Infosecurity Europe: Cyber Risk Quantification for Board Prioritization (2026)

The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from the boardroom can be a challenging task. But according to industry experts, focusing on the financial implications of cyber risks is a powerful strategy to secure support for cybersecurity initiatives. This approach, known as Cyber Risk Quantification (CRQ), is a game-changer for organizations looking to prioritize their cybersecurity efforts.

At the heart of this strategy is the idea that money talks. By quantifying cyber risks in dollar terms, organizations can demonstrate the potential financial impact of a cyber attack and the long-term benefits of effective risk management. This is particularly crucial in large, complex organizations where decision-makers may not have a technical background.

James Russell, digital risk management lead at BP, a multinational oil and gas company, shared his insights during a fireside chat at Infosecurity Europe 2026. He emphasized the importance of making data accessible and meaningful to business leaders. Russell's key takeaway: it is essential to quantify cyber risk in terms of the costs of not managing it properly.

This approach is not without its challenges. Silas Bartlett, managing director for cybersecurity at NatWest Group, acknowledged the difficulty of quantifying cybersecurity risk due to the limited data available compared to traditional risk areas like credit risk. Banks have decades of data to work with, but cybersecurity professionals often face the question of how to ensure the accuracy of their risk assessments.

To address this, Bartlett's team built assumptions into their models, such as allowing for potential errors of 10% or for new vulnerabilities that could breach their perimeter. The more data they collect over time, the more accurate their models become, leading to better risk quantification and management.

The concept of 'dollar attribution' is a key output of this process. By demonstrating how proper cyber risk management can save organizations money by preventing or disrupting potential breaches, CRQ becomes a powerful tool for securing buy-in. It shifts the focus from subjective opinions to data-driven decisions, making it easier to justify investments in cybersecurity.

However, Russell also highlighted a critical aspect: the need to tailor the data to the board's needs. If the information is too complex, it may not be actionable. The challenge lies in translating CRQ language into a common lexicon that empowers stakeholders to manage risk effectively.

In conclusion, Cyber Risk Quantification is a strategic approach that can help organizations secure the necessary support for their cybersecurity initiatives. By focusing on the financial implications and making data accessible, businesses can make a compelling case for investing in cybersecurity, ultimately strengthening their defenses against the ever-present threat of cyber attacks.

Article information

Author: Kimberely Baumbach CPA
