How to Quantify Cyber Risk for Board Buy-In (2026)

Getting boards to prioritize cyber risk quantification means working through complex data and even more intricate strategies. But, as the experts at Infosecurity Europe 2026 pointed out, it's not just about the data; it's about making the data meaningful and actionable. Personally, I think the key lies in storytelling with numbers, where every figure and every dollar value tells a story of risk and opportunity.

One of the most compelling arguments for quantifying cyber risk is the financial angle. As James Russell, digital risk management lead at BP, observed, "Quantifying risk with a dollar value makes it more meaningful, especially when you have a large organization. Measuring risk can be complex, but a dollar value is something everyone understands." In my opinion, this is a powerful tool for bridging the gap between the technical and the financial, turning abstract threats into tangible costs.

However, the path to effective cyber risk quantification is not without its challenges. Silas Bartlett, managing director for cybersecurity at NatWest Group, highlighted the difficulty of gathering enough data to make accurate risk assessments. "When you look at the way banks measure credit risk, they have huge amounts of data over decades which we [cybersecurity] don't have. And the complexity of a cyber-attack means we are asked how we can be confident we haven't made a mistake," he said. This is a critical point: without deep historical data it is hard to establish reliable models and predict future risk accurately.

To address this, organizations like NatWest have adopted strategies to build confidence in their risk models. "One of the things we've done is put assumptions in the model to say 'what if we're wrong about this by 10%, or a new vulnerability allows an attacker to breach our perimeter?'" Bartlett explained. This proactive approach, in my view, is essential for building trust in the data and in the models built on it.
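One way to make that "what if we're wrong by 10%" stress concrete is to build it into the model itself. The following is an added illustration, not anything NatWest or the speakers described: a small Monte Carlo loss model for one scenario (Poisson event frequency, lognormal per-event loss fitted to an analyst's 10th/90th percentile estimates), re-run with each key assumption moved 10% against us. The scenario values, the Z90 constant and the Knuth sampler are my own choices.

```python
import math
import random
from dataclasses import dataclass, replace
Z90 = 1.2816  # standard normal quantile at 0.90

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # assumed mean event frequency (Poisson rate)
    loss_p10: float         # analyst's 80% interval on per-event loss, in USD
    loss_p90: float

def lognormal_params(p10, p90):
    """Fit a lognormal per-event loss to a 10th/90th percentile pair."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the low event rates of one scenario."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scn, years=50_000, seed=7):
    """Expected annual loss and the 1-in-20 bad year (95th percentile), in USD."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_p10, scn.loss_p90)
    losses = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, scn.events_per_year)))
        for _ in range(years)
    )
    return {"expected": sum(losses) / years, "p95": losses[int(0.95 * years)]}

def stress_assumptions(scn, pct=0.10, **kw):
    """Re-run with each assumption moved pct against us: the 10% what-if from the talk."""
    results = {"baseline": simulate_annual_loss(scn, **kw)}
    for field in ("events_per_year", "loss_p90"):
        worse = replace(scn, **{field: getattr(scn, field) * (1 + pct)})
        results[f"{field} +{pct:.0%}"] = simulate_annual_loss(worse, **kw)
    return results

# Constructed scenario values for illustration, not figures from the article.
RANSOMWARE = Scenario("ransomware on a core business unit", 0.5, 100_000, 1_000_000)
if __name__ == "__main__":
    for label, r in stress_assumptions(RANSOMWARE).items():
        print(f"{label:24s} expected ${r['expected']:>12,.0f}  1-in-20 year ${r['p95']:>12,.0f}")
```

The output is the board-facing table the speakers argue for: a dollar figure per assumption, showing how much the estimate moves if that assumption is off by 10%.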

The ultimate goal, however, is to translate this data into actionable insights that can guide decision-making. As Russell noted, "The biggest challenge is the amount of information for stakeholders, translating CRQ language into common lexicon to help manage risk – it should be an enabler which helps your requirements." In my view, this is where the real value of cyber risk quantification lies: in its ability to help organizations make informed choices and allocate resources effectively.

In conclusion, while the road to effective cyber risk quantification is full of challenges, the rewards are significant. By focusing on the financial implications and building robust models, organizations can bridge the gap between technical and financial stakeholders, turning abstract threats into tangible costs and opportunities. This, in my opinion, is the key to getting boards to prioritize cyber risk quantification and, ultimately, to building a more resilient and secure digital future.

Author: Margart Wisoky