Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Quantifying cyber risk for strategic business alignment

by Rob Mealey, Director of Data Science

Shifting from fortress thinking to strategic business alignment

In Resilience’s recent webinar, “Quantifying Cyber Risk for Strategic Business Alignment” (which I hosted along with my colleagues Eric Woelfel, Senior Cybersecurity Engineer, and Erica Leise, Senior Security Engineer), we wanted to tackle a common—and often limiting—mindset in cybersecurity. It’s a mindset I’ve seen again and again in my decade and a half building machine learning and AI systems for cybersecurity applications, and one that has sometimes made collaborating with cybersecurity experts around those systems more challenging.

Security experts tend to think in certainties. A system is either safely configured—or it’s not. MFA is either required—or it’s not. From the perspective of frontline security teams, this is a necessary way of thinking. When you’re actively protecting assets, monitoring perimeters, or responding to incidents, binary thinking can be essential. Either the walls hold, or they don’t.

It’s no wonder that the fortress metaphor has become so deeply ingrained in our field. It’s useful, especially for those at the tactical level—the people manning the gates and walking the walls. It frames their work in clear, relatable terms: defenders holding off attackers.

But metaphors, even useful ones, have limits. And this particular metaphor starts to break down when you zoom out to the modern CISO’s perspective.

Understanding the modern CISO’s reality

The logical endpoint of the cybersecurity-as-fortress mindset is a view where every organization is under constant siege. And from the vantage point of a modern CISO, that’s exactly how it can feel — every day is a new battle; every shift a new wave of attackers.

But here’s the thing: modern businesses aren’t castles. They’re not medieval fortresses. They are complex, interconnected enterprises operating in a world of risk and opportunity. And in that world, the language of business isn’t walls and weapons: it’s risk and money.

That shift — from thinking about defending the walls to managing risk and financial exposure — is at the heart of how Resilience approaches cyber risk quantification (CRQ), and it’s exactly what we explored in the webinar.

From certainty to risk management

One of the biggest challenges for security leaders is learning to operate in the gray space of uncertainty. In security, we often want to predict the future, to be right all the time, to prevent every incident. But that’s not the goal.

Our real goal is to make informed, efficient decisions under uncertainty: to anticipate and mitigate as much as possible, while recognizing that some level of risk will always remain. We want to forecast and quantify, so we can prioritize resources where they’ll do the most good — not just in terms of technical coverage, but in terms of financial and operational impact.

That’s where quantifying cyber risk comes in.

Translating security work into the language of business

Cyber threats aren’t as neatly predictable as earthquakes or hurricanes, but they do follow patterns. With the right data, experts, and systems, we can spot those patterns and use them to translate security work into business terms.

At Resilience, we break that process down into signals, triggers, and perils — three layers that help us model risk more accurately:

  • Signals are the foundational data — vulnerabilities, system configurations, threat intelligence — that describe an organization’s risk posture.
  • Triggers are the initial events, like a successful phishing email or compromised credentials, that could set off a damaging chain of events.
  • Perils are the concrete types of financial loss businesses experience: business interruption, extortion, data breach, and fraud.

Together, these layers give us a way to map technical security data onto real-world financial exposure — the language business leaders and board members understand.

Two tools for the modern CISO: the Loss Exceedance Curve and the Quantified Cyber Action Plan

One of the tools we use to bridge this gap is the Loss Exceedance Curve (LEC). It’s a powerful visualization that answers two essential questions:

  • How likely are we to experience cyber-related losses?
  • How much could those losses cost us?

The LEC plots probability against potential financial loss, giving leadership a clear picture of what’s at stake. And as security teams implement better controls, the curve shifts downward — lowering both the likelihood and severity of major incidents.

Of course, knowing your risk isn’t enough — you need to act on it. That’s why we developed the Quantified Cyber Action Plan (QCAP). It takes the financial risk data from the platform and translates it into a prioritized action plan.

Each recommended control comes with clear, quantified data:

  • How much financial risk reduction it delivers.
  • Which signals triggered the recommendation.
  • An opportunity to estimate costs for implementation, maintenance, and operations.
  • And — crucially — the return on investment (ROI), so security leaders can make the case for funding in business terms.

The goal isn’t to eliminate every possible risk — that’s impossible. The goal is to make smarter, more efficient investments that reduce the likelihood of catastrophic financial loss.
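As an added illustration, not code from the webinar or from the Resilience platform, here is a toy Monte Carlo model of the Loss Exceedance Curve described above, together with the ROI figure a QCAP-style recommendation would report. The loss thresholds, the Poisson trigger frequency, the lognormal peril severity, the control that blocks 60% of triggers and its $150k annual cost are all constructed assumptions.

```python
import math
import random

THRESHOLDS = [100_000, 500_000, 1_000_000, 5_000_000, 10_000_000]  # USD, constructed

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler, adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_years(years: int, freq: float, sev_median: float,
                   sev_sigma: float, seed: int = 7) -> list[list[float]]:
    """Baseline posture: per year, the per-incident losses. Triggers/year ~ Poisson(freq); peril cost ~ lognormal."""
    rng = random.Random(seed)
    mu = math.log(sev_median)  # lognormal median = exp(mu)
    return [[rng.lognormvariate(mu, sev_sigma) for _ in range(poisson(rng, freq))]
            for _ in range(years)]

def apply_control(events: list[list[float]], blocked: float,
                  seed: int = 11) -> list[list[float]]:
    """Hypothetical control that stops a fraction of triggers. Coupled to the
    baseline years, so each year's loss can only fall and the LEC only shifts down."""
    rng = random.Random(seed)
    return [[loss for loss in year if rng.random() >= blocked] for year in events]

def exceedance_curve(events: list[list[float]]) -> dict[int, float]:
    """LEC points: P(annual loss > threshold) for each threshold."""
    totals = [sum(year) for year in events]
    return {t: sum(x > t for x in totals) / len(totals) for t in THRESHOLDS}

def expected_annual_loss(events: list[list[float]]) -> float:
    return sum(map(sum, events)) / len(events)

def control_roi(baseline: list[list[float]], controlled: list[list[float]],
                annual_cost: float) -> float:
    """QCAP-style figure: net risk reduction per dollar of annual control cost."""
    reduction = expected_annual_loss(baseline) - expected_annual_loss(controlled)
    return (reduction - annual_cost) / annual_cost

if __name__ == "__main__":
    base = simulate_years(20_000, freq=0.8, sev_median=250_000, sev_sigma=1.2)
    ctrl = apply_control(base, blocked=0.6)  # constructed: e.g. MFA stopping 60% of credential triggers
    for (t, p0), p1 in zip(exceedance_curve(base).items(), exceedance_curve(ctrl).values()):
        print(f"P(annual loss > {t:>10,}): {p0:.3f} -> {p1:.3f}")
    print(f"ROI at $150k/yr control cost: {control_roi(base, ctrl, 150_000):.2f}")
```

Reading the two curves side by side shows the downward shift the post describes; the ROI line is the figure that lets the same control be argued for in budget terms.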

Bringing security and finance together

Ultimately, the fortress mindset isolates security from the rest of the organization. It makes cybersecurity seem like a war being fought at the gates, disconnected from the business itself.

Quantifying cyber risk changes that narrative. It gives security leaders a common language to engage with finance, risk management, and the executive team. It helps them show how security investments protect revenue, safeguard operations, and preserve the organization’s reputation — all in terms business leaders already understand.

This is the kind of alignment CISOs need, and it’s the kind of alignment we’re building into the Resilience platform.

The key takeaway from the webinar — and from my work at Resilience — is this:
We’re not here to predict the future, or to stop every possible incident. We’re here to help businesses make smarter, faster decisions in an uncertain world.

That means translating security work into business terms, so CISOs can stop feeling like they’re defending a fortress under siege — and start feeling like the strategic risk managers they truly are.

If you want to see how Resilience helps organizations quantify, manage, and transfer cyber risk, check out our platform or join us for one of our upcoming webinars.
