
From Heat Map to Boardroom: Translating Cyber Risk Into Numbers Your CFO Actually Believes

$199.00

For mid-career cyber risk practitioners

From Heat Map to Boardroom

Translating cyber risk into numbers your CFO actually believes. And the ISO 27005 method behind it.

The course for risk managers who have outgrown high/medium/low heat maps and want their board pack to drive decisions instead of getting nodded at and filed.

$199 one-time
Tailored to your sector · 48-hour turnaround · 30-day money-back

Includes a hand-built quantification playbook for your specific industry and risk appetite. Both the course and the playbook are tailored to you, not template-substituted.

You presented the cyber risk heat map. The CFO asked one question. The room went quiet.

"That red box. What does it cost us?"

If you have stood in that room and not had a clean number to hand, this course is for you. Heat maps survived for so long because they were cheap to produce and visually decisive. They are also why cyber risk gets parked in the technical risk register and never quite makes it into the enterprise risk conversation. The CFO speaks in dollars, basis points, and confidence intervals. Most cyber risk reporting speaks in colours and adjectives. The translation gap is the gap between "we have a risk programme" and "we make decisions with it."

You can close it. ISO 27005 (revised 2022) gives you the methodology. FAIR gives you the taxonomy. The data exists in your incident records, your vendor questionnaires, and your industry loss benchmarks. The skill is in knowing how to combine them into a number you would defend in front of an auditor or a board member. This course teaches that skill.

What is in the course

12 modules. ~90-page course book with worked examples in your industry. The FAIR taxonomy quick reference. A spreadsheet model for your first 5 quantified scenarios. A board-pack template that has worked in front of real boards. Each course is hand-built for the buyer at order time, with your sector and your in-scope frameworks woven into the examples.

Tell us your sector, your primary framework (ISO 27001, 27005, NIST CSF, NIST 800-53), and your team shape at checkout. We tailor the course around them. Delivery within 48 hours.

01 · Why heat maps stopped working. The diagnosis. Why "high" risk on a heat map gets a polite nod and no decision. Why two reds and a green is not actionable for a CFO.
02 · The translation gap, named. Five concrete translations between cyber-speak and finance-speak. Annualised loss. Single-loss expectancy. Exceedance probability. Capital at risk. Tail risk.
03 · ISO 27005:2022 in 30 minutes. The 2022 revision changed the method substantially. The event-based and asset-based approaches to identifying risk scenarios, when to use which, and how to combine them in a single programme.
04 · The FAIR taxonomy: useful parts only. Loss event frequency, threat event frequency, vulnerability, primary loss, secondary loss. What to actually compute in week one. What to ignore until year two.
05 · Your first quantified scenario, end to end. A worked example: ransomware against your three largest revenue-bearing systems. From asset valuation through loss expectancy to a number you would defend.
06 · Where the numbers actually come from. Verizon DBIR, Advisen / RANE, IBM Cost of a Data Breach, sectoral CISA advisories, your own incident records, your vendors' SOC 2 reports. How to triangulate when no single source is authoritative.
07 · Bayesian updating without the maths degree. When your initial estimate was wrong. How to update probabilities as new incidents and near-misses land, without restating the whole register every quarter.
08 · Communicating uncertainty. Confidence intervals that read well in a board pack. Why "between $4M and $14M with 90 percent confidence" lands harder than "high".
09 · The CFO conversation, scripted. Six specific questions a numerate CFO asks when handed a quantified cyber-risk register. Pre-loaded answers for each, with the supporting figure ready.
10 · The board pack: one slide, three numbers, one decision. A single-slide template that walks a board through the exposure, the residual after mitigation, and the recommended decision. Built so the chair can read it in 30 seconds.
11 · Common pitfalls and how auditors spot them. Over-precision. Double-counting. Confusing rates with totals. Anchoring to your one worst-imagined scenario. Auditors trained on quantitative methods spot these in seconds.
12 · From practitioner to advisor. How the cyber-risk practitioners who speak both languages get pulled into M&A diligence, capital-allocation conversations, and director-of-risk roles. Where the career goes after the skill lands.

Plus 3 bonuses

  • Sample scenario library. 12 fully-worked scenarios you can clone for your own register, with the inputs and the maths shown step by step.
  • FAIR taxonomy quick reference. Two-page laminate-friendly summary. The taxonomy without the certification course.
  • Lifetime updates. When ISO updates 27005 or FAIR releases new guidance, the materials are revised and pushed to your existing download link.
Included free with every purchase

Plus, a hand-built quantification playbook for your industry

Every buyer of the course also receives a custom implementation playbook generated specifically for them. Not template-substituted. Hand-built around your sector and your in-scope frameworks, using the same source-grounded corpus the course is built on.

Typical content of the tailored quantification playbook:

  • A sector-calibrated baseline scenario library (financial services, healthcare, manufacturing, SaaS, government, education, etc.)
  • A populated FAIR worksheet for your three highest-value asset classes, ready to defend in front of an auditor
  • Your industry's typical loss benchmarks pre-loaded, with source citations
  • A board-pack template adapted to your governance cadence (quarterly, monthly, ad hoc)
  • A coverage map showing which ISO 27001 / NIST CSF / SOC 2 controls back which scenarios, so your audit evidence rolls up naturally

Course + playbook delivered within 48 hours of purchase. You confirm your sector and primary framework at checkout. We send the bundle straight to your inbox.

Who this is built for

Mid-career cyber risk practitioners

You have done ISO 27001. You have run audits. You are the one who builds the risk register. The next step is quantification, and your team has not made the jump yet.

Risk and compliance managers reporting up

You report to a CRO, CISO, or board risk committee that has started asking dollar-denominated questions. The reports you took to last year's committee do not satisfy this year's.

Internal auditors and assurance specialists

You evaluate the risk programme. The qualitative methods are increasingly under challenge from numerate auditors. Knowing where the quantification programme is robust and where it is not is the new audit skill.

What you can do after finishing

  • Quote a defensible loss expectancy for any cyber scenario the CFO names, on the spot, without retreating to "we will model it and come back."
  • Translate the risk register into a single board slide that drives a decision instead of getting nodded at and filed.
  • Pass quantitative scrutiny from numerate auditors who will challenge your inputs, your update cadence, and your confidence intervals.
  • Run the ISO 27005:2022 method end-to-end, including the new event-based and asset-based approaches, and know when to combine them.
  • Speak both languages. Technical to your engineering teams, financial to your CFO, governance to your board. The skill that pulls cyber-risk practitioners into the conversations where capital is allocated.
  • Step up the role. Risk managers who can quantify get pulled into M&A diligence, capital-at-risk modelling, and director-of-risk positions. The transition is the topic of Module 12.

Sample: the heat-map-to-number translation, from Module 02

One concrete translation from the second module, to show the shape of the work.

Module 02 · Translation 1 of 5: from "high cyber risk" to "annualised loss expectancy"

What a risk manager says: "Customer data breach is a high risk. The likelihood is high because we have unpatched legacy systems. The impact is high because we have over a million records."

What the CFO heard: "We have a problem. I do not know the size of it. I cannot prioritise it against the seven other risks I heard about today."

The translation:

  • Loss event frequency: 0.08 per year (we estimate one event every 12.5 years, based on industry breach incidence in our sector and our control posture)
  • Primary loss per event: $4.2M (notification, credit monitoring, legal, internal remediation; from IBM Cost of a Breach calibrated to our record count)
  • Secondary loss per event: $7.5M (customer churn, regulatory fine in the most likely jurisdiction, reputational impact on next funding round; modelled, with confidence interval $3M to $14M)
  • Annualised loss expectancy: ~$0.94M, which is 0.08 × ($4.2M + $7.5M) = $0.936M, with 90 percent confidence between $0.32M and $1.74M once the uncertainty in the inputs is carried through
  • Decision the number drives: the $200K patching programme returns approximately 4.7x in expected loss reduction (the ~$0.94M of annualised exposure it is assumed to remove, divided by its $200K cost; if it only removes part of the exposure, the ratio scales down in proportion). Approved.

The point is not the precision of the number. It is that the number is now in the same language as every other risk the CFO is balancing, including weather, supplier failure, and FX exposure. That is the boardroom-ready position.
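The arithmetic behind that translation, worked through as an added Python example that is not part of the course or this page: it reproduces the page's point estimate and control ROI, then simulates a year of losses to show why the annualised expectation and the distribution of annual loss are different numbers (the "rates versus totals" pitfall Module 11 names), and closes with the Gamma-Poisson rate update that the Module 07 description refers to. The distribution choices (Poisson event arrivals, a lognormal fitted to the page's $3M to $14M secondary-loss band, a fixed primary loss), the 20,000-trial simulation, and the prior weight of 25 years in the update are assumptions made for illustration; the page's own $0.32M to $1.74M band is an interval on the expectation and is not reproduced here.

```python
import math
import random
import statistics

# Inputs copied from the page's Module 02 translation (point estimates).
LEF_PER_YEAR = 0.08                  # loss event frequency: ~1 event per 12.5 years
PRIMARY_LOSS = 4.2e6                 # per-event primary loss
SECONDARY_LOSS = 7.5e6               # per-event secondary loss, most likely value
SECONDARY_LOSS_90CI = (3.0e6, 14e6)  # the page's modelled band for secondary loss
CONTROL_COST = 200e3                 # the patching programme


def point_ale(lef=LEF_PER_YEAR, primary=PRIMARY_LOSS, secondary=SECONDARY_LOSS):
    """Single-point annualised loss expectancy: frequency x magnitude."""
    return lef * (primary + secondary)


def control_roi(ale_before, ale_after, cost):
    """Expected loss reduction per currency unit spent on a control."""
    return (ale_before - ale_after) / cost


def lognormal_from_90ci(lo, hi):
    """Fit a lognormal whose 5th and 95th percentiles are lo and hi (assumption)."""
    z95 = 1.6448536                   # standard normal 95th percentile
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * z95)
    return mu, sigma


def poisson(lam, rng):
    """Poisson draw by Knuth's method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def quantile(sorted_values, q):
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate_annual_loss(trials=20000, seed=7):
    """Monte Carlo over one year: Poisson event count, lognormal secondary loss,
    fixed primary loss (all modelling assumptions, not from the page).
    Returns the ALE (mean annual loss) together with the annual-loss percentiles
    and exceedance probabilities a board pack would quote alongside it."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_90ci(*SECONDARY_LOSS_90CI)
    losses = []
    for _ in range(trials):
        events = poisson(LEF_PER_YEAR, rng)
        losses.append(sum(PRIMARY_LOSS + rng.lognormvariate(mu, sigma)
                          for _ in range(events)))
    losses.sort()
    return {
        "ale": statistics.fmean(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
        "p90": quantile(losses, 0.90),
        "p95": quantile(losses, 0.95),
        "p_exceed_10m": sum(1 for x in losses if x > 10e6) / trials,
    }


def update_lef(prior_alpha, prior_beta, observed_events, observed_years):
    """Gamma prior on the event rate, Poisson observations: the posterior is
    Gamma(alpha + k, beta + t). Returns the posterior mean rate per year.
    Prior mean is alpha/beta; beta is the number of years of evidence the
    prior is treated as being worth (an assumption the analyst must state)."""
    return (prior_alpha + observed_events) / (prior_beta + observed_years)


if __name__ == "__main__":
    ale = point_ale()
    print(f"Point ALE: ${ale / 1e6:.2f}M")                        # $0.94M
    print(f"ROI of the ${CONTROL_COST / 1e3:.0f}K control if it removes the "
          f"exposure: {control_roi(ale, 0.0, CONTROL_COST):.1f}x")  # 4.7x
    sim = simulate_annual_loss()
    print(f"Simulated ALE: ${sim['ale'] / 1e6:.2f}M; "
          f"P(any loss this year) = {sim['p_any_loss']:.1%}; "
          f"P(loss > $10M) = {sim['p_exceed_10m']:.1%}; "
          f"p90 = ${sim['p90'] / 1e6:.1f}M, p95 = ${sim['p95'] / 1e6:.1f}M")
    # Prior worth 25 years of evidence at 0.08/yr (alpha=2, beta=25, assumed),
    # then one breach observed in the last three years.
    print(f"Updated LEF after 1 event in 3 years: {update_lef(2, 25, 1, 3):.3f}/yr")
```

Two things the simulation shows that the point estimate hides. First, with a loss event roughly every 12.5 years, over nine in ten simulated years carry no loss at all, so the 90th percentile of annual loss is zero while the 95th percentile is several million dollars: quoting percentiles of annual loss as if they were the "likely" cost is exactly the rates-versus-totals confusion an auditor will catch, and the mean plus an exceedance curve ("probability of losing more than $10M this year") is the honest pair to report. Second, the 4.7x ROI depends entirely on the assumption that the control removes the whole exposure; pass a non-zero residual ALE to control_roi to see how quickly it falls, and re-run the update after each observed incident or near-miss rather than re-estimating the register from scratch.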

Why this is different from other risk quantification courses

  • Built on the ISO 27005:2022 revision, not the 2018 version. The 2022 revision changed the methodology meaningfully. Most courses are still teaching the old approach. This one is built on the current one.
  • Sector-calibrated, not generic. The worked examples in the course book and the playbook use your sector's actual loss patterns. Healthcare reads like healthcare. FinServ reads like FinServ.
  • Source-grounded against the published standard text. ISO 27005:2022 clauses, NIST SP 800-30 references, FAIR taxonomy v1.4 citations. Not paraphrased. Verbatim where it matters.
  • Human edited, not LLM-generated. The 718-framework corpus the course is built on took 18 months of human source verification. The course inherits that discipline.
  • FAIR taxonomy without the FAIR certification price. You get the useful parts of FAIR Foundations in Module 04, calibrated for ISO 27005 practitioners, at $199 instead of $3,500.
  • No vendor lock-in. Excel and Google Sheets templates. PDF reference. Nothing depends on a paid platform or a SaaS subscription.

Format and access

  • Delivered within 48 hours. You confirm your sector and framework at checkout. The materials are hand-built and emailed to you.
  • Self-paced. Most buyers finish the 12 modules across two long evenings and reference the playbook and scenario library for years.
  • Print-friendly. Every PDF formatted for double-sided printing if you prefer paper.
  • Excel templates work in Excel, Numbers, Google Sheets. No vendor lock-in.
  • Lifetime updates. When ISO updates 27005 or FAIR releases new guidance, the materials are revised and pushed to your existing download link.

FAQ

Do I need FAIR certification or a stats background?

No. The course teaches the useful parts of FAIR (loss event frequency, threat event frequency, primary and secondary loss) in Module 04, calibrated for ISO 27005 practitioners. You do not need the FAIR Foundations or FAIR Institute Analyst credential to do the work the course asks for. A working knowledge of probability is helpful. A stats degree is not required.

My organisation uses NIST CSF, not ISO 27005. Is this still for me?

Yes. The quantification method is independent of the framework. The course teaches the method using ISO 27005:2022 as the methodological anchor (because it is the most explicit), and the playbook is tailored to your in-scope framework whether that is ISO, NIST CSF, NIST 800-30, or a custom internal one.

Will this work for me if I do not have a CFO who asks numerate questions?

It will. The CFO scenario in Module 09 is the most demanding case. If your audience is a more typical mid-market CISO or CRO, the same numbers land even better because the gap they are filling is even wider. The audience for quantified cyber risk has expanded beyond Fortune 100 CFOs.

Can I share this with my team?

The licence is single-user. For team and enterprise licensing (5+ seats, white-label rights, or training delivery rights), email us. Bulk pricing available.

What if it does not earn its keep?

30-day money-back guarantee. Email us, get a full refund, keep the materials. The course is built on the assumption that the first board pack you produce afterwards is worth the price several times over. If it is not for you, get the money back.

Is the content updated when ISO 27005 changes?

Yes. When ISO publishes a revision (ISO standards go through a systematic review roughly every five years, so the next one is expected within that cycle), the affected chapters are revised and pushed to the existing download link at no extra cost. You get a notification email.

$199 one-time. Tailored to your sector. 48 hours.

12 modules. ~90-page course book. The FAIR taxonomy quick reference. A populated FAIR worksheet for your three highest-value asset classes. A board-pack template that has worked in front of real boards. Plus a sector-calibrated quantification playbook hand-built for you. 30-day money-back guarantee.

Add to cart above. Confirm your sector at checkout. Bundle delivered within 48 hours.

The Art of Service · Built on a 718-framework, 20,400-control, 332,000-mapping corpus · Source-grounded, human edited · ISO 27005:2022 method, FAIR taxonomy, NIST SP 800-30 references