The Boardroom Battle: Why Cybersecurity Needs a Dollar Sign
If you’ve ever tried explaining cybersecurity risks to a boardroom, you know it’s like speaking a foreign language. Firewalls, phishing, zero-day exploits—these terms might as well be ancient runes to executives focused on quarterly earnings and shareholder value. But what if we could translate cybersecurity into something they do understand? Something like, say, dollars and cents.
That’s the core idea behind Cyber Risk Quantification (CRQ), a concept gaining traction in boardrooms worldwide. At Infosecurity Europe 2026, security leaders from BP and NatWest Group made a compelling case for why framing cyber risk in financial terms isn’t just smart—it’s essential.
The Language of Money: Why It Works
One thing that immediately stands out is how universally understood money is. James Russell, BP’s digital risk management lead, put it bluntly: ‘Quantifying risk with a dollar value makes it more meaningful, especially in a large organization.’ Personally, I think this is a game-changer. Cybersecurity has long been seen as a technical problem, but when you attach a price tag to a potential breach, it becomes a business problem. And business problems get attention.
What many people don’t realize is that this approach isn’t just about scaring boards with big numbers. It’s about creating a shared language. When you say, ‘A ransomware attack could cost us $10 million,’ you’re not just stating a fact—you’re inviting a conversation about investment, mitigation, and long-term strategy.
The Data Dilemma: Building Trust in Numbers
Of course, it’s not as simple as pulling numbers out of thin air. Silas Bartlett, NatWest Group’s cybersecurity managing director, highlighted the challenges of modeling cyber risk. ‘We don’t have decades of data like credit risk teams do,’ he noted. This raises a deeper question: How can we build confidence in these models when the data is still evolving?
From my perspective, the answer lies in transparency. Bartlett’s team at NatWest tackled this by incorporating assumptions into their models—what if their estimates are off by 10%? What if a new vulnerability emerges? This kind of scenario planning not only strengthens the model but also builds trust with stakeholders. It’s a reminder that risk quantification isn’t about perfection; it’s about making informed decisions.
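The "what if our estimates are off by 10%?" check described above can be run directly against a loss model. The sketch below is an added example, not NatWest's or BP's model: it assumes a Poisson incident frequency and a lognormal loss per incident, and every parameter name and value is constructed for illustration (the median loss echoes the $10 million figure used earlier in this article).

```python
import math
import random
import statistics

# Constructed inputs (assumptions, not figures from NatWest or BP).
BASE = {
    "events_per_year": 0.3,         # expected ransomware incidents per year
    "median_loss_usd": 10_000_000,  # echoes the $10 million figure in the text
    "loss_sigma": 0.8,              # spread of the lognormal loss per incident
}

def poisson(rng, lam):
    """Draw an incident count for one year (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(params, years=20_000, seed=1):
    """Return (mean annual loss, 95th percentile annual loss) in USD."""
    rng = random.Random(seed)  # fixed seed so runs are comparable
    mu = math.log(params["median_loss_usd"])
    totals = []
    for _ in range(years):
        n = poisson(rng, params["events_per_year"])
        totals.append(sum(rng.lognormvariate(mu, params["loss_sigma"]) for _ in range(n)))
    totals.sort()
    return statistics.fmean(totals), totals[int(0.95 * years)]

def sensitivity(base, shift=0.10):
    """Re-run the model with each assumption moved up by `shift`, one at a time."""
    base_mean, base_p95 = simulate(base)
    rows = {}
    for name in base:
        changed = dict(base, **{name: base[name] * (1 + shift)})
        mean, p95 = simulate(changed)
        rows[name] = (mean / base_mean - 1, p95 / base_p95 - 1)
    return (base_mean, base_p95), rows

if __name__ == "__main__":
    (mean, p95), rows = sensitivity(BASE)
    print(f"baseline: mean ${mean:,.0f}/yr, 95th percentile ${p95:,.0f}/yr")
    for name, (d_mean, d_p95) in rows.items():
        print(f"{name:16s} +10% -> mean {d_mean:+.1%}, p95 {d_p95:+.1%}")
```

A 10% shift in the median loss moves both outputs by exactly 10%, because it scales every simulated loss; the frequency and spread rows show how much the headline figure depends on the less certain assumptions.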
The Gut Feeling vs. The Data-Driven Decision
What this really suggests is that CRQ isn’t just a tool for boards—it’s a cultural shift. James Russell pointed out that data-driven insights should help eliminate decisions based on gut feelings. But here’s the catch: the data has to be usable. If you present a board with a 50-page report full of technical jargon, they’ll tune out. The key is translating complex risk metrics into actionable insights.
A detail that I find especially interesting is how this mirrors the evolution of other business functions. Think about how marketing shifted from ‘brand awareness’ to ROI-driven campaigns. Cybersecurity is undergoing a similar transformation, moving from a cost center to a strategic investment.
The Long Game: Why This Matters Beyond the Boardroom
If you take a step back and think about it, CRQ isn’t just about getting boards to approve bigger cybersecurity budgets. It’s about embedding resilience into the DNA of an organization. When cyber risk is quantified in financial terms, it becomes part of the broader risk management strategy—not an afterthought.
Personally, I think this is where the real opportunity lies. By aligning cybersecurity with business goals, we’re not just preventing breaches; we’re enabling innovation. Companies that master this approach will be better equipped to navigate an increasingly digital—and dangerous—world.
The Bottom Line: Cybersecurity is a Business Issue
In my opinion, the biggest takeaway from Infosecurity Europe is this: cybersecurity is no longer a technical problem to be solved by IT teams. It’s a business risk that demands a business solution. CRQ isn’t just a trend—it’s a necessity.
What makes this particularly fascinating is how it challenges traditional silos. Security teams, finance departments, and board members are now speaking the same language. And in a world where cyber threats are constantly evolving, that kind of alignment could be the difference between survival and collapse.
So, the next time you’re in a boardroom, don’t lead with firewalls or encryption protocols. Lead with dollars and cents. Because when it comes to cybersecurity, that’s a language everyone understands.