The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from the boardroom can be a challenging task. But according to a panel of security leaders at Infosecurity Europe 2026, focusing on the financial implications of cyber risks is a powerful strategy to gain support. This approach, known as Cyber Risk Quantification (CRQ), is about more than just numbers; it's about making the intangible tangible and relatable to business leaders.
One key player in this arena is BP, a multinational oil and gas company that has been at the forefront of risk management for decades. James Russell, digital risk management lead at BP, emphasizes the importance of making data accessible and understandable for managers. He highlights the challenge of translating CRQ language into a common lexicon that can help stakeholders manage risk effectively.
Russell's perspective is shared by Silas Bartlett, managing director for cybersecurity at NatWest Group. Bartlett acknowledges the complexity of measuring cyber risk, especially when compared to the vast data banks in the financial sector. He notes that the challenge lies in ensuring the quality and quantity of data are accurate, and this is where assumptions and modeling come into play.
The concept of 'dollar attribution' is a crucial output of CRQ. It demonstrates how proper cyber risk management can save organizations money by preventing or mitigating potential breaches. By quantifying risks with dollar values, businesses can make more informed decisions, moving away from gut feelings and subjective opinions.
However, the process is not without its hurdles. Presenting risk data to the board requires a deep understanding of their needs. If the information is too complex, it may be of little use. The key, according to Russell, is to ensure that CRQ is an enabler, helping stakeholders meet their requirements.
In conclusion, Cyber Risk Quantification is a powerful tool for gaining board support in cybersecurity. By focusing on financial implications and making data accessible, organizations can bridge the gap between security and business leadership, ultimately strengthening their defenses against cyber threats.
