Executive Q&A: Turning Risk Discovery into a Competitive Advantage

Drata’s Matt Hillary on building transparent, business-aligned security programs that thrive on visibility—not perfection
March 3, 2026
7 min read

Key Highlights

  • Fear-based risk cultures hinder effective documentation and response, leading to increased vulnerabilities over time.
  • Security maturity is defined by an organization’s ability to continuously understand, respond to, and learn from risks, not by the absence of incidents.
  • Risk should be communicated in business language—financial impact, probability, and strategic trade-offs—to enable better decision-making at the executive level.
  • Embedding risk management into operational processes through trigger-based reviews, clear ownership, and continuous instrumentation ensures agility and relevance.

As organizations confront escalating regulatory pressure, expanding attack surfaces, and board-level scrutiny, the conversation around risk is evolving. For leading security teams, more documented risk doesn’t signal weakness — it signals visibility. In this Executive Q&A, Matt Hillary, SVP of Security & CISO at Drata, argues that modern security maturity is defined not by the absence of incidents, but by an organization’s ability to continuously surface, quantify, and respond to risk in business terms.

Hillary, a four-time CISO with more than 15 years of experience building enterprise security, GRC, IT, and privacy programs at high-growth SaaS and global technology firms — including leadership roles at Adobe and Amazon Web Services — discusses why fear-based risk cultures fail, how CISOs must reframe risk in financial language, and why annual assessments are no longer sufficient. His central thesis: transparency, shared ownership, and continuous instrumentation transform security from a compliance exercise into a strategic business capability.

SecurityInfoWatch (SIW): Many organizations still treat risk discovery as a failure. What’s broken in today’s security risk culture?

Matt Hillary: Too many organizations still behave as though risk only becomes real once it’s written down. The moment something hits a formal risk register, it feels discoverable, auditable, and attributable. That creates anxiety. Teams hesitate to document issues because documentation feels like exposure — and exposure feels like blame.

So instead, risks remain informal. They’re discussed verbally, buried in Slack threads, or managed quietly within teams. That may feel safer in the moment, but it’s materially more dangerous over time. The risk exists whether or not it’s documented. Choosing not to formalize it simply reduces your response time and narrows your available options when it eventually surfaces in a more painful way.

That fear-based dynamic produces two structural failures: a lack of clarity and a lack of accountability. Without documentation, there’s no shared understanding of severity, ownership, mitigation strategy, or timeline. And without shared understanding, execution fragments.

Healthy security cultures invert that instinct. When someone surfaces a new risk, the appropriate response is: “Good catch. Let’s evaluate it and decide how we want to respond.” It should not be: “How did this happen?” That subtle reframing changes risk from an indictment into a signal — a piece of intelligence the business can act on.

Another core issue is the misconception that risk is a “security problem.” Real risk rarely sits neatly within a single function. It lives at the seams, between product and legal, engineering and finance, and go-to-market and customer success. Security and GRC teams often have the taxonomy and tooling to make risk visible, but ownership must be shared. The most mature organizations democratize risk identification. Anyone, regardless of role, can say, “I think we have a risk here,” and know that it will trigger constructive cross-functional dialogue rather than a blame exercise.

When that dynamic exists, you see more risk logged and, paradoxically, a stronger security posture.

SIW: How would you define an organization's security maturity?

Hillary: Security maturity is not defined by the absence of incidents. It’s defined by how honestly an organization understands its risk posture and how effectively it responds, adapts, and learns over time.

Mature organizations abandon the myth of perfection. Risk never goes to zero. Pursuing zero-risk environments often leads to burnout, shame cultures, and undocumented exposures. When teams feel pressure to present an image of perfection, they hide uncertainty. That drives risk underground.

Instead, mature teams assume unknowns exist. They operate with the expectation that not all exposures are visible yet. Their focus is on speed and quality of detection, prioritization discipline, and effective treatment once new risks emerge.

The best security programs I’ve seen actively “spider” the organization — systematically examining business processes, product changes, vendor relationships, and infrastructure evolution to uncover latent exposure. When they find something, they treat discovery as progress.

Psychological safety is foundational here. If raising a concern creates additional work but earns professional respect rather than punishment, people will continue to surface issues. I see strong signals of maturity when engineers, sales leaders, or customer success managers proactively raise uncomfortable concerns because they trust the response will be collaborative.

