Sit in enough boardrooms and you start to notice a strange thing. The business is in one room, talking about growth, markets, the people it depends on, the year ahead. Security is in another room, talking about threats, controls, exposure, the latest incident. Both rooms are anxious about the same thing — the future of the organization — and somehow they almost never talk to each other in a language both can follow.
I spent the better part of three decades in the second room. And the longer I sat there, the more convinced I became that the wall between the two was costing us far more than any single attack ever had.
Why the wall is so expensive
Cybersecurity, left to its own devices, becomes a technical conversation between specialists. That is not a criticism — it is the nature of the work. But for most leaders, that conversation is exhausting. It arrives full of acronyms, urgency, and worst-case scenarios, and it asks for money against risks that are hard to picture. So the business does the rational thing: it nods, approves what it must, and goes back to running the business.
The trouble is that the gaps between those two rooms are not empty. They are exactly where attackers live. A vulnerability that security understands but the business never prioritized. A critical process the business depends on but security was never told about. Every gap in understanding is an opening, and the opening is rarely technical. It is a conversation that never happened.
Protect a business well, and you discover you have to understand the business first.
The realization that became a method
After years of watching this play out across industries, government, and the military — in organizations large and small — I started writing down what the two rooms were actually saying. And a pattern appeared that I have never been able to unsee.
The business asks: Why do we exist? How do we make our money? Who do we serve best? What are we made of? What could stop us?
Security asks: Why does my role exist? Where are we exposed? Who do we partner with to defend this? What is coming after us? What could stop us?
Line them up and they are not opposing questions. They are mirror images. The last one is word-for-word identical. The two rooms were never having different conversations — they were having the same conversation in two dialects, with no one to translate.
That translation is what became CRAM™ — Cyber Risk Assessment and Management. It draws on the practices the field already trusts, and it holds two directions at once: the business looking down from its mission, and security looking up from its exposure, meeting in the middle on ground both sides can read.
What it actually does
CRAM™ is not a clever framework that replaces judgment. It is mostly disciplined listening, done in two passes.
First we map the business — in its own words, from its own leaders. The mission. How it actually makes money. The processes where even a small interruption means a large loss, and the people, technology, and partners those processes lean on. We are not asking about security yet. We are learning what is worth protecting.
Only then do we map the cyber landscape onto it: the exposures, the threats, the likelihood that one finds the other, and what it would cost if it did. Because now every risk is tied to something the business already told us it cares about. Nothing is abstract. Nothing is jargon for its own sake.
And underneath all of it sits one belief I would stake the whole method on: recognizing where you are exposed is most of the work. Name the open windows honestly, and you have done the larger part of protecting the business already.
Three questions, one picture
When it is done well, CRAM™ does not end in a binder that goes on a shelf. It ends with both rooms looking at the same picture — and a security leader who can answer the only three questions that ever really mattered.
What is the company trying to achieve? What do I need to defend? And what, honestly, am I dealing with?
Money, after all, is fuel. A business needs it the way a car needs fuel — but no one buys a car in order to buy more fuel. The point was always somewhere further down the road. Security earns its seat at the table the moment it stops talking about fuel and starts talking about the journey.
That is the whole idea. Not a tool. Not a product you are sold and left to operate alone. A way of working that we carry into an organization and run alongside the people already there — and the same discipline we eventually encoded into the CRAM™ methodology so that any organization could run it.
The two rooms were never as far apart as they seemed. They just needed someone to open the door between them.