How to ensure teams take the right actions and executives stay informed on cyber risk burndown.

In Episode Six of The SAFE Cyber Risk Podcast, host Saket Bajoria, CPO at SAFE, speaks with Ravi Chinni, Global Head of Identity and Access Management at S&P Global. Ravi brings clarity to one of the hardest challenges in cybersecurity today: prioritizing and reducing cyber risk across an ever-expanding, globally distributed attack surface.
Ravi enriches the podcast with real-world insights on tackling everything from collecting data from disparate sources to assessing business impact and prioritizing the risk that matters most. How do you ensure teams take the right actions and executives stay informed on risk burndown? Watch the podcast to find out.
Five key takeaways from the conversation:
1. Aggregate and normalize data from hundreds of sources
Managing cyber risk starts with visibility — but in large organizations, asset discovery is far from simple. “Discovering all the assets, it sounds straightforward, but it’s a very difficult task… a server might be talking to another API or a SaaS might be talking to another SaaS through an API.”
At this scale, teams must continuously collect and normalize data from hundreds of sources. Ravi emphasized the need to account for both active systems and shadow IT, and to map dependencies so teams can assess how attackers might move laterally within the environment. “The attack could happen anywhere… so we need to understand all the systems that we have — all the active systems, and also the ones that are decommissioned or not decommissioned yet.”
2. Prioritize risk based on business impact
Traditional severity models fall short when context is missing. Ravi outlines three methods of prioritization: CVSS score, business context, and financial exposure. “If this vulnerability is not fixed in the next few days… it’s going to cost you $50 million. Just an example.”
“If you have an application, and it’s publicly facing, the loss could be somewhere around $150 million and our threshold is $50 million; we need to fix that vulnerability.” This risk-based approach ensures that high-impact risks are identified and managed promptly, especially in environments with thousands (or millions) of findings.
3. Focus remediation effort where it moves the needle most
With many issues to fix and many teams responsible for fixing them, Ravi emphasized the importance of accuracy, planning, and follow-through. “The general practice is that we send out a report to them saying these are all the issues that you have. And this is the time period as per our company policy, we continuously keep tracking all the progress and report back.”
Different risk types – infrastructure, SaaS misconfigurations, application flaws – require different owners and timelines, but the principle remains the same: Prioritize, track, and close the loop. “We recommend they prioritize all the security issues as early as possible so they get enough time to remediate it, test it in the lower environment, and push it to production.”
4. Align teams and executives on risk burndown
Executive alignment improves when cyber risk is expressed in financial terms and tracked consistently over time. “If you put something in numbers and tell them, today our risk is, let’s say, $100 million and we’re burning down at a rate of $10 million per month, they understand how we are progressing.”
Boards don’t need technical detail — they need clarity on the delta. Ravi also emphasizes the importance of explaining spikes when they occur: “There could be ups and downs… but overall what they want to see is: are we going down as time progresses?”
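The two ideas above, ranking findings by financial exposure against a dollar threshold (takeaway 2) and reporting the monthly burndown with spikes called out (takeaway 4), can be made concrete in a few functions. The following is an added example, not code from SAFE or S&P Global: the findings, loss figures, likelihood weights, threshold and monthly snapshots are all constructed to mirror the numbers quoted in the conversation, and the likelihood model (CVSS scaled by internet exposure) is an assumption chosen for illustration, not a published method.

```python
"""Risk-based prioritisation and burndown tracking (added example).

Not SAFE or S&P Global code. All figures and the likelihood weighting are
constructed assumptions for illustration.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    public_facing: bool    # reachable from the internet (business context)
    asset_loss_usd: float  # assumed loss if this asset is compromised


def compromise_likelihood(f: Finding) -> float:
    """Assumed likelihood (0..1): CVSS scaled up for internet-facing assets,
    down for internal-only ones. Illustrative weighting, not a standard."""
    base = min(max(f.cvss, 0.0), 10.0) / 10.0
    return min(1.0, base * 1.5) if f.public_facing else base * 0.5


def financial_exposure(f: Finding) -> float:
    """Expected loss in USD: likelihood times loss if compromised."""
    return compromise_likelihood(f) * f.asset_loss_usd


def prioritise(findings: List[Finding], threshold_usd: float) -> List[Tuple[str, int, bool]]:
    """Rank findings by financial exposure (highest first) and flag each one
    whose exposure meets or exceeds the organisation's fix-now threshold."""
    ranked = sorted(findings, key=financial_exposure, reverse=True)
    return [
        (f.finding_id, round(financial_exposure(f)), financial_exposure(f) >= threshold_usd)
        for f in ranked
    ]


def burndown(snapshots: List[Tuple[str, float]], spike_tolerance: float = 0.10):
    """snapshots: (month label, total exposure USD) in time order.
    Returns (average monthly reduction in USD, labels of months where the
    total rose by more than spike_tolerance over the prior month)."""
    if len(snapshots) < 2:
        return 0.0, []
    spikes = []
    for (_, prev), (label, cur) in zip(snapshots, snapshots[1:]):
        if prev > 0 and (cur - prev) / prev > spike_tolerance:
            spikes.append(label)
    first, last = snapshots[0][1], snapshots[-1][1]
    return (first - last) / (len(snapshots) - 1), spikes


def months_to_threshold(current: float, threshold: float, avg_reduction: float) -> Optional[int]:
    """Months until total exposure falls to the threshold at the current rate;
    None if the trend is flat or rising."""
    if current <= threshold:
        return 0
    if avg_reduction <= 0:
        return None
    return math.ceil((current - threshold) / avg_reduction)


# Constructed sample data. Note F-1 and F-3 outrank F-2 on CVSS alone,
# but F-2 is the only internet-facing finding on a $150M asset.
THRESHOLD_USD = 50_000_000
FINDINGS = [
    Finding("F-1", "internal customer DB", cvss=9.8, public_facing=False, asset_loss_usd=150e6),
    Finding("F-2", "public trading portal", cvss=7.5, public_facing=True, asset_loss_usd=150e6),
    Finding("F-3", "internal SaaS connector", cvss=9.1, public_facing=False, asset_loss_usd=20e6),
    Finding("F-4", "public marketing site", cvss=5.3, public_facing=True, asset_loss_usd=5e6),
]
SNAPSHOTS = [("M1", 100e6), ("M2", 90e6), ("M3", 80e6), ("M4", 95e6), ("M5", 70e6)]

if __name__ == "__main__":
    for fid, exposure, must_fix in prioritise(FINDINGS, THRESHOLD_USD):
        print(f"{fid}: ${exposure:,} {'FIX NOW' if must_fix else 'schedule'}")
    avg, spikes = burndown(SNAPSHOTS)
    print(f"burning down ${avg:,.0f}/month; spikes to explain: {spikes}")
    print("months to threshold:", months_to_threshold(SNAPSHOTS[-1][1], THRESHOLD_USD, avg))
```

Run as a script, F-2 lands at the top with a $150M exposure while F-1 (the highest CVSS) comes second, and the M4 spike is surfaced separately so it can be explained rather than hidden in the average.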
5. Identity is the first line of defense in a zero-trust world
As enterprises shift to SaaS and cloud, Ravi sees Identity and Access Management (IAM) as the foundation of modern security. “Now with zero trust, IAM is the first layer. Everything is publicly available. One thing that is secure is the identity.”
His IAM must-haves include: “Continuously monitor what identities you have, clean up unused identities, secure your privileged accounts, recertify permissions, and secure everything with strong multifactor authentication.”
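Each of those must-haves is a check that can run against an identity inventory. The block below is an added example, not code from SAFE or S&P Global: it audits a constructed inventory for stale identities, privileged accounts without MFA, and privileged permissions overdue for recertification. The field names, the 90-day stale window and the 180-day recertification window are assumptions chosen for illustration, not anyone's published policy.

```python
"""IAM hygiene audit over an identity inventory (added example).

Not SAFE or S&P Global code. The Identity shape, thresholds and sample
records are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

STALE_DAYS = 90      # assumed: no sign-in for this long means "unused"
RECERT_DAYS = 180    # assumed: privileged access must be re-approved this often


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                        # "human" or "service"
    privileged: bool                 # holds admin or equivalent role
    mfa_enrolled: bool
    last_login: Optional[date]       # None: never signed in
    last_recertified: Optional[date] # None: access never reviewed


def audit_identities(identities: List[Identity], today: date,
                     stale_days: int = STALE_DAYS,
                     recert_days: int = RECERT_DAYS) -> Dict[str, List[str]]:
    """Return identities grouped by the hygiene rule they violate."""
    report: Dict[str, List[str]] = {
        "stale": [],                   # clean-up candidates
        "privileged_without_mfa": [],  # highest priority: fix before anything else
        "recert_overdue": [],          # permissions to re-approve or revoke
    }
    for i in identities:
        if i.last_login is None or (today - i.last_login).days > stale_days:
            report["stale"].append(i.name)
        # Service accounts cannot complete interactive MFA, so a privileged
        # service account without it still lands here: it needs a different
        # control (vaulted credentials, workload identity), not an exemption.
        if i.privileged and not i.mfa_enrolled:
            report["privileged_without_mfa"].append(i.name)
        if i.privileged and (
            i.last_recertified is None
            or (today - i.last_recertified).days > recert_days
        ):
            report["recert_overdue"].append(i.name)
    return report


# Constructed sample inventory.
TODAY = date(2025, 6, 30)
INVENTORY = [
    Identity("alice", "human", True, True, TODAY - timedelta(days=3), TODAY - timedelta(days=30)),
    Identity("bob", "human", False, True, TODAY - timedelta(days=120), None),
    Identity("svc-backup", "service", True, False, TODAY - timedelta(days=1), TODAY - timedelta(days=200)),
    Identity("carol-contractor", "human", True, False, None, None),
    Identity("svc-ci", "service", False, False, TODAY - timedelta(days=10), None),
]

if __name__ == "__main__":
    for rule, names in audit_identities(INVENTORY, TODAY).items():
        print(f"{rule}: {names}")
```

The stale list is where unused identities get cleaned up; the privileged-without-MFA list is the one to work first, since a dormant privileged account with no second factor (carol-contractor above) is the combination an attacker looks for.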
Ravi’s perspective is clear: you cannot manage what you cannot see, and you cannot fix what you cannot prioritize. Aggregating risk data, applying business context, and aligning remediation across teams are the only way to make progress.
“The most important thing for all the teams is to have close collaboration… making sure they continuously communicate and fix all the things they are seeing.”
Watch the Podcast with Ravi Chinni, S&P Global
At SAFE, we help global enterprises put this into action:
✅ Aggregate and normalize data from hundreds of sources
✅ Prioritize risk based on business impact
✅ Focus remediation efforts where it moves the needle most
✅ Align teams and executives on risk burndown
Test Drive SAFE One today — and transform how you quantify and reduce cyber risk.