The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from boards of directors can be a challenging task. But according to a panel of security leaders at Infosecurity Europe 2026, there's a powerful strategy that can help bridge this gap: Cyber Risk Quantification (CRQ). By focusing on the financial implications of cyber threats, organizations can make a strong case for prioritizing cybersecurity investments.
The concept of CRQ is straightforward: use data to estimate the potential financial impact of cyber attacks and vulnerabilities, and present that estimate in terms business leaders already use, namely money. James Russell, digital risk management lead at BP, emphasizes the importance of making cyber risk meaningful to these decision-makers.
Russell's point is that expressing cyber risk as a dollar value lets an organization show the financial losses it could face if risk is managed inadequately, which matters most in large organizations where the stakes are highest. As Russell puts it, "Quantifying risk with a dollar value makes it more meaningful, especially when you have a large organization. Measuring risk can be complex, but dollar value is something everyone understands."
This sentiment is echoed by Silas Bartlett, managing director for cybersecurity at NatWest Group. Bartlett acknowledges the difficulty of gaining board support for cybersecurity initiatives, but he highlights the importance of setting clear targets and working backwards. The bank's strategy involves using existing data and modeling to quantify cybersecurity risk, a process that is not without its challenges.
One of the key hurdles is the lack of historical data in the cybersecurity field compared to other areas like credit risk. Bartlett explains, "When you look at the way banks measure credit risk, they have huge amounts of data over decades, which we [cybersecurity] don’t have. And the complexity of a cyber-attack means we are asked how we can be confident we haven’t made a mistake?"
To address this, Bartlett's team builds assumptions into their models, such as allowing for potential errors in the model itself or for new vulnerabilities. As more data is collected over time, the models become more accurate, which in turn enables the calculation of "dollar attribution": the cost savings that can be credited to cyber risk management for preventing or mitigating future breaches.
However, the process of presenting CRQ data to boards requires careful consideration. The information must be tailored to the board's needs, ensuring it is accessible and actionable. Russell warns, "The biggest challenge is the amount of information for stakeholders, translating CRQ language into a common lexicon to help manage risk – it should be an enabler which helps your requirements."
In conclusion, Cyber Risk Quantification is a practical tool for securing board support for cybersecurity initiatives. By presenting risk data in financial terms, organizations can make a compelling case for investment. As the threat landscape continues to evolve, this approach is likely to become even more important in keeping businesses prepared for cyber attacks.