Forward-thinking CISOs asked the salespeople in front of them the same three questions last month:
- “How do I prove ROI on security spend to the CFO?”
- “Why do your risk assessments use colours instead of dollars?”
- “How do other companies measure control effectiveness?”
If your buyers are asking these questions and you don't have quantified answers, your communication model is flawed.
The ROI Measurement Crisis
Industry research shows the gap: only 20–39% of enterprises can demonstrate measurable ROI for cybersecurity investments (Gartner 2023; Ponemon Institute 2024). Just 39% of CISOs at large enterprises can show quantifiable returns for even half their security spend.
Meanwhile, 60–80% of budgets are still justified through compliance requirements and subjective risk ratings, not financial outcomes. While other business functions speak in monetary terms, cybersecurity still relies on heatmaps and colour codes.
Why Qualitative Risk Communication Fails
Independent analysis confirms the problem: “purely qualitative analyses are inherently subjective… ratings are subject to bias, poorly defined models, and undefined assumptions” (Safe Security 2024).
Frameworks such as ISO 27005 and NIST use ordinal scales and heatmaps. They cannot answer fundamental business questions: “How do you determine which red risk is the most red?”
This is why boards struggle to trust security investments.
The $230 Million Wake-Up Call
While this hack story is a few years old, it's well documented and a case in point. In December 2015, Russian attackers disrupted Ukraine’s power grid despite deployed firewalls and policies. The breach persisted for months because the utility could not answer:
- “How long does it take us to detect credential theft?”
- “What is our time-to-contain for network intrusions?”
This is exactly the measurement gap that FAIR-CAM addresses by mapping how specific controls reduce the frequency and impact of loss events.
Introducing FAIR-CAM
- FAIR = Factor Analysis of Information Risk → quantifies risk in financial terms (probability × impact).
- CAM (Controls Analytics Model) = extends FAIR by explicitly modelling how resistive controls (which reduce likelihood) and reactive controls (which reduce impact) influence loss event frequency and loss magnitude.
A recent FAIR-CAM analysis of Databricks’ AI Security Framework revealed similar measurement gaps. Despite having more than 60 controls, they could not answer: “What is our confidence level that we detect data exfiltration within SLA?”
Without measurement, control portfolios are theatre.
The FAIR Solution
FAIR (Factor Analysis of Information Risk) removes subjectivity and provides a standard method for quantifying risk in economic terms. It is now recognised as the standard for cyber risk quantification (Safe Security 2024).
A Fortune 500 manufacturer transformed board conversations by implementing FAIR. Instead of “high, medium, low,” they reported:
- “Email security reduces expected annual loss by $3.2M with 78% confidence.”
- “Endpoint detection delivers $4.50 return for every dollar invested.”
- “Backup upgrades prevent £12M in potential ransomware impact.”
The board approved a 35% budget increase because they could compare ROI across security and other business investments.
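To make the FAIR-CAM mechanics described above concrete, and to show how ROI statements like the manufacturer's bullets are derived from ranges rather than point scores, here is an added example; it is not code from the article, the FAIR Institute or any vendor. It assumes triangular distributions over calibrated min/most-likely/max ranges, treats each control as an independent multiplier on loss event frequency (resistive) or loss magnitude (reactive), and uses constructed placeholder figures throughout.

```python
import random
from dataclasses import dataclass
from statistics import mean

@dataclass
class Estimate:
    """Calibrated range (min, most likely, max) rather than a point value."""
    low: float
    mode: float
    high: float
    def expected(self):  # mean of a triangular distribution
        return (self.low + self.mode + self.high) / 3.0
    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Control:
    """FAIR-CAM view: resistive scales LEF down, reactive scales LM down."""
    name: str
    annual_cost: float
    resistive: float = 0.0  # fraction of loss events prevented
    reactive: float = 0.0   # fraction of per-event loss avoided

def control_factors(controls):
    """Combined multipliers on LEF and LM, treating controls as independent."""
    lef_f = lm_f = 1.0
    for c in controls:
        lef_f, lm_f = lef_f * (1 - c.resistive), lm_f * (1 - c.reactive)
    return lef_f, lm_f

def expected_ale(lef, lm, controls=()):
    """Point estimate of annual loss: E[LEF] * E[LM] after control scaling."""
    lef_f, lm_f = control_factors(controls)
    return lef.expected() * lef_f * lm.expected() * lm_f

def roi_summary(lef, lm, controls, confidence=0.8, runs=20000, seed=7):
    """Monte Carlo over the ranges; 'avoided_floor' holds with `confidence`."""
    rng, (lef_f, lm_f) = random.Random(seed), control_factors(controls)
    avoided = sorted(f * m * (1 - lef_f * lm_f) for f, m in
                     ((lef.sample(rng), lm.sample(rng)) for _ in range(runs)))
    cost = sum(c.annual_cost for c in controls)
    return {"expected_avoided": mean(avoided),
            "avoided_floor": avoided[int((1 - confidence) * runs)],
            "return_per_unit": mean(avoided) / cost}

# Constructed scenario (placeholder figures): phishing-led data breach.
PHISHING_LEF = Estimate(0.5, 2.0, 6.0)              # loss events per year
PHISHING_LM = Estimate(50_000, 250_000, 1_500_000)  # loss per event
CONTROLS = [Control("email filtering", 120_000, resistive=0.6),
            Control("EDR + response playbook", 200_000, reactive=0.5)]
```

Calling `roi_summary(PHISHING_LEF, PHISHING_LM, CONTROLS)` yields the three numbers a board slide needs: expected annual loss avoided, the amount avoided with 80% confidence, and return per currency unit spent; widening or narrowing the input ranges shows directly how much of the answer rests on estimation quality.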
The GPT Acceleration Factor
FAIR-CAM running in GPT can now analyse frameworks, map controls, and output measurable gaps in minutes. What once required a specialist quant team now happens in one session.
The technology barrier is gone.
Resolving Objections
When you shift to quantified risk communication, expect resistance:
- “We already use ISO or NIST.”
Those frameworks categorise risks, but they cannot measure ROI. FAIR complements them by adding the quantification layer that enables financial decision-making.
- “Quantification looks too complex.”
GPT analysed 60+ Databricks controls in one session. Complexity is now automated away.
- “We do not have the data.”
FAIR starts with ranges and improves iteratively. The first model is still more defensible than subjective scoring.
- “The board is satisfied with qualitative reporting.”
That may be true today, but regulators and investors are raising the bar. Boards expect security ROI to be measured like any other business investment.
The Market Shift
CISOs and CFOs do not buy features. They buy risk reduction.
FAIR has proven itself with innovators. The early majority is now moving, driven by board pressure for measurable ROI and the accessibility of GPT-enabled quantification. Geoffrey Moore’s Market Development Lifecycle frames it well: this market is crossing the chasm into the mainstream.
Take Action
Do you know how your best customers talk about risk priorities? Our Shift90 methodology begins with customer truth interviews that surface the exact language buyers use to justify investment. From those insights, we create conversational discovery frameworks and customer hero stories that equip sales teams to speak in quantified, buyer-led terms.
Comment with “Customer Truth” and we will share how this works in practice.
The shift to quantified risk communication is underway. The question is whether you will lead or follow.