How to Convince Your Board to Prioritize Cyber Risk Quantification | Infosecurity Europe Insights (2026)

The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from boards to prioritize cyber risk quantification is a challenging task. But, according to a panel of security leaders at Infosecurity Europe 2026, focusing on the financial impact of cyber threats can be a powerful strategy. By quantifying cyber risk in terms of dollar values, organizations can make a strong case for investment in cybersecurity, demonstrating the potential financial losses that could arise from a cyber attack. This approach is particularly relevant for large organizations, where the stakes are high and the potential impact of a breach can be devastating.

One key player in this arena is BP, a multinational oil and gas company that has been at the forefront of risk management for decades. In recent years, they have successfully applied this approach to cybersecurity, ensuring that data is easily understood by managers and that the implications of cyber threats are clear. James Russell, digital risk management lead at BP, emphasizes the importance of connecting cyber risk to the broader business context. By quantifying risk in dollar terms, he argues, it becomes more meaningful to business leaders, who can then make informed decisions about resource allocation and risk mitigation.

The challenge, however, is not just in the quantification but in ensuring the data is accurate and relevant. Silas Bartlett, managing director for cybersecurity at NatWest Group, acknowledges the difficulty in measuring cyber risk due to the limited data available compared to traditional risk areas like credit risk. Banks have decades of data to work with, but cybersecurity professionals often face questions about the reliability of their models. To address this, Bartlett suggests incorporating assumptions into models, such as considering potential errors or new vulnerabilities, to build confidence in the risk assessments.

The ultimate goal is to provide 'dollar attribution,' demonstrating how proper cyber risk management can save organizations money by preventing or mitigating future breaches. This shifts risk management away from subjective opinions and gut feelings and toward objective, data-driven decisions. However, it's crucial to tailor the data presentation to the board's needs. If the data is too complex, it may be ignored, and the risk management strategy could fall short.

In conclusion, while quantifying cyber risk in dollar terms is a powerful tool for securing board support, it requires careful consideration of data accuracy and relevance. By embracing this approach, organizations can bridge the gap between security professionals and business leaders, fostering a more comprehensive and effective cybersecurity strategy.

Article information

Author: Tyson Zemlak
