How to communicate and prioritize cybersecurity risks for corporate boards is a critical question. This article covers the insights shared by security leaders at Infosecurity Europe 2026 on quantifying cyber risk, and the challenges and opportunities it presents.
The Money Factor: A Universal Language
One of the key takeaways from the panel discussion is the emphasis on translating cyber risk into a language that boards understand: money. By quantifying cyber risk with a dollar value, organizations can make a strong case for investing in robust cyber risk management strategies. This approach, as highlighted by James Russell of BP, ensures that the data and its implications are easily digestible for managers and business leaders.
Quantifying Risk: A Complex Yet Essential Task
While cyber exposure is notoriously difficult to measure, the use of Cyber Risk Quantification (CRQ) and data-driven insights offers a promising solution. By showcasing the financial costs of potential cyber attacks and the most critical cybersecurity issues, organizations can gain board support for their risk management initiatives. However, as Silas Bartlett from NatWest Group points out, this process is not without its challenges.
The Data Dilemma: Quality vs. Quantity
One of the primary challenges in quantifying cyber risk is ensuring the accuracy of the data and models used. Unlike traditional risk measurements in banking, where decades of data are available, the field of cybersecurity faces a lack of historical data. This raises questions about the confidence level in risk assessments and the potential for errors. Bartlett suggests addressing this by incorporating assumptions into models, such as considering a 10% margin of error or the impact of new vulnerabilities.
The Power of Data-Driven Decisions
Despite the complexities, the benefits of quantifying cyber risk are significant. As Russell suggests, data-driven findings can help eliminate subjective opinions and gut feelings in decision-making. By presenting risk assessments in a clear and understandable manner, organizations can ensure that boards have the necessary information to make informed choices. However, as Russell cautions, the challenge lies in translating CRQ language into a common lexicon that stakeholders can easily grasp.
A Strategic Approach to Board Engagement
NatWest Group's experience provides an insightful case study. The bank recognized the need for improved board reporting and set out a strategic plan to quantify cybersecurity risk. By working backward from this target, they were able to navigate the challenges of data quality and quantity. This approach underscores the importance of a well-defined strategy and a clear understanding of the board's requirements when presenting cyber risk assessments.
Conclusion: A Data-Driven Future
In a world where cyber threats are evolving rapidly, the ability to quantify and communicate cyber risk effectively is a powerful tool. By adopting a strategic approach, organizations can ensure that their boards are well-informed and engaged in cyber risk management. As the field of cybersecurity continues to mature, the insights shared at Infosecurity Europe 2026 serve as a valuable guide for businesses looking to prioritize and invest in their cyber defenses.