Logan Daley

Your Board Does Not Understand Cyber Risk


Sekuro presents a multi-part blog series on why current risk management practices for cyber risk are letting us down. We’ll focus on key problems of generic risk matrices, how to better present, manage, and treat cyber risk, where to improve your current risk management program, and some key lessons learned from supporting dozens of organisations on handling cyber risk.

A Familiar Situation

Here’s a scenario many of us know well. In your average Australian organisation, the quarterly board meeting runs half a day or more, and everything gets discussed, including risk. But while risk may be the elephant in the room, it’s rarely addressed properly. It’s just a line item on a packed agenda. And while boards may speak the language of risk, they speak it in different dialects.

Then it’s time for cyber security. The CISO has spent hours preparing: rehearsing the talk, fine-tuning the slides, pulling together a pre-reading pack. But the risk register on the screen reduces their work to a couple of vague line items that say nothing about the risks the business actually faces. The board decides one risk is fine while questioning the spend to fix another. The nuance and magnitude are lost somewhere between declining share value and stepladder safety. Everyone nods, a box gets ticked to keep the auditors happy, and the agenda moves on. From a cyber perspective, nothing changed.

Defeated, the CISO trudges back to their desk, caught between frustration and a desperate need to make a difference, because they know these risks deserve more than a table on a slide. At the centre of it sits a risk framework and matrix that did its job and failed spectacularly, all at once. The way I see it, generic frameworks fail in three big ways: they misunderstand where security investment creates value, they lack selective quantification, and they get risk statements wrong in how they’re written, communicated, and treated. Let’s take a look at a relatable situation where significant security investment did not demonstrate the real value it delivered.

A Real-World Example

A mid-sized Australian financial services business made the case, secured the budget, and committed the resources needed for a genuine security uplift programme. They then spent two years deploying network segmentation, application control, and privileged access management, and re-jigging processes, all the while fighting to keep going alongside their other obligations, including business-as-usual (BAU) work.

To me, that is not a modest achievement. In fact, this is a tremendous gain that most organisations simply cannot achieve for whatever reason (or excuse) they may have. This amazing outcome is the kind of thing shared at the pub or at a conference that can make peers and leaders envious.

The reality of this effort is a capability that reduces the likelihood to ‘Rare,’ leaving most attackers dead in the water and moving on to softer, easier targets (like those envious folks we just mentioned). The CISO who led this effort and the team that built it should be presenting to the board with confidence, pointing to a residual risk profile that reflects real, sustained, deliberate investment. This is the kind of outcome people win awards for or at least get a shout-out for in the all-hands meeting.

Instead, the risk register looks back at two years of exceptional work and returns a residual risk rating of ‘Medium,’ the cell you land in when a ‘Rare’ likelihood is combined with a ‘Severe’ consequence, which is less than ideal and even a bit disappointing. Not because the organisation is still broadly exposed (it isn’t) but because the matrix cannot distinguish between an organisation that has done nothing and one that has built something approaching best practice, so long as the consequence column still reads severe.

[Figure: 5x5 cyber risk matrix example]

Ransomware, for example, remains a severe consequence whether you have done everything right or nothing at all, and the framework treats both situations identically. The CISO cannot demonstrate the ROI because the rating refuses to budge from ‘Medium,’ and the board, seeing that rating, reasonably assumes the problem is broadly unresolved and that a lot of money was wasted.

To the board, ‘Low’ is good and anything higher equals unresolved, which is precisely how the same matrix can breed false comfort in one risk and unwarranted alarm in another. Future investment cases get measured against an unfair register that implies the previous spend barely moved the needle.

An organisation that has worked hard and earned the right to carry a genuinely low residual risk rating instead sees their CISO sitting in a budget review meeting, defending why it needs more money. I get it because I’ve been there. That is the framework working exactly as designed. That is precisely the problem, and it is the foundation on which the deeper failures that follow are built. I’ll dig into the first now and cover the others across this series.

Failure One: Misunderstanding where security investment creates value.

In most traditional risk domains, investment reduces both the likelihood and the consequence of an event, but in my view, cyber security does not work that way. In most cases, once a breach occurs, the consequence of the completed event is fixed at the point of the event. You cannot un-exfiltrate data. You cannot un-encrypt files. No post-breach investment changes what happened.

I must make a precise distinction here: investment in detection and response capability can, in some circumstances, interrupt an event before it fully completes, like stopping an exfiltration mid-transfer before all data has left the environment. This is not consequence reduction in the traditional sense; it is likelihood reduction applied at a finer grain that reduces the probability that the event reaches its worst-case outcome. Once the event has occurred, even in part, the consequence is locked in. Whether it’s a hundred files or a million, it’s still a data breach.

The risk framework must be capable of reflecting this distinction rather than collapsing it into a general assumption that response investment reduces consequence after the fact, because it does not. For most cyber risks, significant programmes of work and financial investment will only reduce likelihood, not consequence. While there certainly are instances where consequence can be reduced, they are rare, much harder to achieve, and less impactful than traditional risk matrices lead us to believe. The cyber risk framework must be built to reflect that reality rather than assume otherwise.

A generic enterprise risk framework built on the assumption that investment reduces both likelihood and consequence will consistently misrepresent the return on security spending, undervalue preventive controls, and give the board the wrong answer almost every time. And because the framework presents that answer with apparent confidence and rigour, the board accepts it and moves on. Not because they are negligent, but because nothing in the process signals that the answer is wrong.
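To make the ‘Rare’ × ‘Severe’ = ‘Medium’ problem from the financial services example and the likelihood-only point of Failure One concrete, here is a small worked example. It is added for this article and is not a tool or figure from Sekuro or the organisation described; the band labels, the score thresholds that define Low/Medium/High/Extreme, the indicative annual probabilities and the $10 million loss figure are all assumptions constructed for illustration. It rates the same ransomware risk before and after an uplift that moves likelihood from ‘Likely’ to ‘Rare’ while consequence stays ‘Severe’, and puts the qualitative matrix result beside a likelihood-weighted expected loss so the value the matrix hides is visible.

```python
"""Qualitative 5x5 risk matrix versus likelihood-weighted expected loss.

Added example. Labels, thresholds, annual probabilities and loss figures
are constructed assumptions, not the article's matrix or data.
"""
from dataclasses import dataclass

# Ordinal scales, scored 1..5 from left to right (assumed convention).
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# Assumed band ceilings on the product likelihood x consequence (1..25).
# Rare (1) x Severe (5) = 5 lands in 'Medium', matching the article's scenario.
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]

# Assumed indicative annual probability behind each likelihood label.
ANNUAL_PROBABILITY = {
    "Rare": 0.05,
    "Unlikely": 0.10,
    "Possible": 0.25,
    "Likely": 0.50,
    "Almost Certain": 0.90,
}


def matrix_score(likelihood: str, consequence: str) -> int:
    """Product of the two ordinal positions, as a generic matrix computes it."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def matrix_rating(likelihood: str, consequence: str) -> str:
    """Map the product score onto the qualitative band."""
    score = matrix_score(likelihood, consequence)
    for ceiling, label in BANDS:
        if score <= ceiling:
            return label
    raise ValueError(f"score {score} outside the matrix")


def lowest_reachable_rating(consequence: str) -> str:
    """The residual-rating floor: the best any likelihood reduction can do
    while the consequence column is held fixed."""
    return matrix_rating("Rare", consequence)


def expected_annual_loss(likelihood: str, loss_if_occurs: float) -> float:
    """Likelihood-weighted view: annual probability x loss when it happens."""
    return ANNUAL_PROBABILITY[likelihood] * loss_if_occurs


@dataclass
class RiskView:
    likelihood: str
    consequence: str
    rating: str
    expected_loss: float


def assess(likelihood: str, consequence: str, loss_if_occurs: float) -> RiskView:
    return RiskView(
        likelihood,
        consequence,
        matrix_rating(likelihood, consequence),
        expected_annual_loss(likelihood, loss_if_occurs),
    )


def uplift_summary(before: str, after: str, consequence: str, loss_if_occurs: float) -> dict:
    """Compare the matrix rating and expected loss before and after an uplift
    that changes only likelihood (consequence is locked in, per the article)."""
    b = assess(before, consequence, loss_if_occurs)
    a = assess(after, consequence, loss_if_occurs)
    return {
        "rating_before": b.rating,
        "rating_after": a.rating,
        "rating_floor": lowest_reachable_rating(consequence),
        "expected_loss_before": b.expected_loss,
        "expected_loss_after": a.expected_loss,
        # Fraction of expected loss removed by the uplift.
        "loss_reduction": 1 - a.expected_loss / b.expected_loss,
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware, $10M loss if it completes, two years of
    # uplift moving likelihood from 'Likely' to 'Rare'.
    summary = uplift_summary("Likely", "Rare", "Severe", 10_000_000.0)
    for key, value in summary.items():
        print(f"{key:>21}: {value}")
```

With the assumed figures the expected annual loss falls by 90 per cent, yet the matrix can only report ‘Extreme’ moving to ‘Medium’, and `lowest_reachable_rating("Severe")` shows that ‘Medium’ is the floor: no amount of likelihood reduction will ever produce the ‘Low’ the board reads as resolved while consequence stays ‘Severe’.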

Quick Summary: Unlike traditional risk domains, cyber security investment rarely reduces consequence, because once a breach occurs the damage is largely locked in; meaningful gains sit in likelihood reduction. Yet generic enterprise risk frameworks assume spending lowers both likelihood and consequence, so an organisation that has invested years in genuine uplift still rates ‘Medium’ simply because ransomware or similar remains severe. The matrix cannot distinguish best practice from inaction, leaving CISOs unable to demonstrate ROI and boards wrongly concluding the money was wasted.

Lesson Learned: A cyber risk framework that weights both likelihood and consequence equally will systematically undervalue prevention, setting the stage for the deeper failures that follow.

Now ask yourself this question: Is your risk framework telling you the truth about your cyber investment? If your board is still measuring years of hard-won security uplift against a matrix that cannot tell best practice from inaction, it is time to change the conversation. Sekuro has helped many organisations rethink how cyber risk is quantified, presented, and treated, so their investments in security are recognised for the value they genuinely deliver. Get in touch with our team to find out how we can help you build out an approach that reflects reality and stay tuned for the next article in this series.

In the next article of this series, we’ll explore the second failure: the absence of selective quantification and why putting numbers on some cyber risks (but not all) changes the conversation a board is willing to have.


Logan Daley

Senior Strategy & Architecture Consultant

Logan is a senior cyber security leader with more than 30 years’ experience helping organisations reduce risk, strengthen governance, meet regulatory expectations, and make confident decisions in complex environments.
