If you’ve ever watched a CISO present a heat map full of red, yellow, and green squares to a board of directors, you’ve probably also watched what happens next: a long pause, followed by some version of “…so how much do we actually need to spend?”
It’s not that the board doesn’t care about cybersecurity. It’s that a color-coded grid doesn’t answer the question they’re asking. They want to know what a breach would cost, how likely it is, and whether the money they’re spending is reducing that number. High, medium, and low don’t get them there.
The good news is that there’s a better way to frame these conversations — one that trades vague ratings for quantified financial models. The shift isn’t just about better reporting. It’s about making budget planning easier, more effective, and far more likely to get funded.
Where the risk matrix falls short
The traditional risk matrix has been a staple of cybersecurity programs for decades, and it’s easy to see why. It’s simple, it’s visual, and it gives teams a way to categorize threats and communicate priorities at a glance.
But simplicity comes at a cost. When two people look at the same vulnerability and one calls it “high” while the other calls it “medium,” you don’t have a disagreement about risk — you have a measurement problem. Qualitative ratings are inherently subjective, and they collapse a lot of important nuance into a handful of buckets that mean different things to different people.
There’s a deeper issue at play, too. Security professionals are often trained to think in certainties. A system is either safely configured or it’s not. MFA is either required or it isn’t. That binary thinking is essential at the tactical level — when you’re monitoring alerts and responding to incidents, you need clear answers. But it doesn’t translate well to the boardroom, where decisions are made in the language of risk and money, not pass and fail.
This is what some have called the “fortress mindset”: cybersecurity framed as defenders holding off attackers behind walls. It’s a useful metaphor for the people walking the perimeter. But modern businesses aren’t castles. They’re complex, interconnected enterprises that operate in a world of risk and opportunity. And when security leaders show up with a heat map instead of a financial model, they’re stuck on the wrong side of that divide.
The result? Budget conversations stall. Security teams can’t articulate the return on their tools and controls. Boards and CFOs are left guessing at actual exposure, which erodes trust over time. And when two “high” risks compete for the same limited budget, there’s no tiebreaker — just gut instinct and whoever argues louder.
Understanding value at risk
At the center of any quantified approach is a concept called value at risk, or VaR. In simple terms, it’s anything your organization values — cash or its potential equivalents — that it would regret losing.
The traditional cybersecurity approach tries to prevent all incidents, regardless of whether they’d lead to actual financial loss. That’s not only functionally impossible, it’s a massive waste of resources. Most organizations face countless potential threats, but only a handful show up as materially concerning. The rest are noise.
A better approach is to identify the sources of the most probable, plausible losses — the ones that could breach your capital reserves and cause material damage — and understand which threats are most likely to cause them. Quantifying the impact of those plausible losses is how you identify your organization’s value at risk.
This matters because VaR is the concept that everything else depends on. Without it, you may not be able to accurately measure risk transfer, excess risk, risk acceptance, or return on controls. And those are the concepts leadership needs to understand on the path from siloed security programs to integrated cyber resilience.
What quantified risk actually looks like
Once you’ve identified your value at risk, the next step is building a model that translates threats into financial terms. At its core, this means estimating two things: how often a given loss event is likely to occur (loss frequency) and how much it would cost when it does (loss magnitude).
To make those estimates grounded rather than speculative, it helps to think in three layers. First, there are signals: the foundational data points like vulnerabilities, system configurations, and threat intelligence that describe your organization’s risk posture. Then there are triggers: the initial events, like a successful phishing email or compromised credentials, that could set off a damaging chain of events. Finally, there are perils: the concrete types of financial loss that businesses actually experience, like business interruption, extortion, data breach, and fraud.
Together, these layers map technical security data onto real-world financial exposure. Instead of telling the board “we have a high risk of ransomware,” you can say, for example, “based on a modeled analysis of our current posture, we face an estimated $2.4M in probable annual loss from ransomware, and implementing these two controls would reduce that by 60%.”
That’s a conversation a CFO can work with.
It’s also worth noting that you don’t need to quantify every risk to get value from this approach. Most organizations have a small number of exposures that account for the bulk of potential loss. Start there, and the model gets more useful with every iteration.
How this changes budget conversations
One of the most powerful tools in this shift is the Loss Exceedance Curve, or LEC. It’s a visualization that plots probability against potential financial loss, answering the two questions that matter most at the executive level: How likely are we to experience cyber-related losses, and how much could they cost us?
The LEC gives executives a clear picture of what’s at stake across a range of scenarios — not just the worst case, but the range of plausible outcomes. And as security teams implement better controls, the curve shifts downward, providing visible evidence that investments are working.
But knowing your risk isn’t enough. You need to act on it. That’s where a quantified action plan comes in. Rather than presenting the board with a wish list of tools and headcount, each recommended control comes with specific data: how much financial risk reduction it delivers, which signals triggered the recommendation, an estimate of implementation and operational costs, and the return on investment.
This transforms the dynamic in several important ways. Instead of “we need more budget,” you’re saying “here’s the expected loss reduction per dollar spent.” Instead of abstract priority rankings, you’re showing the C-suite exactly what’s covered, what’s not, and what the gap costs in dollar terms. Security spending connects directly to the risk concepts finance and insurance teams already use. And instead of reactive, incident-driven budget requests, you’re enabling multi-year planning that aligns security investments with the organization’s broader risk appetite.
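As an added illustration of the model described above (loss frequency times loss magnitude, the Loss Exceedance Curve, and loss reduction per dollar spent), here is a small Monte Carlo sketch; it is example code written for this page, not the article's or any vendor's model, and the ransomware scenario parameters and control cost are constructed assumptions rather than real claims data.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class LossScenario:
    """One peril expressed as the two quantities the text names: how often a loss
    event occurs (frequency) and how much it costs when it does (magnitude)."""
    name: str
    events_per_year: float  # Poisson rate for loss frequency
    median_loss: float      # median single-event loss in dollars
    sigma: float            # lognormal spread of loss magnitude

def poisson(rate, rng):
    """Sample one year's event count (Knuth's method; fine for small rates)."""
    limit, k, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        k += 1
        product *= rng.random()
    return k

def simulate_annual_losses(s, years=20_000, seed=7):
    """Monte Carlo: each simulated year's total loss is the sum of that year's events."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    return [sum(rng.lognormvariate(mu, s.sigma) for _ in range(poisson(s.events_per_year, rng)))
            for _ in range(years)]

def expected_annual_loss(losses):
    return sum(losses) / len(losses)

def analytic_expected_annual_loss(s):
    """Closed form of the same quantity (rate x mean lognormal loss); a check on the simulation."""
    return s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)

def loss_exceedance_curve(losses, thresholds):
    """P(annual loss > x) at each threshold: the points plotted on a Loss Exceedance Curve."""
    n = len(losses)
    return [(x, sum(1 for loss in losses if loss > x) / n) for x in thresholds]

def reduction_per_dollar(eal_before, eal_after, annual_control_cost):
    """Expected loss avoided per dollar of control spend, the ROI figure the board asks for."""
    return (eal_before - eal_after) / annual_control_cost

# Constructed inputs: a ransomware peril before and after two hypothetical controls
# assumed to halve event frequency and cut per-event loss by 30%. Not real claims data.
BEFORE = LossScenario("ransomware, current posture", 0.8, 500_000, 0.9)
AFTER = LossScenario("ransomware, with controls", 0.4, 350_000, 0.9)
CONTROL_COST = 250_000  # hypothetical combined annual cost of both controls

if __name__ == "__main__":
    before, after = simulate_annual_losses(BEFORE), simulate_annual_losses(AFTER)
    for label, losses in (("before", before), ("after", after)):
        print(f"{label}: expected annual loss ${expected_annual_loss(losses):,.0f}")
        for x, p in loss_exceedance_curve(losses, [250_000, 1_000_000, 5_000_000]):
            print(f"  P(annual loss > ${x:>9,}) = {p:.1%}")
    roi = reduction_per_dollar(expected_annual_loss(before), expected_annual_loss(after), CONTROL_COST)
    print(f"expected loss avoided per control dollar: {roi:.2f}")
```

Swapping in your own frequency and magnitude estimates (from incident history, insurance benchmarks, or your finance team's review) and re-running gives the before/after curve and the per-dollar figure the budget conversation turns on.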
Getting started without boiling the ocean
If this sounds like a heavy lift, it doesn’t have to be. Start with your top three to five exposures: the threats that would cause the most material damage if they hit.
Lean on data sources you likely already have access to: insurance claims history, industry benchmarks, and your own internal incident data. Build a simple model, bring it to your finance team, pressure-test the assumptions together, and iterate. The first version won’t be perfect, and it doesn’t need to be. What matters is that you’re anchoring the conversation in financial reality rather than subjective ratings.
Historical data from the cyber insurance market can also accelerate the process significantly. Because insurers track thousands of real-world claims across every industry, that data can serve as an empirical benchmark for your own models. It allows you to calibrate estimates against actual loss trends in your industry, not just what feels right. This turns what could be seen as speculative numbers into a defensible financial model that holds up under board-level scrutiny.
The risk matrix and the fortress mindset behind it served their purpose for a long time. But the bar has moved. Boards expect financial clarity. CFOs expect ROI. And CISOs who can deliver both — who stop defending the walls and start managing financial risk — become the strategic leaders the business needs them to be.
CISOs who speak in dollars, not colors, are often better positioned to get funded. And they get funded faster.