Why Your Cyber Risk Assessments Change Nothing (5 Fixes)
Why It Matters
By turning risk assessments into decision‑making tools, organizations can allocate security budgets more effectively, reduce compliance fatigue, and strengthen board confidence in cyber investments.
Key Takeaways
- Traditional risk assessments rarely drive actionable decisions today
- Use probability ranges instead of single-point estimates for risk
- Align cyber risk metrics with existing financial frameworks
- Match communication tools to audience: boards need dollars, engineers need CVSS
- Demonstrate due diligence through documented, range‑based risk analyses
Summary
The video challenges the status quo of cyber risk assessments, arguing that most of today’s GRC practices produce heat maps and registers without influencing real business decisions. Steve McMichel deconstructs why risk management has become ritualistic, citing “risk theater” and the false precision of single‑point loss estimates, and he proposes a shift toward engineering‑focused tools and quantitative ranges.
Key insights include the observation that few organizations tie risk quantification to concrete decisions, the pitfalls of presenting a red‑quadrant heat map that never moves the board, and the advantage of expressing threats as probability ranges (e.g., 5‑10% chance of a $2‑8 million ransomware loss). He also critiques prescriptive thresholds, noting that static metrics like click‑rate can damage security culture, while dynamic, range‑based assessments better reflect cyber’s evolving nature.
McMichel references Adam Shostack’s keynote poll, where almost no hands went up for risk‑driven decisions, and Tony Martin‑Vegue’s “boardroom moment”, where executives ignored a high‑risk heat map. He illustrates the improved approach with a concrete ransomware scenario that sparks discussions about insurance, mitigation spending, and capital reserves.
The takeaway for practitioners is threefold: rewrite top risks using probability ranges, verify that each assessment drives a decision, and tailor communication tools to the audience—bug bars for developers, dollar‑based risk quantification for finance, and clear ROI narratives for the board. Implementing these fixes can revitalize GRC careers and deliver measurable business value.
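As an added illustration of the range‑based approach the talk recommends (this is example code written for this summary, not material from the video), the following Python Monte Carlo turns the quoted ransomware scenario, a 5‑10% annual chance of a $2‑8 million loss, into figures a board can act on. The probability and loss ranges are the ones quoted above; the retention amount passed to `decision_inputs` is an assumed placeholder standing in for an insurance deductible or capital reserve.

```python
import random
import statistics

# Scenario figures as quoted in the talk: 5-10% annual probability of a
# ransomware event, $2-8 million loss if it happens. Uniform within each
# range is an assumption; a real analysis would elicit calibrated distributions.
EVENT_PROB_RANGE = (0.05, 0.10)
LOSS_RANGE_USD = (2_000_000, 8_000_000)


def single_point_estimate(prob: float, loss: float) -> float:
    """The 'false precision' number: one probability times one loss."""
    return prob * loss


def simulate_annual_losses(prob_range, loss_range, trials=20_000, seed=7):
    """Draw one simulated year per trial: pick a probability from the range,
    decide whether the event occurs, then draw the loss from the loss range."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        p = rng.uniform(*prob_range)
        losses.append(rng.uniform(*loss_range) if rng.random() < p else 0.0)
    return losses


def summarize(losses):
    """Expected loss plus the tail figures that a single number hides."""
    s = sorted(losses)

    def pct(q):  # empirical percentile of annual loss
        return s[min(len(s) - 1, int(q * len(s)))]

    return {
        "expected_loss": statistics.fmean(s),
        "p_any_loss": sum(1 for x in s if x > 0) / len(s),
        "p90": pct(0.90),   # most years nothing happens, so this is 0
        "p95": pct(0.95),
        "max": s[-1],
    }


def decision_inputs(retention_usd: float):
    """Add the decision-relevant figure: how often a year's loss exceeds the
    amount the organization is prepared to absorb itself (assumed input)."""
    losses = simulate_annual_losses(EVENT_PROB_RANGE, LOSS_RANGE_USD)
    out = summarize(losses)
    out["p_exceeds_retention"] = sum(1 for x in losses if x > retention_usd) / len(losses)
    return out


if __name__ == "__main__":
    print("single point:", single_point_estimate(0.075, 5_000_000))
    print("range-based:", decision_inputs(retention_usd=5_000_000))
```

The single‑point figure (about $375k a year) looks like a budget line; the range‑based output shows that in nine years out of ten nothing is lost and in the remaining years the loss is several million, which is the framing that makes insurance limits and reserve sizing discussable.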