You Can’t Quantify Risk with a Checkbox | John Feezell on CRQ | Risk in Numbers Podcast Ep. 1
In the inaugural episode of our podcast Risk in Numbers, Greg Spicer from Ostrich Cyber-Risk converses with John Feezell, Associate Partner at Kyndryl, about a growing trend: transitioning from checkbox compliance to financially informed cybersecurity strategies.
With over two decades in cyber risk and compliance, John offers a practical, people-focused perspective, emphasizing the importance of Cyber Risk Quantification (CRQ) for security leaders seeking a place in business discussions.
Listen to the episode here:
Spotify Link.
YouTube Link.
What We Talked About
Limitations of control checklists
While many organizations depend on frameworks like NIST or ISO, John argues these are merely starting points. He describes them as “flotsam in the water” with hidden dangers beneath. Control frameworks may seem safe, but lack of quantification creates a false sense of security.
The dopamine trap in checkbox security
John points out that teams often become addicted to the satisfaction of completing controls, even if those controls do not actually mitigate risks. “It releases dopamine, but the threats remain unchanged.”
CRQ integrates cybersecurity into business discussions
Through CRQ, teams can articulate cybersecurity risks in financial terms, opening dialogues with executives and boards. “Cyber risk evolves into a business risk, not just a technical one.”
Effective prioritization
True prioritization involves collaboration with marketing, legal, and finance, where cyber teams compete for resources with a defensible case—something CRQ supports.
Managing Excitement and Overwhelm
Interestingly, John notes that some organizations become so enthusiastic about CRQ that they attempt to quantify everything at once. His advice? “Start surgically. Achieve small wins before expanding.”
This means applying CRQ to significant decisions, like selecting between two controls or prioritizing vendor assessments out of many.
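To make the "selecting between two controls" decision concrete, here is an added illustration that is not from the episode or from Ostrich: a small Monte Carlo that expresses each option in expected annual loss, using the 90%-confidence-interval-to-lognormal approach popularised by How to Measure Anything in Cybersecurity Risk. The scenario, probabilities, loss ranges and control costs are all constructed placeholders.

```python
import math
import random
from statistics import mean

def lognormal_params(low, high):
    """Turn a 90% confidence interval (5th..95th percentile) on a single-event
    loss into lognormal mu/sigma. 1.645 is the z-score of the 95th percentile."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def simulate_annual_loss(prob_event, loss_low, loss_high, trials=20000, seed=1):
    """Monte Carlo: each trial is one year. The event happens with prob_event and,
    if it does, its loss is drawn from the fitted lognormal.
    Returns (expected annual loss, 90th-percentile annual loss)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    losses = []
    for _ in range(trials):
        loss = rng.lognormvariate(mu, sigma) if rng.random() < prob_event else 0.0
        losses.append(loss)
    losses.sort()
    return mean(losses), losses[int(0.9 * trials)]

def compare_controls(baseline, controls, trials=20000):
    """Rank candidate controls by expected loss reduction minus their yearly cost.
    baseline = (prob_event, loss_low, loss_high); each control carries the residual
    probability/loss assumptions once it is in place, plus its annual cost."""
    base_eal, _ = simulate_annual_loss(*baseline, trials=trials)
    results = {}
    for name, c in controls.items():
        eal, p90 = simulate_annual_loss(c["prob"], c["low"], c["high"], trials=trials)
        results[name] = {
            "expected_annual_loss": eal,
            "p90_annual_loss": p90,
            "net_benefit": (base_eal - eal) - c["cost"],
        }
    return base_eal, results

# Constructed scenario: ransomware in one business unit, two candidate controls.
BASELINE = (0.25, 200_000, 3_000_000)   # 25%/yr; 90% CI on loss $200k..$3M
CONTROLS = {
    "EDR rollout":     {"prob": 0.10, "low": 200_000, "high": 3_000_000, "cost": 100_000},
    "Offline backups": {"prob": 0.25, "low": 50_000,  "high": 600_000,   "cost": 60_000},
}

if __name__ == "__main__":
    base, res = compare_controls(BASELINE, CONTROLS)
    print(f"Baseline expected annual loss: ${base:,.0f}")
    for name, r in sorted(res.items(), key=lambda kv: -kv[1]["net_benefit"]):
        print(f"{name}: EAL ${r['expected_annual_loss']:,.0f}, "
              f"P90 ${r['p90_annual_loss']:,.0f}, net benefit ${r['net_benefit']:,.0f}")
```

The point is the shape of the output rather than the numbers: each option becomes a defensible dollar figure with its own uncertainty, which is the comparison a finance or legal counterpart can argue with.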
The Challenge of Probabilistic Thinking
An unexpected hurdle is our cognitive wiring. John observes that many professionals, even in senior positions, find probabilistic thinking challenging. Resources like How to Measure Anything in Cybersecurity Risk and Thinking in Bets can assist in developing this skill.
Key Takeaways for CISOs and Risk Leaders
CRQ shifts focus from maturity scores to business impact.
It establishes a common language with the board and C-suite.
Quantification focuses on defensibility rather than perfection.
Perfect data isn't necessary to begin.
Start small, find an executive sponsor, and build from there.
Final Thought
John asserts, “CRQ is no longer optional; it’s essential for organizations.”
The best time to begin? Yesterday.
The second-best time? Today.
Curious about how Ostrich assists teams in initiating CRQ? Schedule a demo.