Cyber Risk Quantification: How to Get Your Board's Attention and Buy-In (2026)

The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from boards to prioritize cyber risk quantification is no easy feat. But according to a panel of security leaders at Infosecurity Europe 2026, focusing on the financial impact of cyber threats is a powerful strategy to gain support. This approach is particularly effective when you consider the potential long-term benefits of a smart cyber risk management strategy.

One key player in this arena is BP, a multinational oil and gas company that has been at the forefront of risk management for decades. In recent years, they've successfully applied this expertise to cybersecurity, with a particular emphasis on making data accessible and understandable for managers. James Russell, digital risk management lead at BP, highlights the importance of connecting cyber risk to the broader business context. He argues that quantifying cyber risk in terms of dollar values is essential, as it provides a tangible and relatable measure that resonates with business leaders.

Russell's perspective is shared by Silas Bartlett, managing director for cybersecurity at NatWest Group. Bartlett acknowledges the challenges of gaining board buy-in for cybersecurity risk quantification, especially when compared to the vast data and historical context that banks have when measuring credit risk. However, he emphasizes the importance of setting clear targets and working backwards from there. By doing so, organizations can build confidence in their risk models and demonstrate the potential for cost savings through effective cyber risk management.

The concept of 'dollar attribution' is a crucial output of this data-driven approach. It highlights how proper cyber risk management can prevent or mitigate potential breaches, ultimately saving the organization money. This tangible benefit is a powerful motivator for boards, as it demonstrates a direct return on investment. However, it's essential to ensure that the data presented is tailored to the board's needs and accessible to stakeholders.

Russell underscores the challenge of translating complex cyber risk data into a common language that stakeholders can understand and use effectively. He emphasizes that the goal is to enable stakeholders to manage risk, not overwhelm them with information. This delicate balance between providing valuable insights and avoiding information overload is crucial to the success of any cyber risk quantification strategy.

In conclusion, getting boards to prioritize cyber risk quantification takes a combination of strategic data presentation, a focus on financial impact, and a deep understanding of the board's needs. By embracing these principles, organizations can navigate the complex world of cybersecurity with greater confidence and work toward a more secure future.


Author: Patricia Veum II
