Last month, a forward-thinking CISO asked the salespeople pitching to them the same three questions:
If your buyers are asking these questions and you don't have quantified answers, your communication model is flawed.
Industry research shows the gap: only 20–39% of enterprises can demonstrate measurable ROI for cybersecurity investments (Gartner 2023; Ponemon Institute 2024). Just 39% of CISOs at large enterprises can show quantifiable returns for even half their security spend.
Meanwhile, 60–80% of budgets are still justified through compliance requirements and subjective risk ratings, not financial outcomes. While other business functions speak in monetary terms, cybersecurity still relies on heatmaps and colour codes.
Independent analysis confirms the problem: “purely qualitative analyses are inherently subjective… ratings are subject to bias, poorly defined models, and undefined assumptions” (Safe Security 2024).
Risk frameworks such as ISO 27005 and NIST's risk assessment guidance are usually applied with ordinal scales and heatmaps. An ordinal rating says that one risk is "higher" than another but not by how much, so it cannot be added, ranked against a budget line or answer a fundamental business question: "How do you determine which red risk is the most red?"
This is why boards struggle to trust security investments.
The story is a few years old, but it is well documented and a case in point. In December 2015, attackers attributed to Russia disrupted Ukraine's power grid despite deployed firewalls and policies. The attackers had been inside the network for months before the outage, and the intrusion went unchecked because the utility could not answer:
This is exactly the measurement gap that FAIR-CAM (the FAIR Controls Analytics Model) addresses, by mapping how specific controls reduce the frequency and magnitude of loss events.
A recent FAIR-CAM analysis of Databricks' AI Security Framework revealed similar measurement gaps. Despite the framework listing more than 60 controls, it could not answer: "What is our confidence level that we detect data exfiltration within SLA?"
Without measurement, control portfolios are theatre.
FAIR (Factor Analysis of Information Risk) reduces subjectivity by making every estimate and assumption explicit, and provides a standard method for quantifying risk in economic terms: expected loss per year, expressed as a range rather than a colour. It is now recognised as the standard for cyber risk quantification (Safe Security 2024).
A Fortune 500 manufacturer transformed board conversations by implementing FAIR. Instead of “high, medium, low,” they reported:
The board approved a 35% budget increase because they could compare ROI across security and other business investments.
FAIR-CAM running in GPT can now analyse frameworks, map controls, and output measurable gaps in minutes. What once required a specialist quant team now happens in one session.
The technology barrier is gone.
When you shift to quantified risk communication, expect resistance:
Those frameworks categorise risks, but they cannot measure ROI. FAIR complements them by adding the quantification layer that enables financial decision-making.
GPT analysed 60+ Databricks controls in one session. The mechanical complexity of the model is now automated; what remains for the team is supplying calibrated estimates.
FAIR starts with calibrated ranges (low, most likely, high) rather than point values, and the estimates are refined as incident and control data accumulate. Even the first model is more defensible than subjective scoring, because every assumption is written down and can be challenged.
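To make the "ranges, not colours" point concrete, here is a small FAIR-style Monte Carlo. It is an added example, not code from the page, from the FAIR standard or from any FAIR-CAM tooling, and it simplifies FAIR to its two top-level factors. Assumptions: loss event frequency (LEF, events per year) and loss magnitude (LM, currency per event) are each given as a low / most-likely / high estimate sampled from a triangular distribution; the number of loss events in a year is Poisson at the sampled rate; a control is modelled as a multiplier on LEF and/or LM plus an annualised cost. The scenario and control figures are constructed.

```python
"""Added example: a FAIR-style Monte Carlo that turns calibrated ranges into
annualised loss exposure (ALE) and a return-on-security-investment figure.

Illustrative code, not FAIR's reference method. Assumptions: LEF and LM are
low / most-likely / high estimates sampled from a triangular distribution; the
number of loss events per year is Poisson at the sampled rate; a control is a
multiplier on LEF and/or LM plus an annual cost. All figures are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: the analyst's low, most-likely and high values."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's argument order is (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR's top-level terms."""
    name: str
    lef: Estimate  # loss events per year
    lm: Estimate   # loss per event, in currency units


@dataclass(frozen=True)
class Control:
    """A control's effect: it scales LEF and/or LM and costs money every year."""
    name: str
    annual_cost: float
    lef_multiplier: float = 1.0  # 0.4 means the control cuts LEF by 60%
    lm_multiplier: float = 1.0   # 0.5 means each event costs half as much


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of events in one year at the given rate."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, control: Optional[Control] = None,
             iterations: int = 20_000, seed: int = 7) -> List[float]:
    """Return one simulated annual loss per iteration (seeded, so repeatable)."""
    rng = random.Random(seed)
    lef_mult = control.lef_multiplier if control else 1.0
    lm_mult = control.lm_multiplier if control else 1.0
    losses = []
    for _ in range(iterations):
        events = poisson(rng, scenario.lef.sample(rng) * lef_mult)
        losses.append(sum(scenario.lm.sample(rng) * lm_mult for _ in range(events)))
    return losses


def summarise(losses: List[float]) -> Dict[str, float]:
    """ALE (mean annual loss) plus the median and 90th-percentile year."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"ale": statistics.fmean(losses), "p50": pct(0.50), "p90": pct(0.90)}


def rosi(scenario: Scenario, control: Control, **kw) -> Dict[str, float]:
    """Return on security investment: (ALE reduction - annual cost) / annual cost."""
    before = summarise(simulate(scenario, None, **kw))["ale"]
    after = summarise(simulate(scenario, control, **kw))["ale"]
    return {"ale_before": before, "ale_after": after,
            "rosi": (before - after - control.annual_cost) / control.annual_cost}


if __name__ == "__main__":
    # Constructed scenario: exfiltration of customer data from an analytics platform.
    exfil = Scenario("customer data exfiltration",
                     lef=Estimate(0.5, 1.0, 3.0),
                     lm=Estimate(50_000, 200_000, 1_000_000))
    # Two constructed candidate controls: one preventive, one detective.
    segmentation = Control("network segmentation", 150_000, lef_multiplier=0.4)
    fast_detect = Control("exfil detection within SLA", 90_000, lm_multiplier=0.5)
    print(summarise(simulate(exfil)))
    for control in (segmentation, fast_detect):
        print(control.name, rosi(exfil, control))
```

Two things the block shows that the prose does not. First, the output is a distribution: the median year and the 90th-percentile year can differ by an order of magnitude, which is the information a heatmap throws away. Second, the ROSI figure is only as good as the multipliers assigned to each control, and estimating those multipliers from evidence is precisely the job FAIR-CAM exists to do. The full FAIR model further decomposes LEF into threat event frequency and vulnerability, and LM into primary and secondary loss, and practitioners typically use PERT rather than triangular sampling; the structure above is the same, with more factors.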
That may be true today, but regulators and investors are raising the bar. Boards expect security ROI to be measured like any other business investment.
CISOs and CFOs do not buy features. They buy risk reduction.
FAIR has proven itself with innovators. The early majority is now moving, driven by board pressure for measurable ROI and the accessibility of GPT-enabled quantification. Geoffrey Moore's Technology Adoption Life Cycle frames it well: this market is crossing the chasm into the mainstream.
Do you know how your best customers talk about risk priorities? Our Shift90 methodology begins with customer truth interviews that surface the exact language buyers use to justify investment. From those insights, we create conversational discovery frameworks and customer hero stories that equip sales teams to speak in quantified, buyer-led terms.
Comment with “Customer Truth” and we will share how this works in practice.
The shift to quantified risk communication is underway. The question is whether you will lead or follow.