It’s a tough truth, but worth acknowledging: for years, many of us in cyber security and IT have relied on risk assessments that don’t measure up to the real threats we face.
Most of us have seen it before. Spreadsheets filled with colour-coded charts and tidy matrices showing likelihood and impact.
We wrap it all in governance processes and call it ‘risk management’. But if we’re honest, too often it’s more an exercise in comfort than a clear decision-making tool.
This isn’t a new debate. In my 30-plus years in security, I’ve seen how vague assumptions can cause real damage – whether in business operations, reputation or the bottom line.
And now, with growing threats against critical infrastructure, and increasingly complex regulatory requirements, it’s time we take a closer look at how we manage cyber risk before it’s too late.
The problem with the usual approach
Most cyber risk assessments today still follow a one-size-fits-all approach.
They tick boxes and help justify budgets, but they rarely provide meaningful, evidence-based insights for decision-makers.
If the goal is to decide where to invest, that’s fine – but let’s not pretend a heatmap alone makes it a scientific process. It’s time to shift our thinking.
We can either get serious about quantifying risk, or accept that traditional methods alone don’t cut it anymore.
Better data, better decisions
If we’re going to keep using risk-based frameworks, we need better quality data feeding into them. This means:
- Using real threat intelligence, not stale assumptions
- Measuring threat actors’ capabilities more accurately
- Understanding the real likelihood of specific threats
- Continuously updating this information, not once a year
It’s not easy. High-quality data on actual adversaries and breach costs isn’t always readily available. But new tools can help – from external attack surface management, to continuous vulnerability scanning that considers real compensating controls.
Moving from guesswork to clarity
Imagine a scenario where, instead of saying “high risk”, your team can tell you:
“We face an estimated $3.6 million exposure over the next month from a sophisticated threat actor, based on live breach data and sector-specific trends.”
That’s the level of clarity boards and executives need. It translates technical risk into clear business impact, with enough detail for security teams to act, and enough context for leadership to make informed investment decisions.
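To make the contrast between a heatmap rating and a quantified exposure concrete, here is an added example (not Kinetic IT’s tooling or the author’s own method) of the kind of calculation that produces a figure like the one above. It assumes a FAIR-style model: threat events arrive at a Poisson rate per month, and the loss from each event follows a lognormal distribution calibrated from a median and a 90th-percentile estimate. Both scenarios, their rates and their loss figures are constructed for illustration; in practice they would come from the threat intelligence and breach data the list above describes. The same two scenarios are also scored on a conventional 5x5 likelihood/impact grid to show how much information the grid discards.

```python
"""Added example: quantified monthly loss exposure versus a heatmap cell.

FAIR-style Monte Carlo with only the standard library. All scenario
inputs are constructed for illustration, not real breach data.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_month: float  # threat event frequency (Poisson rate)
    loss_median: float       # per-event loss, median (lognormal)
    loss_p90: float          # per-event loss, 90th percentile

    def lognormal_params(self):
        """Back out (mu, sigma) of ln(loss) from the median and P90."""
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z90
        return mu, sigma

    def analytic_expected_loss(self, months=1):
        """Closed form: rate * E[loss], E[loss] = exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return months * self.events_per_month * math.exp(mu + sigma ** 2 / 2)


def poisson(lam, rng):
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, months=1, trials=20000, seed=1):
    """Monte Carlo loss distribution for one scenario over `months`."""
    rng = random.Random(seed)
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(trials):
        n = poisson(scenario.events_per_month * months, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return {
        "expected": sum(losses) / trials,
        "p50": losses[int(0.50 * trials)],
        "p90": losses[int(0.90 * trials)],
        "p95": losses[int(0.95 * trials)],
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def band(value, thresholds):
    """1..5 ordinal band: 1 plus the number of thresholds reached."""
    return 1 + sum(value >= t for t in thresholds)


def heatmap_cell(scenario, months=1):
    """Conventional 5x5 grid: likelihood of >=1 event, impact by P90 loss.

    Thresholds are an assumed house convention, not a standard.
    """
    p_any = 1 - math.exp(-scenario.events_per_month * months)
    likelihood = band(p_any, (0.05, 0.20, 0.50, 0.80))
    impact = band(scenario.loss_p90, (50e3, 250e3, 1e6, 5e6))
    score = likelihood * impact
    label = "High" if score >= 15 else "Medium" if score >= 8 else "Low"
    return likelihood, impact, label


# Constructed scenarios (hypothetical figures, AUD, per month).
COMMODITY = Scenario("Commodity ransomware affiliate", 0.40, 250_000, 1_200_000)
TARGETED = Scenario("Targeted intrusion, data theft", 0.25, 2_000_000, 4_900_000)

if __name__ == "__main__":
    for s in (COMMODITY, TARGETED):
        r = simulate(s)
        print(f"{s.name}: heatmap cell {heatmap_cell(s)}")
        print(f"  expected monthly loss ${r['expected']:,.0f} "
              f"(analytic ${s.analytic_expected_loss():,.0f}), "
              f"P90 ${r['p90']:,.0f}, P95 ${r['p95']:,.0f}, "
              f"P(any loss) {r['p_any_loss']:.0%}")
```

Both scenarios land in the same heatmap cell, yet the simulated monthly exposure of the targeted scenario is roughly three times the commodity one and its tail (P90, P95) is far heavier. That difference is exactly what a board needs to prioritise spend, and exactly what a colour-coded cell hides. Checking the simulated mean against the closed-form value is a cheap sanity test that the sampler is wired correctly before anyone trusts the tail figures.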
So, what next?
This shift won’t happen overnight.
Moving from broad estimates to truly quantifiable risk means combining better tools, better processes and better habits across the organisation.
It means bridging the gap between security data and service management, breaking down silos, and aligning everyone behind the same facts.
At Kinetic IT, we’re working with Australian organisations to move beyond the old heatmaps – combining integrated risk-based vulnerability management with real-world data and practical, sustainable ways to lift security maturity over time.
If you’re interested in where to start, or want to share how your organisation is tackling this challenge, I’d love to hear from you.
ABOUT TONY CAMPBELL
Tony Campbell is a seasoned technology and security professional with more than 25 years of experience designing and delivering large-scale enterprise security projects across Australia. With a background spanning both public and private sectors, Tony has developed and implemented robust security strategies that align technical solutions with business goals. As well as being an enterprise security specialist, Tony is a published author and journalist, having written several technical books and served as a technical editor for Apress Inc. He was also the co-founder of Digital Forensics Magazine, and has developed security training courses for platforms such as Infosec Skills.
Now based in Perth, Tony is the Principal Consultant – Security Consulting & Advisory at Kinetic IT, where he continues to guide customers on cyber security strategy and maturity.
Connect with Tony on LinkedIn.