ATLSECCON 2026 has ended
Thursday April 9, 2026 3:00pm - 3:45pm ADT
NIST CSF, ISO 27001, PCI DSS, C2M2, ATT&CK; the frameworks and methodologies are many. Professional associations publish competing Bodies of Knowledge. Colleges and universities offer an expanding array of diplomas and degrees. Everyone has an answer to how we should do cybersecurity.

But step back and ask a simpler question: what are we actually trying to accomplish?

It's easy to lose sight of this. We get absorbed in achieving compliance, implementing the architecture du jour, or chasing the latest threat intelligence. We optimize for framework alignment rather than outcomes. We confuse the map for the territory.

Author and practitioner Rick Howard offers a clarifying formulation: the purpose of cybersecurity is to reduce the probability of a material cyber event in the next business cycle.

Since the digitization of business began in the 1960s, through the rise of the internet and the subsequent dominance of software, virtually all organizational data now resides on interconnected, always-reachable systems. Cybersecurity exists to enable organizations to operate despite this exposure. Not to achieve perfect security. Not to satisfy auditors. To manage risk.

In this talk, we'll trace this thread across the profession. We'll start with risk itself, not as an abstract concept, but as the fundamental tradeoff that underpins every security decision. We'll examine what higher education is teaching the next generation of practitioners, and what the major Bodies of Knowledge say we should master. We'll dissect several popular frameworks, many of which explicitly call for a "risk-based approach" yet often are implemented as compliance checklists. We'll close by reconceptualizing how we should view the multifaceted practice that is cybersecurity through the focusing lens of risk.
Speakers
Jason Murray

Senior Security Consultant, Arancia
I'm a Computer Engineer by training (BASc and MEng), who got into infosec way back in the late 90s. I originally thought Infosec was an engineering problem, turns out it's a risk management problem. In my time in the profession, I've done a bunch of stuff: operations, vulnerability...
Argyle Suite 3