New Video: Cyber Risk Quantification (CRQ)

The End of Heatmaps?

Originally published in the Simply Cyber Academy Blog

If you'd like to elevate your cybersecurity risk assessments from the BOGSAT method (a Bunch of Guys or Gals Sitting Around And Talking) to Cyber Risk Quantification (CRQ), serial recovering CISO Richard Seiersen is a great follow. I put what I learned from his book "How to Measure Anything in Cybersecurity Risk" (co-authored with Douglas Hubbard) and his CRQ workshop on a page, and asked him to check for blind spots in this super fun interview. Check it out if you've ever sat through a risk assessment meeting that felt like navigating a Ouija board, and wanted a better way.

Everything Is Measurable: The Foundation for Cyber Risk Quantification

Like many in GRC, I'd been struggling with the challenge of quantifying cyber risk. The data we want can seem impossible to get. And the data we have could be a distraction from what really matters. Each security domain is a profession in itself, and there are at least nine other reasons why it's complicated. But Richard's approach cuts through that complexity.

It turns out that you have more data than you think, and you need less than you think.

Start with Concept, Not Method

Richard breaks down how to measure anything (including cybersecurity risk) into three parts: concept, object, and method. It's tempting to jump straight to method - buying tools, hiring data scientists, building dashboards. But that's putting the cart before the horse.

You start with concept: What are you trying to measure and why? What does the business stand to lose?

A problem well-defined is a problem half-solved

Charles Kettering

Snap a Chalkline of Measurement: Baselines

With a sense of what matters to protect and enable the business, we set a baseline for what will be measured. Against that baseline we can measure trends and variances to target. Is risk:

  • Decelerating?

  • Improving?

  • Accelerating?

  • Achieving?

  • Scaling? 

Don't just send a report with actuals. Compare them to a trend or target to answer these questions.

Set Objectives in Three Metric Classes

What we measure to show improvements in our cyber resilience capabilities will fall into three metric classes: coverage, configuration and capability.

If you're looking for a pick list of cybersecurity Key Performance Indicators and Key Risk Indicators to put in those classes, Richard notes that the Center for Internet Security publishes one, but he generally doesn't believe in a pick list approach. Start with what you need to protect and enable and decompose from there.

Three Simple Measures That Matter

Information Security is a system, right? One of the most practical cyber risk quantification frameworks Richard shared was surprisingly simple. To understand risk in any system, track three metrics:

With these and just two timestamps per risk item, you can build a measurement system that will be valuable in management decision making.
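Here is what a "two timestamps per risk item" measurement system looks like in practice, as an added example that is not from the post or from Richard's material. Each risk item carries only an opened date and a closed date (or none if still open). From those two fields the script derives monthly arrivals, departures (closures), net flow, end-of-month backlog and the median age of what is still open, then does what the Baselines section asks: compares each month's actuals to the prior month's trend and to a target instead of just reporting the numbers. The risk items and the backlog target are constructed sample data, and the choice of which derived metrics to track and how to label the trend is my assumption, not something the post specifies.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data (not from the post): one risk item per row, carrying only
# the two timestamps the post says you need. closed=None means still open.
RISK_ITEMS = [
    ("R-1", date(2024, 1, 5), date(2024, 1, 20)),
    ("R-2", date(2024, 1, 12), date(2024, 2, 15)),
    ("R-3", date(2024, 1, 28), None),
    ("R-4", date(2024, 2, 3), date(2024, 2, 10)),
    ("R-5", date(2024, 2, 20), None),
    ("R-6", date(2024, 3, 2), date(2024, 3, 30)),
    ("R-7", date(2024, 3, 9), None),
    ("R-8", date(2024, 3, 25), None),
]


def month_end(year, month):
    """Last calendar day of the given month (handles December and leap years)."""
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def arrivals(items, year, month):
    """How many risk items were opened in the month."""
    return sum(1 for _, opened, _ in items if (opened.year, opened.month) == (year, month))


def departures(items, year, month):
    """How many risk items were closed in the month."""
    return sum(1 for _, _, closed in items
               if closed is not None and (closed.year, closed.month) == (year, month))


def open_items(items, as_of):
    """Items that were still open at the end of day `as_of`."""
    return [it for it in items if it[1] <= as_of and (it[2] is None or it[2] > as_of)]


def backlog(items, as_of):
    return len(open_items(items, as_of))


def median_age_days(items, as_of):
    """Median age of the open backlog; 0 when nothing is open."""
    ages = [(as_of - opened).days for _, opened, _ in open_items(items, as_of)]
    return median(ages) if ages else 0


def month_report(items, year, month):
    """Actuals for one month, all derived from the two timestamps."""
    end = month_end(year, month)
    a, d = arrivals(items, year, month), departures(items, year, month)
    return {"month": f"{year}-{month:02d}", "arrivals": a, "departures": d,
            "net_flow": a - d, "backlog": backlog(items, end),
            "median_age_days": median_age_days(items, end)}


def assess(current, previous, backlog_target):
    """Answer the Baselines questions: vs trend (previous month) and vs target.
    Labels are my assumption: backlog falling = improving; backlog rising with net
    flow not slowing = accelerating; rising but slowing = decelerating."""
    if current["backlog"] < previous["backlog"]:
        trend = "improving"
    elif current["backlog"] > previous["backlog"]:
        trend = "accelerating" if current["net_flow"] >= previous["net_flow"] else "decelerating"
    else:
        trend = "flat"
    return {"trend": trend, "on_target": current["backlog"] <= backlog_target}


def quarterly_report(items, months, backlog_target):
    """Monthly actuals plus trend/target assessment from the second month on."""
    reports = [month_report(items, y, m) for y, m in months]
    for prev, cur in zip(reports, reports[1:]):
        cur.update(assess(cur, prev, backlog_target))
    return reports


if __name__ == "__main__":
    for row in quarterly_report(RISK_ITEMS, [(2024, 1), (2024, 2), (2024, 3)], backlog_target=3):
        print(row)
```

The point of `assess` is the last sentence of the Baselines section: the report never ships a bare backlog number, it ships the number next to last month's and next to the target, so a reader can tell at a glance whether risk is accelerating or being worked down.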

Richard's next point about cyber risk quantification was also super interesting. He challenged the common complaint in security that "the business doesn't know its risk tolerance."

Your Business Already Knows Its Risk Tolerance

Every business already has mathematically precise expressions of risk tolerance. They're in your insurance policies and capital reserves. That cyber insurance limit? That's your CFO putting a number on how much unexpected loss they're willing to transfer. Those capital reserves? That's for handling what insurance doesn't cover. The business has been managing risk tolerance for centuries - we just need to learn their language.
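To make that concrete, here is an added example (mine, not from the post or from Richard) of reading the insurance limit and capital reserves as a risk tolerance and checking a quantified loss estimate against them. Each loss scenario is described the way CRQ practitioners commonly do it (and the way the Hubbard/Seiersen book models it): an annual probability of occurrence plus a 90% confidence interval on the loss size, which is turned into a lognormal severity distribution. A Monte Carlo run of many simulated years then gives the probability that annual loss exceeds the insurance limit (what the CFO agreed to transfer) and the probability it exceeds limit plus reserves (what the business has decided it can absorb). The scenarios, limit and reserve figures are constructed numbers.

```python
import math
import random

# Constructed scenarios (not from the post): (annual probability, 90% CI lower, 90% CI upper).
SCENARIOS = [
    (0.10, 50_000, 2_000_000),     # e.g. ransomware outage
    (0.30, 10_000, 250_000),       # e.g. business email compromise
    (0.05, 500_000, 20_000_000),   # e.g. regulated data breach
]
INSURANCE_LIMIT = 5_000_000   # constructed: cyber policy limit
CAPITAL_RESERVES = 2_000_000  # constructed: what the business retains beyond the policy


def lognormal_params(lower, upper):
    """Map a 90% CI on loss size to lognormal (mu, sigma): the interval spans
    +/-1.645 standard deviations of ln(loss), i.e. 3.29 sigma end to end."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / 3.29
    return mu, sigma


def simulate_annual_loss(scenarios, trials, seed=1):
    """Simulate `trials` years; each scenario either happens (Bernoulli) and draws a
    lognormal loss, or does not. Returns the list of total annual losses."""
    rng = random.Random(seed)
    params = [(p, *lognormal_params(lo, hi)) for p, lo, hi in scenarios]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def exceedance_probability(losses, threshold):
    """Fraction of simulated years in which loss exceeded the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """The (threshold, P(loss > threshold)) points that replace a heatmap."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def tolerance_check(losses, limit, reserves):
    """Compare the simulation to the tolerance the business already wrote down."""
    return {
        "p_exceeds_insurance_limit": exceedance_probability(losses, limit),
        "p_exceeds_limit_plus_reserves": exceedance_probability(losses, limit + reserves),
        "p_any_loss": exceedance_probability(losses, 0),
    }


if __name__ == "__main__":
    years = simulate_annual_loss(SCENARIOS, trials=20_000)
    for threshold, prob in loss_exceedance_curve(years, [1e5, 1e6, 5e6, 1e7, 5e7]):
        print(f"P(annual loss > ${threshold:>12,.0f}) = {prob:.3f}")
    print(tolerance_check(years, INSURANCE_LIMIT, CAPITAL_RESERVES))
```

The output is in the same units the CFO uses, so the conversation becomes "we have an X% chance per year of blowing through the policy and the reserve" rather than an argument over which cell of a heatmap a scenario belongs in.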

Richard's approach to strategy, borrowed from Roger Martin (another great follow and, coincidentally, a hometown hero for me), was particularly enlightening. Strategy isn't about getting more budget for your department. It's about making trade-offs with your peers where those trade-offs hurt. Someone gets resources, someone doesn't. If you're not making those kinds of decisions collaboratively with other executives, you're not being strategic.

The 90-Second Board Presentation

Richard's first board presentation to GE when Jeff Immelt was chairman? 90 seconds. No drama. No budget requests. Just updates on pre-socialized decisions. The secret? A risk committee that meets monthly with representatives from legal, finance, and business units. By the time you reach the board, everyone's already aligned.

Watch the Video for More Highlights

Richard goes deep into:

  • Vendor hot takes on Monte Carlo simulations

  • How to move from tactical to strategic thinking

  • The future of Risk Operations Centers

  • Why he wants heat maps to die (and what to use instead)

If you're ready to transform your GRC practice to be more like chemistry and less like alchemy, this conversation is your starting point. Richard shows that the path from BOGSAT to CRQ isn't as complicated as we make it - we just need to ask better questions.

Are you ready to measure what matters?