The world of cybersecurity is a complex and ever-evolving landscape, and getting buy-in from boards of directors can be a challenging task. However, a panel of security leaders at Infosecurity Europe 2026 offered some valuable insights into how to make this process more manageable. The key? Focusing on the money. According to these experts, a smart approach to cyber risk management can be a strong long-term investment for any organization, and quantifying that risk in dollar terms is a powerful way to gain support from the board. This is where Cyber Risk Quantification (CRQ) comes in. By using data to showcase cybersecurity threats and vulnerabilities, and by quantifying the financial cost of a cyber attack, organizations can make a compelling case for prioritizing these risks. But it's not just about the numbers. As James Russell, digital risk management lead at BP, pointed out, it's crucial to ensure that the data is easily understood by managers. This means connecting cyber risk to the broader business context and quantifying it around the costs of not properly managing the risk. This is where the concept of 'dollar attribution' comes into play. By assigning a dollar value to risks, organizations can demonstrate the potential financial impact of a cyber attack and the savings that can be achieved through proper risk management. However, this is not without its challenges. As Silas Bartlett, managing director for cybersecurity at NatWest Group, noted, measuring risk using dollar values can be complex, especially when compared to the vast amounts of data and decades of history that banks use to measure credit risk. Cybersecurity, on the other hand, is still relatively new, and organizations often struggle to provide the level of confidence that they haven't made a mistake. To address this, organizations need to be transparent about their assumptions and be prepared to adjust their models as new data becomes available. This includes considering 'what if' scenarios, such as a 10% error margin or the emergence of new vulnerabilities. The more data that gets added over time, the more accurate the models will become. But it's not just about the data. As Russell emphasized, the biggest challenge is translating CRQ language into a common lexicon that stakeholders can understand. If the data is too complicated, it won't be useful. Instead, it should be an enabler that helps organizations meet their requirements. In conclusion, while quantifying cyber risk in dollar terms can be a powerful tool for gaining board support, it's essential to remember that it's just one part of a comprehensive cybersecurity strategy. By combining quantitative data with a clear, accessible narrative, organizations can make a compelling case for prioritizing cybersecurity risks and investing in long-term risk management.
