CRQ Is Dead. Long Live CRQ!


Ten years ago, I had the privilege of coining the term Cyber Risk Quantification (CRQ)—a concept that, at the time, felt revolutionary to many. Since then, I’ve watched the CRQ market evolve from an idea championed by a few pioneers to a foundational capability for modern cyber risk management. At this year’s RSA Conference, the evolution of the CRQ landscape was on full display—and it left me reflecting on just how far we’ve come.

Nicola (Nick) Sanna is Founder of the FAIR Institute and President of SAFE

CRQ Has Gone Mainstream

What was once the domain of trailblazing organizations like RiskLens has now become a must-have capability across the cybersecurity ecosystem. Many cybersecurity vendors at RSA showcased some form of CRQ functionality.

This surge in adoption has been driven by two key forces:

>>The Business Imperative: Boards and executives are demanding cyber risk insights in business terms. They no longer accept technical metrics without context—they need clear, actionable information to drive decisions.

>>The Regulatory Push: With rules like the SEC’s cyber disclosure requirements and Europe’s NIS2 and DORA mandates, organizations must now demonstrate materiality and due care in how they measure and manage cyber risk.

Open Standards Are Winning

This rise in CRQ has also sparked an important debate: black-box risk scoring vs. open, transparent models.

The clear winner? Open standards.

The FAIR model has emerged as the de facto global standard in CRQ because it offers transparency, defensibility, and—most importantly—trust. Organizations want to understand how risk numbers are calculated, especially when those numbers are guiding strategic decisions or going in front of regulators.

Black-box CRQ approaches may offer speed or simplicity, but they fail the test of scrutiny. In fact, they’ve become non-starters in many mature organizations.

FAIR Has Cemented Its Place as the Global Standard

FAIR isn’t just a model—it’s a movement. It provides:

>>A common taxonomy for cybersecurity and operational risk

>>A structured measurement approach to quantify risk in financial terms

>>An ideal complement to frameworks like NIST CSF, ISO 27001, CIS Controls, and others

FAIR empowers organizations to move from compliance checklists to explicit, informed decision-making.

Automation Is the Key to Scalability

Historically, CRQ was a resource-intensive exercise—manual, slow, and dependent on a small group of trained practitioners. Many organizations rightly questioned whether the effort was worth it.

Today, that’s changed.

Thanks to modeling breakthroughs and AI, companies like SAFE have turned CRQ into an automated, always-on capability. CRQ engines can now ingest business context, threat intelligence, and control telemetry in real-time—dramatically reducing the need for manual input.

Key innovations like FAIR-CAM (Controls Analytics Model), FAIR-MAM (Materiality Assessment Model), and integrations with MITRE ATT&CK have paved the way for the new FAIR Framework for Effective Cyber Risk Management. Together, these advances make scalable, defensible CRQ not just possible—but practical.

CRQ: Not a Destination, but a Catalyst

Here’s the key insight: CRQ is not a category—it’s an enabler.

Automated CRQ is foundational to effective cyber risk management. It elevates everything it touches in cybersecurity. Examples:

>>It brings business context to cyber risk assessments

>>It drives prioritization in vulnerability management

>>It adds risk context in continuous control monitoring

>>It adds risk insights to third-party risk management

>>It powers decision-making across GRC and audit functions

Automated CRQ is an enabler of decision-making, allowing organizations to safely go faster in the pursuit of their digital growth objectives. It helps answer questions that are otherwise left to intuition and guesswork:

>>“What is the best security architecture to support our new digital service?”

>>“What can we do to improve our cyber resilience?”

>>“How much do we need to invest to get to an acceptable level of risk?”

>>“How much cyber risk are we taking on with this new M&A activity?”

>>“What level of cyber insurance coverage do we need?”
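To make concrete what “quantifying risk in financial terms” means under FAIR, and how a CRQ result answers an investment question such as “how much do we need to invest to get to an acceptable level of risk?”, here is a small Monte Carlo illustration. It is an added example, not code from the FAIR Institute, SAFE or any CRQ product. It relies only on the public FAIR decomposition (Risk = Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability); every numeric range, scenario name and control option in it is a constructed placeholder, and the ranking-by-reduction-per-dollar helper is an assumption about how a team might use the output, not part of the FAIR standard.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added illustration of the FAIR decomposition
    Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  = Threat Event Frequency (TEF) x Vulnerability
All ranges below are constructed placeholders, not figures from any real
assessment. Per trial the year's expected loss is approximated as LEF x LM
(a simplification; a full FAIR analysis samples the event count itself).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """A calibrated estimate expressed as a min / most-likely / max range."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode). A degenerate range
        # (low == high) returns low, so point estimates work unchanged.
        return rng.triangular(self.low, self.high, self.mode)


def _percentile(sorted_values, q):
    """Nearest-rank percentile over an already sorted list."""
    return sorted_values[round(q * (len(sorted_values) - 1))]


def simulate_ale(tef, vuln, loss_magnitude, trials=10000, seed=0):
    """Return summary statistics (dollars per year) for one loss scenario."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible and comparable
    annual = []
    for _ in range(trials):
        lef = tef.sample(rng) * vuln.sample(rng)          # loss events per year
        annual.append(lef * loss_magnitude.sample(rng))   # expected loss that year
    annual.sort()
    return {
        "mean": sum(annual) / len(annual),
        "p10": _percentile(annual, 0.10),
        "p50": _percentile(annual, 0.50),
        "p90": _percentile(annual, 0.90),
        "max": annual[-1],
    }


def compare_options(baseline, options, **kwargs):
    """Rank control options by mean-ALE reduction per dollar of annual cost.

    baseline: (tef, vuln, lm) tuple; options: list of (name, scenario, cost).
    Using the same seed for every scenario means all of them see the same
    random draws, so differences come from the controls, not from noise.
    """
    base = simulate_ale(*baseline, **kwargs)["mean"]
    ranked = []
    for name, scenario, annual_cost in options:
        ale = simulate_ale(*scenario, **kwargs)["mean"]
        reduction = base - ale
        ranked.append({
            "option": name,
            "mean_ale": ale,
            "risk_reduction": reduction,
            "reduction_per_dollar": reduction / annual_cost if annual_cost else float("inf"),
        })
    ranked.sort(key=lambda r: r["reduction_per_dollar"], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed placeholder ranges for one hypothetical loss scenario.
    tef = Triangular(1, 3, 8)                      # threat events per year
    vuln = Triangular(0.2, 0.4, 0.7)               # P(threat event becomes a loss event)
    lm = Triangular(50_000, 250_000, 2_000_000)    # loss per event, dollars
    baseline = (tef, vuln, lm)
    # Hypothetical control options: one lowers Vulnerability, one lowers LM.
    options = [
        ("Stronger authentication and endpoint controls",
         (tef, Triangular(0.05, 0.15, 0.30), lm), 120_000),
        ("Tested, isolated backups",
         (tef, vuln, Triangular(20_000, 100_000, 600_000)), 60_000),
    ]
    print("Baseline ALE:", simulate_ale(*baseline))
    for row in compare_options(baseline, options):
        print(row)
```

The p90 and max figures are what a board-level “acceptable level of risk” discussion usually turns on, while the ranking output answers the investment question directly: the option with the highest reduction per dollar is the one that gets the organization to its risk appetite most efficiently, and the residual mean ALE shows whether that appetite has actually been reached.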

In short: CRQ is no longer a nice-to-have. It’s the connective tissue that ties cyber risk to business risk—and the backbone of modern cybersecurity programs.


So yes, CRQ is dead—at least as a standalone category. But its essence lives on, powering a smarter, more business-aligned future for cyber risk management.

Long live CRQ.

Learn more about the FAIR Framework for Effective Cyber Risk Management
