Why Context is King in Cyber Risk Quantification: Key Webinar Takeaways

May 16, 2025

In cybersecurity, the most complex problems often do not have neat solutions. But in a recent conversation with veteran CISO Ed Amoroso and Balbix CEO and Founder Gaurav Banga, one thing was clear: we’re past the point where “we tried our best” is enough. Accountability, quantification, and context are now table stakes for any organization serious about managing cyber risk.

Here are four big takeaways from our chat that shed light on how security leaders can use Cyber Risk Quantification (CRQ) to gain clarity, prioritize effectively, and drive progress, even when resources are limited.

Grounding CRQ in Context Unlocks Actionability

The conversation started with a powerful idea: grounding AI and automation in real-world context is the key to making cyber risk quantification actionable. It’s not enough to assign a score to an issue—security leaders need to understand why it matters, what to do about it, and what’s feasible given budget or operational constraints.

Before any AI or automation can help, context is needed. As Gaurav mentioned, “You have to ground the algorithms in actual context and facts. That grounding is probably the single most important thing you can do.”

Without context, a risk score is just a number. Grounded in your environment—your assets, business priorities, security controls, and constraints—it becomes a decision-making tool.

That’s how CRQ drives real outcomes. It helps teams ask: What’s the best I can do given my constraints? What’s the residual risk I’m accepting? And how do I communicate that tradeoff clearly to leadership?
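The questions above can be made concrete with a small model. The following Python is an added illustration written for this article, not code from the webinar or from the Balbix platform: it scores each asset with an annualized-loss-style formula (likelihood, reduced by existing controls, times loss, weighted by business priority), then picks remediations greedily by risk reduction per dollar until a budget runs out, and reports the residual risk that is being accepted. The asset names, likelihoods, loss figures, control effectiveness values, remediation costs and the budget are all constructed sample inputs, and the formula and greedy selection are assumptions of this example rather than Balbix's methodology.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One asset with the context needed to turn a raw score into a decision."""
    name: str
    business_weight: float       # relative business priority (assumption: 1.0 = baseline)
    annual_likelihood: float     # chance of a material compromise per year, before controls
    loss_if_compromised: float   # loss in dollars if it happens (constructed sample value)
    control_effectiveness: float # fraction of likelihood removed by controls already in place

    def annualized_loss(self) -> float:
        """Residual likelihood x loss x business weight (ALE-style formula, an assumption)."""
        residual_likelihood = self.annual_likelihood * (1.0 - self.control_effectiveness)
        return residual_likelihood * self.loss_if_compromised * self.business_weight

    def with_remediation(self, likelihood_reduction: float) -> "Asset":
        """Stack a new control on the existing ones: what remains is the product of what each lets through."""
        new_eff = 1.0 - (1.0 - self.control_effectiveness) * (1.0 - likelihood_reduction)
        return replace(self, control_effectiveness=new_eff)


@dataclass(frozen=True)
class Remediation:
    asset: str
    description: str
    cost: float
    likelihood_reduction: float  # fraction of the asset's residual likelihood this removes


def total_risk(assets: dict) -> float:
    return sum(a.annualized_loss() for a in assets.values())


def plan_under_budget(assets: dict, remediations: list, budget: float):
    """Greedy plan: repeatedly take the affordable remediation with the best
    risk reduction per dollar, recomputing marginal value each round because
    fixes on the same asset overlap. Returns (chosen, spent, residual_risk)."""
    assets = dict(assets)
    remaining = list(remediations)
    chosen, spent = [], 0.0
    while True:
        best, best_ratio = None, 0.0
        for r in remaining:
            if r.cost > budget - spent:
                continue  # the constraint: cannot afford this one right now
            before = assets[r.asset].annualized_loss()
            after = assets[r.asset].with_remediation(r.likelihood_reduction).annualized_loss()
            ratio = (before - after) / r.cost
            if ratio > best_ratio:
                best, best_ratio = r, ratio
        if best is None:
            break
        assets[best.asset] = assets[best.asset].with_remediation(best.likelihood_reduction)
        chosen.append(best)
        spent += best.cost
        remaining.remove(best)
    return chosen, spent, total_risk(assets)


# Constructed sample environment (not real data).
SAMPLE_ASSETS = {
    "customer-db":    Asset("customer-db",    3.0, 0.40, 500_000, 0.50),
    "marketing-site": Asset("marketing-site", 1.0, 0.60,  50_000, 0.00),
    "build-server":   Asset("build-server",   2.0, 0.30, 200_000, 0.25),
}
SAMPLE_REMEDIATIONS = [
    Remediation("customer-db",    "enforce MFA on admin access", 20_000, 0.5),
    Remediation("customer-db",    "clear patch backlog on DB hosts", 30_000, 0.4),
    Remediation("marketing-site", "deploy WAF",                   15_000, 0.5),
    Remediation("build-server",   "isolate build network",        10_000, 0.6),
]
SAMPLE_BUDGET = 50_000


if __name__ == "__main__":
    baseline = total_risk(SAMPLE_ASSETS)
    chosen, spent, residual = plan_under_budget(SAMPLE_ASSETS, SAMPLE_REMEDIATIONS, SAMPLE_BUDGET)
    print(f"baseline annualized risk: ${baseline:,.0f}")
    for r in chosen:
        print(f"  do: {r.description} ({r.asset}) for ${r.cost:,.0f}")
    print(f"spent ${spent:,.0f} of ${SAMPLE_BUDGET:,.0f}; residual risk accepted: ${residual:,.0f}")
```

Two things the output makes visible that a bare score does not: the same raw vulnerability on the customer database and on the marketing site gets very different priority once business weight and existing controls are in the formula, and the unfunded remediation is listed as a residual-risk figure in dollars, which is the tradeoff statement leadership can actually react to.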

Yes, CRQ Makes You Accountable—and That’s a Good Thing

One surprising challenge with CRQ is the fear of accountability. When you show a number and an action plan, it becomes yours. Unlike technical dashboards full of raw alerts, quantification is explicit. Ed framed this as a healthy shift that separates mature programs from the rest.

“If you’ve been in the job five years and your numbers haven’t improved, that’s going to show. And the data is what it is—it’s the great truth serum,” Ed said. “The AI’s not going to fudge your numbers just because you want them to look better.”

That’s the value of CRQ. It’s a mirror. It shows progress, or lack thereof, and gives CISOs the tools to take ownership of risk in business terms. It can feel intimidating, especially in the early stages. However, over time, it builds trust with stakeholders and boards who increasingly expect this level of transparency.

Maturity Is a Mindset, Not a Milestone

One of the biggest myths about CRQ is that it’s only for “mature” organizations. Ed pushed back hard on this idea.

“Then who is mature enough?” he asked. “The State Department? They get hacked all the time. Big banks? They’ve had terrible incidents. I’ve seen tiny SMBs with incredibly mature programs, and giant enterprises that are a complete mess.”

In reality, CRQ is how you build maturity. Measuring your attack surface, understanding likelihood, and quantifying potential losses help an organization become more effective over time.

Maturity isn’t about having a certain budget or team size. It’s about making informed decisions and being willing to measure what matters. In fact, many small or mid-sized businesses run highly mature programs because they prioritize clarity and focus. Conversely, some large enterprises—with all their funding—still operate in silos and struggle with risk visibility.

“Nobody thinks their program is perfect. Everybody is at some point in the journey. How do you think you get to maturity? You get there by acting like one.”

So, if you think you’re not ready for CRQ, that’s probably a signal that you need it the most. Start small. Focus on what you can measure and improve. Maturity follows action, not the other way around.

No Budget? Time to Think Like a CIO

The final question was the most familiar: What if you want to do CRQ but don’t have a budget?

Ed didn’t mince words. “You have to rationalize and consolidate. This is where CISOs need to learn CIO economics. There’s no room for fluff.”

That means eliminating redundant tools, sunsetting platforms that don’t deliver value, and avoiding overbuying for features you don’t need. It also means ensuring the tools you invest in provide cross-functional insights, like helping security, IT, and business teams speak the same language about risk.

Efficiency isn’t just about saving money—it’s about creating space in the budget for what matters most. When risk is clearly quantified, it becomes much easier to justify spending to leadership.

CRQ, Context, and Confidence—with Balbix

Cyber risk quantification isn’t just a reporting tool. It’s a path to maturity, a framework for accountability, and a powerful way to connect technical controls with business decisions.

Balbix helps organizations precisely quantify cyber risk, grounded in real-time data about your assets, vulnerabilities, likelihoods, controls, and business impact. Our platform provides clear, contextualized guidance so you can prioritize what matters, take action confidently, and prove your progress.

Whether starting your CRQ journey or scaling it across your enterprise, Balbix helps you get there faster and smarter.