Cyber Risk Quantification: Speak the Board's Language (Money!) (2026)

In the ever-evolving landscape of cybersecurity, getting boards to prioritize cyber risk quantification is akin to navigating a labyrinth. It's not just about the data; it's about making sense of it in a way that resonates with business leaders. Personally, I think that the key to unlocking this puzzle lies in the art of storytelling with numbers. The Infosecurity Europe 2026 panel of security leaders highlighted a crucial insight: focusing on the financial implications of cyber risks can be a powerful motivator for boards. This is particularly fascinating because it challenges the traditional notion that cybersecurity is an abstract, intangible concern. What makes this approach so compelling is its ability to bridge the gap between technical jargon and the boardroom's language of dollars and cents.

The multinational oil and gas giant BP has been a pioneer in this approach. By applying risk management principles to cybersecurity, they've created a strategy that's both practical and impactful. James Russell, digital risk management lead at BP, emphasizes the importance of making data accessible and understandable. In my opinion, this is the crux of the matter: how do we translate complex cyber risk data into something that resonates with business leaders? The answer, Russell suggests, is to quantify it around the costs of not properly managing the risk. This is a brilliant strategy, as it leverages the universal language of money. By assigning a dollar value to cyber risks, organizations can demonstrate the tangible impact of these threats. This is especially crucial in large organizations, where the stakes are high and the consequences of a cyber attack can be devastating.

However, getting buy-in from the board isn't without its challenges. Silas Bartlett, managing director for cybersecurity at NatWest Group, acknowledges the difficulty of quantifying cybersecurity risk. The bank's journey to do so involved internal discussions and a targeted approach to board reporting. The challenge, Bartlett points out, is the lack of historical data and the complexity of cyber attacks. This raises a deeper question: how can we build confidence in risk models when we don't have decades of data to draw upon?

One solution, Bartlett suggests, is to incorporate assumptions into the models. By doing so, organizations can account for potential errors and new vulnerabilities. This is a clever strategy, as it allows for a more dynamic and adaptive approach to risk management. The more data that gets added over time, the more accurate the models become. This is where the concept of 'dollar attribution' comes into play. By quantifying the financial impact of cyber risks, organizations can demonstrate the value of proper cyber risk management. This, in turn, can help prevent or disrupt potential future breaches, ultimately saving the organization money.

However, the challenge of translating cyber risk quantification (CRQ) language into a common lexicon remains. The amount of information for stakeholders can be overwhelming, and it's crucial to ensure that the data is presented in a way that's accessible and actionable. In my view, the key to success lies in finding the right balance between technical detail and business-friendly language. The goal is to empower stakeholders to make informed decisions, not to overwhelm them with jargon.

In conclusion, getting boards to prioritize cyber risk quantification is a complex task, but it's not insurmountable. By focusing on the financial implications, leveraging historical data, and finding the right balance between technical detail and business-friendly language, organizations can unlock the power of cyber risk quantification. This is a crucial step in building a more resilient and secure digital future.

Author: Prof. An Powlowski
