The Boardroom Battle: Why Cybersecurity Needs a Financial Makeover
If you’ve ever tried explaining cybersecurity risks to a boardroom, you know it’s like speaking a foreign language. Technical jargon, abstract threats, and vague probabilities—it’s enough to make even the most patient executive tune out. But what if I told you there’s a way to cut through the noise? At Infosecurity Europe 2026, a panel of security leaders argued that the key lies in something surprisingly simple: money.
The Language of the Boardroom: Dollars and Sense
Here’s the thing: boards don’t speak in vulnerabilities or attack vectors. They speak in ROI, cost savings, and long-term investments. Personally, I think this is where cybersecurity has been missing the mark for years. We’ve been trying to sell fear, uncertainty, and doubt, but what boards really want is clarity and financial impact.
Take BP, for example. A company that’s been managing risk for decades has recently turned its attention to cybersecurity. James Russell, their digital risk management lead, made a point that stuck with me: “Quantifying risk with a dollar value makes it more meaningful.” It’s not just about saying, ‘We might get hacked.’ It’s about saying, ‘If we get hacked, it could cost us $50 million.’ That’s a language everyone understands.
The Data Dilemma: Building Trust in Numbers
But here’s where it gets tricky. Cybersecurity data isn’t like financial data. Banks have decades of credit risk models to rely on, but cyber risk is still in its infancy. Silas Bartlett from NatWest Group admitted that quantifying cyber risk is like building a house on quicksand. “How can we be confident we haven’t made a mistake?” he asked.
What makes this particularly fascinating is the way they’re tackling it. Instead of aiming for perfection, they’re building models with assumptions. What if we’re wrong by 10%? What if a new vulnerability emerges? It’s not about being right all the time; it’s about being directionally correct. And as more data comes in, the models get smarter.
The Hidden Cost of Gut Feelings
One thing that immediately stands out is how much of cybersecurity decision-making is still based on gut feelings. Russell pointed out that data-driven cyber risk quantification (CRQ) could eliminate this subjectivity. But here’s the catch: the data has to be accessible. If you present a board with a spreadsheet full of technical metrics, they’ll glaze over. The challenge, as Russell put it, is “translating CRQ language into a common lexicon.”
From my perspective, this is where the real work lies. It’s not just about collecting data; it’s about storytelling. You need to take those dollar values and weave them into a narrative that resonates. For instance, instead of saying, ‘We need a bigger budget,’ you say, ‘Investing $1 million in cybersecurity could save us $10 million in potential losses.’
The Broader Implications: A Shift in Mindset
If you take a step back and think about it, this isn’t just about cybersecurity. It’s about how we communicate risk in general. Whether it’s climate change, supply chain disruptions, or geopolitical instability, the same principle applies: quantify the impact in terms that matter to decision-makers.
What this really suggests is that cybersecurity is no longer just a technical problem—it’s a business problem. And solving it requires a shift in mindset. We need to stop treating cybersecurity as a cost center and start seeing it as a strategic investment.
The Future of Cyber Risk Quantification
Looking ahead, I think we’re going to see more organizations adopting this approach. As cyber threats grow in complexity, the need for clear, actionable insights will only increase. But it won’t be easy. Building accurate models, translating technical data, and winning boardroom buy-in are all significant challenges.
What many people don’t realize is that this isn’t just about preventing breaches; it’s about building resilience. By quantifying risk, organizations can make smarter decisions about where to allocate resources, how to prioritize threats, and how to measure success.
Final Thoughts: The Power of Perspective
In my opinion, the biggest takeaway from Infosecurity Europe 2026 is this: cybersecurity isn’t just about protecting systems—it’s about protecting value. And the best way to do that is to speak the language of the boardroom.
So, the next time you’re trying to get buy-in for a cybersecurity initiative, don’t lead with fear. Lead with dollars. Because at the end of the day, that’s what really matters.