an eye on, I'm not convinced yet that we're seeing massive, wide-scale attacks. There's probably another six to twelve months yet before it becomes significant."
In an environment of constantly changing threats, Harrison says leaders must abandon the old cadence of quarterly or even monthly security reviews. He believes a proactive mindset requires a daily discipline, enabled by modern systems that can find the signal in the noise. "It’s every day. Every minute and every hour. You need systems that can ingest massive amounts of data and surface the critical issues," he concludes. "We see billions of events across the organization, but I need to get to the five or six that could cause real problems and act fast. And if those same issues show up day after day, then the real work is fixing what’s causing them."
