The world of cybersecurity is a complex and ever-evolving landscape, and getting boards to prioritize cyber risk quantification is no easy feat. But according to a panel of security leaders at Infosecurity Europe 2026, focusing on the financial impact of cyber threats is a powerful strategy. These experts argue that by quantifying cyber risk, organizations can make a strong case for investment in cybersecurity, demonstrating the potential long-term benefits.
One key player in this arena is BP, a multinational oil and gas company that has been at the forefront of risk management for decades. James Russell, digital risk management lead at BP, emphasizes the importance of making data accessible to managers. He highlights the challenge of communicating cyber risk to business leaders, suggesting that quantifying it around the costs of not managing the risk is a more effective approach.
The concept of assigning a dollar value to risk is not new, but it's a powerful tool for gaining board buy-in. Silas Bartlett, managing director for cybersecurity at NatWest Group, agrees. The bank has set out plans to quantify cybersecurity risk, recognizing the need for board reporting. However, this journey is not without its hurdles.
One significant challenge is the lack of historical data in cybersecurity compared with more established risk areas. Bartlett acknowledges the complexity of cyber-attacks and the difficulty of ensuring that the data is accurate. To address this, NatWest has built assumptions into its models, such as allowances for potential errors in the data or for newly discovered vulnerabilities. Over time, as more data is collected, these models become more precise.
The ultimate goal is to achieve 'dollar attribution': demonstrating how proper cyber risk management saves an organization money by preventing or mitigating future breaches. Russell believes that decisions grounded in real data will replace reliance on gut feelings and subjective opinions, making informed decision-making easier.
However, the process is not without its pitfalls. Presenting risk data to stakeholders requires a deep understanding of their needs. If the data is too complex, it may be ignored or misunderstood. Russell emphasizes the importance of translating cyber risk quantification into a common language that enables effective risk management.
In conclusion, while quantifying cyber risk is a powerful tool, it requires careful consideration and adaptation to different organizational contexts. By focusing on financial impact and making data accessible, security leaders can make a compelling case for cybersecurity investment, ensuring that boards prioritize this critical aspect of modern business.