I was in the belly of the beast, right there on the LinkedIn asphalt, watching the whole sorry spectacle unfold. It was another one of those gospel sermons about the Chief Information Security Officer (CISO), a corporate martyr, they call him, finally shedding his “defender” skin and learning to “talk like an executive.”
The party line is always the same: Stop whining about firewalls and start quantifying risk.
“We’re carrying $300 million in exposure,” the good CISO says, flashing his spreadsheet like a cheap badge. “But a $1 million investment can buy down $50 million. See? That’s not a security story; that’s a business case.”
Bullshit. Pure, unadulterated, boardroom-grade bullshit.
The core lie of that whole spiel, the stinking red herring they throw at the board, is the “spend down to zero risk allegory.” They use the impossibility of achieving zero risk as an excuse for never achieving structural integrity. It’s the financial equivalent of slapping a ‘Caution Wet Floor’ sign next to a bottomless pit and calling it risk management.
This whole quantitative risk management (QRM) frenzy, this push for the financial analogy, is what I call the Ice Cream Solution. It tastes great, gives an immediate sugar rush, and satisfies the craving for an easy number. But it offers zero nutritional value. It’s the comfort food of the corner office. No matter how good it tastes, you don’t want to eat it, and only it, day in and day out. The QRM model is not the main course; it’s a sweet, deceptive dessert served to mask a meal of utter corporate sickness. It allows the company to feel like it has made a hard, smart decision without ever having to touch the tough, expensive, structural problems below the surface.
The entire QRM craze is a gigantic, self-serving con. It’s not about making anything actually secure; it’s about making the decision-makers feel comfortable with the level of acceptable ruin.
We fell for this shit because it was the path of least resistance. It offered a tactical answer to a strategic failure. We accepted quick fixes that resulted in terrible outcomes, like adding lead to gasoline to fix engine knock because it seemed like a commonsense solution at the time. It just poisoned millions. QRM is the lead in our security gasoline.
Imagine the madness: When a company builds a motor, it doesn’t use QRM. It buys a CNC machine based on capability and defined engineering standards, precision, reliability, and speed, because the price is set by the required quality, not the estimated risk of a catastrophic engine failure. We abandoned that systemic engineering for risk acceptance.
The QRM crowd throws around phrases like “residual risk” as if it’s a scientific fact. But that residual risk, that neat $250 million of exposed capital they’ve agreed to carry, is a goddamn phantasm. It’s a number calculated on historical probabilities in a system where the adversary is interactive and utterly unpredictable. A single zero-day or a collapse in a third-party vendor, an unknown unknown, can turn that beautiful, quantified model into confetti faster than you can say negligence.
We’re told the CISO must abandon his engineering rigor and become a Wall Street wannabe because the corporate overlords are too damned lazy to learn the basic grammar of cybersecurity. Imagine the Chief Legal Counsel walking into a board meeting and being told, “Hey, dumb it down, counselor. Use more metaphors. We don’t speak ‘jurisprudence.’” They’d be laughed out of the room. Yet the CISO is expected to allegorize his way to competence because talking about a secure system architecture is just too hard.
The CMO, the General Counsel, the VP of Logistics: they all use their own specialized language, and they all translate their needs into economic impact in their own way to secure budget. The Chief Medical Officer demands investment in health outcomes for his budget; he doesn’t simply manage the liability of sickness. We are asking the CISO to manage the liability of a broken system rather than demanding the funding to design a system that is not broken.
The QRM model is designed to facilitate sub-optimization because it’s a tool for financial governance, not systemic engineering. It encourages a perpetual state of incremental fixes. It gives no ammunition to the CISO who wants to make the right choice, the massive, disruptive, $50 million investment in a Zero Trust architecture that would actually solve the systemic architectural debt. It allows the company to ignore and accept insecurity as a good business risk instead of moving past it.
Like cocaine, or worse, heroin, CISOs take their medicine, sing a great tune with all the other executives, and another one bites the dust. They get hooked on the opiate of a sub-optimal solution that is accepted, and sit around waiting for the bad trip where they get fired at the end.
They don’t want the optimal meal; they want the tasty, easy dessert. They want the feeling of control without the cost of discipline.
So, here’s the dirty truth: when a CISO presents a QRM model, he isn’t being a financial hero. He is simply creating a defensible paper trail for when the system inevitably shits the bed. He’s saying to the board, “I warned you, and you accepted this loss.” This is not leadership. This is enabling executive malfeasance.
The best choice, the one that is likely cheaper in the long run and the only one that truly matters, is to stop managing the consequences of insecurity and start demanding Security Engineering as a non-negotiable, non-optional, cost-of-doing-business capability. Until then, this whole CISO-as-business-executive paradigm is just another corporate delusion, a feel-good lie designed to keep the money flowing and the executives sleeping soundly while the wolves are already inside the fucking wire.
The QRM FAQ
QRM Question: “If engineering is the answer, why did you spend forty years failing to convince the board to fund a purely secure architecture, and isn’t QRM the only way to even begin buying down technical debt?”
Answer: Your model defines the debt, but it doesn’t challenge the borrower’s fundamental recklessness. QRM is a palliative measure that relieves the political pain of the moment, allowing executives to postpone the necessary, systemic architectural surgery indefinitely. It’s a Band-Aid slapped on structural rot, justifying continuous, incremental failure.
QRM Question: “How can you call QRM a ‘phantasm’ when it forces the entire business to agree on the financial impact of a breach, thereby establishing the clear, defensible accountability you claim is lacking?”
Answer: Accountability is not created by a number; it’s created by a non-negotiable standard of practice. The dollar value is merely a proxy for risk, and it becomes a political target that gets negotiated down. The accountability you claim is a mirage, one that dissolves the moment a zero-day renders the underlying calculation worthless.
QRM Question: “If we discard the language of dollars, how do you expect to objectively compare the value of an identity management project against a new sales initiative to secure the necessary capital allocation?”
Answer: You compare it using capability standards and fiduciary duty, the same way the legal counsel secures budget to prevent regulatory fines. The question should not be about the ROI of a security tool, but whether the current system violates industry standards for competence and care. True capital allocation starts with meeting the minimum engineered requirements for modern commerce.
QRM Question: “Given the lack of a universal, legally mandated ‘secure by design’ standard, what specific, measurable engineering benchmark are you proposing the CISO use to justify millions in spending?”
Answer: The lack of a perfect legal standard is your excuse for selling an easy answer. The industry already possesses detailed architectural frameworks like Zero Trust and established controls like the CIS Benchmarks; we simply need the executive will to enforce them as minimum engineering specifications. Your QRM model actively undermines this process by making a lower, cheaper level of insecurity financially acceptable.
QRM Question: “How is the CISO ‘enabling executive malfeasance’ if they use QRM to document the exact level of residual risk the board has knowingly and financially accepted, thereby creating a clear paper trail?”
Answer: The paper trail merely proves the board was negligent with precise figures. Selling the board on an “acceptable level of ruin” is a failure of leadership and vision, not a success of communication. True leadership would demand the engineering solution that renders the negotiation of ruin unnecessary.
QRM Question: “Isn’t the ‘Ice Cream Solution’ argument just an admission that your ideal, perfectly engineered world is politically and financially impossible, making QRM the only practical pathway forward for a CISO today?”
Answer: QRM is not the only practical pathway; it is the preferred pathway for inertia. Your system is self-perpetuating because it allows the business to avoid the painful, but necessary, systemic cost of technical debt. The only way to evolve to reality is to stop valuing the comfort of a quantified lie over the cost of an engineered truth.