How can cybersecurity leaders translate technical threats into real business decisions without losing executive alignment or strategic clarity? Today’s guest is a thoughtful cybersecurity strategist and business-focused security leader.
Introducing Jimmy Lummis, Director and Business Information Security Officer at IHG Hotels & Resorts. Jimmy joins hosts Ernie Anderson and Graeme Payne to discuss how modern security leaders must bridge the gap between technical teams and executive leadership. He also explores the realities of cyber risk quantification, the role of AI in modern threat landscapes, and why translating cybersecurity into business language is essential for effective decision making.
Takeaways:
- Cybersecurity is ultimately about managing risk, not eliminating it. Jimmy explains that no organization can achieve perfect security. The real responsibility of leaders is determining what level of risk the business is willing to accept and aligning security investments accordingly.
- Cyber risk must be translated into business language. Technical discussions about vulnerabilities and controls do not resonate with executives. Effective security leaders frame cyber threats in terms of financial impact, operational disruption, and strategic risk.
- AI introduces both opportunity and new threat vectors. Organizations are racing to adopt AI, but threat actors are also leveraging these tools. Security leaders must balance innovation with responsible oversight and risk awareness.
- Traditional cybersecurity problems still matter. While emerging technologies grab headlines, many breaches still trace back to longstanding weaknesses in identity management, patching, and basic security hygiene.
- Security leaders must act as translators between worlds. Jimmy emphasizes the importance of bridging the gap between engineers and executives. Leaders who can interpret technical realities in business terms help organizations make better strategic decisions.
- Cyber risk quantification helps prioritize security investments. Quantifying risk allows organizations to make informed tradeoffs about where to allocate resources and which threats pose the greatest potential impact.
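As an added illustration of the kind of quantification the takeaways describe (example code written for these notes, not code from the episode, the hosts, or IHG), the Python below turns calibrated ranges for incident frequency and per-incident loss into a simulated annual-loss distribution for a baseline and for a proposed control, then compares the expected loss reduction against the control's yearly cost. The scenario names, dollar ranges and control cost are all constructed for the example.

```python
import math
import random
import statistics

# Constructed scenario inputs (hypothetical, chosen for illustration only):
# (min, most likely, max) estimates for how many damaging incidents occur
# per year and how much one incident costs, as an analyst would calibrate
# them with the business owners.
BASELINE = {
    "events_per_year": (0.2, 0.8, 2.0),
    "loss_per_event": (50_000, 400_000, 3_000_000),
}
WITH_CONTROL = {  # hypothetical effect of funding MFA rollout plus a faster patch SLA
    "events_per_year": (0.05, 0.25, 0.8),
    "loss_per_event": (50_000, 300_000, 2_000_000),
}
CONTROL_ANNUAL_COST = 250_000  # constructed yearly run cost of the control


def poisson(rng, lam):
    """Draw an event count for one year from a Poisson(lam) distribution
    (Knuth's multiplication method; adequate for the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, trials=20_000, seed=7):
    """Monte Carlo over one year: sample an incident rate from the frequency
    range, a count of incidents from that rate, and a loss for each incident.
    Returns the list of simulated total losses, one per trial."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = scenario["events_per_year"]
    l_lo, l_mode, l_hi = scenario["loss_per_event"]
    yearly = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_mode)       # uncertainty in the rate itself
        n_events = poisson(rng, rate)                    # incidents in this simulated year
        yearly.append(sum(rng.triangular(l_lo, l_hi, l_mode) for _ in range(n_events)))
    return yearly


def summarize(yearly):
    """Reduce the simulated losses to the figures an executive actually asks for:
    expected annual loss, tail losses, and the chance of any loss at all."""
    ordered = sorted(yearly)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


def control_decision(baseline, with_control, control_cost, trials=20_000, seed=7):
    """Compare expected annual loss with and without the control and state the
    tradeoff in money: is the expected loss avoided larger than the control costs?"""
    base = summarize(simulate_annual_losses(baseline, trials, seed))
    ctrl = summarize(simulate_annual_losses(with_control, trials, seed))
    reduction = base["expected_annual_loss"] - ctrl["expected_annual_loss"]
    return {
        "baseline": base,
        "with_control": ctrl,
        "expected_loss_reduction": reduction,
        "net_annual_benefit": reduction - control_cost,
        "fund_control": reduction > control_cost,
    }


if __name__ == "__main__":
    result = control_decision(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST)
    for name in ("baseline", "with_control"):
        s = result[name]
        print(f"{name:13s} EAL ${s['expected_annual_loss']:>12,.0f}  "
              f"p90 ${s['p90']:>12,.0f}  p99 ${s['p99']:>12,.0f}  "
              f"P(loss) {s['prob_any_loss']:.2f}")
    print(f"expected loss avoided ${result['expected_loss_reduction']:,.0f} "
          f"vs control cost ${CONTROL_ANNUAL_COST:,}")
    print("decision:", "fund the control" if result["fund_control"] else "do not fund")
```

The point of the comparison is the last two lines of output: the control is argued for as expected loss avoided per year against its cost, and the p90/p99 figures show the tail exposure that remains, which is the "what level of risk are we willing to accept" conversation in numbers rather than in vulnerability counts.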
Quote of the Show:
- “Cybersecurity is not about eliminating risk. It’s about deciding what level of risk the business is willing to accept” - Jimmy Lummis
Links:
- LinkedIn: https://www.linkedin.com/in/jimmylummis/
- Website: http://www.ihgplc.com
Ways to Tune In:
- Spotify: https://open.spotify.com/show/5LuXXqbK9k9rrVRFsdGzl0
- Apple Podcasts: https://podcasts.apple.com/podcast/cyber-smokehouse/id1872442297
- Amazon Music: https://music.amazon.com/podcasts/40a6c0da-242f-404b-8bd3-9f4997f19c47
- iHeart Radio: https://iheart.com/podcast/319629841/
- Podchaser: https://www.podchaser.com/podcasts/cyber-smokehouse-6356550