July 14, 2026
Why I Think Every CISO Needs to Start Speaking in Dollars, Not Adjectives
I come from a background in operational risk and compliance and I’ve spent the last few years monitoring incidents, running structured risk…
By Benard Kariuki
5 min read
I come from a background in operational risk and compliance and I've spent the last few years monitoring incidents, running structured risk assessments, and translating findings for leadership. Lately, I've been deepening that into GRC through a cybersecurity specialization at Africahackon Academy, and one methodology has genuinely pulled me in: Cyber Risk Quantification (CRQ).
I recently read MetricStream's "A Comprehensive Guide to Cyber Risk Quantification," and it reframed something I'd taken for granted for years, so I wanted to share my own take on why it matters.
For years, cyber risk has been described to me the same tired way: "likely to occur," "somewhat likely to impact the business." I used to nod along. Then it hit me: none of that actually tells a CFO or a board member anything they can act on. It raises more questions than it answers.
That's the gap CRQ is built to close. In simple terms, it's the practice of estimating cyber exposure in monetary terms, not "high, medium, low," but actual numbers a business can plan around. Honestly, I think it's overdue.
Why this matters right now
A few things convinced me this isn't just another GRC buzzword. Each one points to the same conclusion: guessing isn't good enough anymore.
IBM's 2025 Cost of a Data Breach Report puts the average breach at $4.44 million. When the downside is a real, specific number like that, calling your risk "high" or "medium" doesn't help anyone plan for it. CRQ is what lets a business actually budget and insure against a figure that size, instead of reacting to it after the fact.
Attack surfaces are also exploding: every business adopting AI, IoT, or cloud tools is quietly opening new doors for attackers. More entry points means more scenarios to evaluate, and qualitative labels don't scale once you're juggling dozens of exposure points at once. CRQ's scenario-based approach is built exactly for that, because it forces you to rank exposures by actual expected loss rather than gut feel.
Then there's the money problem. StationX's 2026 Cybersecurity Spending Statistics report pegs global defensive spend at roughly $24.2 million an hour, massive, until you compare it to the estimated $1.2 billion an hour that cybercrime costs. Do the math and attackers are walking away with roughly $49 for every $1 defenders spend. That imbalance is exactly why CRQ matters: with finite budgets losing badly to unlimited attacker upside, every dollar has to go where it reduces the most expected loss, and you can only know that if you've quantified it.
Add to that Gartner's June 2024 forecast that 17% of cyberattacks will involve generative AI by 2027, and Cybersecurity Ventures' 2025 Ransomware Report, which projects that by 2031 the world will see a ransomware attack every two seconds, up sharply from one every eleven seconds in 2021. As attack frequency accelerates this fast, a risk rating you set six months ago is already outdated. CRQ's numbers can be recalculated as new threat data comes in, something a static "high/medium/low" label was never built to do.
There's also a governance angle that's specifically why I find this very compelling. The same IBM 2025 report found that breaches involving unmonitored "shadow AI" added an average of $670,000 in extra cost per incident, and separately, that 63% of organizations still don't have an AI governance policy in place at all. That's not a technical gap; it's a governance gap, and it's exactly the kind of blind spot CRQ is designed to surface. You can't quantify exposure you haven't identified, and most organizations haven't even mapped where their shadow AI risk sits.
Qualitative vs. quantitative, side by side
This is the shift in one picture: a heat map tells you a risk is "high." A loss curve tells you it could cost between $2M and $8M, with a most-likely figure of $4M. One is a color. The other is a number you can actually plan a budget around.
How CRQ actually works
Stripped down, I see it as a seven-step process:
- Know what needs protecting. Identify the systems, data, and business processes that hold the most value, and assign each one a realistic business value.
- Build realistic attack scenarios. Break risks down into real-world attack paths: how they'd unfold, what asset gets hit, and where that leaves the organization most exposed.
- Stress-test your existing controls. Work out whether a given scenario is likely to succeed, and how much damage your current controls can actually absorb.
- Estimate how often it might happen. The goal isn't perfect precision. It's staying directionally accurate enough to make a better-informed decision.
- Put a number on the damage. Translate the impact into quantifiable figures: response costs, fines, downtime, customer loss, reputational harm.
- Model the range of outcomes. Blend your frequency estimates with the financial impact to generate a spread of possible outcomes, from expected losses to worst-case scenarios.
- Turn the insight into action. The step most companies skip: actually using those numbers to decide where the next security dollar goes.
Where it beats the old way
Qualitative risk assessment isn't useless, but it has a ceiling. It relies on subjective judgment, which means two analysts can look at the same risk and rank it differently. CRQ forces consistency. It expresses risk in financial terms that link directly to business impact, which also happens to be the one language every executive in the room already speaks fluently.
This is Not a Silver Bullet, Though
I'll be honest, CRQ has real limitations:
- Data gaps. It depends on historical data and threat intelligence that's often incomplete or hard to validate.
- Messy variables. Translating an incident into an actual dollar figure means wrestling with things like regulatory penalties and reputational damage, which don't model cleanly.
- Choosing the right framework isn't trivial. Monte Carlo, FAIR (Factor Analysis of Information Risk), Annualized Loss Expectancy, Value at Risk: which one fits depends heavily on your organization's size, maturity, and how much good data you actually have.
- Trust takes time. Even with a solid model, getting the C-suite to buy in doesn't happen overnight.
- Threat landscapes shift fast. Yesterday's estimate can go stale quicker than you'd expect.
My take
None of that is a reason to avoid CRQ. It's a reason to adopt it with your eyes open. The businesses that get this right won't be the ones with the fanciest model. They'll be the ones that start small, stay honest about their data's limitations, and keep refining as they go.
What I Recommend to Any Organization Considering This:
- Start with your crown jewels, not your whole environment. Identify the handful of systems and data assets that actually matter most, and quantify those first. Trying to model everything at once is how CRQ projects stall.
- Match your model to your maturity. If you don't have clean historical loss data yet, don't force a complex Monte Carlo simulation. Start with something simpler like Annualized Loss Expectancy and build up.
- Treat your first numbers as directionally right, not gospel. The goal early on is better-informed decisions, not false precision. Communicate confidence levels honestly to leadership.
- Revisit constantly. Attack surfaces and threat actors move fast. A quantification model that isn't updated regularly becomes a liability of its own.
- Use it to bridge IT and the boardroom, not replace judgment. CRQ is most powerful as a translation tool between technical risk and business decision-making, not as a substitute for experienced analysts in the room.
Cyber risk isn't going to get simpler. The organizations that learn to price it accurately, rather than just describe it, are the ones that will actually stay ahead of it.
Where do you land on this? If you're already using CRQ, I'd love to hear which model you started with and what convinced your leadership to trust the numbers. And if your organization is still running on heat maps, I'm curious what's holding the shift back: data, budget, or buy-in? Drop your take and let's have a conversation.
Sources: IBM Cost of a Data Breach Report 2025; StationX Cybersecurity Spending Statistics 2026; Gartner, "Gartner Predicts 17% of Total Cyberattacks Will Involve Generative AI by 2027" (June 2024); Cybersecurity Ventures 2025 Ransomware Report; MetricStream, "A Comprehensive Guide to Cyber Risk Quantification."