Over time, that creates muscle memory. Risks are discovered, documented, assigned clear ownership, mitigated through defined actions, and re-evaluated. The organization shifts from reactive heroics to repeatable operating discipline.

True maturity is resilience: recognizing risk as constant, building durable systems to engage with it, and emerging stronger after each iteration.

SIW: Risk conversations often stall because they feel subjective. How should CISOs rethink how risk is measured and communicated?

Hillary: We’ve historically relied on abstractions — red-yellow-green heat maps, directional arrows, or qualitative labels like “high” or “medium.” Those frameworks rarely translate into executive decision-making.

When a board member hears that something moved from “medium” to “high,” the natural response is: What does that mean financially? Operationally? Strategically? And what decision are you asking me to make?

The goal is not perfect actuarial precision. It’s decision-grade clarity.

CISOs need to anchor risk in business language: potential financial exposure, probability over a defined time horizon, recovery duration, customer impact, and cost of meaningful reduction. Even directional quantification dramatically improves dialogue. Saying, “We estimate this control change reduces expected annualized loss by roughly 40%,” is far more actionable than, “This feels less risky now.”

That framing enables three executive-level conversations:

  1. Which risks materially change the shape of our business if realized?
  2. What are our response options — accept, transfer, reduce, avoid — and what are their respective costs?
  3. Where does the next marginal dollar reduce the most exposure?

When CISOs can articulate risk as a portfolio of trade-offs, rather than a series of abstract warnings, security transitions from a cost center to a strategic capital allocator. Boards understand investment language. They understand opportunity cost. They understand expected loss.

Translate risk into those constructs, and the conversation shifts from defensiveness to optimization.

SIW: How can companies move beyond annual risk assessments and embed risk management into day-to-day operations?

Hillary: Annual assessments create snapshots. They can be useful, but they’re insufficient. Businesses change weekly — new products launch, vendors onboard, architectures evolve. A static annual artifact cannot reflect a dynamic risk landscape.

Embedding risk into operational rhythm requires structural integration.

First, trigger-based reviews should be standard. New initiatives, vendor contracts, major feature releases, or market expansions should automatically prompt risk evaluation, not just last-minute security signoff.

Second, ownership must be explicit. Risks cannot belong to abstract “teams.” They must have named accountable individuals. And those owners need regular check-ins tied to operational cadence.

Third, mitigation must live in the same work systems the business already uses, such as backlogs, OKRs, sprint planning, and product roadmaps. If risk reduction exists in a separate compliance tracker, it will always lose priority. When mitigation competes transparently with other initiatives, leadership can consciously decide on tradeoffs.

Fourth, instrumentation is critical. Continuous control monitoring transforms compliance checkboxes into live telemetry. When a control degrades, that signal should update the organization’s view of associated risk. Assumptions must be validated continuously.

A living risk program is not an annual deliverable. It is an ongoing operational discipline embedded into how the company executes strategy.

SIW: How does transparency around risk and incidents ultimately protect security leaders and organizations?

Hillary: Transparency is protective — legally, reputationally, and operationally.

When an incident occurs — and eventually one will — narrative control becomes central. Stakeholders ask: What happened? Was this foreseeable? Were we negligent?

If you maintain a living risk register with documented analysis, decision rationale, and mitigation planning, you can demonstrate diligence. You can show that risks were evaluated, options were considered, and decisions were made in context with the information available at the time.

That record does not eliminate the incident. But it establishes good faith governance. It shifts the conversation from accusation to analysis.

Internally, transparency reduces hindsight bias. Instead of assigning blame retroactively, teams can review documented assumptions and refine models. That accelerates learning.

Externally, transparent incident response often accelerates trust recovery. Customers and partners respond better to candid disclosure and concrete remediation than to minimization or obfuscation. The pattern of response matters as much as the triggering event.

At an industry level, we should aspire to a culture closer to that of aviation safety: rigorous post-incident analysis, structured knowledge sharing, and collective improvement. When organizations prioritize insight over optics, systemic resilience improves.

Ultimately, a transparent, continuously updated risk program does more than protect assets. It protects credibility. And in modern enterprise security, credibility is a strategic asset.

About the Author

Steve Lasky

Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].
