CRQ in action

Six principles of effective CRQ: How to build an engine that lasts

Published on April 29, 2025

Last week, we explored the mindset needed to lead change in cyber risk. This included the boldness to challenge the status quo, the empathy to meet people where they are, and the resilience to keep going when momentum stalls.

Indeed, mindset is essential, but mindset alone isn’t enough.

Shackleton (see Blog #3 for context) didn’t survive the ice with spirit alone. He paired it with discipline, shaped by clear principles that guided every decision.

The same is true for CRQ. If mindset is the engine of change, principles are the steering wheel.

Take, for example, the Wright brothers. When others failed to conquer flight, Wilbur and Orville succeeded through iteration, ingenuity, and scientific curiosity. They built their own wind tunnels when the existing data wasn’t good enough. They tested, learned, and refined hundreds of times. They knew mastering flight wasn’t about one breakthrough, but instead was about putting the right principles into practice and sticking to them. In doing so, they mastered the four key forces of flight: lift, weight, thrust, and drag.

I think that's the kind of discipline CRQ needs today.

In this article, I’ll share six working principles I’ve found essential for embedding CRQ in a way that sticks — not just as a project, but as a true business capability.


1. Focus on Accuracy Over Precision

In cyber risk, we often have incomplete data, shifting threats, and uncertain consequences. Precision can be tempting — the allure of decimal points and tightly bounded ranges — but if those figures don’t reflect reality, they can mislead more than they inform.

Accuracy, by contrast, means being directionally right enough to support a decision.

I think a good parallel comes from healthcare. In an emergency, paramedics don’t wait for complete information. They stabilise the patient based on high-probability indicators such as airway, breathing, and circulation. They don't wait for perfect diagnostic certainty, as this would waste precious time.

Of course, cyber risk decisions are rarely life-and-death in the same way but the principle holds. When uncertainty is unavoidable, we shouldn’t let perfect be the enemy of good enough.

In CRQ, the goal isn’t to eliminate uncertainty — it’s to understand it, work with it, and move forward from it.

Practical tip:

When reviewing CRQ results, ask: Is this insight clear and reliable enough to inform a real decision? If yes, move forward. If not, sharpen the assumptions that matter most — not every variable.


2. Start Simple, Learn Fast

The temptation to overcomplicate early is real. Sometimes we may want to build the perfect model, factor in every dependency, capture every scenario. However, too much complexity can stall momentum and discourage the iterative learning CRQ needs.

The better approach? Start simple. Build a model that’s good enough to inform a decision. Share it, listen to stakeholders, and make refinements.

Waiting for the perfect model delays the real value: building trust, shaping smarter decisions, and embedding quantification into the fabric of risk management.

Practical tip:

When designing your first CRQ outputs, focus on answering one meaningful question clearly. Then ask your audience: “What’s the next most important thing you’d like to understand?” Let those questions guide your next iteration.


3. Be Decision-Driven

Despite what the articles in this series might suggest, my first professional passion wasn’t cyber risk — it was flying.

While studying at Warwick, I joined the University Air Squadron system, aiming to fly for the Royal Air Force. It was a fantastic opportunity and one that gave me lifelong friends and taught me many useful lessons.

One of the first lessons of airmanship we learned was simple: Aviate, Navigate, Communicate — in that order. Fly the plane first, then work out where you are, then call for help if needed.

The logic was simply to focus first on the critical objective — keeping the aircraft safely in the air, with everything else coming second.

This is the same discipline CRQ needs. When you’re deep in analysis, it's easy to lose sight of the real goal. But no matter how sophisticated the model, the mission stays simple: inform better decisions.

Practical tip:

Before you start modelling, write down: “This analysis is intended to inform [specific decision].” If you can’t answer that clearly, you might not be ready to start.


4. Communicate in Business Terms

In Blog #2, I talked about why clear, relevant communication is critical to making CRQ results useful. This principle builds on that: if the insight isn’t framed in business terms, it won’t land.

Decision-makers don’t want model mechanics. They want clear, confident answers to questions like:

  • What could this cost us?
  • How likely is it?
  • How does it impact our goals?
  • What are our best options?

I've shared some examples in the table below of how small shifts in language can make a big difference.

Practical tip:

Before presenting CRQ results, ask: “If I had to explain this insight to our CFO over a coffee — no slides, no jargon — how would I do it?” If it isn’t clear, refine until it is.


5. Collaborate Early and Often

CRQ isn’t a solo effort. Even the best model can fall flat if you don’t engage the right people early — not just to inform the work, but to strengthen it.

In cyber risk, where uncertainty is high and perfect data is rare, collective knowledge is crucial.

That’s why techniques like calibrated expert judgment matter so much. This is something I'm personally a big proponent of.

As How to Measure Anything in Cybersecurity Risk highlights (Chapter 7, 2nd edition), good collaboration isn't guesswork — it's improved through techniques like:

  • Repetition and feedback: Estimate, review outcomes, refine future estimates.
  • Equivalent bets: Ask: “Would I rather bet on my estimate, or take a 90% chance of winning another bet?” If you hesitate, widen your range.
  • Two pros and two cons: Force yourself to list two reasons why your estimate might be too high — and two why it might be too low.
  • Avoid anchoring: Treat lower and upper bounds as two separate questions to avoid gravitating around a biased midpoint.
  • Reversing the anchor: Start wide, narrow down by excluding implausible values — the “absurdity test”.

At every stage — from scoping to estimating frequency, impact, or cost-benefit — collaboration strengthens CRQ. Bring stakeholders in early and use calibration techniques to make estimates stronger, not just louder.
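The repetition-and-feedback and equivalent-bet techniques above only work if someone actually scores past ranges against what happened. The following is an added example (not code from the post or from CRI) of that scoring step: it takes a batch of 90% confidence ranges an estimator gave, checks how many contained the value later observed, and reads a hit rate well below 90% as a sign the ranges were too narrow. The class, function names and the ten sample estimates are all constructed for illustration.

```python
# Added example (not from the post): score a batch of 90% confidence ranges
# against the values later observed, so the estimator learns whether their
# ranges are too narrow before the next round, as repetition-and-feedback needs.
from dataclasses import dataclass, replace
from math import sqrt

@dataclass(frozen=True)
class RangeEstimate:
    question: str
    low: float     # lower bound of the stated 90% range
    high: float    # upper bound of the stated 90% range
    actual: float  # value observed after the fact

    def hit(self) -> bool:
        return self.low <= self.actual <= self.high

def hit_rate(estimates) -> float:
    return sum(e.hit() for e in estimates) / len(estimates)

def calibration_verdict(estimates, confidence=0.90) -> str:
    """Hits from n well-calibrated ranges are Binomial(n, confidence); a count
    more than two standard deviations below the mean reads as overconfidence,
    above as underconfidence. Ten questions at 90% can never exceed the upper
    threshold (10.9 hits), so small batches only ever reveal overconfidence."""
    n, hits = len(estimates), sum(e.hit() for e in estimates)
    expected, sd = confidence * n, sqrt(n * confidence * (1 - confidence))
    if hits < expected - 2 * sd:
        return "overconfident"
    if hits > expected + 2 * sd:
        return "underconfident"
    return "consistent"

def widen(estimate: RangeEstimate, factor: float = 2.0) -> RangeEstimate:
    """Widen multiplicatively (loss figures are positive and right-skewed): what
    the equivalent-bet test calls for when you would rather take the 90% bet."""
    return replace(estimate, low=estimate.low / factor, high=estimate.high * factor)

# Constructed sample: ten ranges an analyst gave, with the values later observed.
SAMPLE_ESTIMATES = [
    RangeEstimate("Hours to restore ERP after ransomware", 24, 72, 96),
    RangeEstimate("Records exposed in a phishing-led breach", 1000, 5000, 3200),
    RangeEstimate("External IR cost for a major incident (GBP)", 50000, 150000, 210000),
    RangeEstimate("Days of regulator correspondence after a breach", 5, 30, 12),
    RangeEstimate("Phishing emails reaching inboxes per month", 200, 800, 1500),
    RangeEstimate("Mean patch lag for critical CVEs (days)", 7, 21, 14),
    RangeEstimate("Cost of a week of e-commerce downtime (GBP)", 100000, 300000, 90000),
    RangeEstimate("Critical vendor outages per year", 1, 4, 2),
    RangeEstimate("SOC analyst hours per major incident", 40, 120, 160),
    RangeEstimate("Successful credential-stuffing logins per quarter", 10, 50, 25),
]
```

On the constructed sample only five of ten ranges contain the observed value, which the binomial check reads as overconfidence; doubling every range in both directions brings all ten inside, consistent with a 90% claim for a batch this small.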

Practical tip:

Before starting, map three groups:

  1. Knowledge holders: operational, financial, legal, and technical experts.
  2. Challengers: people who spot gaps and test assumptions.
  3. Decision-makers: those who must act.


6. Prioritise Transparency to Build Trust

One of the fastest ways to lose trust in CRQ is to hide how the numbers were reached.

If stakeholders can't see the logic behind the estimates, even the best model feels inaccessible, which will breed scepticism.

Transparency doesn't mean overwhelming people with detail. It means being open enough that the logic is visible, even if every formula isn't.

Here are some simple ways you can stay transparent:

  • Explain how estimates were developed (e.g., expert workshops, incident data).
  • Highlight key assumptions and gaps.
  • Be upfront about uncertainty (remember the accuracy over precision principle).
  • Use plain language alongside visuals, and avoid acronyms and technical jargon.

It might feel counterintuitive, but acknowledging uncertainty builds credibility rather than eroding it.

Practical tip:

Frame CRQ outputs into three buckets:

  1. Knowns: past data, observable facts.
  2. Assumptions: estimates based on expert judgement.
  3. Uncertainties: areas of volatility or ambiguity.


Principles in Practice

Mindset gives CRQ its momentum, but principles give it direction.

It’s easy to treat CRQ as a project: model a few scenarios, build some dashboards, deliver a few insights. However, if we want CRQ to truly change how cyber risk is understood and managed, it needs to become a discipline that is embedded into everyday thinking.

Following the principles I've laid out above isn’t about rigid rules. It’s about building better habits that make CRQ stronger, more trusted, and more decision-relevant over time.

It's the same spirit that enabled the Wright brothers to master flight — relentless learning, disciplined iteration, and trust in core principles.

Author
James Hanbury
Global Lead Director, Co-founder
James is the co-founder and Global Lead Director of CRI. He has spent over a decade working with cyber and risk teams, helping them bring more structure and clarity to how cyber risk is measured and communicated. James began building the earliest versions of CRI's models back in 2016, using Excel to explore how organisations could approach cyber risk in a more decision-focused way. That work has since grown into a SaaS-enabled capability now used by clients around the world. Based in London, James continues to work closely with CRI's clients and partners, focusing on how to make cyber risk quantification useful, explainable, and easier to adopt in practice.