From Red to Real: Why It’s Time to Rethink Cyber Risk Reporting

Jason Ha speaks to iTnews ahead of his AusCERT tutorial on bringing structure, clarity and traceability to cyber risk communication.

Cybersecurity leaders are under increasing pressure to justify their investments—especially when budgets are tightening. Ahead of his tutorial at AusCERT 2025, Jason Ha, Ethan’s CISO and cyber security risk specialist, told iTnews that the time has come to radically improve how organisations report and communicate cyber risk.

“Most organisations, even with the backdrop of ongoing cyber attacks, aren’t getting more money,” Ha says. “So they’re asking, ‘What’s the return on what we’ve already spent?’ That’s a key driver in pushing for more effective, traceable, and data-driven cyber risk reporting.”

In line with AusCERT’s theme of Evolve and Thrive, Ha is advocating for a more structured approach to risk—one that goes beyond the traditional “top risks” PowerPoint slide and into measurable, defensible decision-making.

“We talk about turning cyber risk from a dartboard into a formula,” he says. “That shift is crucial if we want to move from gut feel or vendor hype to actual outcomes.”

Traceability and transparency

Ha emphasises that modern risk communication needs to connect specific cyber investments directly to risk reduction goals.

“We’re saying you need to be more specific,” he explains. “It’s about saying: ‘Here are our top 10 risks, we want to reduce the top three, and these are the investments we’re making to do that. In time, we expect to see a reduction in risk by X dollars.’”

He argues that this level of clarity and traceability isn’t possible with old-school aggregated reporting models, which typically lump cyber into a single, amorphous “high risk” category. “That structure doesn’t work anymore,” he says.

More importantly, ‘traceability’ serves as the critical link across the different layers of an organisation—from board and executive to operations. “Often, these layers aren’t congruent,” he says. “At the board level, you might hear ‘cyber risk is high,’ while operationally, a dozen activities are underway without clear linkage.”

“What’s rare—but incredibly powerful—is the ability to walk through all three layers and explain: here’s why we see risk the way we do, what we’re doing about it, and what outcomes we’re tracking. That traceability model allows you to report up and down the stream—so when a board member asks, ‘What did that spend achieve?’ you can point to the operational metrics that prove it’s reducing risk as promised.”

Maturity gap

So why aren’t more organisations embracing this approach? According to Ha, it comes down to maturity.

“Risk management has often been done the same way for years, and there’s resistance to change,” he says. “But cyber risks are different. They’re adversarial. They change dynamically because there’s someone on the other side actively trying to break in. That’s not something you get with liquidity risk or natural disasters.”

This complexity demands a more mechanical, structured analysis than traditional enterprise risk frameworks provide. “You need a supplemental methodology,” Ha explains. “Something that allows you to do a more granular, cause-and-effect-style breakdown of cyber threats and feed that into the broader risk model.”

Skills and simplicity

While academic models for cyber risk quantification are useful to understand the statistical mechanics of quantification, Ha says the most important thing is how you apply them in practice.

“Monte Carlo simulations and the like don’t mean much if you can’t make the analysis easy to understand for day-to-day business leaders,” he says. “You’ll just lose them. What you really need is structured thinking and a transparent, simplified approach.”

In Ha’s view, the key is to balance sophistication with accessibility: “There’s a way of doing risk quantification that is sound, but still understandable.”

And critically, it’s not about getting everything right the first time. “Start somewhere. Establish a baseline,” he urges. “People will question whether the numbers are accurate, and I always say: it’s more accurate than a colour on a risk matrix.”

“A risk valued between $10 million and $15 million is a better starting point than just saying the risk is ‘high’. Once you have that baseline, you can refine it, gather better data, and improve your model over time.”

But before even getting to quantification, Ha says there’s an essential precursor: writing better risk statements.

“Most of the time, risks aren’t structured correctly to begin with,” he says. “You can’t solve an equation if the equation is incomplete. That’s why the first step is getting your risk definitions right.”
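As an added illustration (not from Ha’s tutorial or the iTnews article), the Python below turns a structured risk statement with a $10M–$15M impact range into a simulated annual loss distribution, then expresses a control investment as a traceable reduction in expected loss in dollars, the “reduction in risk by X dollars” a board can ask about. The scenario, likelihood range, control effect and investment figure are all constructed for the example.

```python
import random
from dataclasses import dataclass, replace
from statistics import mean

@dataclass(frozen=True)
class RiskStatement:
    """Structured risk statement: scenario plus the ranges the model needs.
    likelihood = (low, high) annual probability of at least one loss event;
    impact = (low, high) dollars lost per event. Figures are constructed."""
    scenario: str
    likelihood: tuple
    impact: tuple

def simulate_annual_loss(risk, trials=20000, seed=1):
    """Monte Carlo: draw likelihood and impact uniformly from their stated ranges
    and return one simulated annual loss per trial (0.0 when no event occurs)."""
    rng = random.Random(seed)  # fixed seed keeps the baseline reproducible
    losses = []
    for _ in range(trials):
        hit = rng.random() < rng.uniform(*risk.likelihood)
        losses.append(rng.uniform(*risk.impact) if hit else 0.0)
    return losses

def summarise(losses):
    """Expected annual loss plus a tail figure (90th percentile) for the board."""
    ordered = sorted(losses)
    return {"expected": mean(losses), "p90": ordered[int(0.9 * len(ordered))]}

def apply_control(risk, likelihood_cut):
    """Traceability: model a control as cutting the likelihood range by a fraction
    (0.5 halves it); the impact range is left as stated."""
    low, high = risk.likelihood
    scale = 1.0 - likelihood_cut
    return replace(risk, likelihood=(low * scale, high * scale))

def risk_reduction(risk, likelihood_cut, investment):
    """Answer 'what did that spend achieve?' in dollars: baseline versus mitigated
    expected loss, and the expected loss avoided per dollar invested."""
    before = summarise(simulate_annual_loss(risk))
    after = summarise(simulate_annual_loss(apply_control(risk, likelihood_cut)))
    reduction = before["expected"] - after["expected"]
    return {"baseline": before, "mitigated": after,
            "reduction": reduction, "reduction_per_dollar": reduction / investment}

# Constructed top risk: a ransomware scenario valued at $10M-$15M per event.
TOP_RISK = RiskStatement("Ransomware halts order processing", (0.2, 0.4), (10e6, 15e6))
if __name__ == "__main__":
    r = risk_reduction(TOP_RISK, likelihood_cut=0.5, investment=1.5e6)
    print(f"Expected annual loss ${r['baseline']['expected']:,.0f} -> "
          f"${r['mitigated']['expected']:,.0f}; reduction ${r['reduction']:,.0f}")
```

Because 70% of simulated years produce no loss, the median is zero while the 90th percentile sits inside the stated impact range; reporting both keeps the “range, not a colour” point honest.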

Bridging the communication gap

For Ha, effective cyber risk reporting is also about improving communication across the business.

“There’s often a gulf between cyber teams and the business,” he says. “But that notion of traceability is the key linkage between layers. If you can clearly connect the operational activity to the strategic risk priorities and board-level concerns, you unlock a uniform view.”

It’s about being able to say, for instance, “We’re deploying this capability because it reduces one of our top risks by a measurable amount.” That common thread allows board members, executives, and technical teams to speak the same language—and understand the value of the chosen cyber investments.

Frameworks as a supporting structure

While control frameworks like NIST CSF or ISO 27001 are useful, Ha believes they’re not the main game—they’re a means, not an end.

“Controls are controls,” he says. “Whether you’re using NIST, ISO, Essential Eight—these are just different ways of looking at capability. They can all integrate into a risk-modification model.”

Still, he notes a significant evolution in the latest NIST Cybersecurity Framework 2.0. “They introduced a whole new pillar around governance, specifically to deal with this area of risk management,” he says. “It’s recognition that you need to make decisions through a risk lens first, and then choose your capabilities—not the other way around.”

Redefining the conversation

Ultimately, Ha believes that effective cyber risk reporting is about creating a new level of transparency within the business.

“You’re putting assumptions on the table. You’re bringing in relevant stakeholders and using industry data to support your findings,” he says. “It’s a fundamentally different conversation than sitting in a room and doing a five-by-five grid where someone says, ‘Yeah, seems pretty likely. Impact? Pretty high.’”

With escalating threats and mounting financial scrutiny, Ha sees cyber risk communication as a critical area for evolution.

From self-defence to black belt

So what does Ha hope audiences take away from his AusCERT talk?

“We’re saying this is like self-defence,” he explains. “Getting to black belt takes time and discipline—but learning a few basic moves so you don’t get beat up on the street? That’s not as hard. That’s where we want people to start.”

His talk outlines five foundational steps:

  1. Scope the risk – Understand where to get likelihood and impact data. “Business stakeholders often understand the impact better than cyber teams do,” Ha notes.
  2. Engage business owners – “It’s ironic, but the people who own the business processes are often the ones who own the risk. Use that.”
  3. Define controls and traceability – Link risk to specific controls and capabilities, so you can measure impact.
  4. Communicate across layers – Tailor risk communication for board, executive, and operational audiences, including audit and risk committees.
  5. Start simple – Begin with what you have, and build maturity over time.

“This is the moment to modernise how we talk about cyber risk,” Ha says. “Not just for compliance or board reporting—but to make better, faster, and more defensible decisions.”

Copyright © iTnews.com.au . All rights reserved.