The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from the boardroom can be a challenging endeavor. But according to a panel of security leaders at Infosecurity Europe 2026, there's a powerful strategy that can help bridge this gap: Cyber Risk Quantification (CRQ). By focusing on the financial implications of cybersecurity threats, organizations can make a compelling case for prioritizing cyber risk management, and it's all about the money.
The concept of CRQ is simple but changes how risk is discussed. It uses data to identify the most critical cybersecurity issues and to estimate the potential financial fallout from a cyber attack. The approach is most effective when the results are presented in terms business leaders already use: money. James Russell, digital risk management lead at BP, understands this intimately. He stresses that cyber risk data must be accessible and meaningful to managers, so that it reaches beyond the security department.
Russell puts it plainly: "Quantifying risk with a dollar value makes it more meaningful, especially in large organizations." That is the core of CRQ. Assigning a monetary value to each risk lets an organization better grasp both the potential impact of a cyber attack and the long-term benefit of managing that risk well, which in turn gives decision-makers a basis for allocating the necessary resources.
However, the path to successful CRQ implementation is not without its hurdles. Silas Bartlett, managing director for cybersecurity at NatWest Group, acknowledges the challenges. The bank's journey towards quantifying cybersecurity risk involved internal discussions and a strategic approach. They set a target for board reporting and worked backwards, ensuring the data and models were robust and reliable.
One key challenge, Bartlett notes, is that cybersecurity has far less historical data than other risk areas: banks have decades of data to analyze for those, while cybersecurity professionals must contend with the complexity of cyber attacks and the need to be confident in their risk assessments. To compensate, NatWest built explicit assumptions into its models, allowing for potential errors and for new vulnerabilities.
The ultimate goal of CRQ is to provide "dollar attribution," demonstrating how proper cyber risk management can save organizations money by preventing or mitigating future breaches. This approach shifts the focus from subjective opinions to data-driven decisions, eliminating gut feelings from the equation. However, it's crucial to tailor the data presentation to the board's needs, ensuring it's accessible and actionable.
Russell also points to the difficulty of translating CRQ terminology into a vocabulary shared by all stakeholders. The data must act as an enabler that helps the organization meet its requirements. In the end, the success of CRQ lies in its ability to bridge the gap between the technical world of cybersecurity and the business-focused boardroom, driving better decisions and a more secure organization.