Webinar Recap: How Zero Trust and Cyber Risk Quantification Work Together

In our latest webinar with the FAIR™ Institute, we explored a timely question: “Zero Trust in CRQ, or CRQ in Zero Trust?” It wasn’t just a play on words. The conversation, led by John Linford (The Open Group) and Hasan Yasar (Carnegie Mellon University), unpacked how these two concepts—often treated as separate—actually reinforce each other when applied together.

The session was hosted by FAIR Institute’s Luke Bader and moderated by Ostrich Cyber Risk co-founder Greg Spicer.

You can view the recording here.

What We Covered

The panel dug into what Zero Trust really means (beyond the buzzword), how Cyber Risk Quantification (CRQ) adds structure to decision-making, and how organizations can bring the two together for smarter, more defensible cyber strategies. A few core topics stood out:

  • Why Zero Trust is an approach, not a tool—and how it shifts security closer to the asset

  • Why CRQ is essential to prioritize protections that matter most

  • The role of data: where to find it, how to use it, and what to do when it’s incomplete

  • How FAIR™ and Zero Trust can support the same business goals when used together

  • Why culture and collaboration are the biggest barriers to success—not the tech

Zero Trust Needs CRQ to Be Meaningful

As John put it, “Zero Trust is about protecting what matters—but you can’t protect what you don’t understand.” That’s where CRQ comes in. If Zero Trust tells you to focus on high-value assets, CRQ gives you a way to define and prioritize those assets based on potential financial impact.

Hasan added that we’ve been spending millions on tools, but still seeing breaches. “Security isn’t failing because of lack of investment—it’s failing because we’re not prioritizing well,” he said. Risk quantification helps shift that.

CRQ Needs Zero Trust to Be Operational

On the flip side, CRQ isn’t meant to sit in a spreadsheet. The data needs to inform how organizations design their security models and implement controls. Zero Trust gives you that framework. Together, they bridge the gap between analysis and action.

It All Comes Back to Culture

Both panelists were clear: the biggest hurdle isn’t methodology—it’s mindset. Shifting from reactive, perimeter-based thinking to proactive, asset-focused protection means changing how teams work, communicate, and prioritize.

Their advice?

  • Don’t wait for perfect data—start with what you have

  • Make it collaborative: risk, security, and business teams need to talk early and often

  • Build trust: if security is always seen as the blocker, people won’t come to you until it’s too late

  • Start with high-impact assets and decisions. You don’t have to quantify everything—just what moves the needle

Final Thought

There’s no such thing as “Zero Trust in CRQ” today—but there should be. These aren’t competing strategies. When combined, they help organizations simplify security, focus on what matters, and make risk-informed decisions with confidence.

“Security is a team sport. If you make it hard to do, people will go around it.” – John Linford

Want to see how Ostrich helps teams bring CRQ to life inside a Zero Trust model? Get in touch with us or schedule a demo.
