April 22, 2025
The Art and Science of CRQ: Why Practitioners Must Lead the Change
James Hanbury
Global Lead Director, Co-founder

What Shackleton Can Teach Us About Navigating Cyber Risk

Picture this: It’s 1915. Your ship, the Endurance, is trapped in Antarctic ice. You’re thousands of miles from help, and the tools of modern navigation — radar, satellite tracking, GPS — don’t exist. Your decisions must be based on instinct, grit, and a few hand-drawn maps. You’re not just navigating ice — you’re leading people through fear, uncertainty, and doubt.

That was the reality facing Ernest Shackleton over a century ago. And strangely, it’s not so different from where many organisations find themselves with cyber risk today.

Cyber risk is regularly cited as one of the most critical threats facing modern enterprises. Boards ask about it. Regulators scrutinise it. Businesses pour resources into it. And yet — most still can’t say how much risk they have, how that risk is changing, or how cyber compares to other risks. They’re still navigating with instinct and colour-coded heatmaps.

Thankfully, we now have better tools — quantitative methods that provide directionally accurate forecasts of cyber risk, expressed in financial terms. But those tools aren’t enough on their own.

Just like Shackleton, success doesn’t depend only on what’s in the toolkit. It depends on people. Leaders. Change agents.

And in the world of cyber risk, that responsibility falls to the practitioner.

We're at a Crossroads — and the Clock is Ticking

Just like Shackleton couldn't wait for the ice to melt, we can't wait for perfect conditions to modernise how we manage cyber risk.

Despite years of investment, cyber losses are increasing, regulatory scrutiny is broadening, and decision-makers are still asking basic questions that many teams can’t confidently answer. The gap between perceived and actual risk remains wide — while the pressure to close it grows.

More spend isn’t the answer. We need to spend smarter — and CRQ can show us how.

The good news? The tools and methods to do this work are well within reach. Quantification isn't an emerging idea anymore — it's a growing standard. But adoption isn't automatic. Adoption takes leadership. It takes belief. It takes people.

And that puts practitioners in a powerful — and pivotal — position.

We're at a crossroads. One path continues with outdated models and vague metrics. The other leads to clarity, confidence, and meaningful impact. But that second path isn’t the easy one — it demands leadership, courage, and persistence.

The question is: which path will you choose?

Ask yourself:

  1. Can we quantify our top cyber risk scenarios in financial terms?
  2. Can we track how those risks are changing — and what's driving the change?
  3. Are we confident that cyber investment aligns with best risk reduction?

If not, you're not alone — but it means there's work to do.

CRQ Adoption Is a Change Journey

When it comes to embedding CRQ in an organisation, the real challenge isn’t just technical. It’s human.

Which is why it’s helpful to borrow a simple but powerful lens from the world of change management: the ADKAR model. It focuses on how individuals adopt new ways of working — a perfect match for the journey CRQ practitioners are often leading.

1. Awareness: Make the Status Quo Impossible to Ignore

Practitioners are often surrounded by risk frameworks, dashboards, and spreadsheets that look mature — but don’t answer the most important questions.

Take ransomware risk. One team says it’s ‘High’. Another says ‘Medium’. A third maps it to a 2.2 on a capability maturity scale. None of these describe potential loss exposure, or the probability of loss.

Even a simple CRQ model changes that conversation. It makes the gap visible. It builds the case for a better way.

I sometimes describe the current state of cyber risk measurement like this: we’re in the pub car park, throwing darts backwards over our shoulder. We might hit something, but we’ve no idea what.

CRQ doesn’t guarantee a bullseye or treble twenty, but it does something more valuable: it gets us inside the pub facing the dartboard. We’re in the game — generating insights that resemble reality. And that's already better than the alternative.

Try this: Run a light-touch CRQ analysis on a high-interest scenario (e.g. ransomware) and compare it to your current heatmap or RAG score. Keep it simple: a range of expected financial loss and a probability over a one-year period is enough. Use the contrast to start the conversation, not end it. Ask: "Which of these feels more decision-useful?"

2. Desire: Make It Personal, Make It Possible

The desire to change rarely comes from logic alone. Practitioners need to tell stories. They need to show proof that someone else made it work.

Ten years ago, maybe 1 in 10 organisations wanted to talk CRQ with me. Today, it’s more like 9 in 10. The tools have matured, but more importantly, the mindset has shifted. Boards want better answers. CFOs want smarter investment logic. Practitioners want to spend time where it counts.

Belief is contagious — show that it works, and others will follow.

Try this: Share a success story that mirrors your organisation's context — whether it’s a peer company that improved investment efficiency or an internal example where CRQ supported a smart trade-off. Focus less on how the model works, and more on how it helped someone make a better decision.

3. Knowledge: Lower the Barriers to Learning

One reason CRQ adoption has accelerated is that it’s simply more accessible. The FAIR model is well-established. SaaS tools mean you don’t need mathematics experts. And learning can happen one scenario and use case at a time.

Still, knowledge must be shared. Practitioners are often the first to get it — but to succeed, they need to become translators and guides.

Try this: Hold a short 'CRQ 101' session using a live demo or simple walkthrough of one scenario. Use visuals like loss exceedance curves or a risk summary dashboard. Avoid acronyms and formulae — focus on what the analysis tells us, not how it's calculated. End by offering a next step: "If you have a scenario in mind, I can help you model it".

4. Ability: Practising the Art and the Science

This is where CRQ’s art and science come together.

The science is real: probability theory, data modelling, impact estimation. But the art matters just as much — telling the story behind the numbers. Knowing when less detail communicates more.

As Einstein said: “If you can't explain it simply, you don't understand it well enough.” And as da Vinci put it: “Simplicity is the ultimate sophistication.”

That's the bar. Not just accurate models, but accessible ones.

Try this: Before presenting results, challenge yourself: Can I explain it in 60 seconds, on one slide? What decision does it inform? What's the headline? What are the limitations and why can the insights still be relied upon? If it’s not clear, refine. Simplicity isn't dumbing down; it's sharpening up.

5. Reinforcement: Make It Stick by Making It Useful

Ultimately, CRQ needs to live in real decisions — not just sit in reports. Budgeting, supplier reviews, investment prioritisation, board conversations. These are the proving grounds I covered in Blog #2.

Every time someone uses a CRQ insight to make a better decision, you’re reinforcing the value. That’s what turns method into muscle.

Try this: Pick one live decision (a renewal, an onboarding, a budget ask) and apply CRQ thinking. What's the potential financial exposure? What's the effect of a control uplift? Frame it around the decision-maker's goal. Then, follow up: "Was this helpful? Should we do it again?"
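The "Try this" steps under Awareness (a loss range plus a one-year probability) and Reinforcement (the effect of a control uplift) can be sketched in a few lines of Python. This is an added example, not the author's model or any vendor's tool. It assumes at most one event per year and a lognormal loss, and every input figure is constructed for illustration.

```python
"""Light-touch CRQ sketch: one scenario, one-year horizon (added example)."""
import random
from math import log
from statistics import NormalDist

# z-score bounding a central 90% interval (5th to 95th percentile).
Z90 = NormalDist().inv_cdf(0.95)


def lognormal_params(low, high):
    """Turn a 90% confidence range for loss into lognormal (mu, sigma).

    Assumption: loss given an event is lognormal (skewed, strictly
    positive), with low/high as its 5th and 95th percentiles.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (log(low) + log(high)) / 2
    sigma = (log(high) - log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(p_event, low, high, trials=50_000, seed=7):
    """Simulate one-year losses; each trial has at most one event."""
    if not 0 <= p_event <= 1:
        raise ValueError("p_event must be a probability")
    mu, sigma = lognormal_params(low, high)
    rng = random.Random(seed)  # fixed seed so a rerun gives the same numbers
    return [
        rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
        for _ in range(trials)
    ]


def exceedance(losses, threshold):
    """Share of simulated years with loss above threshold.

    Evaluated over many thresholds this traces a loss exceedance curve.
    """
    return sum(loss > threshold for loss in losses) / len(losses)


def summarise(losses):
    """Headline figures for a one-slide summary."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,
        "p95": ordered[int(0.95 * n)],
        "p_any_loss": exceedance(ordered, 0.0),
        "p_over_1m": exceedance(ordered, 1_000_000),
    }


# Constructed inputs for a ransomware scenario (not real data):
# 15% chance of an event in the year, loss between 200k and 5M if it happens.
BASELINE = {"p_event": 0.15, "low": 200_000, "high": 5_000_000}
# Hypothetical control uplift that cuts the annual probability to 5%.
WITH_CONTROL = {"p_event": 0.05, "low": 200_000, "high": 5_000_000}


def compare(baseline=BASELINE, with_control=WITH_CONTROL):
    """Return (before, after, reduction in mean annual loss)."""
    before = summarise(simulate_annual_loss(**baseline))
    after = summarise(simulate_annual_loss(**with_control))
    return before, after, before["mean"] - after["mean"]


if __name__ == "__main__":
    before, after, saved = compare()
    for label, result in (("baseline", before), ("with control", after)):
        print(f"{label:>12}: mean {result['mean']:>10,.0f}  "
              f"P(loss > 1M) {result['p_over_1m']:.1%}")
    print(f"mean annual loss reduced by {saved:,.0f}")
```

Set the mean reduction against the annual cost of the control to get the cost-benefit figure, and put the exceedance probabilities next to the existing heatmap rating for the same scenario.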

What It Means to Be a Change Agent

ADKAR gives us a framework for explaining how change happens — but driving change takes something more. It takes people willing to lead it.

Change is rarely neat or linear. It’s messy. It’s human. It involves setbacks, course corrections, and the need to bring others with you — often more than once.

That's why successful CRQ programmes don't just rely on methods or models. They rely on practitioners who act as change agents.

And while every organisation is different, the most effective change agents I've seen share three traits:

1. Boldness

Challenge the status quo, even when it's uncomfortable.

  • Run a directional CRQ model without waiting for perfect data.
  • Contrast CRQ estimates with heatmaps to spark healthy tension.
  • Ask direct questions: What's the potential cost-benefit of making this investment?

2. Empathy

Understand where others are starting from.

  • Listen closely to what your CFO, CRO, or CIO actually needs.
  • Tailor outputs with stories, analogies, and simple visuals.
  • Acknowledge resistance — and find ways to bring people in.

3. Resilience

Keep going when momentum slows.

  • Reframe after pushback: "Let’s make it more relevant together."
  • Capture small wins — and share them regularly.
  • Find allies who can champion the message when you're not in the room.

Lead the Way

CRQ isn’t plug-and-play — and that’s a good thing. Shackleton didn’t survive the ice with better maps — he made it through with boldness, empathy, and resilience.

That's the spirit cyber risk needs today. It's not just a technical discipline — it's a human one. The science gives us the rigour; the art makes it usable, persuasive, and real. And it takes practitioners — not tools, not frameworks — to bring that combination to life inside organisations.

Because at its core, CRQ is both a discipline and a craft — one that blends art and science, and depends on practitioners to lead the way.

Next Up: CRQ Working Principles That Drive Adoption

This post has been about the mindset CRQ practitioners need to lead change. The next will focus on the working principles that make CRQ programmes effective in practice. If mindset is the engine of change, then principles are the steering wheel.

In the next post, I’ll outline six essential principles — from prioritising accuracy over precision, to embracing iteration, to collaborating early and often.

In the meantime, if you're ready to take the first step — or need help bringing others with you — we'd love to support you.

Read the next blog in the series

Six Principles of Effective CRQ: How to Build an Engine That Lasts

In this article, I’ll share six working principles I’ve found essential for embedding CRQ in a way that sticks — not just as a project, but as a true business capability.