The FAIR Institute Blog

Redefining the Effective CISO: From Gut Feel to Defensible Risk Decisions

Written by Alexander Antukh | May 8, 2025 12:00:00 PM

What does it mean to be an effective CISO? For some, it’s about the number of breaches. For others, it's about the maturity of a cyber program. Yet for others, it has to do with leadership style and personality. The question, although seemingly simple, has depth. Whether it comes from a direct manager or from within, answering it helps clarify how we can be most useful to the organization. 

Alexander Antukh is CISO at AboitizPower. Watch our Meet a Member interview with Alex. We welcome submissions from our members for blog posts - please contact us.


Like any other executive function, the CISO role exists to support the business:  Effective cybersecurity must reflect the organization’s full context, from revenue streams and risk tolerance to corporate culture. It follows that the true value of a CISO lies in designing and implementing a cyber program that is fit for purpose. But how can one be sure that the proposed strategy and budget are adequate? 

Historically, organizations have relied on several approaches, from the notorious “you are the expert” to external consultancy validation. But neither of these options enables non-technical executives to meaningfully challenge the cybersecurity plan the way they would for any other business case. Short of falling back on some intangible measure of maturity or on specialized knowledge of cyber frameworks, for a long time there hasn’t been a good way of truly speaking the same language.

There is a better way: Cyber Risk Quantification (CRQ). If properly implemented, it provides actionable, dollar-value insights about likely losses and the ROI of suggested cyber initiatives. However, despite its promise, many CISOs still choose not to start a CRQ program for one of two main reasons: it’s either “too difficult” or a “waste of time.”

In this post, I’m going to respond to both arguments from a practitioner’s perspective and share my learnings from implementing a successful program. 

Let’s first review the existential skepticism - the claim that a CRQ program is a “waste of time.” Typically, the skeptics do not challenge the potential usefulness of numerical outputs - after all, this is what the C-suite operates with in other, non-cyber areas. Rather, it is posited that no pragmatic way to reach adequate quantification exists. In other words, the argument can be simplified to “I don’t trust the outputs.” I’d like to break it down into three questions and answer each of them separately.

1.  Do you trust the quantification model? 

FAIR is the only internationally recognized standard for CRQ. It uses the same Monte Carlo simulation method that has been successfully applied for decades in fields such as investing, telecommunications, insurance, and engineering. As opposed to deterministic risk calculators, it explicitly models uncertainty and is designed with data scarcity in mind. A detailed description of the mathematical model is open for examination and feedback. It has been adopted by thousands of organizations around the world, mine included.
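To make the two ideas above concrete (Monte Carlo over uncertain inputs, and the dollar-value ROI of an initiative mentioned earlier), here is an added, deliberately simplified illustration; it is not the post’s own code and not the FAIR standard’s model. It assumes calibrated three-point (min / most likely / max) estimates for loss event frequency and loss magnitude, a PERT shape for those estimates, and constructed, not real, figures.

```python
import math
import random


def pert(low, mode, high, rng, lam=4.0):
    """Sample a modified-PERT value from a min / most-likely / max estimate.
    A common way to turn a calibrated three-point estimate into a distribution
    when historical data is scarce (lam=4 is an assumption, not a FAIR constant)."""
    if high <= low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(lam, rng):
    """Knuth's Poisson sampler (random.Random has none); fine for small rates."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lef, lm, years=10_000, seed=7):
    """Monte Carlo over simulated years. lef: (min, likely, max) loss events per
    year; lm: (min, likely, max) USD loss per event. Returns annual losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = pert(*lef, rng)        # this year's loss-event frequency
        events = poisson(rate, rng)   # how many loss events actually occur
        annual.append(sum(pert(*lm, rng) for _ in range(events)))
    return annual


def percentile(values, pct):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(pct / 100 * len(ordered)))]


def summarize(annual):
    """ALE (mean), median and 90th percentile: the uncertainty, not one number."""
    return {"ale": sum(annual) / len(annual),
            "p50": percentile(annual, 50), "p90": percentile(annual, 90)}


def control_roi(before, after, annual_cost):
    """Avoided expected loss minus the control's cost, per dollar spent."""
    avoided = summarize(before)["ale"] - summarize(after)["ale"]
    return (avoided - annual_cost) / annual_cost


# Constructed illustrative inputs: a control that halves the event frequency.
CURRENT = simulate(lef=(0.2, 0.5, 1.5), lm=(50_000, 200_000, 1_000_000))
WITH_CONTROL = simulate(lef=(0.1, 0.25, 0.75), lm=(50_000, 200_000, 1_000_000))
```

Running `summarize(CURRENT)`, `summarize(WITH_CONTROL)` and `control_roi(CURRENT, WITH_CONTROL, 40_000)` gives the loss distribution before and after, and the ROI of a hypothetical $40k/year control, in the same terms a CFO already uses.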

2.  Do you trust the inputs?

This question relates to the state of data quality in the organization. While one can be confident about the structure of Financial Impact Questionnaires and about externally sourced “data shopping”, gathering internal data and being confident about it may be challenging. I will provide more comments in the “Too Difficult?” section below, but for now let me just state that not knowing your organization’s potential impacts and main sources of losses is a serious problem in itself, regardless of CRQ or even cybersecurity in general.

3.  Do you trust current outputs? 

This is a very important perspective any skeptic must have in mind. It is fine to perceive the current method as “good enough.” Nevertheless, we must be honest with ourselves when critiquing a different model and apply the same criteria to both. If we want to be able to demonstrate that we are doing our best as CISOs, we need to be able to show that what we do currently is not worse, for example:

>>Do you rely on internal expert judgement? - Explain which data points are used and how you form your judgement.
>>Do you trust a third-party consultant to do the job for you? - Question their methodology as rigorously as you’re prepared to question the alternative.

Ultimately, it forces you to question everything and make existing assumptions transparent - and to me, this is the most beautiful part of CRQ. Not just the dollar values, but the “cyber philosophy” behind it - the philosophy of a mature leader who is not afraid of being challenged but rather actively seeks challenge and transparency. 

Let me now review the argument “It is Too Difficult” (therefore I do not quantify). 

As somebody who went through the process of quantification more than once, I can confirm: it is not very easy (but it gets easier thanks to telemetry integrations and AI). The main difficulty is related to preparing the input data, as it typically means the following: 

>>Clear understanding of what constitutes “good data” (such as FIQs and in-depth maturity measures of existing security controls) 
>>Coordination and collaboration with various stakeholders (Finance, Legal, Procurement, BCM, IT, PR…) to obtain trustworthy data 
>>Internal validation and possible re-calibration

Ideally, you’d have done these steps regardless of whether you plan to quantify or not. If you’re unsure about likely downtime losses or whether your company has a stance on ransom negotiations, your current cyber approach already has room for improvement. However, it goes beyond cybersecurity: in the same line of thinking, any top risk from your ERM program must rest on some assumptions. It forces you, dear CISO, to go and find out what these are, and to become an active inquirer into any business risk, from regulatory changes to talent shortages. In the end, this leads to a mindset shift - from deterministic guesswork and cyber silos to probabilistic modeling and true enterprise integration of the cyber function. Even though it might not be in place yet, the CRQ practitioner has the opportunity to become a catalyst for positive change and greater organizational efficiency - something that we’ve established to be a trait of an “Effective CISO.”

Conclusion

Cyber Risk Quantification is not a silver bullet - it won’t magically solve your problems or generate perfect numbers on its own. Nevertheless, it can drastically improve your understanding of organizational context, drive positive change in terms of clearer and better-quality assumptions, and shift away from the notorious Fear-Uncertainty-Doubt cyber narrative to useful CFO-ready metrics. A mature CRQ program is not about replacing human judgment, but about making it visible, defensible, and actionable. It strengthens how we talk to the Board, how we justify spend, and how we prioritize work. In that sense, it isn’t just about cyber risk - it’s about executive leadership.