Your Board Deserves a Number
Like a toddler with his favorite crayon, we’ve been answering the most important question in cybersecurity with a color.
The CISO sits down in front of the board. Someone asks the question. The question. “What’s our exposure?”
And the CISO pulls up a heat map.
Red, yellow, green. A few dots scattered across a grid. Maybe a 5x5 matrix if the team got ambitious. The board nods. The CISO exhales. Everyone moves on.
I’ve been watching this ritual since before I could legally drink. The Navy calls them Operational Risk Management matrices. I filled out my first one as an eighteen-year-old midshipman at the Naval Academy before I went on a scuba diving trip (where, incidentally, I ended up drinking). Kept filling them out as an ensign. Kept filling them out at NSA. The format never changed. The colors never changed. The false confidence never changed.
The research shows that heat maps are bad science. Not imperfect. Not “a useful starting point.” Bad. Tony Cox published the proof in 2008. Doug Hubbard has been hammering this for over a decade. Qualitative risk matrices compress wildly different risk profiles into identical color buckets, reverse the rank ordering of actual risks, and give decision-makers the feeling of rigor without any of the substance. They are astrology with better formatting.
And yet. Every GRC platform ships with one. Every risk framework defaults to one. Every CISO I know has presented one to a board at least once.
The alternative feels hard. Quantitative risk forecasting sounds like it requires a statistics PhD and a year of data collection. So everyone defaults to the 5x5 grid and calls it a day.
It doesn’t require any of that. It requires five variables and a spreadsheet.
Rick Howard and I have been building a workshop that proves it. We teach the entire pipeline in under two hours: Bayesian updating, Fermi estimation, and Monte Carlo simulation. Not the theoretical versions. The practical, back-of-the-envelope, good-enough-to-be-useful versions. Attendees walk in with heat maps and walk out with a loss exceedance curve: a single chart that shows the probability of losses exceeding any dollar threshold you care about.
Five inputs. An outside-in probability from industry data. An inside-out reduction from your controls. A confidence interval on losses. A materiality threshold. That’s it. Plug them into a lognormal distribution, run 10,000 simulated scenarios, and you get a curve that tells your CFO something a color never could. Use it to justify budget allocations, tool integrations, insurance premiums, workforce development programs, hiring decisions, sitting around and doing nothing. The works.
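Here is the pipeline above carried through in code. This is an added example, not the workshop’s Excel workbook or any tool from learnfirstprinciples.com. It takes the five values the post names (treating the confidence interval on losses as its two bounds), fits a lognormal to that interval, runs 10,000 simulated years, and produces the loss exceedance curve. Modeling assumptions, all mine: the interval is a 90% interval on loss given an event (5th and 95th percentiles), the control reduction scales the outside-in probability multiplicatively, and each simulated year has at most one loss event. All input values are constructed for illustration.

```python
"""Loss exceedance curve from five inputs via Monte Carlo (added example, stdlib only).

Modeling assumptions (not from the original post):
  - the loss confidence interval is a 90% interval on loss-given-event
  - the control reduction multiplies the outside-in annual probability
  - at most one loss event per simulated year (Bernoulli trial)
"""
import math
import random
from typing import List, Tuple

# For a two-sided 90% interval the 5th/95th percentiles sit at +/-1.645 sigma.
Z_90 = 1.645


def lognormal_params(ci_low: float, ci_high: float) -> Tuple[float, float]:
    """Fit lognormal (mu, sigma) so that ci_low/ci_high are the 5th/95th percentiles."""
    if not (0 < ci_low < ci_high):
        raise ValueError("need 0 < ci_low < ci_high")
    mu = (math.log(ci_low) + math.log(ci_high)) / 2
    sigma = (math.log(ci_high) - math.log(ci_low)) / (2 * Z_90)
    return mu, sigma


def simulate_annual_losses(base_rate: float, control_reduction: float,
                           ci_low: float, ci_high: float,
                           trials: int = 10_000, seed: int = 42) -> List[float]:
    """Return one simulated annual loss per trial (0.0 when no event occurs).

    base_rate          outside-in annual probability of a material incident (industry data)
    control_reduction  inside-out fraction by which your controls reduce that probability
    ci_low, ci_high    90% confidence interval on loss given an incident, in dollars
    """
    if not (0 <= base_rate <= 1 and 0 <= control_reduction <= 1):
        raise ValueError("probabilities and reductions must lie in [0, 1]")
    p_event = base_rate * (1 - control_reduction)
    mu, sigma = lognormal_params(ci_low, ci_high)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """P(annual loss > threshold), estimated from the simulated years."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def loss_exceedance_curve(losses: List[float],
                          thresholds: List[float]) -> List[Tuple[float, float]]:
    """The curve itself: (dollar threshold, probability of exceeding it) pairs."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def expected_annual_loss(losses: List[float]) -> float:
    """Mean of the simulated annual losses (the single number boards often ask for)."""
    return sum(losses) / len(losses)


if __name__ == "__main__":
    # Constructed inputs: 30% outside-in annual probability, controls cut it by 40%,
    # 90% CI on loss-given-event of $500K to $10M, materiality threshold of $5M.
    losses = simulate_annual_losses(0.30, 0.40, 500_000, 10_000_000)
    materiality = 5_000_000
    thresholds = [0, 250_000, 500_000, 1_000_000, 2_500_000, materiality, 10_000_000]
    print(f"expected annual loss: ${expected_annual_loss(losses):,.0f}")
    print(f"P(loss > materiality ${materiality:,}): "
          f"{exceedance_probability(losses, materiality):.1%}")
    for threshold, prob in loss_exceedance_curve(losses, thresholds):
        print(f"  P(loss > ${threshold:>12,}) = {prob:6.1%}")
```

The curve is non-increasing by construction, so reading it at the materiality threshold answers the board’s question directly: the chance that this year’s losses exceed what the CFO has said matters. Swap in your own base rate, control reduction and interval to reproduce the spreadsheet version.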
Philip Tetlock’s “superforecasting” research proved that structured estimation beats expert intuition. Fermi showed that decomposing a hard question into tractable pieces gets you within an order of magnitude. Neither technique requires advanced math. Both require the willingness to put a number on something and be wrong.
That willingness is the hard part. Not the math.
We’re teaching this workshop at RSAC 2026. Everything is free and available at learnfirstprinciples.com: the interactive tools, the estimation exercises, and the Excel workbook that generates your own loss exceedance curve from your organization’s data.
Next time someone asks “what’s our exposure?”, hand them a curve instead of a color. They deserve a number.