
Living Risk Registers Help Security Leaders Prioritize Real Risk Over Compliance Theater

The Security Digest - News Team
Published February 3, 2026

Based on decades leading regulated organizations, Georgia Tech professor and former CIO Ann Dunkin details how living risk registers anchor real cyber resilience.

Credit: Outlever

Key Points

  • Compliance-heavy organizations often prioritize mandated controls over actual risk reduction, especially when funding, consequences, and accountability are misaligned.

  • Ann Dunkin, a four-time enterprise CIO and Distinguished Professor at Georgia Tech, describes how government and financial sectors experience this pressure differently.

  • She recommends a living risk register, reviewed quarterly, that scores each entry as likelihood multiplied by consequence, quantifies the consequences of non-compliance on the same scale, and embeds security into everyday decision-making.

I see the risk register as tactical. It reflects what’s happening day-to-day, whereas the security plan is strategic. It sets the big picture and drives the five-year operating plan.

Ann Dunkin

ex-CIO U.S. Dept of Energy and EPA
Distinguished Prof. at Georgia Institute of Tech

Organizations have a habit of falling into compliance traps without realizing it. Over time, regulatory checklists begin to stand in for real risk management, creating a sense of progress while underlying exposure grows. The issue isn’t a lack of understanding at the leadership level, but structural pressures that push decisions toward compliance at the expense of actual risk reduction.

Ann Dunkin is a four-time enterprise CIO whose experience comes from navigating these tangled pressures. As the former CIO of both the U.S. Department of Energy and the Environmental Protection Agency, she managed multibillion-dollar budgets in some of the world's most heavily regulated organizations. Now a Distinguished Professor at the Georgia Institute of Technology and an advisor to firms such as Global Interconnection Group and CGAI, Dunkin argues that leaders need to move beyond the false dichotomy of compliance versus security and adopt a unified framework.

"I see the risk register as tactical. It reflects what’s happening day-to-day, whereas the security plan is strategic. It sets the big picture and drives the five-year operating plan," says Dunkin. That distinction matters because the pressure leaders face is shaped by what failure costs in their particular industry. In government, there are countless compliance items to address, from broad mandates to specific technical guides. For a bank, the dynamic is fundamentally different: it cannot justify prioritizing risk management over compliance, because the consequence of non-compliance is being shut down.

  • An unfunded mandate: This situation in the public sector, Dunkin says, is no accident. She pins the blame on a structural flaw where the authority to mandate security is disconnected from the power to fund it, a problem that prioritizes the appearance of action over its resourced execution. "In government, the reason CIOs and CISOs get so many compliance items is because the people who deeply understand the risks are not the same people who control the funding," Dunkin explains. "It comes as yet another unfunded mandate, where Congress will direct an agency to perform an action and then provide no money for it."

Faced with this reality, Dunkin advocates absorbing compliance directly into the risk framework. The method relies on a living risk register, reviewed quarterly, in which each entry is scored as the likelihood of an event multiplied by its consequence. Once the business-ending cost of being shut down for non-compliance is quantified as that consequence, the "checklist" item rightfully earns its place at the top of the risk list. The process, she says, allows leaders to "build compliance into the risk register in a concrete way, rather than trying to balance the two as separate priorities."
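As an added illustration (not code from the article, from Dunkin, or from any organization she has led), the following Python models the scoring rule described above: each entry is scored as likelihood times consequence, a compliance obligation whose breach would cost the license to operate is assigned an assumed enterprise value as its consequence, and a quarterly review re-scores the entries and reports which ones moved up. The class names, the entries, the probabilities and the dollar figures are all constructed for the demonstration.

```python
"""Toy living risk register: risk = likelihood x consequence, with compliance
failures scored by what non-compliance actually costs the business.
Added example; the entries and dollar figures below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: float      # probability the event occurs within a year (0..1)
    consequence: float     # loss in dollars if it does
    compliance: bool = False                      # entry is a compliance obligation
    history: list = field(default_factory=list)   # (quarter, score) per review

    def __post_init__(self):
        self.validate()

    def validate(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be a probability")
        if self.consequence < 0:
            raise ValueError(f"{self.name}: consequence cannot be negative")

    def score(self) -> float:
        return self.likelihood * self.consequence


class RiskRegister:
    def __init__(self, enterprise_value: float):
        # Assumed loss if the organization is shut down; used as the consequence
        # of any compliance failure that would cost the license to operate.
        self.enterprise_value = enterprise_value
        self.risks: dict[str, Risk] = {}

    def add(self, name: str, likelihood: float, consequence: float) -> Risk:
        self.risks[name] = Risk(name, likelihood, consequence)
        return self.risks[name]

    def add_compliance_item(self, name: str, likelihood_of_breach: float,
                            shutdown: bool, penalty: float = 0.0) -> Risk:
        # Score the obligation by its real consequence, not as a checklist tick:
        # a shutdown-grade item inherits the whole enterprise value.
        consequence = self.enterprise_value if shutdown else penalty
        self.risks[name] = Risk(name, likelihood_of_breach, consequence, compliance=True)
        return self.risks[name]

    def ranked(self) -> list[tuple[str, float]]:
        """Entries ordered highest risk first."""
        return sorted(((r.name, r.score()) for r in self.risks.values()),
                      key=lambda pair: pair[1], reverse=True)

    def quarterly_review(self, quarter: str,
                         updates: dict[str, dict[str, float]]) -> list[str]:
        """Apply re-estimated likelihoods/consequences, record each score for
        trend tracking, and return the entries that moved up the ranking."""
        before = {name: i for i, (name, _) in enumerate(self.ranked())}
        for name, fields in updates.items():
            risk = self.risks[name]
            risk.likelihood = fields.get("likelihood", risk.likelihood)
            risk.consequence = fields.get("consequence", risk.consequence)
            risk.validate()
        for risk in self.risks.values():
            risk.history.append((quarter, risk.score()))
        after = [name for name, _ in self.ranked()]
        return [name for i, name in enumerate(after) if i < before[name]]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for the demonstration."""
    reg = RiskRegister(enterprise_value=50_000_000)
    reg.add("ransomware on file servers", likelihood=0.10, consequence=5_000_000)
    reg.add("credential phishing", likelihood=0.50, consequence=200_000)
    reg.add("laptop theft", likelihood=0.30, consequence=50_000)
    # Missing a regulator-mandated control: a breach means losing the license to operate.
    reg.add_compliance_item("mandated MFA control not implemented",
                            likelihood_of_breach=0.05, shutdown=True)
    # Paperwork lapse: a breach means a fine, not a shutdown.
    reg.add_compliance_item("late annual training attestation",
                            likelihood_of_breach=0.40, shutdown=False, penalty=25_000)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for name, score in reg.ranked():
        print(f"{score:>14,.0f}  {name}")
    moved = reg.quarterly_review("2026Q2", {
        "ransomware on file servers": {"likelihood": 0.30},
        "laptop theft": {"consequence": 500_000},
    })
    print("moved up after review:", moved)
```

With these constructed figures the shutdown-grade compliance item scores 0.05 × 50,000,000 = 2,500,000 and sits above the ransomware entry (500,000), while the paperwork lapse, whose only consequence is a fine, lands at the bottom; the quarterly review then shows how re-estimating a single consequence moves an entry up the list. The `history` list on each entry is what makes the register "living": it keeps the score from every review so the team can challenge the trend rather than only the current number.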

  • Time to face the consequences: "You can build the consequences of non-compliance into your risk register in a way that brings the most important compliance items to the top," Dunkin notes. "If you determine the consequence of not complying means the business gets shut down, that item will move to the top of your risk list." That prioritization, she explains, only works if leaders treat the risk register as a living document rather than a static artifact. "I used to drive the team crazy because I was never fully satisfied with the risk register. Even after they made improvements, I would come back each quarter and challenge them on the next factor, constantly asking what else we should consider."

  • Armchair expert: While a robust risk process is foundational, its success can be undermined by superficial governance, a topic of growing importance as corporate boards take on more cybersecurity responsibility. Dunkin points out that a lack of genuine understanding at the board level creates a vacuum that puts the onus on security leaders to fill. "Boards should have legitimate cybersecurity expertise on them, but too often, they don't. They'll appoint someone who went to a single class and declare them the resident cybersecurity expert."

  • Baked in: Counteracting this governance gap means turning attention to the people and culture behind the process. The key, she says, is the partnership between the CIO and CISO; she sees that collaboration, more than any formal reporting structure, as what determines whether the CISO can be genuinely accountable for cyber risk. "The best thing a CIO and CISO can do is work as a team, regardless of the reporting relationship. That teamwork is how security is not bolted on after the fact, but it's built in. It's designed in." The integrated mindset extends beyond security and applies directly to the organization's core purpose. "Business strategy is baked in, just like security."

An integrated framework of this kind is becoming a core component of organizational resilience as cybersecurity risk management grows more complex. The next major test is already here in the form of artificial intelligence. When proactive defense is harder to sustain and information sharing is more fragmented, static checklists leave organizations exposed. Navigating this shift requires both AI-enabled tools and disciplined decisions about how limited security resources are deployed.

"You never want to tie up all your resources in planned projects. Your incident response team, in particular, must have sufficient bandwidth so they can drop everything and respond when an incident happens," says Dunkin. That flexibility becomes even more critical as attackers adopt new capabilities. "Defenders know that attackers are going to be using AI against them, so they must use AI themselves as part of their defense," she concludes.