Over several years I led design and eventually owned the product vision for Bitsight’s Cyber Risk Quantification feature. What started as a partnership integration became one of the most complex and rewarding projects of my career: a domain I had to learn from scratch, a user I had limited access to, and a product where trust in the output was everything.
By the time the second major version shipped, I was functioning as the primary subject matter expert, setting the roadmap, presenting strategy to executives, and making the calls on what users needed next. The feature reached $787k in ARR before being sunset due to a business pivot. I learned more from this project than almost any other.
Role
Lead Designer / Product Strategist
Company
Bitsight
Project Type
Research, Product Vision, UX Design
The Problem
Security leaders measure risk in technical terms. Boards speak dollars. Cyber Risk Quantification bridges that gap, translating security posture into probable financial exposure across real breach scenarios like ransomware, data theft, and denial of service.
The modeling behind it is deeply complex: Monte Carlo simulations, actuarial data from insurance claims, probabilistic loss distributions. Our challenge was making that legible, trustworthy, and actionable for CISOs who needed to present it to their boards.

Project Goals
Translate Complex Simulations
Make Monte Carlo outputs readable for non-statisticians
Connect Risk to Dollars
Map Bitsight threat vectors to real financial loss scenarios
Build Trust in the Output
Design for credibility, not just clarity
Drive Action
Connect exposure directly to remediation paths
The Partnership Model
We didn’t build the financial modeling engine ourselves. Bitsight partnered with Kovrr, a specialist in cyber risk quantification whose platform uses insurance claims data and actuarial models to generate financial loss scenarios. Kovrr provided the modeling layer; Bitsight provided the security ratings data and the customer relationship. My job was to design the integrated experience that made both data sources coherent and trustworthy.
We later transitioned to a second partnership with VisibleRisk, which brought a different data model and required rethinking how we presented results. Each partnership change was also a design problem.

Learning the Domain
Before I could design anything credibly I had to understand CRQ well enough to explain it to someone else. I ran a bullseye stakeholder mapping workshop to identify every player in the governance space: who the buyers, influencers, and operators were, and who had authority to act on what we built. CISOs emerged as the critical user.

I then conducted in-depth interviews with 12 CISOs across healthcare, finance, and manufacturing to understand how they thought about financial risk, what they trusted, and where existing tools were failing them.
Takeaways
CISOs were skeptical of black-box outputs. They wanted to compare their exposure against industry benchmarks. And they were far more familiar with NIST and MITRE than CIS, which became an important lesson later.

Version 1: First Launch
The first version introduced six financial risk scenarios aligned with common cyber insurance claim categories: Ransomware and Extortion, Denial of Service, Data Theft and Privacy, Third Party Liability, Regulatory Compliance, and Third Party Service Provider Failure.
For each scenario we surfaced the probable maximum, minimum, and median loss. A range rather than a single number was critical for trust. The data visualizations were the hardest design problem. We tested multiple approaches until the charts communicated magnitude and uncertainty without feeling like a statistics textbook.

Version 2: Benchmarking and Controls
After launch I went back to the same CISOs for a second research round. The reception was positive but the feedback pointed clearly to what was missing: context. Knowing your average annual loss (AAL) is $6M means little without knowing whether that is high or low for a company of your size and industry.

Benchmarks
We designed a benchmarking view placing each company’s AAL against industry standard and best-in-class comparisons. We also added a loss magnitude visualization showing where a company’s current AAL sat relative to their theoretical maximum exposure. It helped users understand not just where they were, but how much worse it could get.
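To make the numbers behind the Version 1 range and the Version 2 loss magnitude view concrete, here is an added example of a frequency-severity Monte Carlo. It is illustration code written for this page, not Bitsight’s or Kovrr’s model: the Poisson-count-times-lognormal-loss form, the percentile choices, and every scenario parameter are assumptions constructed for the example. It simulates many years of losses per scenario and derives the figures the case study describes: AAL, a low/median/high range, a probable maximum loss, and the probability of exceeding a given loss.

```python
"""Frequency-severity Monte Carlo for cyber loss scenarios.

Added illustration, not Bitsight's or Kovrr's model. Each scenario is ASSUMED to
follow a Poisson incident count per year and a lognormal loss per incident; the
parameters below are constructed for the example. From the simulated annual
losses we derive the figures a CRQ view presents: average annual loss (AAL),
a low / median / high range, and a probable maximum loss (high tail).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected incidents per year (constructed)
    median_loss: float       # median loss of one incident, USD (constructed)
    sigma: float             # lognormal dispersion of the loss (constructed)


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample by Knuth's multiplication method (fine for small lam)."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return count
        count += 1


def simulate_annual_losses(s: Scenario, years: int, seed: int = 1) -> list[float]:
    """One simulated year = sum of lognormal losses over a Poisson incident count."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # the lognormal median is exp(mu)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, s.annual_frequency)):
            total += rng.lognormvariate(mu, s.sigma)
        losses.append(total)
    return losses


def percentile(sorted_losses: list[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1], on an ascending list."""
    rank = math.ceil(q * len(sorted_losses)) - 1
    return sorted_losses[max(0, min(rank, len(sorted_losses) - 1))]


def expected_aal(s: Scenario) -> float:
    """Closed-form mean annual loss: lambda * median * exp(sigma^2 / 2)."""
    return s.annual_frequency * s.median_loss * math.exp(s.sigma ** 2 / 2)


def summarize(losses: list[float]) -> dict:
    """Turn a simulated loss distribution into the range a UI would present."""
    ordered = sorted(losses)
    return {
        "aal": sum(ordered) / len(ordered),
        "p_no_loss": sum(1 for x in ordered if x == 0.0) / len(ordered),
        "low": percentile(ordered, 0.05),
        "median": percentile(ordered, 0.50),
        "high": percentile(ordered, 0.95),
        "probable_max": percentile(ordered, 0.99),  # 1-in-100-year annual loss
    }


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed parameters; no relation to any real company or claims data.
SCENARIOS = [
    Scenario("Ransomware and Extortion", 0.40, 1_500_000, 1.2),
    Scenario("Denial of Service", 0.80, 200_000, 0.8),
    Scenario("Data Theft and Privacy", 0.15, 4_000_000, 1.0),
]


def run(years: int = 20_000) -> dict:
    """Simulate every scenario and return its summary keyed by scenario name."""
    return {s.name: summarize(simulate_annual_losses(s, years)) for s in SCENARIOS}


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name}: AAL ${r['aal'] / 1e6:.2f}M, median ${r['median'] / 1e6:.2f}M, "
              f"95th ${r['high'] / 1e6:.2f}M, probable max ${r['probable_max'] / 1e6:.2f}M, "
              f"no-loss years {r['p_no_loss']:.0%}")
```

Two properties of the output matter for presentation. The distribution is heavily right-skewed, so the AAL sits well above the median and far below the probable maximum; the gap between them is what the loss magnitude view makes visible. And for a scenario with fewer than about 0.7 expected incidents a year, most simulated years contain no loss at all, so the median annual loss is $0 even though the AAL is in the millions. A single summary number hides both effects, which is why a range, and a simpler entry point with the full distribution on demand, carry more trust than a point estimate.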

Version 2 also introduced security controls, giving users a path from exposure to action. We launched with the CIS framework for implementation reasons. This was a mistake. Our research had shown users preferred NIST and MITRE. I should have pushed to test the framework choice earlier rather than letting engineering convenience drive the decision.

Owning the Product Vision
As the partnership with Kovrr transitioned I became the internal subject matter expert. A new PM joined the team but relied on me to define the roadmap, set the research strategy, and establish the product vision. I was presenting direction to executives and making prioritization calls.
It was the closest I’ve come to functioning as a product manager while staying deeply embedded in the design. It confirmed that the best senior design work isn’t just about craft. It’s about having enough domain fluency to lead the conversation about what to build and why.


Impact
$787k ARR at peak driven entirely by a net-new feature with no prior market fit validation
12 CISOs re-engaged after V2 launch with strong positive feedback and requests for continued iteration
Became the internal SME owning roadmap, executive strategy, and product vision for the feature lifecycle
What I’d Do Differently
Test framework assumptions before committing to implementation. We knew CIS was easier to build and chose it anyway. A quick preference test with five CISOs would have cost a week and saved months of rework.
Get to the benchmarking insight faster. The comparison context was the “aha” moment for most users. It should have been in V1, not V2.
Probabilistic outputs need progressive disclosure. Showing the full loss distribution upfront overwhelmed some users. A simpler entry point with depth on demand would have reduced the trust barrier earlier.
