The 3Q sandwich: Strategies for improving risk and security operations
"Cybersecurity excellence isn’t about perfection – it's about making consistently wise, well-informed decisions."

Cybersecurity is one of the biggest challenges that companies face. CISOs lead on implementing effective security policies, ensuring compliance with technology standards and data privacy requirements, and working with the business to support its activities. According to research by the World Economic Forum, more than half (54 percent) of large organisations consider supply chain challenges the greatest barrier to achieving cyber resilience. Alongside this, 45 percent of cyber leaders are concerned about disruption to their companies’ operations and business processes.
Yet many cybersecurity professionals often wrap complex, technical realities in language that alienates rather than engages their business counterparts. To be successful in their roles, CISOs must talk in the language of business and enterprise risk, not just security. So, how can you effectively communicate cyber risks to the business, and demonstrate the value that your programmes deliver?
Let’s set the baseline. Useful, business-aligned cyber risk assessments need SPACE (Specificity, Practical precision, timely Analysis, Cost-effectiveness analysis, Effective communication).
And, unfortunately, these are not optional if you want to deliver effective risk operations to the business. What might help is a simple framework: the 3Q sandwich. It’s not just a catchy phrase – it is a methodical way to frame cyber risk assessments, ensuring they are both business-aligned and genuinely actionable. It comprises three key ingredients:
- Qualitative Analysis
- Quantitative Risk Register
- Qualitative Presentation
Let’s unpack this step-by-step to see why each layer matters deeply to your business.
Qualitative Analysis: Understand the Crown Jewels
The first layer of the 3Q sandwich supports specificity. It begins by engaging business stakeholders directly, identifying precisely which assets or business processes are your organisation’s 'crown jewels'. These are the assets whose loss or compromise would fundamentally cripple the business and lead to financial losses.
The analysis must involve all relevant stakeholders. And it is not enough to merely list possible threats; they must be contextualised within scenarios that resonate with the business. Ask yourself and your stakeholders: "What specific threats could realistically impact these critical assets?" and, critically, "Why does this matter, what could be lost?"
This step cannot be vague. Ambiguity kills clarity, which is essential when communicating risks to a non-technical audience. Be ruthlessly clear about the relevant threat classes and loss scenarios. By clearly identifying the specific risk scenarios upfront, you lay the groundwork for accurate and meaningful quantitative analysis.
Quantitative Risk Register: Speaking the Language of Business
Once you know what’s truly important (your crown jewels) and how they could be affected, it’s time to put together the quantitative risk register. Businesses operate on numbers; they measure value, risk, and performance in monetary terms. Cybersecurity must do the same.
In this quantitative layer, you translate qualitative findings into financial impacts. What might a data breach cost, realistically, in pounds and pence? Consider immediate financial losses, regulatory fines, legal fees, remediation costs, and even the harder-to-quantify reputational damage. Practical precision here is essential. This is neither the moment for guesswork and wild estimates, nor for chasing absolute numbers. The goal is to be precise enough, relying on verifiable and reliable industry and in-house sources, to arrive at defensible calculations that resonate clearly with finance directors, executives, and board members alike.
Transparency in methodology builds trust and supports cost-effectiveness analysis; what else would you use for that ROI analysis? This helps you prioritise risks and remediations. Remember, every risk decision is a business decision. Our job is not to shield leaders from difficult truths but to equip them fully to make informed, strategic choices.
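As an added illustration of this layer (example code written for this edit, not the author's or Qualys' own tooling), the register below records each crown-jewel scenario with an estimated annual frequency, a per-event loss range and the sources behind the numbers, computes annual expected loss in GBP, and then ranks candidate controls by net benefit so that a control costing more than the risk it removes is visible at a glance. The frequency-times-magnitude model, the scenario names and every figure are constructed assumptions; the article does not prescribe a particular calculation.

```python
"""Quantitative risk register: crown-jewel loss scenarios expressed in money,
then candidate controls ranked by cost-effectiveness.

Constructed example with illustrative figures. The expected-loss model
(annual frequency x per-event loss) is an assumption, not a method the
article prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LossScenario:
    """One qualitative scenario, now carrying defensible numbers."""
    scenario_id: str
    asset: str                 # the crown jewel from the qualitative layer
    threat: str                # threat class / loss scenario in business terms
    annual_frequency: float    # estimated events per year
    loss_low: float            # per-event loss range in GBP, low end
    loss_high: float           # per-event loss range in GBP, high end
    sources: list[str] = field(default_factory=list)  # where the numbers came from

    def loss_per_event(self) -> float:
        # Midpoint of the range; a richer model could sample a distribution.
        return (self.loss_low + self.loss_high) / 2

    def annual_expected_loss(self) -> float:
        return self.annual_frequency * self.loss_per_event()


@dataclass
class Control:
    """A proposed remediation and the effect it is claimed to have."""
    name: str
    scenario_id: str
    annual_cost: float
    frequency_reduction: float = 0.0   # fraction of events prevented (0..1)
    magnitude_reduction: float = 0.0   # fraction of per-event loss avoided (0..1)


def build_register() -> dict[str, LossScenario]:
    """Constructed sample register; every figure here is illustrative."""
    scenarios = [
        LossScenario("customer-db-breach", "Customer database",
                     "External compromise exposing customer records",
                     annual_frequency=0.2, loss_low=400_000, loss_high=1_200_000,
                     sources=["industry breach-cost report (placeholder)", "legal estimate"]),
        LossScenario("billing-ransomware", "Billing platform",
                     "Ransomware halts invoicing for several days",
                     annual_frequency=0.1, loss_low=1_000_000, loss_high=3_000_000,
                     sources=["finance: daily revenue at risk", "DR test results"]),
        LossScenario("vendor-outage", "Payments vendor",
                     "Third-party outage blocks card payments",
                     annual_frequency=0.5, loss_low=50_000, loss_high=150_000,
                     sources=["vendor SLA history"]),
    ]
    return {s.scenario_id: s for s in scenarios}


def register_summary(register: dict[str, LossScenario]) -> dict:
    """Annual expected loss per scenario plus the total, in GBP."""
    per_scenario = {sid: round(s.annual_expected_loss(), 2) for sid, s in register.items()}
    return {"scenarios": per_scenario, "total": round(sum(per_scenario.values()), 2)}


def residual_ale(scenario: LossScenario, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    freq = scenario.annual_frequency * (1 - control.frequency_reduction)
    loss = scenario.loss_per_event() * (1 - control.magnitude_reduction)
    return freq * loss


def evaluate_controls(register: dict[str, LossScenario], controls: list[Control]) -> list[dict]:
    """Rank controls by net annual benefit (risk reduced minus control cost)."""
    rows = []
    for c in controls:
        s = register[c.scenario_id]
        before = s.annual_expected_loss()
        after = residual_ale(s, c)
        reduction = before - after
        net = reduction - c.annual_cost
        rows.append({
            "control": c.name,
            "scenario": c.scenario_id,
            "risk_reduction": round(reduction, 2),
            "annual_cost": c.annual_cost,
            "net_benefit": round(net, 2),
            # return on security investment: net benefit per pound spent
            "rosi": round(net / c.annual_cost, 2),
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed candidate controls; effect sizes are illustrative assumptions.
SAMPLE_CONTROLS = [
    Control("MFA and privileged-access review", "customer-db-breach",
            annual_cost=60_000, frequency_reduction=0.6),
    Control("Immutable backups with tested restore", "billing-ransomware",
            annual_cost=40_000, magnitude_reduction=0.5),
    Control("Second payments vendor", "vendor-outage",
            annual_cost=80_000, frequency_reduction=0.8),
]

if __name__ == "__main__":
    reg = build_register()
    print(register_summary(reg))
    for row in evaluate_controls(reg, SAMPLE_CONTROLS):
        print(row)
```

With these figures the backup control ranks first (it removes £100,000 of expected loss for £40,000), the access control second, and the second vendor last with a negative net benefit: the register makes the cost-effectiveness argument in the same units the finance director uses, and the `sources` field keeps the methodology transparent for anyone who challenges a number.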
Qualitative Presentation: Communicating Clearly and Effectively
The third layer of our 3Q sandwich is communication. You’ve done your rigorous analysis, quantified the risks, and built a robust financial picture. Now, it’s time to share these insights with clarity and empathy.
Appropriate communication isn't about dumbing down information; it's about respecting your audience enough to speak their language. Tailor your message to each stakeholder’s objectives and concerns. For instance, finance teams might need detailed numeric impacts, while senior leadership might prefer strategic summaries emphasising business continuity or regulatory compliance.
Timeliness matters too. Delays dilute urgency and relevance. Make sure your analysis reaches decision-makers precisely when they need it most, enabling timely decisions and action.
Why This Matters: Bridging Cybersecurity and Business
The 3Q sandwich isn’t just a clever metaphor. It’s a pragmatic framework for communication and analysis. Done correctly, it brings cybersecurity closer to the heart of the business. It shifts security from an IT-centric conversation to a business-critical discussion, allowing the Chief Information Security Officer (CISO) to demonstrate genuine business value.
This method ensures specificity, practical precision, timely delivery, cost-effectiveness, and appropriate stakeholder communication – the hallmarks of effective cyber risk management. CISOs who adopt the approach will find themselves more integrated with business leaders, seen less as a cost centre and more as a strategic advisor. Ultimately, it fosters trust and informed decision-making.
Cybersecurity is never purely a technical issue; it is inherently a business challenge. Hence, the industry must stop looking only at potential attacks or vulnerabilities and shift from an attack-surface to a risk-surface mentality. This helps you implement better operational processes around risk, where every decision about investment, resources, or strategic prioritisation must align with wider organisational objectives. By using the 3Q sandwich, cybersecurity teams not only clarify the risks but also advocate effectively for necessary improvements. Once the process is operationalised, it becomes the foundation of a Risk Operation Centre, or ROC, that can manage the wider strategic need around security and effectiveness.
In conclusion, the 3Q approach, with its blend of qualitative analysis for risk-scenario definitions, quantitative assessments for practical precision and cost-effectiveness analysis, and clear, timely and tailored communication, epitomises a ROC in action.
Remember: cybersecurity excellence isn’t about perfection – it's about making consistently wise, well-informed decisions.
Ivan Milenkovic serves as Vice President for Cyber Risk Technology at Qualys, a cloud-based IT, security, and compliance company. With over 20 years of experience in aligning complex technology landscapes and fluctuating risks with core business objectives, Ivan’s background includes a Group CISO role at a major multinational BPO, running a cyber advisory practice, and serving on multiple advisory boards.
Earlier in his career, he was involved in the design and operations of systems supporting the Olympic Games, and he proudly notes having delivered projects across every continent except the frozen ones. Ivan is a Certified Information Security Officer (S-CISO®) and is one of the trainers on the CISO2.0 course for the SECO Institute (for the S-CISO certification). He is currently pursuing a Cyber MBA at Lancaster University in the UK.