Infosecurity Europe: How to Get Boards to Prioritize Cyber Risk Quantification

One of the best ways to advise boards on cybersecurity risks is to focus on money and on how a smart approach to cyber risk management can be a strong long-term investment for the organization, according to a panel of security leaders at Infosecurity Europe 2026.

Cyber exposure can be difficult to measure. However, the best way to get support from the board is to use Cyber Risk Quantification (CRQ) and data to show the organization's cybersecurity threats and vulnerabilities, which cybersecurity issues matter most, and what a cyber attack could cost the organization financially.

Multinational oil and gas company BP has been using risk management across the business for decades, but in recent years it has started applying the practice to cybersecurity.

Vital to this strategy, James Russell, digital risk management lead at BP, said during a fireside chat on the Infosecurity Europe Deep Dive Stage, is to ensure that the data that is produced and what it means can be easily understood by managers.

“It’s something that needs to connect outside of security. But communicating cyber risk, how do you make it meaningful to business leaders?” said Russell. The answer, he continued, is to quantify it around the costs of not properly managing the risk.

Why Businesses Should Measure Risk Using Dollar Value

BP's Russell said, “Quantifying risk with a dollar value makes it more meaningful, especially when you have a large organization. Measuring risk can be complex, but dollar value is something everyone understands.”

Silas Bartlett, managing director for cybersecurity at NatWest Group, agreed that getting board buy-in was vital for any organization looking to quantify cybersecurity risk – and it was with this in mind that the bank set out its plans to do so.

“We were having internal discussions on how to improve board reporting,” he explained during the fireside chat. “There is enough data out there that with enough modelling we can quantify what risk looks like.”

“So, we had a target from the beginning to do board reporting and worked backwards from there,” he added.

This was not without challenges, particularly around being sure that the quality and quantity of the data being examined, and therefore the outcome of the risk reports, was correct.

“When you look at the way banks measure credit risk, they have huge amounts of data over decades which we [cybersecurity] don’t have. And the complexity of a cyber-attack means we are asked how we can be confident we haven’t made a mistake?” Bartlett explained.

“But one of the things we’ve done is put assumptions in the model to say ‘what if we’re wrong about this by 10% or a new vulnerability allows an attacker to breach our perimeter?’”

The more data that gets added over time, the more accurate that model will become. One of the key outputs which good data around risk can help quantify is the “dollar attribution” – and how proper cyber risk management can save the organization money by preventing or disrupting a potential future breach.
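The kind of model the panel describes, a frequency-times-magnitude loss model with a "what if we are wrong by 10%" sensitivity check, is sketched below as an added example; it is not code from BP, NatWest or the panel, and the event rate, loss distribution parameters and 10% error band are constructed inputs chosen for illustration.

```python
import math
import random

# Constructed inputs (illustrative only): 2 loss events a year on average,
# per-event loss lognormal with median $500k and a wide (sigma=1.0) spread.
FREQ, MU, SIGMA = 2.0, math.log(500_000), 1.0


def poisson(rng, lam):
    """Draw one Poisson(lam) event count (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(freq, mu, sigma):
    """Closed-form mean: events per year times the mean of a lognormal loss per event."""
    return freq * math.exp(mu + sigma ** 2 / 2)


def simulate(freq, mu, sigma, years=20_000, seed=7):
    """Monte Carlo annual loss: returns (mean, 95th-percentile) annual loss in dollars."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson(rng, freq)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]


def sensitivity(freq, mu, sigma, error=0.10):
    """Expected annual loss when each input is wrong by +/- error (the board's 'what if')."""
    return {
        "base": expected_annual_loss(freq, mu, sigma),
        "frequency +10%": expected_annual_loss(freq * (1 + error), mu, sigma),
        "frequency -10%": expected_annual_loss(freq * (1 - error), mu, sigma),
        "median loss +10%": expected_annual_loss(freq, mu + math.log(1 + error), sigma),
        "spread +10%": expected_annual_loss(freq, mu, sigma * (1 + error)),
    }


if __name__ == "__main__":
    mean, p95 = simulate(FREQ, MU, SIGMA)
    print(f"simulated mean ${mean:,.0f}, 95th percentile ${p95:,.0f}")
    for name, eal in sensitivity(FREQ, MU, SIGMA).items():
        print(f"{name:>18}: expected annual loss ${eal:,.0f}")
```

The spread between the base figure and the perturbed ones is the number to put in front of a board: it states how much the dollar estimate moves if an input assumption is 10% off.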

Russell suggested that because the findings are based on real data and statistics, they should help eliminate decisions made on gut feeling and subjective opinion.

However, those responsible for presenting risk to the board must ensure that what they are sharing is based on the board's needs. If the data is too complicated to understand, the board won’t be able to do much with it.

“The biggest challenge is the amount of information for stakeholders, translating CRQ language into common lexicon to help manage risk – it should be an enabler which helps your requirements,” Russell said.
