Navigating Corporate Risk and Cybersecurity: A Discussion with Annie Searle

By Sean Costigan, PhD

In a recent exploration of the intricate world of corporate risk management and cybersecurity, I enjoyed the privilege of engaging in a compelling conversation with Annie Searle, a distinguished expert in the field of operational risk management. Searle’s extensive experience in the financial, IT, and emergency services sectors illuminates the multifaceted nature of risk in the corporate world. With her academic prowess at the University of Washington, Searle is a formidable voice in the realms of corporate governance and cybersecurity. Her career trajectory is not just impressive; it’s a testament to her deep commitment to risk management excellence. Searle’s work in developing premier risk programs and advocating for technology access, notably through her involvement with the Seattle Public Library Foundation, underscores the breadth of her expertise and dedication. 

During our discussion, we delved into the intricacies of notorious corporate scandals, including cases like Theranos and Wells Fargo. Annie emphasized the utmost importance of recognizing early risk indicators, a lesson that many companies, unfortunately, have yet to put into practice. Her critique of the failures in corporate governance systems reveals a troubling disconnect between leadership’s decision-making processes and the operational ground realities of organizations. One of the most enlightening aspects of our conversation revolved around the concept of tone at the top.

Annie elucidated how leadership ethics and operational standards cascade through an organization’s hierarchy, profoundly influencing its overall conduct. She brought to light how skewed incentives and bonuses can lead managers down the wrong path, and how important it is to recognize the early warning signs of risk. Furthermore, Annie’s observations on the dilution of risk reports as they ascend the corporate ladder resonated with me, highlighting a dangerous underestimation of risks at higher management levels. In conversations with board members, Annie notes that she recommends the creation of risk committees: “Because I see risk as overarching and including cyber and I think there ought to be a relationship between the board members on that committee at the board level and the cyber organization itself.”

Our analysis of the Wells Fargo debacle shed light on the critical role of board members in overseeing company operations and managing risks. Annie’s insights into the board’s challenges, especially in comprehending and managing cybersecurity risks due to a lack of technical know-how, were eye-opening. It’s notable that, according to a recent study, just 12% of S&P 500 corporate boards have some measure of cybersecurity talent. As she notes: “we still have this gap operationally with the security apparatus where we’re not good at explaining what the threats are or why the investment will pay off or assembling a kind of research history of the threat in terms that even a C-suite executive can understand.”

We also tackled the complex new SEC rules on cybersecurity, particularly the intricacies involved in determining the materiality of a breach. Annie’s recommendation for boards to establish dedicated risk committees, distinct from audit committees, struck me as a vital step towards enhancing board-level advocacy for cybersecurity and risk management. This approach is especially crucial when cybersecurity doesn’t top the CEO’s agenda.

Reflecting on our conversation with Annie Searle, I am reminded of the pressing need for vigilant and well-informed leadership at the highest corporate levels. Her expertise sheds light on the criticality of a strategic and informed approach to risk management across organizational tiers, particularly in our increasingly digitalized world. As we advance, the lessons drawn from this insightful dialogue with Annie are more relevant than ever, emphasizing the importance of robust governance and risk management strategies in today’s complex corporate landscape.

Listen to Episode 1 of Resilience Rising by clicking the link below


Sean Costigan

8 Feb. 2024



Recent Posts


Red Sift Recognized on Deloitte’s EMEA Fast 500™ List

Francesca Rünger-Field

We’re thrilled to share that Red Sift has been included in Deloitte’s 2023 EMEA Fast 500 list. This recognition stems from 389% revenue growth over three years, $54 million in Series B funding, acquiring ASM innovator Hardenize, and introducing the Red Sift Pulse Platform. Read the press release here. About the award The Deloitte Technology Fast…

Read more
Brand Protection

The vital role of cybersecurity for Nonprofits: A deep dive 

Sean Costigan

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the…

Read more

Red Sift brings DMARC data to the SOC with new Cisco XDR…

Rebecca Warren

Today, we’re thrilled to announce that we’re extending our partnership by joining the Cisco Security Technical Alliance and integrating Red Sift OnDMARC with Cisco XDR. This integration builds on the Domain Protection partnership we announced in November 2023 to bring visibility of business email compromise into the SOC (security operations center). At release, Red…

Read more

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more