How to Quantify Cyber Risk for Board Buy-In (2026)

Getting a board to prioritize cyber risk is less a data problem than a communication problem: the numbers have to be framed in terms business leaders already use. The key is storytelling with numbers. A panel of security leaders at Infosecurity Europe 2026 made the point directly: focusing on the financial implications of cyber risk is the most effective way to gain board support. Quantification on its own is not the goal; the goal is to translate risk into the language the board understands and cares about, which is money.

The difficulty is that cyber exposure is intangible and hard to measure. Cyber Risk Quantification (CRQ) addresses this by using data about threats and vulnerabilities to estimate the financial cost of a cyber attack, turning abstract risks into concrete dollar values.

BP, the multinational oil and gas company, has been an early adopter, applying established risk management principles to cybersecurity. James Russell, digital risk management lead at BP, stresses that the data must be easy for managers to understand. How, then, should cyber risk be communicated so that it resonates with business leaders? Russell's answer is to quantify it around the cost of not managing the risk properly. This is 'dollar attribution': attaching a dollar value to each risk so that the savings from managing it well can be demonstrated.

The approach has its challenges. Silas Bartlett, managing director for cybersecurity at NatWest Group, acknowledges that cybersecurity risk is complex to measure. The bank's journey towards quantifying it involved internal discussions and a target-driven approach, but the real hurdle was ensuring the quality and quantity of the data being examined. This is where model assumptions come in. A model's assumptions should be stated explicitly, so that error margins and newly discovered vulnerabilities are represented in the estimate rather than hidden behind a single figure; as more data accumulates over time, the assumptions can be refined and the model becomes more accurate.

This raises a further question: how do we ensure that the data is not only accurate but also meaningful to the board? Again, the answer is storytelling with numbers. The figures presented must be grounded in real statistics and tailored to what the board needs to decide. If the presentation is too complicated, it will be of little use.

In short, getting boards to prioritize cyber risk quantification requires a nuanced approach. Focusing on the financial implications of cyber risk, and using data to show the threats and vulnerabilities behind the numbers, makes a compelling case for investment in cybersecurity. But the data presented must be understandable and tailored to the board's needs. That is the real craft of cyber risk management: turning abstract risks into concrete dollar values that resonate with business leaders.
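As an added example (not code from the article, the panel, BP or NatWest), the following Python script shows one common way dollar attribution is actually computed: a FAIR-style Monte Carlo model, in which each simulated year's loss is the sum of a random number of loss events, each with a lognormally distributed cost. The page does not name a specific model; FAIR-style simulation is a widely used CRQ approach and is an assumption here. The scenario figures (a ransomware scenario at 0.5 events per year with a median loss of $2M, a proposed control that halves the frequency and cuts the median loss to $800k at an annual cost of $600k) are constructed for illustration, not data from the page. The output is what a board slide needs: annualized loss expectancy (ALE) before and after the control, the 95th and 99th percentile 'bad year' losses, and the net benefit of the spend. Every input is a named field, so the assumptions can be challenged and refined as more incident data accumulates.

```python
"""FAIR-style Monte Carlo cyber risk quantification (CRQ), standard library only.

One risk scenario is modelled as:
  events per year      ~ Poisson(events_per_year)
  loss per event (USD) ~ LogNormal(median_loss_usd, loss_sigma)  (heavy-tailed, never negative)
  annual loss          = sum of the per-event losses in that year
Every input is a named assumption so it can be challenged and refined as data accumulates.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # loss event frequency (assumed; from incident history / threat intel)
    median_loss_usd: float   # typical loss per event (assumed; from IR cost data, insurance claims)
    loss_sigma: float        # log-space spread; 1.0 puts ~90% of events within ~5x of the median


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual frequencies used in CRQ scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 20000, seed: int = 1) -> list:
    """Simulate `trials` independent years and return the total loss in each one."""
    rng = random.Random(seed)           # fixed seed: the board number is reproducible
    mu = math.log(s.median_loss_usd)    # the median of a lognormal is exp(mu)
    losses = []
    for _ in range(trials):
        n_events = _poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(n_events)))
    return losses


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile of a sample (p in 0..100)."""
    ordered = sorted(values)
    return ordered[int(round(p / 100 * (len(ordered) - 1)))]


def analytic_ale(s: Scenario) -> float:
    """Closed-form annualized loss expectancy, E[N] * E[X]; a sanity check on the simulation."""
    return s.events_per_year * s.median_loss_usd * math.exp(s.loss_sigma ** 2 / 2)


def summarize(losses: list) -> dict:
    """ALE (mean annual loss) plus the tail figures a board should see, not just the average."""
    return {"ale": mean(losses), "p50": percentile(losses, 50),
            "p95": percentile(losses, 95), "p99": percentile(losses, 99)}


def control_business_case(inherent: Scenario, residual: Scenario,
                          control_cost_usd: float, trials: int = 20000) -> dict:
    """Dollar attribution for one control: expected loss avoided versus the money spent."""
    # Same seed for both runs (common random numbers) so the difference is not swamped by noise.
    before = summarize(simulate_annual_losses(inherent, trials))
    after = summarize(simulate_annual_losses(residual, trials))
    avoided = before["ale"] - after["ale"]
    return {"ale_before": before["ale"], "ale_after": after["ale"],
            "p95_before": before["p95"], "p95_after": after["p95"],
            "loss_avoided": avoided, "control_cost": control_cost_usd,
            "net_benefit": avoided - control_cost_usd}


# Constructed illustrative scenario (not figures from the article): ransomware on one business unit.
INHERENT = Scenario("ransomware, current controls", events_per_year=0.5,
                    median_loss_usd=2_000_000, loss_sigma=1.0)
# Assumed effect of the proposed control (e.g. EDR plus immutable backups): half the frequency,
# and a much cheaper typical event because recovery no longer means paying or rebuilding from scratch.
RESIDUAL = Scenario("ransomware, with proposed control", events_per_year=0.25,
                    median_loss_usd=800_000, loss_sigma=1.0)
CONTROL_COST_USD = 600_000   # assumed annual run cost of the control

if __name__ == "__main__":
    case = control_business_case(INHERENT, RESIDUAL, CONTROL_COST_USD)
    for key, value in case.items():
        print(f"{key:>14}: ${value:>14,.0f}")
```

Two design points matter when this goes in front of a board. First, the ALE alone understates the risk: with 0.5 events a year, the median year has no loss at all, so the p95 and p99 figures are what justify a control against an infrequent but severe event. Second, `analytic_ale` gives the closed-form expectation for the same assumptions, which lets you check that the simulation is converged before anyone quotes its output; if the two disagree by more than a few percent, increase `trials` rather than trusting the number.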

Author: Greg Kuvalis